Reference Content: This is archived content from PCI Security Standards Council bulletins, preserved for tracking changes over time.

PCI Security Standards Council Bulletin: Card Production Errata, AOCs, ROCs, and FAQ Published



30 June 2022

The PCI SSC has published documents supporting the Card Production and Provisioning Security
Requirements. With significant changes made to version 3.0 of the requirements, the documents will
help payment card vendors understand and implement the Security Requirements and assist with
performing and reporting results of their Card Production assessment.

The following documents are now available in the PCI SSC Document Library:

Card Production and Provisioning Security Requirements (Physical and Logical) v3.0.1
• Errata update to v3.0. Changes consist primarily of grammar and formatting, along with
incorporation of FAQ text.

Card Production and Provisioning Reports on Compliance (ROCs) and Attestations of
Compliance (AOCs)
• AOCs and ROCs are validation tools intended to assist with performing and reporting the results of
Card Production assessments. In addition to updated ROCs and AOCs for Physical and Logical
Security Requirements, there is a new ROC and AOC dedicated to use of a Security Operations
Center (SOC). The new SOC ROC and AOC are based on an Appendix in the Physical Security
Requirements.
• From 1 October through 31 December, ROCs and AOCs for versions v2.0 and v3.0.1 are
supported. As of 1 January 2023, version 2 of the standards and validation documents will be
retired.

Card Production and Provisioning Technical FAQs
• These technical FAQs provide answers to questions regarding both the PCI Card Production
and Provisioning Logical Security Requirements and the PCI Card Production and Provisioning
Physical Security Requirements. This is the initial release of v3 Technical FAQs and includes
the addition of two new FAQs regarding Federal Information Processing Standards (FIPS) or
PCI-approved Hardware Security Modules where their approvals have lapsed.

While the Card Production and Provisioning Security Requirements are maintained by the PCI SSC,
compliance is directly managed by the payment brands. Card vendors are encouraged to work with the
individual payment brands to confirm timing for performance of security reviews against the PCI Card
Production and Provisioning Security Requirements v3.0.1.