Pass the PCI SSC CPSA Qualification CPSA_P_New Questions and answers with CertsForce

According to the Card Production Security Assessor (CPSA) Qualification Requirements, an assessor must provide their client with a Quality Assurance Manual at the start of every assessment. The Quality Assurance Manual is a document that describes the assessor’s methodology, procedures, and quality control measures for conducting assessments. The manual must be consistent with the CPSA Program Guide and the PCI Card Production and Provisioning Security Requirements. The manual must also include a description of the assessor’s roles and responsibilities, the assessment scope and objectives, the assessment plan and timeline, the assessment report format and content, and the assessor’s conflict of interestpolicy. References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 111

The PCI SSC has a quality assurance (QA) program that monitors the performance and compliance of CPSA Companies and CPSA Employees. The QA program is based on eight guiding principles that the assessor community must adhere to, one of which is to maintain consistent assessor procedures and reporting. The PCI SSC reviews the reports submitted by the CPSA Companies and provides feedback on the quality and completeness of the reports. If a CPSA Company submits multiple reports that are incomplete and do not contain the information described in the reporting instructions, they may be violating the QA program and the CPSA Qualification Requirements. The PCI SSC may take corrective actions against the CPSA Company, such as issuing a warning, requiring additional training, imposing remediation, or revoking the CPSA Company status. Remediation is a process that requires the CPSA Company to improve in one or more areas of their operations and demonstrate compliance with the PCI SSC requirements. Revocation is a process that terminates the CPSA Company status and removes the CPSA Company from the list of qualified assessors on the PCI SSC website. The PCI SSC has the sole authority and discretion to determine the appropriate corrective actions for any non-compliance issues by the CPSA Companies or CPSA Employees. The payment brands do not have the power to put the CPSA Companies into remediation or revoke their status, nor do they have the power to fine them. The payment brands may, however, impose their own sanctions or penalties on the card production entities that are assessed by the CPSA Companies, based on their own contractual agreements and compliance programs. References:

Card Production Security Assessor (CPSA) Program Guide, Section 3 and 5.1

Card Production Security Assessor (CPSA) Qualification Requirements, Section 3.1 and 3.2

CPSA Remediation Statement

According to the PCI Card Production and Provisioning Logical Security Requirements, Secure Element (SE) provisioning is the process of adding cardholder account information to a secure element on a mobile device via an over-the-air or over-the-internet communication channel. A secure element is a tamper-resistant platform that can securely host applications and their confidential and cryptographic data. A SIM card is an example of a secure element that can be used for mobile payments. SE provisioning is different from Host Card Emulation (HCE) provisioning, which is the process of adding cardholder account information to a cloud-based server that emulates a secure element on a mobile device. SE provisioning is also different from card personalization, which is the process of adding cardholder account information to a physical card. Over-the-air (OTA) provisioning is a generic term that can refer to either SE or HCE provisioning, depending on the type of mobile payment system used. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 6-71

 According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must test all alarms on external doors of the card production and provisioning vendor environment at least every month. The vendor must also document the results of the tests and retain them for at least one year. The vendor must also have procedures to respond to any alarms or incidents, and to report them to the relevant parties. The vendor must not test the alarms less frequently than every month, as this may compromise the security and integrity of the card production and provisioning vendor environment and increase the risk of unauthorized access or theft. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-191