<img alt="" src="https://secure.meet3monk.com/215363.png" style="display:none;">

Supporting PCI CPP compliance with a comprehensive new framework

At Advantio we spend a great deal of our time advising and helping clients to meet the near-ubiquitous PCI DSS standard for card data protection. Less well-known throughout industry is the PCI standard governing vendors that manufacture and personalize the payment cards themselves, or provision payment information onto them or devices over-the-air.

This is the PCI CPP standard: a rigorous set of controls that applies to any company involved in card manufacturing, personalization, packaging, shipping, and many other processes. The standard is known with the names of PCI DSS Logical and Physical Requirements for Cards Production and we’ll refer to it as PCI CPP for simplicity.

The good news is Advantio has leveraged its experience in managing these environments directly to produce a new framework for streamlined governance and compliance.

What is PCI CPP?

PCI CPP is a detailed and technically complex undertaking, even by PCI standards. It includes:

Logical controls that cover IT assets such as servers, computers, and every electronic device inside the High-Security Area (HSA) perimeter. The HSA defines the card production environment. Everything outside is considered “external.” Some specific requirements include:

  • A DMZ with physical firewalls protecting network segments
  • You can only push data into the DMZ and all files must be reviewed and justified as being there by a PCI auditor
  • Approved devices to encrypt or decrypt card data. 
  • Schemas illustrating data flows, processes, and logical paths
  • Rigid change control processes
  • Precise patch management procedures

Physical controls must also be in place such as separate racks for servers, firewalls, and encryption devices—all of which must be under CCTV surveillance and accessible under dual access control. Other requirements include:

  • Two people to be present at all times for the execution of many processes
  • Inventory of all assets
  • Tamper-proofing for every cable and device
  • HSA walls to be built as per precise industry standards  
  • A staffed, 24-hour guard room

Assigned roles are also important. They must include:

  • A CISO with responsibility for certification
  • A precise hierarchy of personnel to govern the HSA

Why Advantio?

Documentation for PCI CPP is mandatory and must be provided to auditors on request. Given the complexity of compliance, expert third-party assistance is advised. That’s because even a small mistake could be costly—ie non-compliant HSMs and firewalls. 

Advantio has taken its subject matter expertise in managing these card production environments and developed a framework to help your business. It’s a collection of documentation, processes, procedures, and technologies, which together covers the whole PCI card production IT and Security governance stack. Where possible, we’ve automated to reduce the compliance burden further.

With Advantio, you get the benefit of proven expertise in PCI CPP compliance—delivered in a manner designed to reduce ongoing resource and cost overheads.

Advantio_CTA_PCICPP_V1.0

 

Column Header Text Column Header Text Column Header Text

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving
  • Their work should have not stopped there because achieving

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.

Performing a review of the media inventories at least annually

Performing a review of the media inventories at least annually

Performing a review of the media inventories at least annually

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Row Header Text

Lorem ipsum dolor sit

Lorem ipsum dolor sit

23

Discover More

Advantio_Blog_DNS_Diagram_V1 Image caption goes here. This is HTML text.

I am the CTO, Senior Security Consultant, and PCI QSA since 2010 at Advantio.

Having executed close to a hundred (and counting) assessments across Europe, Asia, South Africa, and North America, I was able to observe many different implementations of all classic security controls and much more.

Now I spend much of my time with cloud technologies. Being passionate about cloud security and cloud resources management, my researches focuses on the implementation of streamlined and scalable processes in the field of Threats Management for cloud-based ecosystems.

At Advantio, I am also part of the ZeroRisk team. Our vision is to make security and compliance simpler for our users.

Schedule a call with an expert