A vendor discovers that a recent shipment of cards is missing a set. Which of the following responses would you expect in a compliant organization?
Correct Answer: D
Explanation: According to the PCI Card Production Physical Security Requirements, one of the security controls for card shipment is to ensure that the vendor has an incident response plan in place to handle any card shipment incident, such as loss, theft, or tampering. The incident response plan should include the following steps:
The vendor should conduct an incident review to determine the cause and scope of the incident, and document the findings and actions taken.
The vendor should notify the VPA, the issuer, and law enforcement of the incident within 24 hours of discovery, or as soon as possible.
The vendor should cooperate with the VPA, the issuer, and law enforcement in the investigation and resolution of the incident, and provide any evidence or information requested.
The vendor should implement corrective actions to prevent recurrence of the incident, and report the results to the VPA and the issuer.
Therefore, the response that best reflects a compliant organization is option D, which follows the steps of the incident response plan required by the PCI Card Production Physical Security Requirements.
References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 6, Requirement 6.2, Page 13
Question 7
In relation to guards, which of the following must the vendor ensure?
Correct Answer: B
Explanation: According to the PCI Card Production Physical Security Requirements, the vendor must ensure that a clear segregation of duties is maintained between guard and reception related job functions. This is to prevent any conflict of interest or collusion that could compromise the security of the card production and provisioning processes or the cardholder data. The vendor must also ensure that the guards are adequately trained, supervised, and evaluated, and that they follow the security policies and procedures established by the vendor. The vendor must also have a documented policy and procedure for the selection, hiring, and termination of guards, and must maintain a log of all guard activities.
References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 24, requirement 6.1.1
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 25, requirement 6.1.2
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 26, requirement 6.1.3
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 27, requirement 6.1.4
Question 8
John works for ACME Inc Personalizers, an organization that personalizes payment cards as well as printing the corresponding PIN mailers for distribution directly to the cardholder. Which of the following statements is true?
Correct Answer: C
Explanation: According to the PCI Card Production and Provisioning - Logical Security Requirements, there must be a clear segregation of duties between the staff involved in different card production and provisioning activities, such as card personalization, PIN generation and printing, and card fulfillment. This is to prevent any unauthorized access, modification, or disclosure of sensitive cardholder data and to ensure the integrity and confidentiality of the card production process. Therefore, if John is involved in card personalization, which is the process of transferring cardholder information to a payment card, then he must never be involved in PIN printing, which is the process of printing the personal identification number associated with the cardholder account on a mailer. This way, John cannot link the cardholder data on the card with the PIN on the mailer, and cannot compromise the security of the cardholder authentication. The other statements are not true, as there is no requirement that prohibits John from being involved in the card shipment process, as long as he does not have access to both the card and the PIN mailer at the same time.
References:
Payment Card Industry (PCI) Card Production and Provisioning - Logical Security Requirements, Sections 2.1.1 and 2.1.2
Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization and PIN Printing
Question 9
To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the software monitoring the access-control system must only allow the opening of which door?
Correct Answer: C
Explanation: According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. To liberate a person detected inside the inner shipping delivery room and stop the alarm, the access-control system must only allow the opening of the last activated door. This is to prevent unauthorized access to or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time.
References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-19
Question 10
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?