Questions for the CPSA were updated on : Nov 21 ,2025
Page 1 out of 4. Viewing questions 1-15 out of 50
Question 1
A cardholder wants to make purchases using their phone, so they have their cardholder information programmed into their SIM card using their mobile phone provider. Which of the following best describes this system?
A. Card personalization
B. Host Card Emulation (HCE) provisioning
C. Secure Element (SE) provisioning
D. Over-the-air (OTA) provisioning
Answer:
B
Question 2
In relation to guards, which of the following must the vendor ensure?
A. A clear segregation of duties is maintained between production staff and guards
B. A clear segregation of duties is maintained between guard and reception related job functions
C. There is always at least one guard on-site, including outside of working hours, to monitor security systems and premises
D. There is always at least one guard in the HSA and one guard in the security control room at all times
Answer:
C
Question 3
You wish to check that you are using the most current version of the Card Production requirements. What should you do?
A. Have the CPSA Company’s point of contact request the document
B. Download it from PCI SSC’s Document Library
C. Email a request for the document to PCI SSC
D. View it directly via PCI SSC Assessor Portal
Answer:
B
Question 4
Which of these are guards allowed access to?
A. HSAs
B. Audit logs
C. Loading bays
D. Physical master keys that provide access to card production or provisioning areas
Question 5
A vendor's HSA access is enforced by a security turnstile with a logical access-control system that enforces anti-passback. The device is functioning correctly. When must the access status change?
A. Only when an unauthorised badge is presented
B. Only when the person has successfully completed the access cycle
C. Upon initial entry of the person into the device, prior to completion of the access cycle
D. Upon initial presentation of an authorised badge, prior to completion of the access cycle
Answer:
D
Question 6
How frequently must alarms on external doors of a card production and provisioning vendor environment be tested?
A. Every day
B. Every week
C. Every month
D. Every 3 months
Answer:
D
Question 7
A vendor hosts virtual secure elements holding cardholder information in their data center. When a cardholder makes a purchase, the vendor creates a payment token which is sent to the cardholder’s mobile device. Which of the following best describes the vendor’s activities?
A. Card personalization
B. Host Card Emulation (HCE) provisioning
C. Secure Element (SE) provisioning
D. Over-the-air (OTA) provisioning
Answer:
C
Question 8
If you have a query about a missing field in the card production reporting template, which organization is best-placed to answer it?
A. The payment brands
B. The vendor
C. The issuer
D. PCI SSC
Answer:
C
Question 9
Which of the following best describes a Technical FAQ?
A. Technical FAQs only apply to the specific technology as the FAQ defines it
B. Technical FAQs can be submitted to PCI SSC at any time
C. Use of the Technical FAQs is mandatory, they shall be used during an assessment
D. Use of the Technical FAQs is optional, they are considered guidance
Answer:
D
Question 10
A vendor has a list of pre-approved third parties which may be granted access to the facility. Under what circumstances can other third-parties be granted access?
A. None, only people on the pre-approved list may enter
B. When they are approved by the physical security manager or senior management
C. When the third party's liability insurance covers the risk
D. When no card production activities are taking place
Answer:
B
Question 11
Which of the following security awareness measures is required for compliance?
A. Annual training on common attack methods
B. Annual training on use of mantraps
C. Security awareness exams for all personnel
D. Security posters must be placed in the facility
Answer:
C
Question 12
The receptionist responsible for the entrance and departure of visitors must have which of the following?
A. A shredder for the destruction of disposable visitor badges
B. A constant, open communication channel with a guard
C. An unobstructed view of the reception area at all times
D. A means of communicating directly with the visitor while on the premises
Answer:
C
Question 13
Which of the following principles must be enforced by the HSA access control system?
A. Dual control
B. Dual presence
C. Dual control and dual presence
D. Dual guard entry when required
Answer:
C
Question 14
Before you go on-site, the vendor’s primary contact communicates a legitimate reason for delaying the assessment for several months. Who can approve the change in the report delivery schedule?
A. Vendor senior management
B. Payment brands
C. Affected issuers
D. PCI SSC
Answer:
D
Question 15
In which of the following locations must the CCTV and access control servers be located?
A. Within the Security Control Room (SCR)
B. Within a room in the HSA with security controls equivalent to the SCR applied
C. Within the SCR or a room with equivalent security
D. Within the secure server room inside of the HSA