New security requirements for payment card vendors
The PCI Security Standards Council (PCI SSC) has published version 1.1. of its PCI Card Production Security Requirements. The updated standard helps payment card vendors secure the components and sensitive data involved in the production of payment cards, protecting against fraud via the compromise of card materials.
The standard consists of both physical and logical security requirements that address card production activities including card manufacturing, chip embedding, data preparation, pre-personalization, card personalization, chip personalization, fulfillment, packaging, storage, mailing, shipping, PIN printing and mailing (personalized, credit or debit), PIN printing (non-personalized prepaid cards), and electronic PIN distribution.
Version 1.1 provides additional guidance and also modifies or adds requirements in the following areas:
- Access control
- Alarms
- Card storage
- Embossing
- Emergency exits and fire doors
- PIN and card delivery
- Vault construction.
Go here for a summary of changes from version 1.0 to 1.1.
While the card production security standard is maintained by the PCI Council, assessments are directly managed by the payment brands. Card vendors are encouraged to work with the individual payment brands to confirm timing for performance of future security reviews against the PCI Card Production Security Requirements Version 1.1.
“We continue updating our standards to match the needs of today’s threat and business environments and to further increase security across the payment chain,” said PCI SSC Chief Technology Officer Troy Leach. “These updated card production requirements will help card vendors secure the card production process from design all the way through delivery.”