2024年最新の100%無料CPSA_P_New日常練習試験には52問があります [Q31-Q50]

Share

2024年最新の100%無料CPSA_P_New日常練習試験には52問があります

CPSA_P_New試験資料PCI学習ガイド

質問 # 31
Which of the following statements is true about the facility's non-emergency exits?

  • A. They must be configured to prevent staff tailgating
  • B. They must be contact-alarm monitored only when card production activities are taking place
  • C. They may be left unlocked when a guard is present
  • D. They must be fitted with biometric access-control devices

正解:A

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must ensure that all non-emergency exits are configured to prevent staff tailgating. Tailgating is the act of following someone closely through a door or other entry point without proper authorization. The vendor must use access-control devices, such as turnstiles, mantraps, or biometric readers, to prevent tailgating and unauthorized access or exit. The vendor must also monitor and alarm all non-emergency exits 24/7, and have procedures to respond to any alarms or incidents. The vendor must not leave any non-emergency exits unlocked, even when a guard is present, as this may compromise the security of the facility and the card production andprovisioning materials. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 8-91


質問 # 32
If a vendor plans to terminate an employee, which of these must be done?

  • A. The security manager must be notified in writing prior to termination
  • B. The employee must be escorted from the premises immediately
  • C. The employee's locker and desk must be searched prior to termination
  • D. The Human Resources department must be notified prior to termination

正解:A

解説:
Explanation
According to the PCI Card Production Logical Security Requirements, the vendor must have a formal employee termination process that includes notifying the security manager in writing prior to the termination of any employee who has access to cardholder data or sensitive authentication data. This is to ensure that the security manager can take appropriate actions to revoke the employee's access rights, credentials, and keys, and to prevent any unauthorized use or disclosure of cardholder data or sensitive authentication data by the terminated employee. The vendor must also have a documented policy and procedure for the employee termination process, and must maintain a log of all termination activities. References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.2 PCI Card Production Logical Security Requirements, v2.0, April 2019, page 20, requirement 6.1.3


質問 # 33
Which of the following statements about unsolicited visitors is true?

  • A. They must be registered, their identities confirmed, and must be allocated an escort before entry
  • B. They must be able to prove a legitimate reason for their visit prior to entry
  • C. They must complete an NDA before entry is granted
  • D. They must be turned away

正解:A

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as "individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity". The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information.
The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security. References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
101
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
111


質問 # 34
Who performs regular AQM audits of CPSA companies?

  • A. PCI SSC
  • B. Issuing banks
  • C. Payment brands
  • D. Vendor

正解:A

解説:
Explanation
The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to ensure that they comply with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The AQM audits are conducted by PCI SSC staff or authorized third parties, and may include onsite visits, remote reviews, or both. The AQM audits aim to verify the quality and consistency of the CPSA companies' assessment processes, reports, and documentation, as well as their adherence to the PCI SSC Code of Professional Responsibility. The AQM audits may result in corrective actions, sanctions, or revocation of the CPSA company status, depending on the severity and frequency of the non-compliance issues identified. References:
PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1 PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2


質問 # 35
You wish to check that you are using the most current version of the Card Production requirements. What should you do?

  • A. View it directly via PCI SSC Assessor Portal
  • B. Have the CPSA Company's point of contact request the document
  • C. Download it from PCI SSC's Document Library
  • D. Email a request for the document to PCI SSC

正解:C

解説:
Explanation
The best way to check that you are using the most current version of the Card Production requirements is to download it from PCI SSC's Document Library. The PCI SSC's Document Library is a repository of all the PCI standards, guidelines, and supporting documents that are developed and maintained by the PCI SSC. The Document Library is accessible to the public and provides the latest versions of the documents, as well as the summary of changes and the effective dates. The Document Library also allows you to search, filter, and sort the documents by category, type, date, and keyword. Therefore, by downloading the Card Production requirements from the Document Library, you can ensure that you have the most up-to-date and authoritative version of the requirements. The other options are not the best ways to check the version of the Card Production requirements, as they may not be reliable, efficient, or available. Having the CPSA Company's point of contact request the document may not be feasible, as the point of contact may not have the authority, the access, or the time to do so. Emailing a request for the document to PCI SSC may not be effective, as the PCI SSC may not respond promptly or provide the document in the format that you need. Viewing the document directly via PCI SSC Assessor Portal may not be possible, as the Assessor Portal may not have the latest version of the document or may require a login credential that you do not have. References:
PCI SSC Document Library1
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52


質問 # 36
Which of the following must be used by the vendor to protect doors that provide access to buildings containing air conditioning equipment?

  • A. Security tape that will leave an observable trace each time a door is opened
  • B. Magnetic contacts that are permanently alarmed and that are connected to the security control-room panels
  • C. Physical locks with a limited set of keys under constant supervision by a guard in the security control-room
  • D. Electrical contacts that log each open and close event to a secure system memory

正解:B

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must use magnetic contacts that are permanently alarmed and that are connected to the security control-room panels to protect doors that provide access to buildings containing air conditioning equipment. The vendor must also ensure that the air conditioning equipment is located in a secure area that is not accessible to unauthorized personnel, and that the air conditioning system is monitored and maintained to prevent unauthorized access or tampering. The vendor must also have procedures to respond to any alarms or incidents related to the air conditioning system, and to report them to the relevant parties. The vendor must not use security tape, electrical contacts, or physical locks alone, as these may not provide adequate protection or detection of unauthorized access or tampering. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-221


質問 # 37
If you have a query about a missing field in the card production reporting template, which organization is best-placed to answer it?

  • A. PCI SSC
  • B. The payment brands
  • C. The vendor
  • D. The issuer

正解:A

解説:
Explanation
The PCI SSC is the best-placed organization to answer a query about a missing field in the card production reporting template, as they are the ones who develop and maintain the template and the standards. The card production reporting template is the mandatory template for use in completing a Card Production Report on Compliance (ROC), which provides detail on how to document the findings of a PCI Card Production Assessment. The template is based on the PCI Card Production and Provisioning LogicalSecurity Requirements and the PCI Card Production and Provisioning Physical Security Requirements, which are also developed and maintained by the PCI SSC. Therefore, the PCI SSC has the authority and the expertise to clarify any issues or questions regarding the template and the standards. The other options are not the best sources of information for the query, as they may not have the same level of knowledge or involvement in the template and the standards. References:
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 31 PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52 PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 82


質問 # 38
A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?

  • A. PCI SSC
  • B. Assessor
  • C. Issuing banks
  • D. Payment brands

正解:D

解説:
Explanation
The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by. References:
Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April
2019, page 51
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62


質問 # 39
To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the software monitoring the access-control system must only allow the opening of which door?

  • A. The external facing door
  • B. The last activated door
  • C. The internal facing door
  • D. The least secure door

正解:B

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-191


質問 # 40
Which of these are guards allowed access to?

  • A. Audit logs
  • B. Loading bays
  • C. Physical master keys that provide access to card production or provisioning areas
  • D. HSAs

正解:B

解説:
Explanation
According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they have limited access to card production or provisioning areas, and that they do not have access to HSAs, audit logs, or physical master keys that provide access to card production or provisioning areas. This is to prevent unauthorized access, theft, or misuse of card material or data by the contracted guard service. However, the contracted guard service may have access to loading bays, as long as they are escorted by authorized personnel and do not handle or interfere with card shipments. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section
1.1, Objective 2, Requirement 2.2.1, Page 71


質問 # 41
Which of these is a requirement of the security control room?

  • A. At least one guard must be present at all times
  • B. Access must be controlled by a physical key (in case of power-failure)
  • C. Access must be monitored in real-time
  • D. Dual-control must be used to grant entry

正解:C

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, the security control room is the area where the security systems are monitored and controlled. The requirement for the security control room is that access must be monitoredin real-time by a guard or an automated system that alerts the guard of any unauthorized access attempts. The security control room must also be protected by physical barriers and access control devices that prevent unauthorized entry. The other options are not requirements of the security control room, although they may be implemented as additional security measures. References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
151
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
161


質問 # 42
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?

  • A. PCI SSC
  • B. Assessor
  • C. Issuing banks
  • D. Payment brands

正解:B


質問 # 43
After reviewing their completed ROC and AOC, which state that they are compliant, the vendor wishes to be listed on PCI SSC's list of Compliant Card Vendors. How should you assist them with the listing process?

  • A. Inform the vendor that PCI SSC does not list compliant vendors
  • B. Inform the vendor that they must request a listing via the payment brand(s) that received their ROC
  • C. Submit the full ROC to PCI SSC
  • D. Submit only the AOC to PCI SSC

正解:B

解説:
Explanation
According to the CPSA Program Guide1, PCI SSC does not list compliant card vendors on its website. The PCI SSC only lists the qualified CPSA Companies and CPSA Employees who are authorized to perform PCI Card Production Security Assessments. The PCI SSC also does not receive or review the full ROCs or AOCs from the card vendors or the CPSA Companies. The ROCs and AOCs are submitted by the CPSA Companies to the applicable payment brands that have contracted with the card vendors for card production and provisioning services. The payment brands are responsible for verifying the compliance status of the card vendors and determining whether to list them on their own websites or databases. Therefore, the CPSA Company should inform the vendor that they must request a listing via the payment brand(s) that received their ROC, and that the listing process may vary depending on the payment brand's policies and procedures.
The CPSA Company should also advise the vendor to maintain their compliance with the PCI Card Production Standards and to undergo annual assessments by a qualified CPSA Company.


質問 # 44
During an assessment you walk the perimeter of the building with a guard you find an emergency exit door from the facility and ask the guard what is on the other side. The guard can't remember, and so uses their assigned, secure key to open the door and show you a corridor within the facility. What most concerns you about the situation?

