The PCI SSC has released version 2.0 of both the Card Production Logical Security Requirements and the Card Production Physical Security Requirements. Both documents are now available on the Document Library. Why should many of you be interested in taking a closer look at both documents? The documents start with a scoping definition:
Logical: “All systems and business processes associated with the logical security activities associated with card production and provisioning such as data preparation, pre-personalization, card personalization, PIN generation, PIN mailers, and card carriers and distribution must comply with the requirements in this document”
Physical: “The PCI Card Production and Provisioning Physical Security Requirements manual is a comprehensive source of information for entities involved in card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment.”
There is also a Summary of Changes to help call attention to changes made from Version 1.1 to Version 2.0. Some of the changes made are merely expanded guidance, while some of the controls are completely new controls.
Logical Control Requirements
At a high level, the Card Production Logical Security Requirements covers the following areas:
- Roles and Responsibilities
- Data Security
- Network Security
- System Security
- User Management and System Access Control
- Key Management
- PIN Distribution
Appendix A of the Logical Control Requirements provides a nice “Applicability of Requirements” table to help organizations identify which control requirements apply to them based on the provisioning method (Physical, Mobile Secure Element (SE), or Mobile Host Card Emulation (HCE)).
NOTE: This document does NOT apply to any providers who are only distributing secure elements.
Physical Control Requirements
At a high level, the Card Production Physical Security Requirements covers the following areas:
- Production Procedures and Audit Trails
- Packaging and Delivery Requirements
- PIN Printing and Packaging of Non-Personalized Prepaid Cards
Just like the Logical Control Requirements, the Physical Control Requirements has an Appendix with “Applicability of Requirements” that identifies which control requirements apply to them based on the provisioning method (Physical, Mobile Secure Element (SE), or Mobile Host Card Emulation (HCE)).
Hint: If physical cards are in-scope, all requirements are applicable.
As always, I am interested in your feedback. Feel free to reach out on any of the social networks below!