PCI Card Production
Organizations involved in the production of physical cards abide by the requirements of the PCI CP Standard. The standard contains both physical and logical security requirements.
| Assessor Type | Applicability | Validity | Governing Body | Data Type | Regions |
|---|---|---|---|---|---|
| CP QSA | Card production vendor | 3 years | PCI SSC | Account data | Global |
If you produce payment cards, or provide cloud-based or secure element provisioning services, you will have heard of the PCI CP Standard.
PCI CP is the Payment Card Industry Card Production standard. It unifies the security requirements for card production companies, so the payment brands no longer maintain their own separate security standards.
The PCI Council now maintains the list of approved PCI CP auditors, called Card Production Security Assessors (PCI CPSA).
If you produce VISA or MasterCard cards, these payment brands mandate that a PCI CP assessment be performed every year by a PCI CPSA.
The standard has two parts: PCI CP Logical Security and PCI CP Physical Security.
PCI CP Parts
Logical Security
- Review of roles and responsibilities
- Review of security policy, procedures and processes
- Review of classification, encryption, secure access, transmission and retention of data
- Review of network architecture, firewalls, remote access and wireless networks
- Review of security testing reports
- Review of encryption key management
Physical Security
- Review of personnel security procedures for employees, guards, visitors and service providers
- Review of premises security, including the external structure, external security, and internal structure such as the High Security Area (HSA) and the security control room
- Review of internal security controls such as alarm systems, badge administration, duress buttons, CCTV, and lock and key management
- Review of production procedures and audit trails
- Review of PIN printing and packaging
Why CBL?
- Our automated approach to producing reports, exchanging documents and managing workflow saves a lot of effort and keeps us away from audit fatigue.
- Our decades of experience across various industries have enabled us to address industry pain points.
- We provide customized solutions to make sure that you implement cyber security controls effectively in your environment.
- We have a client footprint in more than 25 countries.
How can CBL Help?
PCI CP Consulting
We perform a gap assessment against the PCI CP Standard and report the gaps together with solutions for mitigating them. We also provide support services such as security tests and the quarterly internal audit/review required to meet the PCI CP security requirements.
PCI CP Assessment
Entities involved in the physical and logical security activities associated with card production and provisioning are required to comply with the Payment Card Industry (PCI) Card Production and Provisioning requirements. We are a PCI CPSA accredited by PCI SSC to conduct security audits against the payment industry compliance standards. After the assessment we submit the reports to the payment brands.
Bespoke Advisory Solutions
We understand that a silver-bullet approach won't help at all, so we provide customized solutions to make sure that you implement PCI CP controls effectively in your environment.
Industry Experience
We have advised major card production vendors for a very long time, even before a specific compliance standard for card production vendors was published.
The activity combines the physical and logical security controls that the organization is required to implement.
Compliance Management tool
Our automated approach to producing reports, exchanging documents and managing workflow saves a lot of effort and keeps us away from audit fatigue.
Comprehensive Services
As a full-service PCI vendor, we provide all the auxiliary services needed to be compliant with the PCI standards, and our consulting support continues after PCI CP compliance is achieved.
Our Approach
1. Scope Formulation
Involves identifying all the system components that store, process and/or transmit cardholder data.
2. Gap Analysis
Involves comparing the status of the information security controls present in the organisation against the requirements outlined in the PCI CP standards. We provide recommendations and advisory wherever meeting a requirement of the PCI CP standards is a challenge.
3. Implementation Assistance
There comes an all-or-nothing stage in the effort to achieve PCI CP compliance, and this is when the implementation or correction of security controls makes all the difference. For technical support we also bring in our engineering team, which provides the technical expertise for threat modelling, vulnerability identification and vulnerability management.
4. Final Internal Audit
The final audit will be done before submitting the details to the PCI SSC.
PCI CPSA Assessment
Gap assessment
Involves comparing the status of the information security controls present in the organisation against the requirements outlined in the PCI CP standards.
Reporting to Payment Brands
The identified gaps are reported to the payment brands. In most cases these gaps must be closed within 1 month and the status reported back to the payment brands.
PCI CARD PRODUCTION FAQs
Only an assessor approved by the PCI Council, i.e. a Card Production Security Assessor, can perform the PCI Card Production assessment and submit the final Report on Compliance to the payment brand.
The two standards are different, so separate assessments can be undertaken. However, PCI CP compliance programs are driven by the payment brands, so please contact the payment brands for their exact requirements.
PCI SSC has recently released remote assessment guidelines, which were much needed during the pandemic. However, the PCI CP compliance program is driven and managed by the payment brands, so it is advisable to contact the payment brands for all such requests.