The Payment Card Industry Card Production and Provisioning standard (PCI CPP) is a rigorous set of controls that applies to any company involved in card manufacturing, personalization, packaging, shipping, and many other processes.

As a reminder, the PCI SSC publishes this standard as two documents, the PCI Card Production and Provisioning Logical Security Requirements and the PCI Card Production and Provisioning Physical Security Requirements; we'll refer to them together as PCI CPP for simplicity.

The good news is that we have leveraged our direct experience in managing these environments to produce a new framework for streamlined governance and compliance.

Read here for part 1 of this series.

This article discusses the objective, applicability, contents (controls), and compliance assessment processes of the Payment Card Industry Card Production and Provisioning standard (PCI Card Production). 

Introduction

Payment card production and provisioning organizations hold a large repository of high-risk data and need a specialized security program to mitigate that risk. Payment Card Industry (PCI) Card Production (PCI Card Production) is a set of standards published by the PCI Security Standards Council (PCI SSC) that defines the physical and logical security requirements for the organizations that manufacture cards and provision customer payment information onto cards and mobile devices (collectively referred to as Card Production Entities).

Card production includes card manufacturing, magnetic stripe encoding, embossing, card personalization, card initialization, chip embedding and personalization, card storage, packaging, shipping, and distribution. Provisioning covers loading cardholder account information onto a device over an over-the-air or Internet communication channel.

PCI Card Production is composed of two main standards:

  • Card Production and Provisioning Logical Security Requirements 
  • Card Production and Provisioning Physical Security Requirements

The current version of this standard is 3.0, published in January 2022.


Origin
The PCI Card Production standard was created in May 2013 to address a need that had been latent for some time. Before it existed, payment card manufacturers and the other entities involved in producing and provisioning cards had to comply with PCI DSS, which did not entirely fit their needs. As a result, each payment card brand imposed its own regulations on these companies, forcing them to follow several different security programs for the same purpose: producing cards.

It must be taken into account that these companies carry a very high risk, since the material they produce (payment cards) is itself sensitive. With these standards, both the physical and logical requirements for the whole process are centralized in the PCI SSC, which facilitates integration with other related standards, allows more uniform adoption by the affected companies, and improves the related security levels.

Applicability

As indicated above, PCI Card Production is a set of standards that cover the physical and logical controls of the payment card production and data provisioning process and apply to different organizations based on the services they offer to their customers:


Figure 1. Applicability of PCI Card Production Standards

 

It is important to clarify that, although they are two different documents (logical and physical controls), they are not mutually exclusive but complementary. An organization can have its compliance validated against the physical PCI Card Production standard, the logical standard, or both. In addition, companies that offer card production and provisioning services must also comply with PCI DSS.

The PCI SSC published the following entry in its frequently asked questions (FAQs) on 7 July 2009:

"Do the PCI DSS requirements apply to card manufacturers, embossers, card personalizers, or entities that prepare data for card manufacturing?

FAQ Response: Organizations that participate in data preparation, manufacturing, personalizing, and/or embossing for plastic cards are considered Service Providers for purposes of PCI DSS and should adhere to PCI DSS. However, some payment brands may already have programs in place that include PCI DSS for entities that prepare data, manufacture, personalize, or emboss plastic cards - we encourage you to check with each payment brand about their requirements for these entities. Please contact the payment brands directly."

Furthermore, PCI DSS v3.2.1 includes a note in requirement 3.2 clarifying that, under specific and justified circumstances, issuers may store sensitive authentication data, which left these entities as an exception not yet covered by a dedicated standard:

PCI DSS Requirement 3.2: "... It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: 

  • There is a business justification and 
  • The data is stored securely. ..." 

PCI Card Production and Provisioning Logical Security Requirements Version 3.0 

This document defines a set of minimum logical security controls covering the preparation, manufacture, transport, and personalization of payment cards and their components. It covers systems and business processes such as card personalization, PIN generation, PIN delivery, and plastic distribution.

The document is divided into the following sections: 

  • Section 1: Roles and Responsibilities 
  • Section 2: Security Policy and Procedures 
  • Section 3: Data Security 
  • Section 4: Network Security 
  • Section 5: System Security 
  • Section 6: User Management and System Access Control 
  • Section 7: Key Management: Secret Data 
  • Section 8: Key Management: Confidential Data 
  • Section 9: PIN Distribution via Electronic Methods 

Payment Card Industry Card Production Physical Security Requirements Version 2.0 

This document defines a set of minimum physical security controls for companies that manufacture and personalize cards and record card data on chips or magnetic stripes, before, during, and after those processes. The document is divided into the following sections:

  • Section 1: Roles and Responsibilities 
  • Section 2: Facilities 
  • Section 3: Production Procedures and Audit Trails 
  • Section 4: Packaging and Delivery Requirements 
  • Section 5: PIN Printing and Packaging of Non-personalized Prepaid Cards 

Who can perform a formal PCI Card Production compliance assessment? 

In early 2020, the PCI SSC launched the Card Production Security Assessor (CPSA) program to train and certify the companies and individual assessors that formally assess compliance with the PCI Card Production standards. Before this program, the payment brands were responsible for managing and appointing both the companies and the assessors authorized to perform the assessment. Converging the various compliance assessment programs into a single program (PCI CPSA) makes assessments more consistent and ensures that guidance and training are aligned with the current threat landscape.

Security assessment in card production and provisioning has two aspects, logical and physical, and there are correspondingly two types of assessors:

  • CPSA-L (Logical Assessors), for the evaluation of compliance with the PCI Card Production and Provisioning Logical Security Requirements standard
  • CPSA-P (Physical Assessors), for the evaluation of compliance with the PCI Card Production and Provisioning Physical Security Requirements standard

The list of companies and assessors certified to perform PCI Card Production compliance assessments is published by the PCI SSC on its website.

In general, the steps involved in a PCI Card Production compliance assessment are: 

  • Scheduling of the assessment 
  • Preparation for the assessment 
  • On-site inspection (assessment) 
  • Documentation of assessment results 
  • Presentation of assessment results 
  • Remediation of nonconformity findings 

Compliance reports 

As with most PCI Security Standards Council (PCI SSC) standards, compliance with the PCI Card Production (Physical/Logical) standards is demonstrated by two documents: 

  • PCI Card Production Report on Compliance (RoC) 
  • PCI Card Production Attestation of Compliance (AoC) 

These documents are valid for twelve (12) months. 

Finally, the list of organizations that comply with these standards is maintained by each payment brand in its own list of certified suppliers.

Advantio can help you develop and validate your security program, providing a structured, controlled, and accelerated methodology to mitigate the related risks in both main aspects of card production, logical and physical, while turning compliance into a digital opportunity to explore new business models. Our services include:

  • Trusted Advisor Services (TAS)
  • Scope Analysis Review (SAR)
  • Gap Analysis Review (GAR)
  • Formal Assessment of Compliance (FAC)

With Advantio, you get the benefit of proven expertise in PCI CPP compliance — delivered in a manner designed to reduce ongoing resource and cost overheads.


I am the Senior Security Consultant in Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies and design and policy development among others.

Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor
