A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?
- A . PCI SSC
- B . Assessor
- C . Issuing banks
- D . Payment brands
The receptionist responsible for the entrance and departure of visitors must have which of the following?
- A . A shredder for the destruction of disposable visitor badges
- B . A constant, open communication channel with a guard
- C . An unobstructed view of the reception area at all times
- D . A means of communicating directly with the visitor while on the premises
Who performs regular AQM audits of CPSA companies?
- A . Issuing banks
- B . Payment brands
- C . PCI SSC
- D . Vendor
How frequently must alarms on external doors of a card production and provisioning vendor environment be tested?
- A . Every day
- B . Every week
- C . Every month
- D . Every 3 months
John works for ACME Inc Personalizers. an organization that personalizes payment cards as well as printing the corresponding PIN mailers for distribution directly to the cardholder.
Which of the following statements is true?
- A . If John is involved in card personalization then he must not be involved in the printing of the corresponding PINs
- B . If John is involved in card personalization, then he must never be involved in the card shipment process
- C . If John is involved in card personalization, then he must never be involved in PIN printing
- D . If John is involved in PIN printing, then he must never be involved in the card shipment process
A cardholder wants to make purchases using their phone, so they have their cardholder information programmed into their SIM card using their mobile phone provider.
Which of the following best describes this system?
- A . Card personalization
- B . Host Card Emulation (HCE) provisioning
- C . Secure Element (SE) provisioning
- D . Over-the-air (OTA) provisioning
A vendor discovers that a recent shipment of cards is missing a set.
Which of the following responses would you expect in a compliant organization?
- A . An immediate call is made to the issuer and the VPA who, between them, contact law enforcement and put together a joint statement
- B . The head of security initiates a meeting, and once the VPA approves the messaging, law enforcement is notified in two days
- C . A report is requested by the issuer, the vendor sends it to them, and the issuer handles the incident with the local police
- D . After an incident review, the VPA, issuer and law enforcement are all notified within 24 hours
Before you go on-site, the vendor’s primary contact communicates a legitimate reason for delaying the assessment for several months.
Who can approve the change in the report delivery schedule?
- A . Vendor senior management
- B . Payment brands
- C . Affected issuers
- D . PCI SSC
Which of these are guards allowed access to?
- A . HSAs
- B . Audit logs
- C . Loading bays
- D . Physical master keys that provide access to card production or provisioning areas
C
Explanation:
Guards are allowed access to loading bays to maintain security at the facility. They should not have access to HSAs (High-Security Areas), audit logs, or physical master keys that provide access to card production or provisioning areas, as this could pose a security risk.
Where can misprinted, partially finished cards be shredded?
- A . In any HSA room approved by the security manager
- B . Either in the HSA printing room or destruction room
- C . Only in the HSA destruction room
- D . Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room
If a vendor plans to terminate an employee, which of these must be done?
- A . The employee must be escorted from the premises immediately
- B . The employee’s locker and desk must be searched prior to termination
- C . The Human Resources department must be notified prior to termination
- D . The security manager must be notified in writing prior to termination
D
Explanation:
When a vendor plans to terminate an employee, the security manager must be notified in writing before the termination. This ensures that the security manager can take appropriate actions to revoke the employee’s access and maintain the security of the facility.
Which of the following statements about unsolicited visitors is true?
- A . They must be turned away
- B . They must complete an NDA before entry is granted
- C . They must be able to prove a legitimate reason for their visit prior to entry
- D . They must be registered, their identities confirmed, and must be allocated an escort before entry
Which of these is a requirement of the security control room?
- A . Access must be controlled by a physical key (in case of power-failure)
- B . Access must be monitored in real-time
- C . At least one guard must be present at all times
- D . Dual-control must be used to grant entry
In which of the following locations must the CCTV and access control servers be located?
- A . Within the Security Control Room (SCR)
- B . Within a room in the HSA with security controls equivalent to the SCR applied
- C . Within the SCR or a room with equivalent security
- D . Within the secure server room inside of the HSA
To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the software monitoring the access-control system must only allow the opening of which door?
- A . The external facing door
- B . The internal facing door
- C . The last activated door
- D . The least secure door