Card Production Security Assessor (CPSA) Qualification Exam
Last exam update: Nov 18 ,2025
Page 1 out of 4. Viewing questions 1-15 out of 50
Question 1
A vendor puts cardholder information into a chip by sliding a payment card through a machine that programs it and verifies the dat a. The chip can make contactless transactions. Which of the following best describes the vendor’s activity?
You are driving to a vendor for their first assessment. The facility is in a rural area, twenty miles away from the nearest large town. What most concerns you about the location?
A.
The local fire service may not be able to reach the facility within 15 minutes
B.
Law enforcement services may not be able to reach the facility in a timely manner
C.
Power blackouts may affect security systems
D.
There may not be adequate retail outlets, which may cause problems when sourcing lunch items for onsite personnel
Answer:
B
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 3
A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?
A.
PCI SSC
B.
Assessor
C.
Issuing banks
D.
Payment brands
Answer:
B
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 4
A vendor receives cardholder information and keys from a bank. The vendor then performs the following: * Uses its HSM to create keys * Creates cardholder information specific to each cardholder, including name and PAN * Formats the data for the hardware that will put it on a card * Writes it to an encrypted file Which of the following best describes this process?
A.
Data creation
B.
Data preparation
C.
Manufacture
D.
Pre-personalization
Answer:
D
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 5
An assessor must provide which of the following to their client at the start of every assessment?
When must HSA motion detectors generate an alarm event?
A.
Each time movement is detected
B.
Each time movement is detected outside of regular business hours
C.
Each time movement is detected and the access-control system indicates the room is occupied
D.
Each time movement is detected and the access-control system indicates the room is not occupied
Answer:
D
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 8
Which of these is a requirement of the security control room?
A.
Access must be controlled by a physical key (in case of power-failure)
B.
Access must be monitored in real-time
C.
At least one guard must be present at all times
D.
Dual-control must be used to grant entry
Answer:
D
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 9
During an assessment you ask to see employee records for employees with access to the HS
A.
Employee information, including background checks, must be stored for at least seven years
B.
Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)
C.
The vendor must retain the background information for at least 18 months after termination of contract
D.
The vendor must only retain background information for all current employees, not for those that have been terminated
Answer:
A
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 10
The vendor's technical documentation shows that the alarm system does not send alerts to the security control room. After a discussion you learn that the alarm works perfectly, and sends a clear signal to summon the local police every time an emergency exit is opened. Why might this cause a problem for their assessment?
A.
If the local police have not been issued with an exterior key. they will not be able to investigate the cause of the alarm and reset it
B.
During working hours, the alarm should be managed in the security control room, or by a central monitoring service
C.
If the local police receive too many false-positive alerts, they may not respond within 15 minutes of the alarm
D.
During busy times, the local police may not be able to respond
Answer:
C
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 11
A CPSA Company has submitted multiple reports that are incomplete and do not contain the information described in the reporting instructions. Which of the following are possible outcomes?
A.
They may be put into remediation or revoked by the applicable payment brands
B.
They may be put into remediation or revoked by PCI SSC
C.
They may be fined by the applicable payment brands
D.
They may be fined by PCI SSC
Answer:
A
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 12
Where can misprinted, partially finished cards be shredded?
A.
In any HSA room approved by the security manager
B.
Either in the HSA printing room or destruction room
C.
Only in the HSA destruction room
D.
Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room
Answer:
D
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 13
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?
A.
Assessor
B.
Issuing banks
C.
Payment brands
D.
PCI SSC
Answer:
D
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 14
During an assessment you do a walk-through of bringing card products into the HSA using the goods- tools trap. You act as production staff, using an empty cardboard box as the card products. During the process, the guard escorts you, along with the box, into the pre-press room. What is your conclusion?
A.
Compliant, because the guard escorted you
B.
Compliant, because the guard ensured that the card product remained under dual control
C.
Not compliant, because an inventory of the card product did not take place prior to entry
D.
Not compliant, because the guard escorted you
Answer:
B
User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
0/ 1000
Question 15
Under which circumstances may boxes containing card stock remain unsealed within the vault?
A.
Where stock from those boxes will be pulled multiple times per day
B.
Where the stock from those boxes will be pulled once at the beginning of production
C.
Always, as long as an accurate inventory is being maintained