Card Production and Provisioning Security Standard V 3.0

PCI Card Production and Provisioning Security Requirements helps payment card vendors to secure the components and sensitive data involved in the payment cards’ production and provisioning.

Card production includes card manufacturing; magnetic-stripe card encoding and embossing; card personalization; chip initializing, embedding, and personalization; card storing; shipping and mailing. This standard also provides protection against fraud via the compromise of card materials.

Provisioning is the process of adding cardholder account information to a device via an over-the-air or over-the-internet communication channel.

The Payment Card Industry Security Standards Council (‘PCI SSC’) released, on 13 January 2022, the PCI Card Production and Provisioning Security Requirements version 3.0 updates.

Version 3.0 updates include an appendix for the use of a Security Operations Center (SOC) to control Security Management Systems to protect buildings, assets, access, and staff. Additionally, there are new requirements related to using rail freight for secure transport of card products and added criteria for transport to and from sea and air freight facilities when those modes of transport are used.

In addition, the PSI SSC Senior Vice President, Standards Officer, Emma Sutcliffe, stated that “the updates to the Card Production and Provisioning Security Requirements are intended to meet the security and business needs of card vendor environments while protecting these environments from evolving threats and increasing security across the payment chain. These updates will help card vendors secure the card production process from design all the way through delivery.”

As such, the updates include:

  • the PCI Card Production and Provisioning Logical Security Requirements and Test Procedures version 3.0 that highlights the scope and establishes minimum security levels with which vendors must comply for magnetic-stripe encoding and chip personalization; and
  • the PCI Card Production and Provisioning Physical Security Requirements and Test Procedures version 3.0 that specifies the physical security requirements and procedures that entities must follow before, during, and after the card production and provisioning process.

While the Card Production and Provisioning Security Requirements are maintained by the PCI SSC, compliance is directly managed by the payment brands. Card vendors are encouraged to work with the individual payment brands to confirm timing for performance of security reviews against the PCI Card Production and Provisioning Security Requirements v3.0.

The table below provides an overview of the types of changes included in Version 3.0. Sections 1 and 2 on the following pages provide summaries of material changes to be found in both the Physical and Logical Security Requirements documents.

 

Change Types

 

Change TypeDefinition
Additional GuidanceExplanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Requirement ChangeTo reflect the addition or modification or deletion of requirements.

 

Section 1: Summary of Changes to Physical Security Requirements

 

ReferenceChange to Physical Security RequirementsType
GeneralAdded Test Procedures to document.Additional

Guidance

GeneralRenumbered requirements from 2 through 6 to 1 through 5.Additional

Guidance

GeneralReplaced term, “employee,” throughout document with “personnel,” “individual,” “card production staff,” or “consultant” as applicable.Additional

Guidance

GeneralChanged badge system to access-control system throughout.Requirement

Change

Requirement 1 – Roles and Responsibilities
1.1.1

Vendor Roles

Defined roles that must be filled by employees of vendor.Requirement

Change

1.1.6

Security Communication and Training

Clarified that information concerning security at vendor facilities can be done via posters, notices, or electronic medium.Requirement

Change

1.2.1.1

Prescreening

Allow that, for contracted guards, evidence of prescreening requirements may alternatively be provided by the guarding company, by copies of licenses, etc.; however, the vendor must collect and retain this evidence.

Allow that vendors may use their own insurance policies to provide suitable liability coverage for contracted guard services.

Requirement

Change

1.2.2

Roles and

Responsibilities

Clarified responses for unauthorized access attempts using language from previously published FAQ.Requirement

Change

Requirement 2 – Premises
2.1.3

External Walls, Doors, and Windows

Specified criteria for openings in external wall and that HSA

windows must be non-openable.

Requirement

Change

2.3.2.1

Location and Security

Protection

Specified that Security Control Room windows must be non- openable.Requirement

Change

2.3.4.1

Access Control

Allow for use of audible alarms.

Specified that access-control server must be located in the same facility.

Requirement

Change

2.3.4.3

Transfer of Physical

Material

Added shipping and delivery area to good-tools trap and redefined as a requirement regarding transfer of materials between different HSAs within the same facility.

 

Clarified that the above applies to physical materials.

Requirement

Change

2.3.4.4

Security Controls

Clarified that the requirement for bullet-resistant glass or iron bars applies to windows on the exterior wall or door of the building.Requirement

Change

2.3.5.6

Vault

Added EN 1143-1 Secure storage units – Requirements, classification, and methods of test for resistance to burglary – Part 1: Safes, ATM safes, strongroom doors, and strongrooms: Grade 6 or higher may be used as equivalent to UL 608 Class1

Burglary Certification.

