PCI SSC updates card security standards to secure the card production process

The PCI Security Standards Council (PCI SSC) announced the availability of the PCI Card Production and Provisioning Security Requirements version 3.0. The updated standard helps payment card vendors secure the components and sensitive data involved in the production of payment cards, protecting against fraud via the compromise of card materials.

PCI Card Production and Provisioning Security Requirements version 3.0 ensure the strongest protections for customer payment information during card production and provisioning. Card production includes card manufacturing; magnetic-stripe card encoding and embossing; card personalization; chip initializing, embedding, and personalization; card storing; shipping and mailing.

Provisioning is the process of adding cardholder account information to a device via an over-the-air or over-the-internet communication channel. Version 3.0 updates include an appendix for the use of a Security Operations Center (SOC) to control Security Management Systems to protect buildings, assets, access, and staff. Additionally, there are new requirements related to using rail freight for secure transport of card products and added criteria for transport to and from sea and air freight facilities when those modes of transport are used.

“The updates to the Card Production and Provisioning Security Requirements are intended to meet the security and business needs of card vendor environments while protecting these environments from evolving threats and increasing security across the payment chain,” said PCI SSC SVP Standards Officer Emma Sutcliffe. “These updates will help card vendors secure the card production process from design all the way through delivery.”

Published documents are available in the PCI SSC Document library and include:

• PCI Card Production and Provisioning Security Requirements Summary of Changes from PCI Card Production and Provisioning Version 2.0 to 3.0
• PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0
• PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0

While the Card Production and Provisioning Security Requirements are maintained by the PCI SSC, compliance is directly managed by the payment brands. Card vendors are encouraged to work with the individual payment brands to confirm timing for performance of security reviews against the PCI Card Production and Provisioning Security Requirements v3.0.