Supporting PCI CPP compliance with a comprehensive new framework

At Advantio we spend a great deal of our time advising and helping clients to meet the near-ubiquitous PCI DSS standard for card data protection. Less well known across the industry is the PCI standard governing vendors that manufacture and personalize the payment cards themselves, or that provision payment data onto cards or devices over the air.

This is the PCI CPP standard: a rigorous set of controls that applies to any company involved in card manufacturing, personalization, packaging, shipping, and many other processes. The standard is formally known as the PCI DSS Logical and Physical Requirements for Card Production, and we'll refer to it as PCI CPP for simplicity.

The good news is Advantio has leveraged its experience in managing these environments directly to produce a new framework for streamlined governance and compliance.

What is PCI CPP?

PCI CPP is a detailed and technically complex undertaking, even by PCI standards. It includes:

Logical controls that cover IT assets such as servers, computers, and every electronic device inside the High-Security Area (HSA) perimeter. The HSA defines the card production environment. Everything outside is considered “external.” Some specific requirements include:

  • A DMZ with physical firewalls protecting network segments
  • Data may only be pushed into the DMZ, and every file held there must be reviewed and its presence justified to a PCI auditor
  • Approved devices to encrypt or decrypt card data
  • Schemas illustrating data flows, processes, and logical paths
  • Rigid change control processes
  • Precise patch management procedures

Physical controls must also be in place such as separate racks for servers, firewalls, and encryption devices—all of which must be under CCTV surveillance and accessible under dual access control. Other requirements include:

  • Two people to be present at all times for the execution of many processes
  • Inventory of all assets
  • Tamper-proofing for every cable and device
  • HSA walls to be built as per precise industry standards
  • A staffed, 24-hour guard room

Assigned roles are also important. They must include:

  • A CISO with responsibility for certification
  • A precise hierarchy of personnel to govern the HSA

Why Advantio?

Documentation for PCI CPP is mandatory and must be provided to auditors on request. Given the complexity of compliance, expert third-party assistance is advised, because even a small mistake, such as deploying non-compliant HSMs or firewalls, could be costly.

Advantio has taken its subject matter expertise in managing these card production environments and developed a framework to help your business. It is a collection of documentation, processes, procedures, and technologies which together cover the whole PCI card production IT and security governance stack. Where possible, we have automated to reduce the compliance burden further.

With Advantio, you get the benefit of proven expertise in PCI CPP compliance—delivered in a manner designed to reduce ongoing resource and cost overheads.


I am the CTO, Senior Security Consultant, and PCI QSA since 2010 at Advantio.

Having executed close to a hundred (and counting) assessments across Europe, Asia, South Africa, and North America, I was able to observe many different implementations of all classic security controls and much more.

Now I spend much of my time with cloud technologies. Being passionate about cloud security and cloud resources management, my research focuses on the implementation of streamlined and scalable processes in the field of Threat Management for cloud-based ecosystems.

At Advantio, I am also part of the ZeroRisk team. Our vision is to make security and compliance simpler for our users.
