The PCI Security Standards Council (PCI SSC) has announced the availability of version 3.0 of the PCI Card Production and Provisioning Security Requirements. The updated standard helps payment card vendors secure the sensitive components and data involved in producing payment cards, protecting against fraud through compromise of card materials.
Version 3.0 of the PCI Card Production and Provisioning Security Requirements ensures the best protections for customer payment information during card production and provisioning. Card production includes card making; encoding and embossing of magnetic stripe cards; card personalization; chip initialization, integration and customization; card storage; and shipping and sending.
Provisioning is the process of adding cardholder account information to a device through a live communication channel or the Internet. The version 3.0 updates include an appendix for using a Security Operations Center (SOC) to control security management systems that protect buildings, assets, access and security staff. Additionally, there are new requirements for the use of rail freight for the secure transport of card products, and additional criteria for transport to and from ocean and air freight facilities when those modes of transport are used.
“The updates to the security requirements for card production and provisioning are intended to meet the security and business needs of card vendor environments while protecting those environments from evolving threats and enhancing security across the payment chain,” said Emma Sutcliffe, SSC SVP Standards Manager. “These updates will help card vendors secure the card production process from design to delivery.”
Published documents are available in the PCI SSC Document Library and include:
- Summary of Changes to the PCI Card Production and Provisioning Security Requirements, Version 2.0 through 3.0
- PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0
- PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0
While the security requirements for card production and provisioning are maintained by the PCI SSC, compliance is managed directly by the payment brands. Card vendors are encouraged to work with the individual payment brands to confirm the timeline for performing security reviews against version 3.0 of the PCI Card Production and Provisioning Security Requirements.