A.  

A clear segregation of duties is maintained between production staff and guards

B.  

A clear segregation of duties is maintained between guard and reception related job functions

C.  

There is always at least one guard on-site, including outside of working hours, to monitor security systems and premises

D.  

There is always at least one guard in the HSA and one guard in the security control room at all times

A.  

If John is involved in card personalization then he must not be involved in the printing of the corresponding PINs

B.  

If John is involved in card personalization, then he must never be involved in the card shipment process

C.  

If John is involved in card personalization, then he must never be involved in PIN printing

D.  

If John is involved in PIN printing, then he must never be involved in the card shipment process

A.  

Within the Security Control Room (SCR)

B.  

Within a room in the HSA with security controls equivalent to the SCR applied

C.  

Within the SCR or a room with equivalent security

D.  

Within the secure server room inside of the HSA

A.  

Each visitor entering the facility must be issued and must visibly wear a disposable ID badge that identifies them as a non-employee

B.  

Each visitor entering the facility must wear their issued access badge above waist height

C.  

Badges with access-controls must not be issued to visitors

D.  

Unissued visitor access badges must be securely stored

A.  

Only when an unauthorised badge is presented

B.  

Only when the person has successfully completed the access cycle

C.  

Upon initial entry of the person into the device, prior to completion of the access cycle

D.  

Upon initial presentation of an authorised badge, prior to completion of the access cycle

A.  

An immediate call is made to the issuer and the VPA who, between them, contact law enforcement and put together a joint statement

B.  

The head of security initiates a meeting, and once the VPA approves the messaging, law enforcement is notified in two days

C.  

A report is requested by the issuer, the vendor sends it to them, and the issuer handles the incident with the local police

D.  

After an incident review, the VPA, issuer and law enforcement are all notified within 24 hours

A.  

They may be put into remediation or revoked by the applicable payment brands

B.  

They may be put into remediation or revoked by PCI SSC

C.  

They may be fined by the applicable payment brands

D.  

They may be fined by PCI SSC