無料CPSA_P_Newサンプル問題で100%カバー率のリアル試験問題(更新された52問あります) [Q20-Q35]

Share

無料CPSA_P_Newサンプル問題で100%カバー率のリアル試験問題(更新された52問あります)

今すぐダウンロード!リアルPCI CPSA_P_New試験問題集テストエンジン試験問題

質問 # 20
A vendor puts cardholder information into a chip by sliding a payment card through a machine that programs it and verifies the data. The chip can make contactless transactions. Which of the following best describes the vendor's activity?

  • A. Secure Element (SE) provisioning
  • B. Card personalization
  • C. Fulfillment
  • D. Host Card Emulation (HCE) provisioning

正解:B

解説:
Explanation
Card personalization is the process of transferring cardholder information, such as account number, name, expiration date, and other data, to a payment card. This can be done by various methods, such as magnetic stripe encoding, embossing, laser engraving, or chip programming. Chip programming is the method of personalizing a card that has an embedded microchip that can store and process data. Chip cards can support contact or contactless transactions, depending on the chip type and the terminal capabilities. Contact transactions require the card to be inserted into a reader, while contactless transactions use radio frequency (RF) communication between the card and the reader. The vendor in the question is performing card personalization by programming the chip and verifying the data on the card. References:
Payment Card Industry (PCI) Card Production and Provisioning - Logical Security Requirements, Section 1.1.1 Payment Card Industry (PCI) Card Production and Provisioning - Physical Security Requirements, Section 1.1.1 Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization, Chip Card, Contact Card, and Contactless Card


質問 # 21
During an assessment you ask to see employee records for employees with access to the HSA. The records include information about the screening process, including background information from the employee application process. The oldest background Information that is available is for an employee that left the vendor (terminated their contract) one year previously. You note this as non-compliant, why?

  • A. Employee information, including background checks, must be stored for at least seven years
  • B. The vendor must only retain background information for all current employees, not for those that have been terminated
  • C. The vendor must retain the background information for at least 18 months after termination of contract
  • D. Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)

正解:D

解説:
Explanation
According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee's termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities. References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1 PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1


質問 # 22
Which document describes the results of an assessment, and is signed by both the assessor and the vendor executive officer?

  • A. Security Assessment Questionnaire (SAQ)
  • B. Letter of Approval (LOA)
  • C. Report on Compliance (ROC)
  • D. Attestation of Compliance (AOC)

正解:D

解説:
Explanation
The Attestation of Compliance (AOC) is the document that describes the results of a PCI Card Production Assessment, and is signed by both the CPSA and the vendor executive officer. The AOC is a summary of the findings and conclusions of the assessment, and indicates whether the vendor meets the PCI Card Production Logical Security Requirements and/or the PCI Card Production Physical Security Requirements. The AOC must be completed using the template provided by PCI SSC, and must be submitted to PCI SSC along with the Report on Compliance (ROC) and other supporting documents. The AOC must also be provided to the vendor's clients upon request. References:
PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 11, requirement 7.1.1 PCI Card Production and Provisioning Attestation of Compliance, v2.0, April 2019, page 1, section 1


質問 # 23
During an assessment you walk the perimeter of the building with a guard you find an emergency exit door from the facility and ask the guard what is on the other side. The guard can't remember, and so uses their assigned, secure key to open the door and show you a corridor within the facility. What most concerns you about the situation?

  • A. The exit door should not be capable of being opened from the outside
  • B. The exit door should not lead into the facility
  • C. The guard should not have forgotten where the door leads to
  • D. The guard should have sought permission from their manager before opening the door

正解:A

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, emergency exit doors must be equipped with devices that prevent unauthorized entry from the outside, such as panic bars, crash bars, or push pads. These devices allow the door to be opened from the inside without a key or a code, but prevent the door from being opened from the outside by unauthorized persons. Therefore, the most concerning aspect of the situation is that the exit door can be opened from the outside with a key, which creates a security risk for the facility. The other options are not as concerning, as they do not directly affect the security of the exit door. The exit door can lead into the facility as long as it provides a safe and unobstructed path to the exit discharge. The guard's memory lapse is not a major issue, as long as they follow the proper proceduresand protocols for opening the door. The guard's permission from their manager is not relevant, as long as they have the authority and the responsibility to open the door for inspection purposes. References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
171
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
181


質問 # 24
Which of the following must be used by the vendor to protect doors that provide access to buildings containing air conditioning equipment?