  • A. The guard should not have forgotten where the door leads to
  • B. The guard should have sought permission from their manager before opening the door
  • C. The exit door should not be capable of being opened from the outside
  • D. The exit door should not lead into the facility

正解:C

解説:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, emergency exit doors must be equipped with devices that prevent unauthorized entry from the outside, such as panic bars, crash bars, or push pads. These devices allow the door to be opened from the inside without a key or a code, but prevent the door from being opened from the outside by unauthorized persons. Therefore, the most concerning aspect of the situation is that the exit door can be opened from the outside with a key, which creates a security risk for the facility. The other options are not as concerning, as they do not directly affect the security of the exit door. The exit door can lead into the facility as long as it provides a safe and unobstructed path to the exit discharge. The guard's memory lapse is not a major issue, as long as they follow the proper proceduresand protocols for opening the door. The guard's permission from their manager is not relevant, as long as they have the authority and the responsibility to open the door for inspection purposes. References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
171
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page
181


質問 # 45
Where can misprinted, partially finished cards be shredded?

  • A. Only in the HSA destruction room
  • B. Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room
  • C. In any HSA room approved by the security manager
  • D. Either in the HSA printing room or destruction room

正解:A

解説:
Explanation
According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This is to prevent unauthorized access, theft, or misuse of the cards, which may contain sensitive data or features. The HSA destruction room should have adequate security measures, such as locks, alarms, cameras, etc., to protect the cards until they are shredded. The shredding process should render the cards unusable and unrecognizable, and the shredded material should be disposed of securely. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111


質問 # 46
A card production vendor employs a contracted guard service from an outside source. What is one of the responsibilities of the contracted service?

  • A. Undergo their own Card Production assessment and provide evidence of a passing result
  • B. Maintain their own liability insurance in case of losses to card material
  • C. Register their service with the VPA
  • D. Provide only certified guards

正解:B

解説:
Explanation
According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they maintain their own liability insurance in case of losses to card material. This is to protect the card production vendor from any financial losses or damages caused by the contracted guard service, such as negligence,theft, or misuse of card material. The contracted guard service should also comply with the vendor's security policies and procedures, and undergo background checks and security training. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 71


質問 # 47
Which of the following personnel changes must result in the vendor notifying the Vendor Program Administration (VPA)?

  • A. Promoting someone to senior management level
  • B. Any change to a role that directly affects the security of card products and related components
  • C. Adding additional rights to someone's role to give them access to the mam production vault
  • D. Hiring someone that will directly interact with the card issuers

正解:B

解説:
Explanation
According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to notify the VPA of any changes to the roles of CPSA Employees or other personnel that directly affect the security of card products and related components. This is to ensure that the CPSA Company maintains the quality and integrity of the CPSA Program and the PCI Card Production Security Standards. The VPA should be notified within 10 business days of the change, and the CPSA Company should provide evidence of the qualifications and training of theaffected personnel. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.3, Page 121


質問 # 48
Which of the follow best describes a Technical FAQ?

  • A. Use of the Technical FAQs is mandatory, they shall be used during an assessment
  • B. Technical FAQs only apply to the specific technology as the FAQ defines it
  • C. Technical FAQs can be submitted to PCI SSC at any time
  • D. Use of the Technical FAQs is optional, they are considered guidance

正解:D

解説:
Explanation
According to the PCI CPSA Qualification Requirements, Technical FAQs are documents that provide guidance on specific technical topics related to the PCI Card Production Security Standards. Technical FAQs are not mandatory, but they are recommended to be used by CPSA Companies and CPSA Employees during the card production assessment process. Technical FAQs are intended to help clarify the intent and applicability of the PCI Card Production Security Requirements, and to provide examples and best practices for achieving compliance. Technical FAQs are published by the PCI SSC on its website, and are updated periodically based on feedback from the card production industry and the payment brands. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 4.2, Page 81


質問 # 49
John works for ACME Inc Personalizers. an organization that personalizes payment cards as well as printing the corresponding PIN mailers for distribution directly to the cardholder. Which of the following statements is true?

  • A. If John is involved in PIN printing, then he must never be involved in the card shipment process
  • B. If John is involved in card personalization, then he must never be involved in PIN printing
  • C. If John is involved in card personalization then he must not be involved in the printing of the corresponding PINs
  • D. If John is involved in card personalization, then he must never be involved in the card shipment process

正解:B

解説:
Explanation
According to the PCI Card Production and Provisioning - Logical Security Requirements, there must be a clear segregation of duties between the staff involved in different card production and provisioning activities, such as card personalization, PIN generation and printing, and card fulfillment. This is to prevent any unauthorized access, modification, or disclosure of sensitive cardholder data and to ensure the integrity and confidentiality of the card production process. Therefore, if John is involved in card personalization, which is the process of transferring cardholder information to a payment card, then he must never be involved in PIN printing, which is the process of printing the personal identification number associated with the cardholder account on a mailer. This way, John cannot link the cardholder data on the card with the PIN on the mailer, and cannot compromise the security of the cardholder authentication. The other statements are not true, as there is no requirement that prohibits John from being involved in the card shipment process, as long as he does not have access to both the card and the PIN mailer at the same time. References:
Payment Card Industry (PCI) Card Production and Provisioning - Logical Security Requirements, Section 2.1.1 and 2.1.2 Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization and PIN Printing


質問 # 50
......

有効な問題最新版を試そうCPSA_P_Newテスト解釈CPSA_P_New有効な試験ガイド:https://jp.fast2test.com/CPSA_P_New-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어