The PCI Card Production and Provisioning Security Requirements help payment card vendors secure the components and sensitive data involved in payment card production and provisioning.
Card production includes card manufacturing; magnetic-stripe card encoding and embossing; card personalization; chip initializing, embedding, and personalization; card storing; shipping and mailing. This standard also provides protection against fraud via the compromise of card materials.
Provisioning is the process of adding cardholder account information to a device via an over-the-air or over-the-internet communication channel.
On 13 January 2022, the Payment Card Industry Security Standards Council (‘PCI SSC’) released the version 3.0 updates to the PCI Card Production and Provisioning Security Requirements.
Version 3.0 updates include an appendix for the use of a Security Operations Center (SOC) to control Security Management Systems to protect buildings, assets, access, and staff. Additionally, there are new requirements related to using rail freight for secure transport of card products and added criteria for transport to and from sea and air freight facilities when those modes of transport are used.
In addition, the PCI SSC Senior Vice President, Standards Officer, Emma Sutcliffe, stated that “the updates to the Card Production and Provisioning Security Requirements are intended to meet the security and business needs of card vendor environments while protecting these environments from evolving threats and increasing security across the payment chain. These updates will help card vendors secure the card production process from design all the way through delivery.”
As such, the updates include:
- the PCI Card Production and Provisioning Logical Security Requirements and Test Procedures version 3.0, which highlights the scope and establishes the minimum security levels with which vendors must comply for magnetic-stripe encoding and chip personalization; and
- the PCI Card Production and Provisioning Physical Security Requirements and Test Procedures version 3.0, which specifies the physical security requirements and procedures that entities must follow before, during, and after the card production and provisioning process.
While the Card Production and Provisioning Security Requirements are maintained by the PCI SSC, compliance is directly managed by the payment brands. Card vendors are encouraged to work with the individual payment brands to confirm timing for performance of security reviews against the PCI Card Production and Provisioning Security Requirements v3.0.