  • A. Electrical contacts that log each open and close event to a secure system memory
  • B. Magnetic contacts that are permanently alarmed and that are connected to the security control-room panels
  • C. Physical locks with a limited set of keys under constant supervision by a guard in the security control-room
  • D. Security tape that will leave an observable trace each time a door is opened

正解:B

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must use magnetic contacts that are permanently alarmed and that are connected to the security control-room panels to protect doors that provide access to buildings containing air conditioning equipment. The vendor must also ensure that the air conditioning equipment is located in a secure area that is not accessible to unauthorized personnel, and that the air conditioning system is monitored and maintained to prevent unauthorized access or tampering. The vendor must also have procedures to respond to any alarms or incidents related to the air conditioning system, and to report them to the relevant parties. The vendor must not use security tape, electrical contacts, or physical locks alone, as these may not provide adequate protection or detection of unauthorized access or tampering. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-221


質問 # 25
For how long must a vendor retain all applicant and employee background information on file?

  • A. For at least 12 months after termination of the contract of employment
  • B. For at least 24 months after termination of the contract of employment
  • C. For at least 18 months after termination of the contract of employment
  • D. It is not a requirement to store this information beyond termination of the contract

正解:A

解説:
Explanation
According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to retain all applicant and employee background information on file for at least 12 months after termination of the contract of employment. This is to ensure that the CPSA Company can provide evidence of the background checks performed on the CPSA Employees or other personnel involved in card production and provisioning activities. The background checks should include criminal history, employment history, education verification, and reference checks, and should be conducted at least every two years or upon rehire. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.2, Page 111


質問 # 26
Which of the following personnel changes must result in the vendor notifying the Vendor Program Administration (VPA)?

  • A. Hiring someone that will directly interact with the card issuers
  • B. Any change to a role that directly affects the security of card products and related components
  • C. Promoting someone to senior management level
  • D. Adding additional rights to someone's role to give them access to the mam production vault

正解:B

解説:
Explanation
According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to notify the VPA of any changes to the roles of CPSA Employees or other personnel that directly affect the security of card products and related components. This is to ensure that the CPSA Company maintains the quality and integrity of the CPSA Program and the PCI Card Production Security Standards. The VPA should be notified within 10 business days of the change, and the CPSA Company should provide evidence of the qualifications and training of theaffected personnel. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.3, Page 121


質問 # 27
A vendor uses codes from a chip manufacturer to 'unlock' chips and prepare them for use by adding applications and keys. Which of the following best describes this process?

  • A. Pre-personalization
  • B. Data preparation
  • C. Data creation
  • D. Manufacture

正解:A

解説:
Explanation
According to the PCI Card Production and Provisioning Logical Security Requirements, pre-personalization is the process of unlocking the chip and loading the applications and keys onto the chip. This process is performed by the vendor using codes provided by the chip manufacturer. The codes are used to authenticate the vendor and enable the chip to accept the applications and keys. The pre-personalization process prepares the chip for the subsequent personalization process, where the chip is associated with a specific cardholder account andactivated. The pre-personalization process is different from data creation, data preparation, and manufacture, which are other processes involved in card production and provisioning. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages
6-71


質問 # 28
After reviewing their completed ROC and AOC, which state that they are compliant, the vendor wishes to be listed on PCI SSC's list of Compliant Card Vendors. How should you assist them with the listing process?

  • A. Inform the vendor that PCI SSC does not list compliant vendors
  • B. Submit only the AOC to PCI SSC
  • C. Inform the vendor that they must request a listing via the payment brand(s) that received their ROC
  • D. Submit the full ROC to PCI SSC

正解:C

解説:
Explanation
According to the CPSA Program Guide1, PCI SSC does not list compliant card vendors on its website. The PCI SSC only lists the qualified CPSA Companies and CPSA Employees who are authorized to perform PCI Card Production Security Assessments. The PCI SSC also does not receive or review the full ROCs or AOCs from the card vendors or the CPSA Companies. The ROCs and AOCs are submitted by the CPSA Companies to the applicable payment brands that have contracted with the card vendors for card production and provisioning services. The payment brands are responsible for verifying the compliance status of the card vendors and determining whether to list them on their own websites or databases. Therefore, the CPSA Company should inform the vendor that they must request a listing via the payment brand(s) that received their ROC, and that the listing process may vary depending on the payment brand's policies and procedures.
The CPSA Company should also advise the vendor to maintain their compliance with the PCI Card Production Standards and to undergo annual assessments by a qualified CPSA Company.