Requirement

Change

2.3.6.2

Shipping and Delivery Areas

Changed log retention from permanent to two years where it is necessary to liberate a person inside the room.Requirement

Change

2.3.6.2

Shipping and Delivery Areas

Clarified outer room requirements for existing vs. new facilities.Additional

Guidance

2.4.1

Alarm Systems

Clarified that codes must be deactivated upon termination of any card production staff with knowledge of the code, and that only guards and security team members should have such knowledge.Requirement

Change

2.4.2

Badge administration

Modified badge to access-control system throughout.Requirement

Change

2.4.2.1

Identification Badges

Modified to include lanyards.Requirement

Change

2.4.3

Badge-Access System

Stipulate that for multiple buildings within the same facility, a single central location for a badge-access system can administer all buildings and the conditions for use of a public or private network.Requirement

Change

2.4.3.3

Remote-access Controls

New section using pre-existing requirements.Additional

Guidance

2.4.8.1

Semi-Annual Inspections

Specified that testing must also occur in addition to inspection for all security devices and hardware.Requirement

Change

2.4.8.2

Battery Testing

Clarified battery testing criteria.Requirement

Change

Requirement 3 Production Procedures and Audit Trails
3.7.1.2

Log Review

Specified that all logs in this document must be retained for a minimum of two years unless otherwise stated.Requirement

Change

3.8.4

Thermal Transfer Foil

Added section to address thermal ribbon.Requirement

Change

Requirement 4 – Packaging and Delivery Requirements
4Modified stipulations for courier delivery. Updated Terminology for consistency.Requirement

Change

4.5

Delivery Requirements

Specified additional criteria.Requirement

Change

4.5.1

Card Mailing

Clarified envelope criteria and use of presort facilities. Added criteria for transfer to the mail facility.Requirement

Change

4.5.2

Courier Service

Specified additional criteria for unpersonalized bulk cards.Requirement

Change

4.5.3.1

Unarmored Vehicle

Aligned language with additions added to Air and Sea Freight.Requirement

Change

4.5.3.3

Air Freight

Added transport requirements for to and from air terminal.Requirement

Change

4.5.3.4

Sea Freight

Added transport requirements for to and from the port facility.Requirement

Change

4.5.3.5

Rail Freight

Added new section for Rail Freight.Requirement

Change

 

 

ReferenceChange to Physical Security RequirementsType
Appendix B: Logical Security Requirements – CCTV and Access-Control System (ACS) Administration
B.1

User Management

Specified minimum capabilities for CCTV and access-control system upgrades.

Clarified remote administrative access exception if used in conjunction with an approved SOC.

Added password length requirement exception where system does not support.

Requirement

Change

B.2.2

Characteristics and

Usage

Systems enforce password lengths of at least 12 characters or an equivalent strength.Requirement

Change

Appendix C
Appendix CNew Section, “Security Operations Center”Requirement

Change

Glossary
GlossaryAdded glossary definitions for: Card Production Staff, Dual Control, Facility, Participating Payment Brand and Public Network.Additional

Guidance

 

Section 2: Summary of Changes to Logical Security Requirements

 

ReferenceChange to Logical Security RequirementsType
GeneralAdded Test Procedures to document.Additional

Guidance

GeneralRenumbered requirements from 2 through 10 to 1 through 9.Additional

Guidance

GeneralReplaced term “employee” throughout document with

“personnel” or “card production staff” as applicable.

Additional

Guidance

GeneralAdded FIPS 140-3 to wherever 140-2 is required.Requirement

Change

GeneralChanged badge system to access-control system throughout.Requirement

Change

 Requirement 1 – Roles and Responsibilities
1.2

Assignment of Security

 

 

 

Duties

Specified that the back-up CISO and the IT Security

Manager must be employees of the vendor.

Requirement

Change

Requirement 2 – Security Policy and Procedures
2.1

Information Security Policy

Clarified that the information security policy must be disseminated to all relevant personnel (including vendors and business partners).Requirement

Change

Requirement 3 – Data Security
3.4

Transmission of Cardholder Data

Clarified that preauthorized sources are defined and documented.Requirement

Change

Requirement 4 – Network Security
 

4.2

General Requirements

Clarified that diagrams for the flow of cardholder and cloud-based provisioning data within the environment from its receipt/generation to end of its lifecycle must be kept current.

Added that diagrams of the flow of cardholder and cloud- based provisioning data within the environment from its receipt/generation to end of its lifecycle must be reviewed for accuracy at least every 12 months.

Requirement

Change

4.6.1

Connection Conditions

Clarified access from outside the facility to the badge physical access-control system exception if used in conjunction with an approved SOC.Requirement

Change

4.8.2

Penetration

Clarified the use of Common Vulnerability Scoring.Requirement

Change

Requirement 6 – User Management and System Access Control
6.1

User Management

Added additional criteria for multi-factor authentication. Added password length requirement exception where

system does not support.

Requirement

Change

6.2.2

Characteristics and

Usage

Changed to requiring 12-character password minimums from 8 characters. Exception if the operating system does not support twelve characters then using the maximum

the system supports, but never less than a minimum

length of eight characters.

Requirement

Change

Requirement 7 – Key Management: Secret Data
7.4.2

Key Manager

 

Specified that deputy key manager must be an employee.

 

Requirement

Change

7.7

Key Loading

 

Clarified roles of key custodians and key manager for key loading.

 

Requirement

Change

Requirement 9 PIN Distribution via Electronic Methods
8.1

General Principles

Added criteria for generating keys and key components using a random or pseudo-random process.Requirement

Change

Normative Annex A
Minimum and Equivalent Key Sizes and Strengths for Approved AlgorithmsUpdated consistent with other standards. Added EdDSA as an approved algorithm.Additional

Guidance

 

ReferenceChange to Logical Security RequirementsType
Glossary of Acronyms and Terms
Glossary of Acronyms and TermsAdded glossary definitions for: Card Production Staff, Facility, Media, Multi-factor authentication, Non-console Access, Participating Payment Brand, Private Network, Public Network, and Topology Diagram; and clarified Remote Access.Additional

Guidance

 

Post a Comment