Supporting PCI CPP compliance with a comprehensive new framework
At Advantio we spend a great deal of our time advising and helping clients to meet the near-ubiquitous PCI DSS standard for card data protection. Less well-known throughout industry is the PCI standard governing vendors that manufacture and personalize the payment cards themselves, or provision payment information onto them or devices over-the-air.
This is the PCI CPP standard: a rigorous set of controls that applies to any company involved in card manufacturing, personalization, packaging, shipping, and many other processes. The standard is known with the names of PCI DSS Logical and Physical Requirements for Cards Production and we’ll refer to it as PCI CPP for simplicity.
The good news is Advantio has leveraged its experience in managing these environments directly to produce a new framework for streamlined governance and compliance.
What is PCI CPP?
PCI CPP is a detailed and technically complex undertaking, even by PCI standards. It includes:
Logical controls that cover IT assets such as servers, computers, and every electronic device inside the High-Security Area (HSA) perimeter. The HSA defines the card production environment. Everything outside is considered “external.” Some specific requirements include:
- A DMZ with physical firewalls protecting network segments
- You can only push data into the DMZ and all files must be reviewed and justified as being there by a PCI auditor
- Approved devices to encrypt or decrypt card data.
- Schemas illustrating data flows, processes, and logical paths
- Rigid change control processes
- Precise patch management procedures
Physical controls must also be in place such as separate racks for servers, firewalls, and encryption devices—all of which must be under CCTV surveillance and accessible under dual access control. Other requirements include:
- Two people to be present at all times for the execution of many processes
- Inventory of all assets
- Tamper-proofing for every cable and device
- HSA walls to be built as per precise industry standards
- A staffed, 24-hour guard room
Assigned roles are also important. They must include:
- A CISO with responsibility for certification
- A precise hierarchy of personnel to govern the HSA
Documentation for PCI CPP is mandatory and must be provided to auditors on request. Given the complexity of compliance, expert third-party assistance is advised. That’s because even a small mistake could be costly—ie non-compliant HSMs and firewalls.
Advantio has taken its subject matter expertise in managing these card production environments and developed a framework to help your business. It’s a collection of documentation, processes, procedures, and technologies, which together covers the whole PCI card production IT and Security governance stack. Where possible, we’ve automated to reduce the compliance burden further.
With Advantio, you get the benefit of proven expertise in PCI CPP compliance—delivered in a manner designed to reduce ongoing resource and cost overheads.