質問 # 29
John works for ACME Inc Personalizers. an organization that personalizes payment cards as well as printing the corresponding PIN mailers for distribution directly to the cardholder. Which of the following statements is true?

  • A. If John is involved in card personalization, then he must never be involved in the card shipment process
  • B. If John is involved in card personalization then he must not be involved in the printing of the corresponding PINs
  • C. If John is involved in PIN printing, then he must never be involved in the card shipment process
  • D. If John is involved in card personalization, then he must never be involved in PIN printing

正解:D

解説:
Explanation
According to the PCI Card Production and Provisioning - Logical Security Requirements, there must be a clear segregation of duties between the staff involved in different card production and provisioning activities, such as card personalization, PIN generation and printing, and card fulfillment. This is to prevent any unauthorized access, modification, or disclosure of sensitive cardholder data and to ensure the integrity and confidentiality of the card production process. Therefore, if John is involved in card personalization, which is the process of transferring cardholder information to a payment card, then he must never be involved in PIN printing, which is the process of printing the personal identification number associated with the cardholder account on a mailer. This way, John cannot link the cardholder data on the card with the PIN on the mailer, and cannot compromise the security of the cardholder authentication. The other statements are not true, as there is no requirement that prohibits John from being involved in the card shipment process, as long as he does not have access to both the card and the PIN mailer at the same time. References:
Payment Card Industry (PCI) Card Production and Provisioning - Logical Security Requirements, Section 2.1.1 and 2.1.2 Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization and PIN Printing


質問 # 30
A vendor receives cardholder information and keys from a bank. The vendor then performs the following:
* Uses its HSM to create keys
* Creates cardholder information specific to each cardholder, including name and PAN
* Formats the data for the hardware that will put it on a card
* Writes it to an encrypted file
Which of the following best describes this process?

  • A. Pre-personalization
  • B. Data preparation
  • C. Data creation
  • D. Manufacture

正解:B

解説:
Explanation
Data preparation is the process of creating cardholder data and keys for each card, and formatting them for the hardware that will put them on a card. Data preparation involves the use of an HSM to generate keys and encrypt data, and the creation of an encrypted file that contains the cardholder data and keys. Data preparation is one of the steps in the card production lifecycle, and it precedes the manufacture and personalization of the cards. References:
Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 10 PCI Card Production Logical Security Requirements, v2.0, April 2019, page 9 PCI Card Production Physical Security Requirements, v2.0, April 2019, page 9


質問 # 31
A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?

  • A. Payment brands
  • B. PCI SSC
  • C. Assessor
  • D. Issuing banks

正解:A

解説:
Explanation
The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by. References:
Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April
2019, page 51
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62


質問 # 32
Which of these are guards allowed access to?

  • A. Loading bays
  • B. Physical master keys that provide access to card production or provisioning areas
  • C. Audit logs
  • D. HSAs

正解:A

解説:
Explanation
According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they have limited access to card production or provisioning areas, and that they do not have access to HSAs, audit logs, or physical master keys that provide access to card production or provisioning areas. This is to prevent unauthorized access, theft, or misuse of card material or data by the contracted guard service. However, the contracted guard service may have access to loading bays, as long as they are escorted by authorized personnel and do not handle or interfere with card shipments. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section
1.1, Objective 2, Requirement 2.2.1, Page 71


質問 # 33
In which of the following locations must the CCTV and access control servers be located?

  • A. Within a room in the HSA with security controls equivalent to the SCR applied
  • B. Within the Security Control Room (SCR)
  • C. Within the secure server room inside of the HSA
  • D. Within the SCR or a room with equivalent security

正解:D

解説:
Explanation
According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security. References: PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16


質問 # 34
Which of the following statements about unsolicited visitors is true?

  • A. They must complete an NDA before entry is granted
  • B. They must be turned away
  • C. They must be registered, their identities confirmed, and must be allocated an escort before entry
  • D. They must be able to prove a legitimate reason for their visit prior to entry

正解:C

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as "individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity". The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information.
The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security. References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
101
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
111


質問 # 35
......

最新CPSA_P_Newテスト問題集を試そう!更新されたPCI試験が合格できます:https://jp.fast2test.com/CPSA_P_New-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어