Crossbow Labs

Crossbow Labs Logo

PCI Card Production

Oragnziations which are involved in the production of physical cards abide by the requirements in the PCI-CP Standard. There are both physical and logical security requirements in this standard. 

  • Assessor Type
  • Applicability
  • Validity
  • Data Type
  • CP QSA
  • 3 Years
Network security


App security


Periodic VA & PT




Risk Management


If you are producing payments cards or cloud-based or secure element provisioning services then you must have heard about PCI CP Standard.

PCI CP is Payment Card Industry Card Production standard which has unified the need of maintaining security standards for card production companies and Payment brands are no longer maintaining their own security standards.

PCI Council is now maintaining the list of approved the PCI CP auditors, called as Card Production Security Assessors ( PCI CPSA )
If you are producing VISA or MasterCard Cards, then these payment brands have mandated to the PCI CP assessment done every year by PCI CPSA.

The standard has 2 parts, PCI CP Logical security and PCI CP Physical security.

PCI CP Parts

Logical Security

Physical Security

Why CBL?

How can CBL Help?

CBL provides following services with respect to PCI CP

PCI CP Consulting

We perform the gap assessment as per PCI CP Standard and provide gaps and solutions on how to mitigate those gaps. We also provide support services such as Security tests, Quarterly internal audit/review required to meet with PCI CP security requirements.

PCI CP Assessment

Entities involved in physical and logical security activities associated with card production and provisioning are required to comply with Payment Card Industry (PCI) Card Production and Provisioning requirements. We are PCI CPSA accredited by PCI SSC to conduct security audits to meet the payment industry compliance standards. We submit the reports to payment brands after doing the assessment.

Bespoke advisory Solutions

We understand silver bullet approach wont help at all, we provide customized solutions to make sure that you implement PCI CP Controls effectively in your environment.

industry experience

We have advised major card production vendors for a very long time even before the publishing of a specific standard for compliance of card production vendors. 

The activity is combination of both physical and logical security controls which are required to be implemented in the organization. 

Compliance Management tool

Our Automated approach in providing report, exchanging documents and workflow management saves lot efforts and keeps us away from audit fatigue

Comprehensive Services

Being a full service vendor of PCI , we provide all the auxiliary services needed to be PCI standards Compliant, Our consulting support will be there even after PCI CP Compliance.

Our Approach

PCI CP Consulting & Assessment

1. Scope Formulation

Involves identification of all the system components which store, process and/or transmit cardholder data.

2. Gap Analysis

Involves comparing the status of information security controls present in the organisation against the requirements outlined in the PCI CP standards. We provide recommendation/advisory wherever there is a challenge to meet the requirements outlined in the PCI CP standards.

3. Implementation Assistance

There comes an all-or-nothing stage in the effort of achieving PCI CP compliance. And, this is when the implementation or correction of security controls make all the difference. For technical support, we also bring in our engineering team to play. Our engineering team brings in the technical expertise for threat modelling, vulnerability identification and management.

4. Final Internal Audit

The final audit will be done before submitting the details to the PCI SSC.

PCI CPSA Assessment

Gap assessment

Involves comparing the status of information security controls present in the organisation against the requirements outlined in the PCI CP standards.

Reporting to Payment Brands

The identified gaps are reported to payment brands. In most cases, these gaps are to be closed in 1 month and report the status back to the payment brands.


Only the Approved from PCI Council, I.e. Card Production Security Assessor can perform the PCI Card Assessment and submit the final Report on Compliance to the Payment Brand.

The two standards are different so one can go for separate assessments. However, PCI CP Compliance programs are driven by payment brands, hence please contact the payment brands for the exact requirement by them.

PCI SSC has recently released remote assessment guidelines as it was much needed in the pandemic situation. However the PCI CP Compliance program is driven and managed by Payment brands, hence it is advised to contact Payment brands for all such requests.

Talk With an Expert

Learn more about how crossbow labs can help protect your business. Contact us today.