pci cpsa practice test

A CPSA Company has submitted multiple reports that are incomplete and do not contain the
information described in the reporting instructions. Which of the following are possible outcomes?

• A. They may be put into remediation or revoked by the applicable payment brands
• B. They may be put into remediation or revoked by PCI SSC
• C. They may be fined by the applicable payment brands
• D. They may be fined by PCI SSC

Where can misprinted, partially finished cards be shredded?

• A. In any HSA room approved by the security manager
• B. Either in the HSA printing room or destruction room
• C. Only in the HSA destruction room
• D. Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room

A vendor is unsure which forms are needed to complete an assessment. Who should they ask?

• A. Assessor
• B. Issuing banks
• C. Payment brands
• D. PCI SSC

During an assessment you do a walk-through of bringing card products into the HSA using the goods-
tools trap. You act as production staff, using an empty cardboard box as the card products. During the
process, the guard escorts you, along with the box, into the pre-press room. What is your conclusion?

• A. Compliant, because the guard escorted you
• B. Compliant, because the guard ensured that the card product remained under dual control
• C. Not compliant, because an inventory of the card product did not take place prior to entry
• D. Not compliant, because the guard escorted you

Under which circumstances may boxes containing card stock remain unsealed within the vault?

• A. Where stock from those boxes will be pulled multiple times per day
• B. Where the stock from those boxes will be pulled once at the beginning of production
• C. Always, as long as an accurate inventory is being maintained
• D. This is never permitted

John works for ACME Inc Personalizers. an organization that personalizes payment cards as well as
printing the corresponding PIN mailers for distribution directly to the cardholder. Which of the
following statements is true?

• A. If John is involved in card personalization then he must not be involved in the printing of the corresponding PINs
• B. If John is involved in card personalization, then he must never be involved in the card shipment process
• C. If John is involved in card personalization, then he must never be involved in PIN printing
• D. If John is involved in PIN printing, then he must never be involved in the card shipment process

A card production vendor employs a contracted guard service from an outside source. What is one of
the responsibilities of the contracted service?

• A. Provide only certified guards
• B. Register their service with the VPA
• C. Maintain their own liability insurance in case of losses to card material
• D. Undergo their own Card Production assessment and provide evidence of a passing result

For how long must a CPSA Company maintain workpapers and technical information obtained during
an assessment?

• A. Until each applicable payment brand has accepted (and signed off) the ROC and AOC
• B. As long as the entity under assessment is a client of the CPSA Company
• C. 3 years
• D. 1 year

Which document describes the results of an assessment, and is signed by both the assessor and the
vendor executive officer?

• A. Security Assessment Questionnaire (SAQ)
• B. Attestation of Compliance (AOC)
• C. Report on Compliance (ROC)
• D. Letter of Approval (LOA)

To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the
software monitoring the access-control system must only allow the opening of which door?

• A. The external facing door
• B. The internal facing door
• C. The last activated door
• D. The least secure door