PCI CPP applies to vendors engaged in the secure manufacturing of payment cards. As well as vendors who provision payment information onto cards and mobile devices. In this blog, we are going to examine the requirements in more detail.

Card production in this context includes; card manufacturing, encoding, and initializing. As well as packaging shipping and mailing. Card provisioning is the process of adding account information to a device. Via an over-the-air or over-the-internet communication channel.

How is the PCI CPP composed?

Logical Controls

PCI CPP contains a set of logical controls related to information technology. Including servers, computers, and every electronic device inside the HSA (High-Security Area) perimeter. Its requirements are more restrictive than those of PCI DSS.

The HSA is the perimeter that defines the Card Production Environment. Everything outside of the HSA is ‘External.’

PCI CPP requires a specific type of infrastructure and the use of an acceptable schema. For example, you must have a DMZ in place, and it must have a physical firewall.

The same control applies to the card personalization network. Physical firewalls must only protect their specific segment of the network. The requirements do not accept VLANs as valid network segmentation, and there must be a physical separation between systems.

The logical controls state that you can only “push” data into the DMZ. All files that enter the DMZ, containing sensitive data or not, must have a justified reason for being in the DMZ. The PCI auditor and issuer must review and approved the justification for this.

Encryption controls are a core component of the logical requirements of PCI CPP. Your environment must install a physical device to encrypt and protect card data. This device is a Hardware Security Module - HSM. You must encrypt and secure every single channel.

An explicit schema showing data usage must be in place. The schema will explain the processes and logical paths the data flows over in its lifecycle.

An organization must patch and update every electronic device. You must protect devices with logical and physical policies. And they must only be used for their defined purpose and tagged with a visible unique ID.

Wi-Fi also has specific requirements under PCI CPP. The organization must perform periodic vulnerability scans, designed to detect and secure the environment from rogue networks.

Personnel cannot take or use any personal device inside the HSA (mobile phone, smartwatches, tablets, etc.). Staff cannot be alone in the HSA. There must be two people present at all times, and a timeframe limiting when you can enter the HSA.

There must be no communication with the external world as from within the HSA. There must be a justification and approval for all exceptions.


 PCI CPP has strict requirements on the physical controls which must be in place on the HSA. For example, racks that contain servers, firewalls, and encryption devices must be separate. They must always be accessible under dual access control. And under constant CCTV surveillance. HSA physical environments need at least two people to be present. Or an acoustic alarm in place ready to alert an external guard room. 

 And that is not all; every cable and device in the HSA must be hard to reach. There must be protection from tapering and an inventory of assets. All assets but have their presence justified. If the device is not in use must be under dual access control. 

 These examples are only a small part of what PCI CPP requires; this may seem excessive. Card production data is very sensitive. The information is lucrative to criminals or someone seeking to exploit the environment. 

 HSA rooms and facilities must be secure and not easily accessible. Dedicated rooms to card production, and in some cases personalization, must be in place.  

 Some requirements are quite severe. For example, you must construct the walls of the HSA with concrete, to prevent or resist explosions or intrusion. 

 For containment of cards with chips, the HSA must provide within it another dedicate room.This room shall have stronger physical controls to that of the main HSA. 

 All the HSA rooms and perimeters must have security cameras that cover all angles. There must be no blind spots. The walls and windows must have a specific type of railing. The railing design must not allow a card to fit through it. The perimeter must be strong enough to resist attacks and have alarms in case of attempted break-ins. 

 External to the HSA, there must be a staffed, 24-hour guard room. The guards are responsible for checking the credentials of all people wishing to access the HSA. Guards must impose the strict access control requirements that PCI CPP demand. 

 Also, the CCTV network is under PCI CPP requirements. The rules are the same for logicalconditions. There must be an NTP server with the minimum delay to be in line with the video recording and logs in case of intrusion. 


 PCI CPP requires a clear organization chart with specific roles assigned. Roles must includea CISO, who has the responsibility for the certification. The CISO must have the knowledge and understanding to approve all changes to the HSA. The CISO may delegate duties to named individuals. But will still be responsible for the certification.  

An organization must track, log, and audit all changes to the physical and logical environment. 

PCI CPP also requires that the vendor only uses its dedicated employees within the HSA. External consultants or staff employed in other roles by the vendor cannot work in the HSA. Guards employed outside the HSA can be from an external company. The CISO must detail and authorize all suppliers or external consultants.  


Finally, full documentation is mandatory and provided to auditors on request. Some organizations have perfect environments but fail audits due to documentation. Documentation must be in place for every PCI CPP requirement. 


An organization undergoes certification audit when all components and controls are in place. An authorized auditor reviews the implementation of controls in the environment, ensuring that the organization meets the logical and physical controls. 

Before 2019 audits were only performed by the Payment Brand and PCI. The PCI council now allows some consultancy firms to qualify employees as PCI CPP QSAs. a PCI CPP QSA can authorize, sign, and validate the certification. 


The PCI CPP is a complex requirement put in place within an organization. An organization must ensure access to a subject matter expert to guide you through the requirements. Mistakes could be costly, for example, if you purchased noncompliant devices such as HSM and firewalls. 

 Employing consultants with detailed knowledge of the PCI CPP project phases reduce mistakes. Advantio’s subject matter experts have extensive experience in delivering compliant projects for clients. 

 This is only a summary of what PCI CPP requires; for a more detailed consultation bespoke to your organization, contact our advisory team.

Get in touch today 


Michael Caruso

Written by Michael Caruso

Security Consultant with more than 8 years of experience within the cyber security and IT. I’ve been involved in PCI CPP project for a global payment service provider, lead several SOC departments and now performing Ethical Hacking activities.