Document Comparison
PCI_CP_v1_1_ROC_Reporting_Template_Physical_June_2016b.pdf
→
PCI_CP_ROC_v3.0_Reporting_Template_Physical_Form.pdf
39% similar
Pages: 93 → 203
Words: 21732 → 59281
Content changes: 533
From Revision History
- July 2015 1.0 Initial version
Content Changes
533 content changes. 37 administrative changes (dates, page numbers) hidden.
Added
p. 2
April 2017 2.0 Updated for changes incorporated into v2 of the Security Requirements, including Mobile Provisioning.
December 2017 2.1 Updated with addition of Test Procedures
June 2022 3.0 Updated for release of new Requirements
Added
p. 4
• It serves as a declaration of the results of the card vendor’s assessment of compliance with the PCI Card Production and Provisioning Physical Security Requirements v3.0.1.
• Select the appropriate response for “Compliant to PCI CP Requirement” for each requirement.
• If non-compliance, a description of the reason for non-compliance.
Do’s and Don’ts: Reporting Expectations
DO:
• Provide useful, meaningful diagrams, as directed.
DON’T:
• Don’t simply repeat or echo the security requirement in the response.
• Don’t copy responses from one requirement to another.
• Don’t copy responses from previous assessments.
• Don’t include information irrelevant to the assessment.
• Company name: Payment Brand Identification Code:
• Address of facility where assessment was performed:
• Was the review done onsite or remotely: Select
• If remotely, state the rationale:
• Card Manufacturing Select
• Chip Embedding Select
• Data Preparation Select
• Card Personalization Select
• Pre-Personalization Select
• Chip Personalization Select
• PIN Printing and Mailing (personalized, credit or debit) Select
• PIN Printing (non-personalized prepaid cards) …
Added
p. 10
• Secure Element Provisioning Services Select
• Cloud-based (HCE) Provisioning Services Secure Element Provisioning Services
Added
p. 10
5. Select Product/Solution Description Cloud-based (HCE) Provisioning Services
Added
p. 11
• A Security Operations Center subject to PCI Card Production and Provisioning Physical Security Requirements, Appendix C, “Security Operations Center” requirements, is located on the premises of this facility.
• This facility has been monitored for any part of the audit cycle by a SOC subject to PCI Card Production and Provisioning Physical Security Requirements, Appendix C, “Security Operations Center.”
• This facility operates a Security Control Room (SCR) and was also monitored by a remote SOC (Subject to Appendix C) for part of the audit cycle.
• This facility operates a Security Control Room (SCR) and was not monitored by a remote SOC (Subject to Appendix C) for any part of the audit cycle.
• Security Operations Center This facility operates a SOC (Subject to Appendix C)
• Remote SOC This facility is monitored by a SOC (Subject to Appendix C) Select If yes, indicate the Country, City and Payment Brand Identification Code in …
Added
p. 12
• including the section reference number the non-compliance relates to
within the findings text as each non-compliance occurs. List all non-compliances in order, including the relevant section reference number the non-compliance relates to, for example:
3.7.1.r Card components are not returned to the vault during non-production hours.
Added
p. 15
3. Inspection Overview
3.1 Facility Description
The auditor must provide a general description of the vendor facility and Card Production and Provisioning environment. For example, “The facility consists of multiple buildings, and card production activities are performed in one building consisting of a High Security Area for Card Production and Provisioning. Administration functions are performed external to the HSA. The vendor being audited is the only occupant of this building.” The introduction must also include any unusual conditions that may impact the audit scope or compliance assessment process. For example, “First audit after relocation, significant expansion / reconfiguration of the HSA, significant changes to key personnel, introduction of new technologies,” and any other unusual conditions.
• Vendor Facility and Card Production and Provisioning Environment
• Conditions that may Impact Audit Scope
Added
p. 20
4. Validating the Requirements
The validation methods identified for each requirement describe the expected activities to be performed by the assessor to validate whether the entity has met the requirement. The intent behind each validation method is described as follows:
• Examine: The assessor critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
• Observe: The assessor watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, system configurations/settings, environmental conditions, and physical controls.
• Interview: The assessor converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
The validation methods are intended to allow the assessed entity to demonstrate how it has met a …
Added
p. 21
a) Senior management and corporate officers Select Interview personnel to verify that roles a) through d) are filled by vendor employees.
Examine the relevant appointment information for these positions.
b) Physical security manager Select Select
c) Acting physical security manager is any qualified individual acting as the physical security manager during any operational period of a facility, i.e., there must be such a designated individual accessible on-site during any operational period of the facility.
d) Card production supervisor is any card production staff that fulfills a supervisory role of other staff.
a) The vendor must retain all personnel’s background information on file for at least 18 months after termination of the contract of employment.
Select Examine policies and procedures to verify that all applicant and personnel background information is retained for at least 18 months after termination of the contract of employment.
b) This information must be available for the inspector during site security reviews.
Select Examine a sample …
Added
p. 23
• Current photograph, updated at least every three years
• Record of any arrests or convictions, updated annually
• Annual credit checks
Select See above. Select
1.1.4.2 Job and Sensitive Task Allocation
• Restrictions
a) The vendor is responsible for determining the level of job responsibilities assigned to any temporary or interim staff (including consultants and contractors), except where the job function is restricted to employees.
Select Interview appropriate management personnel to verify the process of assigning job responsibility levels to temporary or interim staff (including consultants and contractors), except where the job function is restricted to employees.
1.1.5 Personnel Changes
1.1.5.1 Changes in Personnel Job Function
The vendor must ensure that:
Select Examine policies and procedures to verify that the physical security manager is notified in writing of any personnel’s expected job change prior to taking effect.
Examine a sample of documentation to verify that the security manager is notified in writing prior to an employee’s job …
Added
p. 27
Select Interview the appropriate personnel designated with responsibility for all security matters and concerns to confirm that they understand their responsibility, including reporting to a senior company executive.
Select Examine a sample of employment agreements to verify that all individuals performing or managing tasks requiring access to card components or data or support for cloud-based provisioning processes and/or environment:
• Have a signed employment agreement; and
• The agreement stipulates that the card production staff complies with company policies and rules.
c) Providing a copy of vendor’s internal security manual to all card production staff and security personnel.
• Security requirements and guidelines
• Procedures that card production staff must follow while working in the secure facility
• Specific requirements as they pertain to the cloud-based provisioning platforms and systems
Select Examine policies and procedures to verify that a copy of the internal security manual is provided to all card production staff and security personnel.
Examine the …
Added
p. 31
Select Examine policies and procedures to verify that guards are not permitted to perform any of the functions normally associated with the production of card products or card components.
• Physical master keys that provide access to card production or provisioning areas
• Audit logs
Select Examine policies and procedures to verify that guards are not permitted access to the restricted areas and assets identified.
Examine the access rights granted to a sample of guards on the access control system. Verify the guards do not have physical access to the HSA or to any restricted areas where the vendor processes, stores, or delivers card products and card components.
Select Interview system administrator(s) to verify the guards cannot modify or alter internal settings on access system controls, intrusion alarm system, closed circuit television (CCTV).
Examine a sample of access permission settings to verify guards cannot modify or alter internal settings on access system controls, intrusion alarm …
Added
p. 32
a) If an unauthorized access attempt is detected internally or reported by law enforcement agents, the guard must ensure emergency procedures are followed. The vendor must make an assessment of any unauthorized access attempt. Access attempts that are not accidental or testing must be reported to the VPA.
Select Interview guards and production staff to confirm that they have a clear segregation of duties and independence from the production staff.
Select Interview guards to confirm that at least one guard occupies the security control room any time activities are performed in the HSA.
Examine a sample of access-control system activity logs, CCTV logs, or other mechanisms to verify that at least one guard is present in the security control room when the HSA is occupied.
Added
p. 33
Examine the internal security procedures manual to verify that they contain the following minimum information:
b) Vendor’s security policies Select
• Vendor’s security policies Select
h) Access-control system and computer monitoring (such as the logging in and out of staff entering or leaving the facility and internal movement at area access points) Select
• Access-control system and computer monitoring (such as the logging in and out of staff entering or leaving the facility and internal movement at area access points)
i) Company policy concerning card production staff, consultant, and visitor access to the facility (both exterior and interior) Select
• Company policy concerning card production staff, consultant, and visitor access to the facility (both exterior and interior)
m) Response to alarms, including notification to law enforcement in cases of unauthorized access to the facility Select
• Response to alarms, including notification to law enforcement in cases of unauthorized access to the facility
• Potential threats, such as burglary or theft, to …
Added
p. 35
a) Procedures must be reviewed, validated and if necessary, updated annually.
Select Examine documentation to verify updates occur annually as necessary.
Section 1 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
1.2.4 Security Training
Select Interview guards to confirm that they have been trained and are aware of all of their assigned tasks as defined within the internal security procedures manual and that their training occurs at least every 12 months and prior to the assignment of any new responsibilities.
Examine records evidencing the guards received the training at least annually.
Select Examine a sample of reports of any exceptional situations not specified within the security procedures manual to verify that they were reported to the physical security manager for appropriate action and possible inclusion into the security procedures manual.
a) Procedures for how visitors are managed at the vendor facility must be documented and followed.
Select Examine the security procedures …
Added
p. 48
Select Observe vendor facility to verify any devices, e.g., carriers, waste containers, and tools, are not against the facility’s external wall.
Added
p. 48
Select Interview personnel to determine that the vendor facility is located in an area that is serviced on a timely basis by public law enforcement and fire protection services.
Added
p. 49
Select Examine documentation to verify alarm system is equipped with an auxiliary power or battery backup system with capabilities for ensuring operation for a minimum of 48 hours in the event of a power failure. Observe that the alarm system is equipped with an auxiliary power or battery backup system with capabilities for ensuring operation.
Select Examine documentation to verify all systems are to notify the vendor in real time in the event backup systems are invoked. Examine a sample of documentation, e.g., logs, to verify vendors are notified in real time in the event backup systems are invoked.
Select Observe that all external entry and exit points, including those for freight and maintenance, are equipped with a peephole, a security window, or external CCTV cameras allowing security personnel to visually inspect the immediate area.
Select Examine a sample of evidentiary matter to verify external doors alarms have been tested every three months.
Section 2 Requirement …
Added
p. 51
Select Observe CCTV footage to verify that exterior lights illuminate the exterior of the facility as well as all entrances and shipping and delivery areas, such that persons within these areas can be identified.
Select Examine a sample of vendor logs to determine that all exterior lights are checked monthly and a record is maintained for 24 months.
Select Observe the facility to verify trees, telegraph poles, fences, etc. located adjacent to the property line that might facilitate roof access have been removed, relocated, or otherwise secured against unauthorized access.
Select Observe to verify all access points into the building from the roof are locked or otherwise controlled from the inside.
Select Observe to verify all access points into the building from the roof have magnetic contacts or contact sensors, both of which have monitored access.
Select Observe all skylights, ventilation, and cooling system ducts that penetrate the building structure are secured with security mesh, …
Added
p. 63
• Shipping or delivery
• HCE and SE mobile provisioning
Select Examine documentation to verify that the activities listed below only occur within the HSA. Observe to verify that the activities listed below, at a minimum, take place within the HSA and only within the HSA. Interview personnel to verify the activities listed below only occur within the HSA.
Select Examine documentation to verify that card production staff are only allowed to bring in items related to card production and provisioning activity into the HSA.
Observe that card production staff are only allowed to bring items related to card production and provisioning activity into the HSA.
Interview personnel to verify that card production staff are only allowed to bring items related to card production and provisioning activity into the HSA.
Select Examine documentation of HSA design to verify that if the facility performs multiple production activities, they …
Added
p. 66
Select Examine access-control systems documentation to verify that they:
• Are always connected to the computer that monitors and logs all staff and visitor movements.
• Enforce person-by-person access.
• Enforce dual presence. If the number of authorized card production staff is less than two for more than a minute, the alarm must be activated.
Observe access-control systems to verify that they:
• Are always connected to the computer that monitors and logs all staff and visitor movements.
• Enforce person-by-person access.
• Enforce dual presence. If the number of authorized card production staff is less than two for more than a minute, the alarm must be activated.
Select Examine access settings to verify that the vendor has programmed the software access-control system access to a person-by-person basis and is restricted to authorized personnel.
Select Examine access-control system settings to verify the access-control system will activate an alarm system each time the last person leaves the HSA.
Examine a sample …
Added
p. 70
Select Examine documentation to verify bullet-resistant (e.g., UL 752) glass or iron bars protect all windows in HSAs. Observe that bullet-resistant glass or iron bars are used to protect all windows in HSAs.
Select Observe to validate that activities in the HSA cannot be viewed from the exterior of the building, e.g., by use of opaque or non-transparent glass.
Note: See Annex A for further clarification.
Select Examine documentation to verify that the walls and ceilings are constructed around the HSA consistent with the enforcement of dual presence, e.g., prevention of access via false ceilings or raised floors. Observe to validate that the walls and ceilings are constructed around the HSA consistent with the enforcement of dual presence, e.g., prevention of access via false ceilings or raised floors.
Select Examine documentation to verify that all access points, e.g., electrical conduits, opening windows, and ventilation shafts, in/to the HSAs have physical barriers. Observe a sufficient sample of access points to …
Added
p. 73
Select Observe via demonstration the access-control system by requesting that one authorized person authenticates to the access reader:
• If the door opens, does a “single occupancy” alarm sound within a 60-second period?
• If the door does not open, verify that it opens after two authorized authentications have been presented.
Select Examine HSA documentation to verify separate rooms within the HSA meet all of the HSA requirements with the exception of person-by-person access.
Observe that separate rooms within the HSA meet the HSA requirements with the exception of person-by-person access.
Select Examine documentation to verify that toilets, if present, are required by local law.
Observe to determine that, if present, the toilet room’s entry/exit ways are camera-monitored.
Select Observe to verify that any fire doors present in the HSA are normally closed or can be manually closed, and these doors are subject to the same access controls as any other door that provides access to …
Added
p. 75
Select Observe to verify that destruction of card product and component waste takes place in a separate room(s) within the HSA that is dedicated for destruction.
b) Destruction by a third party may take place in the loading bay using portable/mobile equipment. All requirements for a destruction room must be met for this temporary usage.
Select Examine documentation to verify that destruction by a third party takes place in the loading bay using portable/mobile equipment. Examine a sample of video logs to verify all requirements for a destruction room are met for this temporary usage. Interview personnel to verify destruction by a third party that takes place in the loading bay using portable/mobile equipment meets all requirements for a destruction room for this temporary usage.
Select Observe to verify that PIN mailer production is performed in a separate room within the HSA.
Select Examine documentation to verify that card production staff involved in personal …
Added
p. 88
Note: If existing facilities have used wired enclosures for the outer room, they may continue. All new facilities requiring initial validation against these requirements must comply with the requirement as written, i.e., a room that is part of the building structure.
Select Observe to verify the shipping and delivery areas (loading/unloading) of card components to have at a minimum:
• At least two consecutive enclosed rooms and three doors (external, intermediate, and inner), and
• Minimization of physical contact between the individuals collecting or delivering materials and the shipment/delivery card production staff.
Select Observe a demonstration of the shipping and delivery processes to verify the shipping and delivery doors operate on an electronic and interlocking basis so that when one of the doors is open the others are electronically locked. Test in multiple configurations with different doors starting in the open position. With all doors closed, try opening multiple doors at the same time, i.e., badging …
Added
p. 96
a) Procedures must be documented and followed for managing identification (ID) badges.
Select Examine badging administration documentation to verify procedures are defined for managing ID badges.
Examine a sample of logs to verify procedures are followed in managing ID badges.
b) The vendor must issue a photo identification (ID) badge to each card production staff member and consultant. A temporary badge valid ONLY for the work shift does not need to contain a picture.
Select Examine documented procedures to verify the vendor issues a photo identification badge to each card production staff member and consultant.
Examine a sample of logs to verify badge issuance to card production staff and consultants.
c) ID badges and lanyards must not be imprinted with the company name or logo and are not allowed to be imprinted with any information that may identify the vendor’s name or location.
Select Observe to verify that ID badges and lanyards do not contain the corporate …
Added
p. 97
a) The access-control system must grant physical access to card production staff or consultants only during authorized working hours, and only to those areas required by the card production staff or consultants’ job functions.
Select Examine access-control system settings to verify physical access to card production staff or consultants is only during authorized working hours, and only to those areas required by the card production staff or consultants’ job functions.
Examine a sample of logs to verify that the physical access is only granted during authorized working hours and only to the areas required by the individual’s job functions.
Observe a demonstration of one or more individuals attempting to access areas they are not authorized for to verify the access-control system prevents that access.
b) Personnel must display their ID badges at all times while in the facility.
Select Observe that personnel display their ID badges at all times while in the facility.
c) Card production …
Added
p. 98
Select Examine the unassigned badge inventory log to verify completeness.
b) Ensure dual control exists for badge access and distribution to individuals.
Select Examine procedures to validate a process is in place to have dual control for badge access and distribution to individuals.
Examine a sample of logs to verify dual control for badge access and assignments.
c) Ensure ID badges are retrieved from terminated individuals prior to their departure from the facility.
Select Examine procedures to validate a process is in place to retrieve ID badges from terminated individuals prior to their departure from the facility.
Examine a sample of terminated personnel documentation to verify ID badges were retrieved from each terminated individual prior to their departure from the facility.
Select Examine procedures to validate a process is in place to deactivate all access rights immediately on a departure of an individual.
Examine a sample of terminated personnel documentation to verify all access rights were immediately deactivated.
Select …
Added
p. 99
a) The vendor must document, follow, and maintain procedures for access-control system administration.
Select Examine policy and procedures to verify access-control system administration is documented and maintained.
Interview personnel to verify personnel follow the procedures for access-control system administration.
Select Examine documentation to verify the access-control systems into restricted areas are protected by a backup electrical power source with capabilities for ensuring operation for a minimum of 48 hours in the event of a power failure.
Observe the presence of a backup electrical power source with capabilities for ensuring operation of the access-control system for a minimum of 48 hours in the event of a power failure.
Select Examine contingency plans to verify procedures exist to secure card components in the event of an outage greater than 48 hours.
Interview personnel to verify procedures are known and followed for securing card components in the event of an outage greater than 48 hours.
d) For …
Added
p. 102
Select Examine access-control system documentation to validate each access-control system administrator uses his or her own user ID and password.
Interview personnel to verify that each access-control system administrator uses his or her own user ID and password.
Select Examine documentation to verify procedures are in place that passwords are changed at least every 90 days.
Examine a sample of system configurations to verify passwords required to be changed at least every 90 days.
Interview personnel to verify that passwords are changed at least every 90 days.
Select Examine documentation to verify that user IDs and passwords are assigned to the physical security manager and authorized personnel.
Interview personnel to verify that access-control system administrators are vendor employees.
Examine a sample of logs to verify user IDs and passwords are assigned to the physical security manager and authorized personnel.
d) The physical security manager and other authorized personnel (who must be employees) are the only individuals …
Added
p. 104
Select Examine documentation to verify that the remote-access requirements listed below are met where system administration is performed remotely.
Examine a sample of reports to verify system administrators follow requirements for remote access as stipulated below.
Examine documentation to verify vendor facilities not subject to logical security audits have a written statement that requirements are being met.
Interview personnel to verify that the following remote-access requirements are met where system administration is performed remotely:
• Offsite access to the access-control system is not permitted.
• Access-control system data must be backed up on a weekly basis.
• Access-control systems administration must be performed from within the security control room.
• For generic administrative accounts that cannot be disabled, the password must be used only for emergency. The password must be changed from the default value and managed under dual control.
In addition, the access-control system must meet the logical security requirements in Appendix B.
c) Access-control systems administration …
Added
p. 109
• The locks each key operates
Select Examine documentation to verify that a process exists for the physical security manager to review the following for keys issued that allow access to sensitive materials:
• The locks each key operates
Examine evidence that for keys that allow access to sensitive materials, the physical security manager performed a quarterly review of:
• The locks each key operates
Select Examine documentation to verify a process is in place for the physical security manager to, at a minimum:
• Sign and date each of the key-control documents; and
• Attest that the review process was completed.
Examine a sample of records to verify the physical security manager performed the key-control process as noted above.
Select Examine documentation to verify that the physical security manager and executive managers are the only employees authorized to possess master or overriding keys to restricted areas.
Examine a sample of logs to verify the physical security …
Added
p. 110
Select Examine documentation to verify that combinations for any combination locks where a combination holder had access must be changed when a combination holder is removed from the list of authorized combination holders.
Examine a sample of logs to verify that combinations for any combination locks where a combination holder had access was changed when a combination holder was removed from the list of authorized combination holders.
Section 2
Requirement | Card Vendor Self-Evaluation (Comply, Comments) | Test Procedure | Assessor Compliance Evaluation (Result, Comment/Non-Compliance Assessment)
2.4.6 Closed Circuit Television (CCTV)
2.4.6.1 CCTV Cameras
a) Procedures for managing the facility’s CCTV must be documented and followed.
Select Examine documentation to verify CCTV procedures are documented.
Interview personnel to verify they are aware of and follow the CCTV procedures.
Examine a sample of documents to verify CCTV media are managed per the policy.
Select Examine documentation to verify a process for all CCTV cameras to be tested and the images …
Added
p. 115
a) The CCTV system must meet the logical security requirements in Appendix B.
Select See Appendix B.
• Access-control system
• Window and door contacts
• Glass-break detectors
• Emergency door alarms
• Passive infrared detectors
• CCTV image recorders
Select Examine documentation to verify inspections on all security devices and hardware were performed at least semi-annually and include but were not limited to:
• Access-control system
• Window and door contacts
• Glass-break detectors
• Emergency door alarms
• Passive infrared detectors
• CCTV image recorders
Select Examine sample documents to verify security inspections are performed by a qualified external organization.
Select Examine a sample of documents to verify a copy of the inspection reports is retained for at least 18 months. This inspection report must list all devices within the Security Systems installed on site, the inspection conducted, results of the test, and evidence of any remediation required.
Added
p. 117
a) The vendor must have a written contingency plan to guarantee that security for card components, products, and data is maintained in case of critical business interruption.
Select Examine documentation to verify the vendor has a written contingency plan to guarantee that security for card components, products, and data are maintained in case of critical business interruption.
Interview personnel to validate they understand the process of the contingency plans to guarantee that security for card components, products, and data are maintained in case of critical business interruption.
Added
p. 117
a) The vendor must document its policies and procedures by which assets associated with card production and provisioning activities are secured in the event production activities are terminated.
Select Examine the vendor’s policy and procedures to verify they include that assets associated with card production and provisioning activities are secured in the event production activities are terminated.
b) The procedures must identify all data storage, card design materials, cards, card components, physical keys, cryptographic keys, and hardware utilized for production activities that must be secured.
Select Examine procedures to verify the process identifies and secures all of the following but not limited to:
• Card design materials
• Hardware utilized for production activities
c) The disposition expectations for each identified item must be defined. For example, items may be returned to the owner, transported to an authorized user, or destroyed.
Select Examine the vendor’s policy and procedures to verify they include the disposition expectations for each identified …
Added
p. 120
a) The vendor must follow submission procedures mandated by the appropriate payment brand to receive approval for the card design in order to confirm the design’s compliance to the applicable payment brand standards.
Select Examine the various card-design approval processes to verify that payment brand reviews are appropriately understood and documented by the design team.
Examine documentation with vendor to verify that all mandated approvals have been received and are on file to be reviewed upon request.
Added
p. 120
Select Interview production management to verify what controls are in place to verify the vendor only starts a manufacturing run after approvals have been received.
Examine a sample of artwork approval timeframes compared with production runs to verify approval has occurred prior to production.
Added
p. 121
a) When requested by the payment brand, the vendor must send samples of the finished cards or components from each production run before shipping the finished card products. These samples must be functionally inoperative, and it must be visibly apparent that they are not live cards.
Select Examine policies/procedures to verify that when requested by the payment brand, the vendor sends samples of the finished cards or components from each production run before shipping the finished card products.
Examine a sample of payment brand requests for samples to verify the samples are functionally inoperative and it is visibly apparent that they are not live cards.
Select Examine policies/procedures to verify restricted access exists where film, plates, or electronic media are produced.
Observe that restricted access is in place for any room or area that includes the film, plates, or electronic media.
Examine a sample of physical access-control logs to verify that authorized personnel are …
Added
p. 126
a) When partially finished cards (e.g., pre-personalized)
Select Observe to verify cards stored outside the vault are stored in secure, locked containers in the HSA under dual controls.
Examine procedures for use of the WIP area to verify that partially finished cards are stored properly in the HSA.
Select Examine documentation to determine what supplier the vendor is receiving proprietary components from, and whether they are authorized suppliers.
Select Examine sample orders to verify that the vendor provided the supplier with both the street and mailing addresses of the vendor’s facility, as well as names and signatures of the vendor’s authorized representatives that are allowed to order components.
Added
p. 127
Select Examine policies/procedures to verify audit controls and an audit trail are in place for each job/batch and production step.
Examine a complete job run to verify procedures are followed.
must be counted and reconciled prior to any transfer of responsibility.
Select Observe a sample production job/run and validate that all card products and components (both good and rejected, including samples) are counted and reconciled prior to any transfer of responsibility.
• Description of the component or card product(s) being transferred
• Name and signature of the individual releasing the component or card product(s)
• Name and signature of the individual receiving the component or card product(s)
• Number of components or card products transferred
• Number of components …
Added
p. 132
Select Examine a sample of audit logs to verify that all modifications to the audit logs are being made in the authorized and designated manner.
Select Examine a sample of logs to verify that all modifications to the audit log are being made in the authorized and designated manner.
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
3.7.1.2 Log Review
Select Examine a sample of logs to verify that they are being reviewed and validated for accuracy at least weekly by an individual not involved in the direct operation of the equipment.
Select Examine a sample of logs and verify that they are signed and dated as required and by the proper individual.
c) All logs referenced in this document must be retained for a minimum of two years unless otherwise stated.
Select Examine a sample of logs and verify that logs are retained for a minimum of …
Added
p. 134
Select Examine the vault log to verify that at a minimum it contains:
• Number of cards originally placed in inventory
• Reason for transaction (e.g., job number)
• Number of cards removed from inventory
• Number of cards returned to inventory
• Balance remaining in the vault
• Date and time of activity
• Names and signatures of the card production staff who handled the transaction
Observe items being logged in and out of the vault to verify that proper documentation is accurately completed.
Select Examine a sample of monthly inventory to verify that an inventory of cards and card components is being completed on a monthly basis by two card …
Added
p. 135
Select Observe personalization process and validate controls are in place that ensure a secure method of handling and accountability.
• Card type
Select Examine a sample of audit control logs to verify they include job number, issuer name, and card type.
• Initial card procurement (beginning balance)
• Cards returned to inventory
• Machine/operation identification
• Date and time of reconciliation
Added
p. 136
• Name and signature of an individual other than the operator, who is responsible for verifying the count
• Number of card carriers printed
• Number of carriers wasted
• Number of envelopes that contain cards
• Number of mailers to be printed
• Number of mailers actually printed
• Wasted mailers that have been printed
• Number of mailers transferred to the mailing area/room
• Name and signature of an individual other than the operator, who is responsible for verifying the count
3.8 Production Equipment and Card Components
3.8.1 Personalization Equipment
a) The vendor must maintain a log of personalization equipment …
Added
p. 151
Select Observe an example to verify the use of packaging materials of sufficient strength to minimize breakage during shipment.
Select Observe an example to verify the packaging does not indicate or imply the nature of the contents.
Select Observe an example to verify the tape used for sealing the packaging is reinforced, tamper-evident, unique, and color-coded.
Select Observe an example to verify the containers are uniquely numbered and labeled.
Select Observe an example to verify that the number of containers and cards on a packing list are recorded.
Select Examine evidence to verify that the packaging used for un-enveloped cards shipped in bulk are in double-walled cartons that have a bursting strength capable of handling a minimum 250 PSI, 1724 kPa or 17.6 kg/cm2.
Select Observe an example to verify that each carton that contains shipments of cards has:
• The number of cards contained therein printed on the carton.
• The batch/shipment details of which it forms …
Added
p. 157
iii. The contents are secured with tamper-evident straps and checked upon delivery.
Select Examine vendor policies and procedures to verify the contents are secured with tamper-evident straps and checked upon delivery.
iv. The vehicle is loaded using dual control and locked during transport.
Select Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the card transport vehicle is loaded using dual control and locked during transport.
v. Vehicle drivers do not have a key or access to contents.
Select Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the card transport vehicle drivers do not have a key or access to contents.
vi. Two persons are in the vehicle equipped with a device to communicate with the security control room.
Select Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that two persons …
Added
p. 160
Select Observe that the packages are secured under dual control with access limited to authorized personnel prior to transfer to courier service.
Select Examine policies and procedures to verify that:
• Only a courier service that assigns a unique tracking number for each package is used,
• A tracking system is in place to enable the identification of:
− Successful completion of delivery milestones during the delivery process from initial pick-up to final delivery.
− Exception conditions during the delivery process commencing with initial pick-up and ending with delivery.
Observe a sample of activity to verify the ability to track the package in accordance with the aforementioned.
• The type of each card
• The quantity per card type
• The date of shipment
• The date of receipt
• Name of receiving organization
• Name and signature of person receiving the cards
Select Examine a sample of packages sent by courier to verify that each package contains a manifest prepared by …
Added
p. 163
a) The vendor must confirm with the VPA whether specific requirements apply to its geographic locations.
Select Examine evidence of VPA guidance for whether specific requirements apply to its geographic locations.
b) Secure transport originates at the vendor or issuer and must terminate at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.
Select Examine policies and procedures to verify secure transport originates at the vendor or issuer and terminates at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.
Observe a sample of shipping logs to verify that secure transport originates at the vendor or issuer and terminates at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.
c) Secure transport must occur in one of the following manners: armored vehicle, unarmored vehicle, air freight, sea freight, …
Added
p. 178
Select Examine policies and procedures to verify that all card components subject to return are delivered by secure transport.
Select Examine shipping activity logs to verify that the consignments of returned card components are received under dual control.
Select Examine shipping activity logs to verify that the consignment of returned card components is inventoried and handled under dual control as defined in “Audit Controls” (Section 3.7).
Select Examine shipping activity logs to verify that the names and signatures of the authorized recipients of returned card components are recorded prior to shipment.
Select Examine shipping activity logs to verify that the authorized signatures are verified prior to transfer at shipment.
Added
p. 179
Select Examine a sample of agreements with issuers to verify that they contain language indicating that the transfer of shipment responsibility occurs at the point at which the vendor has delivered cards.
Select Examine policies/procedures to verify they require written authorization from the issuer for packaging, shipping, or mailing the card and PIN together to include confirmation that:
• Cards will not be activated or loaded with a stored value until they have reached their destination, and
• The issuer accepts all risk inherent in shipping or mailing cards and PINs together.
Examine a sample of written authorizations from issuers to verify that procedures are followed.
Select Examine a sample of authorization letters to verify that:
• An appropriate officer of the issuer has signed the authorization letter.
• A copy of the letter is maintained in its files until the card expiry date.
Section 5 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result …
Added
p. 184
a) The personalization HSA
Select Examine documentation to verify that clear-text PINs only exist within a single integrated device.
Observe that this occurs within the personalization HSA; or
Select Examine policies/procedures to verify that each of the following is required:
Select Observe the PIN-printing process to verify the printer is locked under dual controls before the print job starts and any PINs are decrypted.
Select Observe that the HSM is handled under dual control at all times.
Select Observe the PIN process to verify that a physical review of the chassis and cabling has been performed, and there is no evidence of tampering.
Select Observe the PIN process to verify that clear-text PINs are only available inside a securely locked and covered area of the machine, for the minimum time required for printing, and are never stored.
Interview the owner of the PIN-printing process to validate that no storage of the clear-text PINs is allowed.
Select Observe the PIN-printing …
Added
p. 186
a) Ensure that procedures are documented and followed by security personnel responsible for granting access to the CCTV and access-control systems.
Select Examine procedures for granting access to the CCTV system and access-control systems to verify existence.
Interview security personnel responsible for the adding or removing of authorized users on the CCTV system and access-control systems to verify adherence to procedures.
b) Restrict approval and level of access to staff with a documented business need before access is granted. At a minimum, documented approvals must be retained while the account is active.
Select Examine a sample of access grants and compare the positions of those granted access to the CCTV and access-control systems to verify access is appropriately restricted.
c) Restrict systems access by unique user ID to only those individuals who have a business need.
Select Examine documentation to verify there is a list of roles that need system access together with a legitimate business …
Added
p. 187
d) Only grant individuals the minimum level of access sufficient to perform their duties.
Select Examine documentation and verify that the access is restricted based on least privileges necessary to perform job responsibilities.
Interview administrator to verify that individual access is based on the minimum level of access sufficient to perform their duties.
e) Make certain that systems authentication requires at least the use of a unique ID and password.
Select Examine documentation to make certain that ID and password for system authentication is unique.
Observe logon to system to verify that, at a minimum, authentication requires the use of an ID and password.
f) Restrict administrative access to the minimum number of individuals required for management of the system.
Select Interview administrator to determine names of people with administrative access.
Interview management of systems to determine if the number of people with administrative access is the minimum number of individuals required for management of the system.
g) Ensure security guards do …
Added
p. 195
a) Define, document, and follow procedures to demonstrate:
• Identification of security alerts (e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT))
• Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components
• Inventory of current systems in the environment including information about installed software components and about running services
Select Examine anti-virus policies/procedures to verify that the following are defined and that corresponding procedures exist for each:
• Identification of security alerts (e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT))
• Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components
• Inventory of current systems in the environment including information about installed software components and about running services
b) Deploy anti-virus software on all systems potentially affected by malicious software (e.g., personal computers and servers).
Select Examine …
Added
p. 198
• Identifying and evaluating newly discovered security vulnerabilities, and
• Identifying and evaluating security patches from software vendors.
Interview the system administrator to verify that procedures are implemented to identify and evaluate newly discovered security vulnerabilities and security patches from software vendors.
c) Ensure that secure configuration standards are established for all system components.
Select Examine documentation to verify that secure configuration standards are established for all system components.
Interview the system administrator to verify that a secure configuration standard exists and that there is a documented configuration standard for all system components.
d) Ensure that the configuration standards include system hardening by removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Select Examine the organization’s system configuration standards for all types of system components and verify that the standard addresses:
• The removing of all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
e) Ensure …
Removed
p. 4
The Report on Compliance (ROC) is originated by the card vendor and further refined by the payment brand-designated assessor during the onsite card production vendor assessment as part of validation process. The ROC provides details about the vendor environment and assessment methodology, and documents the vendor Card Production Security Requirement. A
Modified
p. 4
• It provides reporting instructions and the template for assessors to use. This can help provide reasonable assurance that a consistent level of reporting is present among assessors.
Modified
p. 4
Use of this reporting template is subject to payment brand stipulations for all Card Production v1.1 submissions.
Use of this reporting template is subject to payment brand stipulations for all Card Production and Provisioning v3.0.1 submissions.
Modified
p. 4
PCI Card Production Security compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The ROC is effectively a summary of evidence performed the validation activities and how the resultant findings were reached. At a high level, …
The Report on Compliance (ROC) is originated by the card vendor and further refined by the payment brand-designated assessor during the onsite card production and provisioning vendor assessment as part of the card vendor’s validation process. The ROC provides details about the vendor’s environment and assessment methodology, and documents the vendor’s compliance status for each Card Production and Provisioning Security Requirement. A PCI Card Production and Provisioning Security compliance assessment involves thorough testing and assessment activities, from which the assessor …
Modified
p. 5
Only one response should be selected at the sub-requirement level, and reporting of that should be consistent with other required documents. its compliance that provides the payment brand assessor with additional information to be considered for the compliance assessment.
• Only one response should be selected at the sub-requirement level, and reporting of that should be consistent with other required documents.
Modified
p. 5
Compliance column, the vendor must state the planned remediation action and the date for the remediation. In the event "Not Applicable" is entered in the Compliance column, the vendor must explain why they believe the requirement does not apply for their situation.
• In the “Comments/Remediation Date and Actions” section, the vendor may enter an explanation regarding its compliance that provides the payment brand assessor with additional information to be considered for the compliance assessment. In the event “No” is entered in the Compliance column, the vendor must state the planned remediation action and the date for the remediation. In the event "Not Applicable" is entered in the Compliance column, the vendor must explain why they believe the requirement does not apply …
Modified
p. 6
The following table is a helpful representation when considering which selection to make and when to add comments. Remember, only one response may be selected at the sub-requirement level, and reporting of that should be consistent with other required documents.
The following table is a helpful representation when considering which selection to make and when to add comments. Remember, only one “Result” response may be selected at the sub-requirement level, and reporting of that should be consistent with other required documents.
Modified
p. 6
Indicates that this item was previously reported as a non-compliance finding and vendor corrective action has resolved the finding. The "Non-Compliance Description" column must describe the action the vendor has taken to resolve the finding.
Modified
p. 6
Not Applicable Indicates that the assessment confirms that the requirement does not apply for the vendor. Not Applicable responses are only expected if the requirement applies to an activity that the vendor does not perform.
Not Applicable Indicates that the assessor’s assessment confirms that the requirement does not apply for the vendor. Not Applicable responses are only expected if the requirement applies to an activity that the vendor does not perform.
Modified
p. 6
Non-Compliance Assessment Use this column to indicate:
Comment/ Non-Compliance Assessment Use this column to indicate:
Modified
p. 6
Clarification describing the conditions observed in support of conclusion of compliance, or If non-compliance, a description of the reason for non-compliance.
• Clarification describing the conditions observed in support of the assessor’s conclusion of compliance, or
Removed
p. 7
Provide useful, meaningful diagrams, as directed. security requirement in the response. requirement to another. assessments. information irrelevant to the assessment.
Modified
p. 7
• Use this Reporting Template when assessing against v3.0.1 of the Card Production and Provisioning Security Requirements.
Modified
p. 7
Complete all sections in the order specified.
• Complete all sections in the order specified.
Modified
p. 7
Read and understand the intent of each requirement and testing procedure.
• Read and understand the intent of each requirement and testing procedure.
Modified
p. 7
Provide a response for every security requirement.
• Provide a response for every security requirement.
Modified
p. 7
Provide sufficient detail and information to support the designated finding, but be concise.
• Provide sufficient detail and information to support the designated finding, but be concise.
Modified
p. 7
Describe how a Requirement was verified per the Reporting Instruction, not just that it was verified.
• Describe how a Requirement was verified per the Reporting Instruction, not just that it was verified.
Modified
p. 7
Ensure all parts of the Reporting Instructions are addressed.
• Ensure all parts of the Reporting Instructions are addressed.
Modified
p. 7
Ensure the response covers all applicable system components.
• Ensure the response covers all applicable system components.
Modified
p. 7
Perform an internal quality assurance review of the ROC for clarity, accuracy, and quality.
• Perform an internal quality assurance review of the ROC for clarity, accuracy, and quality.
Removed
p. 8
Company contact: Name:
Assessor Company Company name:
Primary Assessor: Name:
Removed
p. 9
Card Manufacturing Select Chip Embedding Select Data Preparation Select Card Personalization Select Pre-Personalization Select Chip Personalization Select Fulfillment Select Mailing Select Packaging Select Shipping Select Storage Select PIN Printing and Mailing (personalized, credit or debit) Select Other PIN Printing (non-personalized prepaid cards) Select Electronic PIN Distribution Select
Modified
p. 9
Date of Report (yyyy/dd/mm):
• Date of Report (yyyy/mm/dd):
Modified
p. 9
Timeframe of assessment (start date to completion date): Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
• Timeframe of assessment (start date to completion date): Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
Modified
p. 9
• If applicable, identify date(s) spent onsite at the entity: Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
Modified
p. 10 → 12
2. Summary of Non-Compliance Findings Please use the table on the following page to report, covering all sections under each heading. Write up findings and list non-compliances including the section reference number the non-compliance relates to within the findings text as each non-compliance occurs. List all non-compliances in order, including the relevant section reference number the non-compliance for example:
2. Summary of Non-Compliance Findings Please use the table on the following page to report, covering all sections under each heading. Write up findings and list non-compliances
Modified
p. 10 → 12
5.1, 5.2 The vendor could not produce written authorization for packaging, shipping, or mailing the card and PIN together from its customer (issuer name).
Modified
p. 10 → 12
• Please ensure non-compliances are written exactly as the examples above and be as specific as possible down to the exact bullet that covers the non-compliance.
Modified
p. 10 → 12
Also list items that are not non-compliances but are items that either the assessor is unsure of, or the vendor has discussed with the assessor and questions arising from this discussion can only be answered by the applicable payment brand(s). This section is optional, so if not required, please delete it from the report.
• Also list items that are not non-compliances but are items that either the assessor is unsure of, or the vendor has discussed with the assessor and questions arising from this discussion can only be answered by the applicable payment brand(s). This section is optional, so if not required, please delete it from the report.
Removed
p. 13
3. Inspection Overview 3.1 Facility Description … facility consists of multiple buildings, and card production activities are performed in one building consisting of a High Security Area for card production.
The introduction must also include any unusual conditions that may impact the audit scope or compliance assessment process. For example, Introduction of new Vendor Facility and Card Production Environment; Conditions that may Impact Audit Scope
Modified
p. 14 → 16
Document Name (including version, if applicable) Brief description of document purpose Document date (latest version)
Modified
p. 15 → 18
Employee Name Role/Job Title Organization Summary of Topics Covered / Areas or Systems of Expertise (high-level summary only)
Modified
p. 16 → 21
5. Findings and Observations
Modified
p. 16 → 21
Section 2: Roles and Responsibilities
Section 1: Roles and Responsibilities
Modified
p. 16 → 21
Section 2 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1 Employees The following set of requirements applies to all employees that have access to card products, components, and the high security area (HSA).
Section 1 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 1.1 Card Production Staff The following set of requirements applies to all individuals that have access to card products, components, and the high security area (HSA).
Modified
p. 16 → 21
a) Full-time employees Select Select
a) Full-time employees Select Examine the pre-employment documentation for a sample of each
Modified
p. 16 → 22
c) Temporary employees, consultants, and contractors Select Select
c) Temporary employees, consultants, and contractors Select category to verify it includes application documentation and a background check. Select
Modified
p. 16 → 22
d) Guards (internal or external) Select Select 2.1.2 Applicant/Employee Background Information Retention The vendor must retain all applicant and employee background information on file for at least 18 months after termination of the contract of employment. This information must be available for the inspector during site security reviews.
d) Guards (internal or external) Select Select 1.1.3 Applicant/Employee Background Information Retention
Modified
p. 16 → 22
a) The vendor must use employment application forms that include the following detail relating to List of their previous addresses or residences for the last seven years Previous employers for the last seven years Applicants must satisfactorily explain gaps in employment.
a) The vendor must use employment application forms that include the following detail relating to the applicant’s past:
Removed
p. 17
i. Gathered as part of the hiring process:
c) These files must be available to the security inspectors during site reviews. Select Select 2.1.3.2 Job and Sensitive Task Allocation Restrictions The vendor must not allocate temporary or interim staff to a secure or sensitive job or task unless the job or activity is performed in the presence and under the control of authorized permanent staff.
Modified
p. 17 → 22
b) The vendor must maintain a personnel file for each employee that includes but is not limited to the following information:
b) The vendor must maintain a personnel file for each individual listed in Section 1.1.2 that includes but is not limited to the following information:
Modified
p. 17 → 23
Background check results Verification of aliases (when applicable) List of previous employers and referral follow-up results Education history Social security number or appropriate national identification number Signed document confirming that the employee has read and understands the Fingerprints and results of search against national and regional criminal records Select Select
i. Gathered as part of the hiring − Background check results − Verification of aliases (when applicable) − List of previous employers and referral follow-up results − Education history − Social security number or appropriate national identification number − Signed document confirming that the individual has read and understands the vendor’s security policies and procedures − Fingerprints and results of search against national and regional criminal records Select Examine the personnel files of a sample of individuals to verify that …
Modified
p. 17 → 23
Current photograph, updated at least every three years Record of any arrests or convictions, updated annually Annual credit checks Select Select
− Current photograph, updated at least every three years − Record of any arrests or convictions, updated annually − Annual credit checks Select Examine the personnel files of a sample of individuals to verify that they contain the minimum required documentation during their hiring process and during their time of employment as follows:
Removed
p. 18
a) The vendor must issue a photo identification (ID) badge to each employee. Select Select
b) The ID badge must not be imprinted with the company name or logo. Select Select
c) Access credentials (which may be the ID badge) must be programmed only for the access required based on job function.
Select Select 2.1.3.4 ID Badge or Access Card Usage
a) The access-control system must grant access to employees only during authorized working hours, and only to those areas required by the Select Select
b) Employees must display their ID badges at all times while in the facility. Select Select
c) Employees are responsible for their ID and access badges and must report any lost/ stolen or broken badges to the Security Manager immediately.
Select Select 2.1.3.5 ID Badge or Access Card Inventory and Management The security manager is responsible for unassigned ID badges and must:
a) Maintain an inventory of unassigned ID badges. Select Select
b) Enforce …
Modified
p. 18 → 24
Section 2 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1.3.3 Identification Badges
Section 1 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Removed
p. 19
e) Maintain precise documentation accounting for all lost badges. Select Select 2.1.4 Personnel Changes 2.1.4.1 Change in Employee Job Function The vendor must ensure that:
Modified
p. 19 → 24
a) The security manager is notified in writing of change taking effect.
a) The physical security manager is notified in writing of any personnel’s expected job change prior to the change taking effect.
Modified
p. 19 → 24
b) The security manager must adapt the access control to restricted areas in a timely manner. Select Select
b) The physical security manager must adapt the access control to restricted areas within one business day.
Modified
p. 19 → 25
a) If termination of employment is a planned event, the security manager must be notified in writing prior to termination.
a) If termination of employment is a planned event, the physical security manager must be notified in writing prior to termination.
Modified
p. 19 → 25
b) If termination of employment is an unscheduled event, the security manager must be notified in writing as soon as the decision is made.
b) If termination of employment is an unscheduled event (e.g., termination or extended medical leave), the physical security manager must be notified in writing as soon as the decision is made.
Removed
p. 20
d) Retrieve all company keys distributed to employee. Select Select e) identification and deactivate employee access to the facility.
Modified
p. 20 → 26
c) Upon termination effective date of the employee the security manager or designated representative must:
c) Upon termination effective date of any personnel the physical security manager or designated representative must:
Modified
p. 20 → 26
Deactivate all access rights.
• Deactivate all access rights.
Modified
p. 20 → 26
Recover the photo ID badge.
• Recover the photo ID badge.
Modified
p. 20 → 26
Change all applicable vault combinations and other applicable access codes known to or utilized by employee.
• Change all applicable vault combinations and other applicable access codes known to or utilized by individual.
Modified
p. 20 → 26
Recover all company property used in association with card production.
• Recover all company property used in association with card production or provisioning.
Modified
p. 20 → 26
Verify completion of the employee termination checklist activities, below.
• Verify completion of the individual’s termination checklist activities in Section 1.1.5.3, below.
Modified
p. 20 → 26
b) Retrieve all software programs and documentation distributed to employee. Select Select c) and applications. Select Select
b) Retrieve all software programs and documentation distributed to the individual.
Modified
p. 20 → 26
• Change all applicable vault combinations and other applicable access codes known to or utilized by individual.
Removed
p. 21
Select Select c) manual to all employees and security personnel.
Modified
p. 21 → 27
Section 2 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1.5 Security Communication and Training The vendor must emphasize security by:
Section 1 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 21 → 27
(e.g., the CISO)
responsible for all security matters and concerns, reporting to a senior company executive.
Modified
p. 21 → 28
b) Ensuring that individuals performing or managing tasks requiring access to card components have a signed employment agreement with the vendor. The agreement includes stipulating that the employee complies with company policies and rules.
b) Ensuring that individuals performing or managing tasks requiring access to card components or data, or who support the cloud-based provisioning processes and/or environment, have a signed employment agreement with the vendor. The agreement includes stipulating that the card production staff complies with company policies and rules.
Modified
p. 21 → 28
The security manual must include the following Administration Security guidelines Procedures that employees must follow while working in the secure facility Select Select
The security manual must include the following sections:
Modified
p. 21 → 29
d) Evidence of positive affirmation by the employee of receipt and understanding of responsibilities and obligations under the security policy.
d) Evidence of positive affirmation by the card production staff of receipt and understanding of responsibilities and obligations under the security policy.
Modified
p. 21 → 29
e) Ensuring that vendor staff security training incorporates the obligation for employees to report any observed breaches of established security procedure.
e) Ensuring that vendor staff security training incorporates the obligation for card production staff to report any observed breaches of established security procedure.
Modified
p. 22 → 29
f) Conducting mandatory training sessions at least annually. These sessions must include understanding the company security policies adherence to security policies.
f) Conducting mandatory training sessions at least annually. These sessions must include understanding the company security policies and the card production staff’s responsibilities and their adherence to security policies.
Modified
p. 22 → 29
g) Displaying posters and notices concerning security at key locations within the vendor facility.
g) Displaying information concerning security at key locations within the vendor facility via posters, notices, or electronic medium (e.g., monitors).
Modified
p. 22 → 30
Section 1 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 1.1.7 Notification The vendor must notify the Vendor Program Administration (VPA) of any personnel changes that directly affect the security of card products and related components, including but not limited to:
Modified
p. 22 → 30
• Senior management and corporate officers
Modified
p. 22 → 30
b) Security manager Select Select
b) Physical security manager Select Select
Modified
p. 22 → 30
c) Employees authorized to receive or sign for any card components Select Select 2.2 Guards 2.2.1 General Guidelines 2.2.1.1 Prescreening
c) Card production staff authorized to receive or sign for any card components Select Select 1.2. Guards 1.2.1 General Guidelines 1.2.1.1 Prescreening
Modified
p. 22 → 30
a) In-house or contracted guards must meet the same prescreening qualification requirements as employees working in HSAs.
a) In-house or contracted guards must meet the same prescreening qualification requirements as card production staff working in HSAs. For contracted guards, evidence of prescreening requirements may alternatively be provided by the guarding company, by copies of licenses, etc. The vendor must collect and retain this evidence provided by the guarding company.
Modified
p. 22 → 31
b) The vendor must ensure that any guard service contracted from an outside source maintains liability insurance to cover potential losses.
b) The vendor must ensure that any guard service contracted from an outside source maintains liability insurance to cover potential losses, or ensure that the vendor’s own insurance policies provide suitable coverage.
Removed
p. 23
Employee records Physical master keys that provide access to card production areas Audit logs Any restricted areas where the vendor processes, stores, or delivers card products and card components.
Select Select 2.2.2 Role and Responsibilities … a high level of protection of the building, assets, access and staff, immediately reporting any discrepancy to the company. In addition, the vendor must ensure that:
Modified
p. 23 → 31
Section 2 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.2.1.2 Restrictions/Limitations
Section 1 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 23 → 31
c) Guards must be prevented from modifying or altering the internal settings on access system controls, intrusion alarm system, closed circuit television (CCTV), and recording devices.
c) Guards must be prevented from modifying or altering the internal configuration settings on access system controls, intrusion alarm system, closed circuit television (CCTV).
Modified
p. 23 → 32
Select Interview guards to confirm that they follow appropriate emergency procedures and give prompt attention to reports of unauthorized access to the facility received from law enforcement agents, and where necessary the VPA.
Modified
p. 23 → 32
b) They maintain a clear segregation of duties and independence between the production staff and the guards.
b) It maintains a clear segregation of duties and independence between the production staff and the guards.
Removed
p. 24
Section 2 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.2.3 Documentation The vendor must provide guards or any other person assuming the security functions outlined in this document with a copy of the vendor's internal security procedures manual, which at a minimum must include:
h) Badge access system and computer monitoring (such as the logging in and out of staff entering or leaving the premises and internal movement at area access points) Select Select
i) Company policy concerning employee and visitor access to the facility (both exterior and interior) Select Select
m) Response to alarms Select Select
Modified
p. 24 → 33
a) responsibilities, procedures, and activities by position Select Select
a) Guard’s responsibilities, procedures, and activities by position Select • Guard’s responsibilities, procedures, and activities by position
Modified
p. 24 → 33
c) Interaction between production process management, contracted guard or monitoring services, the police, and other emergency Select Select
c) Interaction between production process management, contracted guard or monitoring services, the police, and other emergency services Select • Interaction between production process management, contracted guard or monitoring services, the police, and other emergency services
Modified
p. 24 → 33
d) Access control at all entry and exit points of the premises, by date and time of activation Select Select
d) Access control at all entry and exit points of the facility, by date and time of activation Select • Access control at all entry and exit points of the facility, by date and time of activation
Modified
p. 24 → 33
e) External resource response activities Select Select
e) External resource response activities Select • External resource response activities Select
Modified
p. 24 → 33
f) CCTV monitoring and video or digital recordings Select Select
f) CCTV monitoring and video or digital recordings Select • CCTV monitoring and video or digital recordings
Modified
p. 24 → 34
g) Administration of access cards and photo ID badges Select Select
g) Administration of access credentials and photo ID badges Select • Administration of access credentials and photo ID badges
Modified
p. 24 → 34
j) Property removal Select Select
j) Property removal Select • Property removal Select
Modified
p. 24 → 34
k) Shipping and receiving Select Select
k) Shipping and receiving Select • Shipping and receiving Select
Modified
p. 24 → 34
l) Alarm activation procedures Select Select
l) Alarm activation procedures Select • Alarm activation procedures Select
Modified
p. 24 → 34
n) Daily activity and immediate incident report Select Select
n) Daily activity and immediate incident report Select • Daily activity and immediate incident report
Removed
p. 25
Earthquakes Severe weather Direct assault by armed felons Bomb threats Select Select
Select Select 2.2.4 Security Training
Select Select 2.3 Visitors
Modified
p. 25 → 34
o) Potential threats such as burglary or theft Select Select
o) Potential threats (such as burglary or theft) to the facility’s external or internal security
Modified
p. 25 → 35
a) All guards, whether employees or contract, must sign a document indicating that they have read and fully understand the contents of this manual.
Modified
p. 25 → 36
a) Guards must be trained and aware of all of their assigned tasks defined within the vendor's internal security procedures manual. Training must occur at least annually and prior to the assignment of any new responsibilities. A record of the training session must be maintained.
a) Guards must be trained and aware of all of their assigned tasks defined within the vendor's internal security procedures manual. Training must occur at least every 12 months and prior to the assignment of any new responsibilities. A record of the training session must be maintained.
Modified
p. 25 → 36
b) Exceptional situations not specified within these manuals must be reported immediately to the security manager for appropriate action and possible inclusion into the manuals.
b) Exceptional situations not specified within these manuals must be reported immediately to the physical security manager for appropriate action and possible inclusion into the manuals.
Modified
p. 25 → 36
b) All visitors to the facility must be registered ahead of their arrival.
Modified
p. 25 → 36
c) The registration must include name and company they represent.
Modified
p. 25 → 37
d) If the visitor requires access to the HSA or cloud-based provisioning environment, this must be approved by both the physical security manager and the production manager.
Modified
p. 26 → 37
e) Any unsolicited visitors must be turned away.
Modified
p. 26 → 37
f) An authorized card production staff member must accompany all visitors at all times while they are in the facility.
Modified
p. 26 → 37
g) Visitors must enter through the reception area.
Modified
p. 26 → 38
a) The vendor must apply the same registration procedures to all visitors entering their facility.
a) The vendor must apply the same registration procedures to all visitors entering their facility. These procedures must include the following:
Modified
p. 26 → 38
• Verification of identification against an official, government-issued picture ID
Modified
p. 26 → 38
c) All logs must be protected from modification. Select Select
c) All logs must be protected from modification.
Removed
p. 27
Name of the visitor, printed and signed Number of the official ID document(s) presented and the date and place of issue Company the visitor represents (if any) Name of the person being visited or in charge of the visitor Purpose of the visit Visitor badge number Date and time of arrival and departure Signature of the employee initially assigned to escort the visitor Select Select e) records for at least 90 days. Select Select 2.3.2 Visitor Security Notification At a minimum, the vendor must make visitors aware of vendor security and confidentiality requirements, and the vendor-provided escort requirements.
Modified
p. 27 → 40
a) Each visitor entering the production facility must be issued with and must wear visibly on their person a security pass or ID badge that identifies them as a non-employee.
a) Each visitor entering the facility must be issued with and must wear visibly on their person a security pass or ID badge that identifies them as a non-employee.
Modified
p. 27 → 40
b) If the security pass or ID badge is disposable, name and date of entry to the facility and, if multi-day, the validity period must be clearly indicated on the front of the badge.
b) If the security pass or ID badge is disposable, the visitor’s name and date of entry to the facility and, if multi-day, the validity period must be clearly indicated on the front of the badge.
Modified
p. 28 → 41
c) If the security pass or ID badge is the access-control type that enables a record to be kept of the visitor must be instructed on its proper use.
c) If the security pass or ID badge is the access-control type that enables a record to be kept of the visitor’s movement throughout the facility:
Modified
p. 28 → 41
The vendor must program the visitor access badge or card to activate all card readers located in the areas that the visitor is authorized to enter.
• The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
Modified
p. 28 → 41
Unissued visitor access badges must be securely stored.
d) Unissued visitor access badges must be securely stored.
Modified
p. 28 → 41
Visitors must use their access card in the card readers activating the doors giving access to the area into which they are allowed to enter.
• Visitors must use their access card in the card readers to the room into which they enter.
Modified
p. 28 → 42
f) Card production staff responsible for escorting visitors while they are inside the facility must ensure that the visitor surrenders their ID badge to the receptionist or guard before leaving the building.
Modified
p. 28 → 42
b) The requirements of Section 1.1.2, “Card Production Staff,” of this document have been met by the employer of all suppliers, repair and maintenance staff, and any other external service provider.
Modified
p. 28 → 43
c) A pre-approved list of third parties is made available to the receptionist or to the guard on a daily or weekly basis for the preparation of ID badges. Only those persons with pre-approved ID badges may be granted facility access. The physical security manager or senior management must approve in writing any exceptions to this requirement.
Modified
p. 29 → 43
d) An authorized card production staff member accompanies all external service providers at all times while they are in the HSA(s).
Modified
p. 29 → 43
e) All external service providers that require access to HSAs to service equipment have adequate liability insurance.
Modified
p. 29 → 44
f) External service providers’ staff requiring access to restricted or HSAs follow the visitor-registration procedures.
Modified
p. 29 → 44
a) Prior to conducting any business with an agent or third party regarding card-related activities, the vendor must register the agent with the VPA and obtain the following information:
a) Prior to conducting any business with an agent or third-party regarding card-related activities, the vendor must register the agent with the VPA and obtain the following information:
Modified
p. 29 → 44
b) The vendor must inform the VPA whenever the agent relationship is changed or terminated.
b) The vendor must inform the VPA whenever the agent relationship is changed or terminated.
Removed
p. 30
a) Contact alarm monitored
Modified
p. 30 → 45
Section 3 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
3.1 External Structure
3.1.1 External Construction
The vendor must:
Section 2 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Test Procedure | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
2.1 External Structure
2.1.1 External Construction
Modified
p. 30 → 46
b) The vendor must prevent unauthorized access to buildings, building areas, or structures containing technical machinery or equipment such as the heating system generator, auxiliary power supply, and air conditioning.
Modified
p. 30 → 46
c) The vendor must protect doors that provide access to these by use of electrical or magnetic contacts that are permanently alarmed and that are connected to the security control-room panels.
Modified
p. 30 → 46
d) The vendor must establish a specific procedure to disable these door alarms and to control the delivery of the access key any time that repair or maintenance staff must access this machinery or equipment.
Modified
p. 30 → 47
e) The vendor must keep a log of the disabling of the alarm and the key exchange, describing at least:
Modified
p. 30 → 47
• Purpose of the access
2.1.2 Exterior Entrances and Exits
All non-emergency exterior entrances and exits to the facility must be:
Modified
p. 30 → 47
b) Locked or electronically controlled at all times
b) Locked or electronically controlled at all times. Test procedure: Observe that all exterior entrances and exits are locked and are controlled at all times.
Removed
p. 31
e) Fitted with a mantrap or interlocking tailgating (excluding emergency exits)
3.1.3 External Walls, Doors, and Windows
Modified
p. 31 → 47
c) Reinforced, where applicable, to resist intrusion (e.g., steel or equivalent construction that meets local fire and safety codes)
c) Reinforced, where applicable, to resist intrusion (e.g., steel or equivalent construction that meets local fire and safety codes).
Modified
p. 31 → 47
d) Fitted with an access-control device (i.e., card reader or biometric) that automatically activates the locking mechanism
d) Fitted with an access-control device
Modified
p. 31 → 48
a) All exterior walls must be pre-cast or masonry block or material of equivalent strength and penetration resistance.
a) All exterior walls must be pre-cast or masonry block or material of equivalent strength and penetration resistance. Any openings in the external wall that penetrate the building structure must be secured with security mesh, grating, or metal bars to prevent unauthorized access.
Modified
p. 31 → 48
b) Windows, doors, and other openings must be protected against intrusion by mechanisms such as intruder-resistant glass, bars, glass-break detectors, or motion or magnetic contact detectors.
b) Windows, doors, and other openings must be protected against intrusion by mechanisms such as intruder-resistant
Modified
p. 31 → 48
a) The vendor must not place any device (e.g., carriers, waste containers, and tools) against the external wall protecting the outer perimeter of the vendor’s facility.
Modified
p. 31 → 48
a) The vendor premises must be located in an area serviced by public law enforcement and fire protection services in a timely manner.
a) The vendor facility must be located in an area serviced by public law enforcement and fire protection services in a timely manner.
Modified
p. 31 → 49
b) The facility must be secured with an intrusion alarm system as defined in S
b) The facility must be secured with an intrusion alarm system as defined in Section 2.4.1, “Alarm Systems.” Test procedure: Examine the policy and procedures (or appropriate documentation) to determine the facility is secured with an intrusion alarm system as defined in Section 2.4.1, “Alarm Systems.”
Modified
p. 32 → 49
d) All systems must notify the vendor in real time in the event the backup system is invoked.
d) All systems must notify the vendor in real time in the event the backup system is invoked.
Modified
p. 32 → 49
e) All external entry and exit points, including those for freight and maintenance, must be equipped with a peep-hole, a security window, or external CCTV that allows security personnel visual inspection of the immediate area, thus allowing action to be taken in the event of unauthorized access.
e) All external entry and exit points, including those for freight and maintenance, must be equipped with a peephole, a security window, or external CCTV that allows security personnel visual inspection of the immediate area, thus allowing action to be taken in the event of unauthorized access.
Modified
p. 32 → 49
f) Alarms on external doors must be tested every three months.
3.2.1 Emergency Exits
f) Alarms on external doors must be tested every three months.
Modified
p. 32 → 50
a) All emergency exits must be fitted with local audible alarms and monitored 24 hours a day and also must display a sign indicating
a) All emergency exits must be fitted with local audible alarms and monitored 24 hours a day and also must display a sign indicating “emergency exit door with alarm.” Test procedure: Interview personnel to verify that emergency exits are monitored 24 hours a day. Observe via opening each emergency exit door to verify that:
Modified
p. 32 → 50
b) Emergency exit doors must be fitted with an automatic closer to ensure self-latching of the door after being opened.
b) Emergency exit doors must be fitted with an automatic closer to ensure self-latching of the door after being opened.
Modified
p. 32 → 50
c) Emergency exit doors must be contact-alarm monitored.
c) Emergency exit doors must be contact alarm monitored.
Removed
p. 33
3.2.3 Roof Access
Modified
p. 33 → 50
f) During non-business hours, the activation of an emergency-exit alarm must summon the local police or a guard response directed by central monitoring service or on-site security control.
f) During non-business hours, the activation of an emergency-exit alarm must summon the local police, or a guard response directed by central monitoring service or on-site security control.
Modified
p. 33 → 51
g) Emergency exit doors must not be capable of being opened from the outside.
g) Emergency exit doors must not be capable of being opened from the outside.
Modified
p. 33 → 51
h) Emergency exits must not lead to a higher security area.
3.2.2 Exterior Lighting
h) Emergency exits must not lead to a higher security area.
Removed
p. 34
Section 3 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
3.2.4 Exterior CCTV
Modified
p. 34 → 52
a) Exterior CCTV cameras must focus on all entrances and exits to the building, and capture legible images of all persons entering or leaving the facility.
a) Exterior CCTV cameras must focus on all entrances and exits to the building and capture legible images of all persons entering or leaving the facility.
Modified
p. 34 → 52
b) Cameras must be monitored in the security control room during operational hours.
3.2.5 Signage
Signage on the exterior of the building must neither indicate nor imply that the vendor processes card products.
b) Cameras must be monitored in the security control room during operational hours.
Modified
p. 34 → 53
b) The reception area must be contained within a mantrap.
b) The reception area must be within a mantrap.
Modified
p. 35 → 54
g) The electronic control points for operating this system must be located at the receptionist’s desk or in the security control room.
g) The electronic control points for operating this system must be located at the receptionist’s desk or in the security control room.
Modified
p. 35 → 55
h) If the control points for operating the external doors are located at the receptionist’s desk, the wall(s) separating the receptionist area from the reception room must be reinforced and fitted with a security window, i.e., a window of bullet-resistant transparent material containing a slot or device that allows the transfer of small packages and documents from the reception area to the receptionist or security guard.
h) If the control points for operating the external doors are located at the receptionist’s desk, the wall(s) separating the receptionist area from the reception room must be reinforced and fitted with a security window (i.e., a window of bullet-resistant transparent material containing a slot or device that allows the transfer of small packages and documents from the reception area to the receptionist or security guard).
Modified
p. 35 → 55
• A duress button that activates a silent alarm at a remote, central monitoring service or police station.
Modified
p. 35 → 55
j) If the receptionist area houses or acts as a security control room, the requirements as
j) If the receptionist area houses or acts as a security control room, the requirements as defined in Section 2.3.2, “Security Control Room,” must be met.
Modified
p. 35 → 56
k) Outside working hours, all security protection devices (including alarm activation and deactivation) must be monitored electronically by either an in-house security monitoring system or a private central monitoring company.
k) Outside working hours, all security protection devices (including alarm activation and deactivation) must be monitored electronically by either an in-house security monitoring system or a private central monitoring company.
Removed
p. 36
l) Employees may enter the facility through the main entrance area or through an employee-only entrance. The external entrance door of the building must not lead directly to the entrance of the HSA.
Modified
p. 36 → 57
Section 2 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Test Procedure | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
2.3.2 Security Control Room
This is the room housing the primary CCTV monitoring systems, intrusion, fire, and alarm-system control and access-control systems.
Modified
p. 36 → 57
a) Staff the room at all times while activity occurs in the HSA
a) Staff the room at all times while activity occurs in the HSA.
Modified
p. 36 → 57
b) Locate the security control room outside of the HSA to achieve the segregation of duties and independence between the guards and the HSA staff.
b) Locate the security control room outside of the HSA and cloud-based provisioning environment to achieve the segregation of duties and independence between the guards and the HSA staff.
Modified
p. 36 → 57
d) Protect the room by an internal motion detector.
d) Protect the room by an internal motion detector.
Modified
p. 36 → 58
f) Ensure that the software counter registering the in and out card transactions in the access-control system logs the card transactions at the end of an access cycle (activation of the card reader with the access card, opening and closing of the door).
f) Ensure that the software counter registering the in and out card transactions in the access-control system logs the card transactions at the end of an access cycle (activation of the card reader with the access card, opening and closing of the door).
Modified
p. 37 → 59
• An alarm is generated if movement is detected inside the room when the software counter is zero (nobody registered in the room).
Modified
p. 37 → 59
• An alarm is generated if no movement within fifteen or fewer minutes is detected inside the room when the software counter is equal or greater than one (at least one person registered inside the room).
Modified
p. 37 → 60
Test procedure: Observe to verify that the door is fitted with an automatic closing device.
Modified
p. 37 → 60
The opening of the door for more than 30 seconds must automatically activate a sound alarm. The access-control system must be programmed, whereby access is on a person- by-person basis and restricted to authorized personnel only. Person-by-person access may be fulfilled through a procedural control.
i) Fit the door with an automatic closing device. The opening of the door for more than 30 seconds must automatically activate a sound alarm. The access-control system must be programmed, whereby access is on a person-by-person basis (e.g., a full mantrap, turnstile, or similar that prevents more than one person entering at a time) and restricted to authorized personnel only. Person-by-person access may be fulfilled through a procedural control.
Modified
p. 37 → 60
k) Equip the security control room with two independent means of communication.
k) Equip the security control room with two independent means of communication.
Modified
p. 37 → 60
l) Ensure that the badge access-control monitor permanently displays the access card transactions on a real-time basis. Guards must be able to cross-check the access-control records with the CCTV images.
l) Ensure that the access-control monitor permanently displays the access transactions on a real-time basis. Guards must be able to cross-check the access-control records with the CCTV images.
Modified
p. 37 → 61
m) Train guards in the security control room in the effective use of badge access-control system and CCTV system facilities.
m) Train guards in the security control room in the effective use of the access-control system and CCTV system facility.
Removed
p. 38
q) Mechanisms must be in place to prevent observation of security equipment (e.g., CCTV monitors) inside the security control room, for example by covering all security control room windows with a one-way mirror film or other material preventing viewing from outside.
Modified
p. 38 → 61
n) Ensure that a security guard is assigned to watch all real-time CCTV images on the monitors.
n) Ensure that a security guard is assigned to watch real-time CCTV images on the monitors.
Modified
p. 38 → 62
r) Ensure all other windows within the security control room are protected by unbreakable glass or iron bars and are protected against intrusion by at least one of the following: burglar-resistant glass, glass-break detectors, or motion or magnetic contact detectors.
r) Ensure all other windows within the security control room are protected against intrusion by at least one of the following: iron bars, burglar-resistant glass, glass-break detectors, or motion detectors.
Modified
p. 38 → 62
t) Ensure that when the room is used for reception control, the conditions outlined in Section 2.3.1, “Reception,” apply.
Removed
p. 39
Card manufacturing; Chip embedding; Personalization
Modified
p. 39 → 63
Section 3 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
3.3.3 High Security Areas (HSAs)
3.3.3.1 Definition
Areas in production facilities where card products, components, or data are stored or processed are called high security areas. Only card production-related activities shall take place within the HSA.
Section 2 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Test Procedure | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
2.3.3 High Security Areas (HSAs)
Areas in a production facility where card products, components, or data are stored or processed are called high security areas. Only card production and provisioning-related activities shall take place within the HSA.
Modified
p. 39 → 63
b) Employees may only bring items related to card production activity into the HSA.
b) Card production staff may only bring items related to card production and provisioning activity into the HSA.
Modified
p. 39 → 64
c) If a facility performs multiple production activities (e.g., card manufacturing and personalization), these activities must be performed in separate areas within the HSA.
c) If a facility performs multiple production activities (e.g., card manufacturing and personalization), these activities must be performed in separate areas within the HSA.
Modified
p. 39 → 64
d) If these HSAs are within the same building, they must be contiguous.
d) With the exception of mobile provisioning, if multiple HSAs are within the same building, they must be contiguous.
Modified
p. 39 → 64
e) Equipment that is purely associated with test activities is not allowed in the HSA.
3.3.4 HSA Security Protection and Access Procedures
3.3.4.1 Access Control
e) Equipment that is purely associated with test activities is not allowed in the HSA.
Modified
p. 40 → 66
Always be connected to the computer that monitors and logs all staff and visitor movements.
• Always be connected to the computer that monitors and logs all staff and visitor movements.
Modified
p. 40 → 66
• Enforce person-by-person access.
Modified
p. 40 → 66
• Enforce dual presence. If the number of authorized card production staff is less than two for more than a minute, the alarm must be activated.
Modified
p. 40 → 66
c) The vendor must program the software access-control system, whereby access is on a person-by-person basis and restricted to authorized personnel.
c) The vendor must program the software access-control system, whereby access is on a person-by-person basis and restricted to authorized personnel.
Modified
p. 40 → 67
e) The HSA and all separate rooms within the HSA must be protected by internal motion detectors.
e) The HSA and all separate rooms within the HSA must be protected by internal motion detectors, even if no production occurs in the room.
Modified
p. 40 → 67
f) The motion detector must generate an alarm if movement is detected inside the HSA or rooms within the HSA when the access-control system indicates (e.g., the software counter is zero nobody registered in the room) the room is not occupied.
f) The motion detector must generate an alarm if movement is detected inside the HSA or rooms within the HSA when the access-control system indicates the room is not occupied (e.g., the software counter is zero, nobody registered in the room).
Modified
p. 40 → 68
g) The warning must be a local sound alarm and notification (silent alarm) within the security control room. Additionally, after working hours, a simultaneous alarm to the local external security company or local police must occur.
g) The warning must be a local sound alarm and notification (silent and/or audible alarm) within the security control room. Additionally, after working hours, a simultaneous alarm to the local external security company or local police must occur.
Modified
p. 41 → 68
h) No one is allowed to bring personal items (for example, packages, lunch containers, purses) or any electronic devices (including but not limited to mobile telephones, photo cameras, and PDAs), into the high security area. Medical items such as medications and tissues are acceptable if in clear containers that can be examined. No food or beverages are allowed.
h) No one is allowed to bring personal items (for example, packages, lunch containers, purses) or any electronic devices (including but not limited to mobile telephones, photo cameras, and PDAs) into the high security area. Medical items such as medications and tissues are acceptable if in clear containers that can be examined. No external food or beverages are allowed. Company may provide water stations with disposable bottles and cups. These must be brought in/out through the goods/tools trap and be …
Modified
p. 41 → 69
i) If the access-control server is not located in the security control room it must be located in a room of equivalent security. The access-control server cannot be located in the HSA.
i) If the access-control server is not located in the security control room, it must be located in a room of equivalent security. The access-control server cannot be located in the HSA but must be located in the same facility.
Modified
p. 41 → 69
b) Activation of the access device must be controlled by a card reader that enforces an anti-pass-back function.
b) Activation of the access device must be controlled by a card reader that enforces an anti-pass-back function.
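The occupancy rules scattered through this section (security control room item f and the two alarm bullets after it, the HSA access-control bullets on person-by-person access and dual presence, item f on motion detectors, the 30-second door-open alarm, and the anti-pass-back function above) all hang off one piece of state: the access-control system's software counter of who is registered inside. The simulation below is added here as an example and is not code from the template or from PCI SSC. It replays a constructed badge/door/motion event log against those rules. The event format, the alarm names and the decision to evaluate the time-based rules on a periodic "tick" are assumptions of the example; the thresholds (30 seconds, 15 minutes, one minute, counter at zero) are the ones the requirements state.

```python
"""Occupancy-counter, motion, dual-presence and anti-pass-back rules for one
controlled room. Added example; event format and alarm names are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DOOR_OPEN_LIMIT = 30          # door open longer than this (seconds) -> sound alarm
MOTION_IDLE_LIMIT = 15 * 60   # occupied but no movement for this long -> alarm
DUAL_PRESENCE_GRACE = 60      # fewer than two staff inside for longer than this -> alarm

Alarm = Tuple[int, str, str]  # (time, alarm kind, detail)


@dataclass
class Room:
    name: str
    authorized: Set[str]                            # badge IDs allowed through this door
    dual_presence: bool = False                     # True for HSA rooms
    inside: Set[str] = field(default_factory=set)   # the "software counter" is len(inside)
    door_opened_at: Optional[int] = None
    last_motion: Optional[int] = None
    single_since: Optional[int] = None
    single_alarmed: bool = False
    alarms: List[Alarm] = field(default_factory=list)

    @property
    def counter(self) -> int:
        return len(self.inside)

    def _alarm(self, t: int, kind: str, detail: str) -> None:
        self.alarms.append((t, kind, detail))

    def badge(self, t: int, badge_id: str, direction: str) -> bool:
        """In/out reader transaction; returns True if the door was released."""
        if badge_id not in self.authorized:
            self._alarm(t, "UNAUTHORIZED", f"{badge_id} tried to go {direction}")
            return False
        if direction == "in":
            if badge_id in self.inside:       # anti-pass-back: already registered inside
                self._alarm(t, "ANTI_PASSBACK", f"{badge_id} re-entry without exit")
                return False
            self.inside.add(badge_id)
        else:
            if badge_id not in self.inside:   # anti-pass-back: exit with no matching entry
                self._alarm(t, "ANTI_PASSBACK", f"{badge_id} exit without entry")
                return False
            self.inside.discard(badge_id)
        self.last_motion = t                  # someone was demonstrably at the door
        self._check_dual_presence(t)
        return True

    def door(self, t: int, state: str) -> None:
        self.door_opened_at = t if state == "open" else None

    def motion(self, t: int) -> None:
        if self.counter == 0:                 # movement while nobody is registered inside
            self._alarm(t, "MOTION_EMPTY", "movement detected with counter at zero")
        self.last_motion = t

    def tick(self, t: int) -> None:
        """Periodic evaluation of the time-based rules (assumed polling design)."""
        if self.door_opened_at is not None and t - self.door_opened_at > DOOR_OPEN_LIMIT:
            self._alarm(t, "DOOR_HELD_OPEN", f"open for {t - self.door_opened_at}s")
            self.door_opened_at = None        # alarm once per opening
        if (self.counter >= 1 and self.last_motion is not None
                and t - self.last_motion > MOTION_IDLE_LIMIT):
            self._alarm(t, "NO_MOTION_OCCUPIED", f"{self.counter} registered inside, no movement")
            self.last_motion = t
        self._check_dual_presence(t)

    def _check_dual_presence(self, t: int) -> None:
        if not self.dual_presence:
            return
        if 0 < self.counter < 2:              # occupied, but by fewer than two staff
            if self.single_since is None:
                self.single_since = t
            elif not self.single_alarmed and t - self.single_since > DUAL_PRESENCE_GRACE:
                self._alarm(t, "DUAL_PRESENCE", f"{self.counter} staff inside for >{DUAL_PRESENCE_GRACE}s")
                self.single_alarmed = True
        else:                                 # empty, or at least two inside: reset the timer
            self.single_since = None
            self.single_alarmed = False


def replay(room: Room, events) -> List[Alarm]:
    """Feed (time, kind, *args) events in time order; kind is badge/door/motion/tick."""
    for t, kind, *args in events:
        if kind == "badge":
            room.badge(t, *args)
        elif kind == "door":
            room.door(t, *args)
        elif kind == "motion":
            room.motion(t)
        elif kind == "tick":
            room.tick(t)
        else:
            raise ValueError(f"unknown event {kind!r}")
    return room.alarms


def demo() -> List[Alarm]:
    """Constructed event log for one HSA room (badges A1-A3 authorized, V9 not)."""
    room = Room("HSA-personalization", authorized={"A1", "A2", "A3"}, dual_presence=True)
    events = [
        (0, "badge", "A1", "in"), (5, "door", "open"), (20, "door", "closed"),
        (30, "badge", "A2", "in"),
        (40, "badge", "A2", "in"),          # A2 already inside -> anti-pass-back
        (50, "badge", "V9", "in"),          # unknown badge
        (60, "door", "open"), (100, "tick"), (100, "door", "closed"),   # held open 40 s
        (200, "badge", "A1", "out"),        # only A2 left inside
        (270, "tick"),                      # alone for 70 s -> dual presence
        (300, "badge", "A2", "out"),        # counter back to zero
        (310, "motion"),                    # movement in an "empty" room
        (400, "badge", "A3", "in"), (420, "badge", "A1", "in"),
        (1400, "tick"),                     # two inside, no movement for 980 s
    ]
    return replay(room, events)


if __name__ == "__main__":
    for t, kind, detail in demo():
        print(f"t={t:5d}  {kind:<18} {detail}")
```

Running the constructed log yields six alarms, one per rule. The point worth noticing is that a rejected badge transaction never changes the counter: if anti-pass-back did not refuse the second "in" for A2, the counter would read three with two people present, and the "movement with counter at zero" and "no movement while occupied" rules would silently stop meaning anything.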
Modified
p. 41 → 70
a) All materials required for production must be transferred to the HSA through either a goods-tools trap or the shipping and delivery area.
a) All physical materials required for production must be transferred to the HSA through either a goods-tools trap or the shipping and delivery area.
Modified
p. 41 → 70
b) A goods-tools trap may be used to transfer materials between different areas within the HSA.
b) A goods-tools trap or a shipping and delivery area must be used to transfer physical materials between different HSAs within the same facility.
Removed
p. 42
e) The entire HSA must be covered by CCTV as
Modified
p. 42 → 70
a) Unbreakable glass or iron bars must protect all non-opening windows in HSAs
a) Bullet-resistant (e.g., UL 752) glass or iron bars must protect all windows in HSAs that are on an exterior wall or door of the building.
Modified
p. 42 → 70
b) It must not be possible to view activities in the HSA from the exterior of the building (e.g., by use of opaque or non-transparent glass).
b) It must not be possible to view activities in the HSA from the exterior of the building (e.g., by use of opaque or non-transparent glass).
Modified
p. 42 → 71
Section 3 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
3.3.4.4 Security Controls
Section 2 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Test Procedure | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
Modified
p. 42 → 71
c) Walls and ceilings must be constructed around the HSA consistent with the enforcement of dual presence e.g., prevention of access via false ceilings or raised floors.
c) Walls and ceilings must be constructed around the HSA consistent with the enforcement of dual presence (e.g., prevention of access via false ceilings or raised floors).
Modified
p. 42 → 71
d) All access points (e.g., electrical conduits, opening windows and ventilation shafts) in HSAs must have physical barriers; and opening windows must additionally be fitted with contact monitors to prevent card components from being passed through the windows.
d) All access points (e.g., electrical conduits, opening windows, and ventilation shafts) in HSAs must have physical barriers.
Modified
p. 42 → 72
g) All doors and gates to these areas must be contact monitored and fitted with automatic closing or locking devices and audible alarms that sound if the door or gate remains open for more than 30 seconds.
Modified
p. 42 → 72
h) All doors must be fitted with an in and out card reader access system plus an anti-pass-back function connected to a computer that records all movements.
Modified
p. 42 → 72
i) Doors must not open directly to the building’s exterior unless they are alarmed emergency exit doors.
Removed
p. 43
3.3.5 Rooms
Modified
p. 43 → 73
a) Whenever any room within the HSA is occupied, it must contain a minimum of two authorized card production staff. This must be enforced by the access- control system.
Modified
p. 43 → 73
a) Separate rooms within the HSA must meet all of the above requirements with the exception of person-by-person access.
a) Separate rooms within the HSA must meet all of the HSA requirements with the exception of person-by-person access.
Modified
p. 43 → 74
Within the HSA, the following separate rooms may exist:
Modified
p. 43 → 74
a) The pre-press process must be performed in a separate room within the HSA.
a) The pre-press process must be performed in a separate room within the HSA.
Removed
p. 44
3.3.5.4 PIN Mailer Production Room
Modified
p. 44 → 75
a) Destruction of card product and component waste must take place in a separate room(s) within the HSA that is dedicated for destruction.
Modified
p. 44 → 76
a) PIN mailer production must be performed in a separate room within the HSA.
a) PIN mailer production must be performed in a separate room within the HSA.
Removed
p. 45
d) PIN mailers must be mailed as defined in
j) All waste material from the PIN printing process must be destroyed as defined in Section
Modified
p. 45 → 76
b) Employees involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards.
b) Card production staff involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards. Individuals may perform other non-personalization activities in addition to PIN printing, except for those that give access to cardholder data such as data administration, packaging, or mailing activities.
Modified
p. 45 → 77
d) PIN mailers must be printed in such a way that the plaintext PIN cannot be observed until the envelope is opened. The envelope must display the minimum data necessary to deliver the PIN mailer to the correct customer. PIN mailers must be tamper-evident so that it is highly likely that accidental or fraudulent opening will be obvious to the customer.
Modified
p. 45 → 77
f) No activity other than PIN mailer production may take place in the room.
Modified
p. 45 → 77
g) All re-runs of jobs to print PINs must be pre-approved in writing by management.
Modified
p. 45 → 77
h) Reports and PIN mailers must not display printed PIN data in the clear.
Modified
p. 45 → 78
i) PIN mailers must not contain the associated cardholder account number.
Modified
p. 45 → 78
j) PIN mailers must be stored in the vault or the PIN printing room prior to shipment.
Removed
p. 46
3.3.5.6 Vault
The vault is the primary security area in the vendor facility.
• Cards awaiting personalization
• Security components
• Materials awaiting destruction
• Samples and test cards prior to distribution and after return
• Any card that is personalized with production
• If the facility is closed, personalized cards that will not be shipped within the same working day.
• Products awaiting return to the supplier.
Modified
p. 46 → 76
Section 3 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
3.3.5.5 Server Room & Key Management Room
Section 2 (table header: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Test Procedure | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)
2.3.5.4 PIN Mailer Production Room
Modified
p. 46 → 78
a) Server processing and key management must be performed in a separate room within the personalization HSA. Data preparation must occur here. Server processing and key management may occur in the same room or each in a separate room.
a) Server processing and key management must be performed in a separate room within the personalization HSA. Data preparation must occur here. Server processing and key management may occur in the same room or each in a separate room.
Modified
p. 46 → 79
e) The camera must not have zoom or scanning functionality and must not be positioned in such a manner as to allow observation of keystroke entry or the monitoring of the screen.
Modified
p. 47 → 81
b) Vaults must be constructed of reinforced concrete (minimum 15 centimeters or 6 inches) or at least meet the Underwriters Laboratories Class I Burglary Certification Standard, which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces, i.e., vault doors, walls, floors and ceilings.
b) Vaults must be constructed of reinforced concrete (minimum 15 centimeters or 6 inches) or at least meet the Underwriters Laboratories Class 1 Burglary Certification Standard (e.g., UL 608 or the European Standard for Secure Storage Units, EN 1143-1 class 6), which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces, i.e., vault doors, walls, floors, and ceilings.
Modified
p. 47 → 81
i. An outside wall of the building must not be used as a wall of the vault.
i. An outside wall of the building must not be used as a wall of the vault.
Modified
p. 47 → 81
ii. If the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., via motion sensors
ii. If the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion (e.g., via motion sensors).
Modified
p. 47 → 81
iii. No windows are permitted.
iii. No windows are permitted. Test procedure: Observe to verify that no windows are in the vault.
Modified
p. 47 → 82
iv. There must be no access to the vault except through the vault doors and gate configurations meeting these requirements. The vault must be protected with sufficient number of shock detectors to provide full coverage of the walls, ceiling, and floor.
iv. There must be no access to the vault except through the vault doors and gate configurations meeting these requirements. The vault must be protected with a sufficient number of intruder-detection devices that provide an early attack indication
Modified
p. 47 → 82
v. The vault must be fitted with a main steel-reinforced door with a double mechanical or logical dual-locking mechanism that requires physical and simultaneous dual-control access. The access mechanism requires that access occurs under dual control and does not allow entry by a single individual, i.e., it is not feasible for a single individual to use credentials belonging to someone else to simulate dual access.
v. The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical, e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access. The access mechanism requires that access occurs under dual control and does not allow entry by a single individual, i.e., it is not feasible for a single individual to use credentials belonging to someone else to simulate dual access.
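The dual-control door check in item v, as an added example rather than anything from the template or from PCI SSC: two credential presentations must come from two distinct enrolled persons and be near-simultaneous. The 10-second simultaneity window, and the rule that at least one of the two factors must be something that cannot be handed over (a biometric rather than a combination or a card), are assumptions of this example; they are one way to make the "cannot use credentials belonging to someone else" clause testable rather than a matter of trust.

```python
"""Dual-control release check for a vault door. Added example; the window
and the 'at least one non-lendable factor' rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

SIMULTANEITY_WINDOW = 10            # seconds; assumed meaning of "simultaneous"
LENDABLE = {"combination", "card"}  # factors one person can hold two of


@dataclass(frozen=True)
class Presentation:
    t: int          # time the credential was presented
    person: str     # enrolled identity the credential is bound to
    factor: str     # "combination", "card" or "biometric"


def dual_control_open(p1: Presentation, p2: Presentation, enrolled: Set[str]) -> Tuple[bool, str]:
    """Release only when two distinct enrolled persons present credentials at
    the same time and the pair could not have been produced by one person."""
    for p in (p1, p2):
        if p.person not in enrolled:
            return False, f"{p.person} not enrolled for vault access"
    if p1.person == p2.person:
        return False, "both credentials belong to the same person"
    if abs(p1.t - p2.t) > SIMULTANEITY_WINDOW:
        return False, "presentations not simultaneous"
    if p1.factor in LENDABLE and p2.factor in LENDABLE:
        # a combination plus a borrowed card proves nothing about a second person
        return False, "two lendable credentials; second person not proven present"
    return True, "released under dual control"


def demo() -> Dict[str, bool]:
    """Constructed cases: alice and bob are enrolled, mallory is not."""
    enrolled = {"alice", "bob"}
    cases = {
        "ok":          (Presentation(0, "alice", "combination"), Presentation(4, "bob", "biometric")),
        "same_person": (Presentation(0, "alice", "combination"), Presentation(2, "alice", "biometric")),
        "late":        (Presentation(0, "alice", "combination"), Presentation(60, "bob", "biometric")),
        "borrowed":    (Presentation(0, "alice", "combination"), Presentation(3, "bob", "card")),
        "stranger":    (Presentation(0, "alice", "combination"), Presentation(3, "mallory", "biometric")),
    }
    return {name: dual_control_open(a, b, enrolled)[0] for name, (a, b) in cases.items()}


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:<12} {'GRANTED' if granted else 'denied'}")
```

The "borrowed" case is the one the requirement is really about: both credentials are valid and belong to two different enrolled people, but nothing in a combination-plus-card pair demonstrates that the second person is standing at the door.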
Removed
p. 48
f) Every un-badged access to the vault must be recorded in a log. Logs may be electronic and/or manual.
Modified
p. 48 → 84
f) Emergency exit doors from the vault to the HSA must meet the strength requirements for a vault door, must be alarmed and not capable of being opened from outside, and must conform to the requirements for emergency exits.
Modified
p. 48 → 84
g) Card components being taken in or out must be recorded in a vault log and confirmed by at least two card production staff.
Modified
p. 48 → 84
Test procedure: Examine a sample of the logs to verify that they are retained for the longer of five years or the oldest card in the vault.
Modified
p. 49 → 84
i) If the vault also is used to store non-payment products, it must be physically segregated (e.g., stored on dedicated aisles or shelves) to create a physical separation between payment products and other card types.
Modified
p. 49 → 85
j) All boxes with payment cards must have a label, visibly attached, describing the product type, a unique product identifier number, the quantity of cards contained in the box and the date of control.
Modified
p. 50 → 86
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.3.6 Other Areas 3.3.6.1 Goods-tools Traps Goods-tools trap configuration options are as follows:
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.3.6 Other Areas 2.3.6.1 Goods-tools Traps Goods-tools trap configuration options are as follows:
Modified
p. 50 → 87
The goods-tools trap is composed of a unique, closed, solid construction room (goods transfer room) and two doors (inner and external) minimizing the physical contact between the individuals collecting or delivering materials and the HSA staff.
Modified
p. 50 → 87
The movement detector is deactivated when someone swipes the access card in the card reader.
• The movement detector is deactivated when someone swipes the access card in the card reader.
Modified
p. 50 → 87
The person opens the door, introduces the package, and closes the door.
• The person opens the door, introduces the package, and closes the door.
Modified
p. 50 → 87
The movement detector is reactivated automatically, so any person inside the goods-tools trap is detected. If someone is detected, the cycle cannot be completed, and the other goods-tools trap door cannot be opened to take the package back.
• The movement detector is reactivated automatically, so any person inside the goods-tools trap is detected. If someone is detected, the cycle cannot be completed, and the other goods-tools trap door cannot be opened to take the package back.
Modified
p. 50 → 87
If no motion is detected in the trap, and the first door has been closed, the second door in the HSA can be opened for someone to take the package.
• If no motion is detected in the trap, and the first door has been closed, the second door in the HSA can be opened for someone to take the package.
Modified
p. 50 → 88
• In this configuration, the goods-tools trap is composed of two consecutive rooms, similar to the classical shipping and delivery room configuration.
Modified
p. 50 → 88
Security requirements, protection devices, and access procedures are the same as for the standard shipping and delivering area configuration, as defined below.
• Security requirements, protection devices, and access procedures are the same as for the standard shipping and delivering area configuration, as defined below.
Removed
p. 51
d) One of the rooms in the shipping area must contain a security window that allows the exchange of control documents.
e) The inner shipping/delivery area door must be protected by an in and out access-control system that monitors the movement of individuals.
Modified
p. 51 → 88
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.3.6.2 Shipping and Delivery Areas
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 51 → 88
a) To facilitate the shipment and delivery of card components, the loading/unloading area must be composed of at least two consecutive enclosed rooms and three doors (external, intermediate, and inner), which minimizes physical contact between the individuals collecting or delivering materials and the shipment/delivery employees and card production staff.
a) To facilitate the shipment and delivery of card components, the loading/unloading area must be composed of at least two consecutive enclosed rooms and three doors (external, intermediate, and inner), which minimizes physical contact between the individuals collecting or delivering materials and the shipment/delivery card production staff.
Modified
p. 52 → 91
h) To liberate a person detected inside the room and stop the alarm, the software monitoring the access-control system must only allow the opening of the last activated door. A logical (software) and physical (alarm report book) log of the event must permanently be kept.
h) To liberate a person detected inside the room and stop the alarm, the software monitoring the access-control system must only allow the opening of the last activated door. Either a logical (software) or physical (alarm report book) log of the event must be kept for at least two years.
Modified
p. 52 → 92
i) The vendor must install CCTV cameras and orient the cameras to cover the external and inner access doors to the shipping and delivery areas, and capture all activities during shipping and delivery operations.
i) The vendor must install CCTV cameras and orient the cameras to cover the external and inner access doors to the shipping and delivery areas and capture all activities during shipping and delivery operations.
Modified
p. 52 → 92
• One external CCTV camera covering the external shipping and delivery area door and its environment
• Two CCTV cameras inside the outer room covering all sides of the vehicle
• One CCTV camera inside the inner room covering the shipping and delivery operations
• One external CCTV camera covering the external shipping and delivery area door and its environment
Modified
p. 53 → 93
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.4 Internal Security 3.4.1 Alarm Systems
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4 Internal Security 2.4.1 Alarm Systems
Modified
p. 53 → 93
c) The system must notify the vendor in real time in the event the backup system is invoked.
c) The system must notify the vendor in real time in the event the backup system is invoked.
Modified
p. 53 → 94
i. A specific procedure must be established to ensure quick corrective action in case an alarm is not activated in accordance with pre-arranged alarm time settings.
i. A specific procedure must be established to ensure quick corrective action in case an alarm is not activated in accordance with pre-arranged alarm time settings.
Modified
p. 53 → 95
ii. Alarm activation and deactivation codes must be known only by the employees authorized to use them.
ii. Alarm activation and deactivation codes must be known only by guards or security team members authorized to use them.
Modified
p. 53 → 95
iv. Guards and card production staff must follow these procedures in case of alarm system activation. These procedures must be clearly described and included in the internal security procedures manual.
Removed
p. 54
3.4.2 Badge Access System
3.4.2.1 Activity Reports
• Card reader
• Card reader status
• Card identification
• Date and time of access
• Access attempts results
• Unauthorized attempts
• Anti-pass-back violation and corrective actions taken
• Badge access system changes describing:
ii. The reasons for the change, and
iii. The person who made the change.
Modified
p. 54 → 96
e) Access contacts and motion detectors must be activated in zones where no staff are present (e.g., vault, storage, production areas, shipping and delivery areas).
e) Access contacts and motion detectors must be activated in zones where no staff are present (e.g., vault, storage, production areas, shipping and delivery areas).
Modified
p. 54 → 100
b) Access-control systems that allow entry into restricted areas must have a backup electrical power source capable of maintaining the system for 48 hours.
Modified
p. 54 → 100
c) Contingency plans must exist for securing card components in the event of an outage greater than 48 hours.
Modified
p. 54 → 101
a) All procedures for badge access must be documented and kept current.
a) All procedures for access control must be documented and kept current.
Modified
p. 54 → 101
b) The badge access system must log sufficient information to produce the daily card activity reports detailed below:
b) The access-control system must log sufficient information to produce the daily card activity reports detailed below:
Modified
p. 54 → 101
• Date and time of access
Modified
p. 54 → 101
c) The security manager must review these reports weekly.
c) The physical security manager must review these reports weekly.
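The activity-report fields above (card reader, reader status, card identification, date and time, attempt result, unauthorized attempts, anti-pass-back violations) are what the weekly review is built on. As an added example, not part of either version of the template, the following Python produces that daily report from badge-access log lines. The log format, the READERS table mapping reader IDs to zones and directions, and the sample lines are constructed assumptions; the anti-pass-back rule is the usual one: a card granted entry to a zone it has not left, or exit from a zone it never entered, is a violation.

```python
"""Daily badge-activity report with anti-pass-back detection (added example).

Assumptions (not from the PCI CP template): one event per line with the fields
timestamp, reader id, reader status, card id, result; a static READERS table
giving each reader's zone and direction.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical reader table: reader id -> (zone, direction).
READERS = {
    "VAULT-IN": ("VAULT", "IN"),
    "VAULT-OUT": ("VAULT", "OUT"),
    "WIP-IN": ("WIP", "IN"),
    "WIP-OUT": ("WIP", "OUT"),
    "SHIP-IN": ("SHIPPING", "IN"),
    "SHIP-OUT": ("SHIPPING", "OUT"),
}

# Constructed sample log for one day (timestamp reader status card result).
# C1001 badges into the vault twice without leaving, then badges out twice;
# C2005 and C3009 are refused; VAULT-OUT reports OFFLINE on one event.
SAMPLE_LOG = """\
2024-03-04T07:58:12 VAULT-IN ONLINE C1001 GRANTED
2024-03-04T07:58:40 VAULT-IN ONLINE C1002 GRANTED
2024-03-04T08:15:03 VAULT-IN ONLINE C1001 GRANTED
2024-03-04T08:30:55 WIP-IN ONLINE C2005 DENIED
2024-03-04T08:31:10 WIP-IN ONLINE C2005 DENIED
2024-03-04T09:02:44 VAULT-OUT ONLINE C1002 GRANTED
2024-03-04T09:03:01 VAULT-OUT ONLINE C1001 GRANTED
2024-03-04T09:10:00 VAULT-OUT OFFLINE C1001 GRANTED
2024-03-04T11:45:21 SHIP-IN ONLINE C3009 DENIED
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    reader: str
    status: str
    card: str
    result: str


def parse_log(text):
    """Parse the assumed log format; unknown readers are rejected, not ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, status, card, result = line.split()
        if reader not in READERS:
            raise ValueError(f"unknown reader {reader!r}")
        events.append(Event(datetime.fromisoformat(ts), reader, status, card, result))
    return sorted(events, key=lambda e: e.when)


def daily_report(events):
    """Build the report fields the template lists from one day's events."""
    per_reader = Counter()
    reader_status = defaultdict(set)
    unauthorized = []  # (timestamp, reader, card) for every non-granted attempt
    violations = []    # (timestamp, card, zone, reason) for anti-pass-back breaches
    inside = {}        # (card, zone) -> True while the card is inside that zone

    for e in events:
        zone, direction = READERS[e.reader]
        per_reader[e.reader] += 1
        reader_status[e.reader].add(e.status)
        if e.result != "GRANTED":
            unauthorized.append((e.when.isoformat(), e.reader, e.card))
            continue  # a refused attempt does not change the card's location
        key = (e.card, zone)
        was_inside = inside.get(key, False)
        if direction == "IN" and was_inside:
            violations.append((e.when.isoformat(), e.card, zone, "entry without prior exit"))
        elif direction == "OUT" and not was_inside:
            violations.append((e.when.isoformat(), e.card, zone, "exit without prior entry"))
        inside[key] = direction == "IN"

    # Cards refused more than once in the day deserve follow-up in the review.
    denied_per_card = Counter(card for _, _, card in unauthorized)
    return {
        "events": len(events),
        "per_reader": dict(per_reader),
        "reader_status": {r: sorted(s) for r, s in reader_status.items()},
        "unauthorized_attempts": unauthorized,
        "repeated_unauthorized_cards": sorted(c for c, n in denied_per_card.items() if n >= 2),
        "anti_passback_violations": violations,
        "degraded_readers": sorted(r for r, s in reader_status.items() if "OFFLINE" in s),
    }


if __name__ == "__main__":
    for field, value in daily_report(parse_log(SAMPLE_LOG)).items():
        print(f"{field}: {value}")
```

The per-zone state is keyed on (card, zone) so that a card can legitimately be inside the HSA and the vault at once; the "corrective actions taken" column of the template is a manual entry that the report leaves for the reviewer.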
Removed
p. 55
g) Systems administration (this does not include badge administration) must follow the requirements for remote access if performed remotely. Vendor facilities that are not subject to logical security audits must confirm in writing that the following requirements are met:
Modified
p. 55 → 102
d) The badge access system audit trail must be maintained for at least three months.
3.4.2.2 System Administration: The vendor must ensure that:
d) The access-control system audit trail must be maintained for at least three months.
Modified
p. 55 → 102
a) Each badge access system administrator uses his or her own user ID and password.
a) Each access-control system administrator uses his or her own user ID and password.
Modified
p. 55 → 102
b) Passwords are changed at least every 90 days.
b) Passwords are changed at least every 90 days.
Modified
p. 55 → 102
c) User IDs and passwords are assigned to the security manager and authorized personnel.
c) User IDs and passwords are assigned to the physical security manager and authorized personnel, who must be employees.
Modified
p. 55 → 103
Examine a sample of logs to verify the physical security manager and other authorized personnel are the only individuals who modified the access-control system controls.
Modified
p. 55 → 103
e) At the end of each session, the individual who initiated the session must log off the system.
e) At the end of each session, the individual who initiated the session must log off the system.
Modified
p. 55 → 103
f) All changes to card production and security-relevant systems are recorded and reviewed monthly by a senior manager who is not the individual initially involved in changing the system.
f) All changes to card production, provisioning, and security-relevant systems are recorded and reviewed monthly by a senior manager who is not the individual initially involved in changing the system.
Modified
p. 55 → 104
g) Access-control systems are physically and logically isolated on a dedicated network from the main office network.
Modified
p. 55 → 104
a) Offsite access to the access-control system is not permitted.
Modified
p. 55 → 104
b) Access-control system data must be backed up on a weekly basis.
Removed
p. 56
• Time and date when the duress button was
• Time taken by the remote central monitoring service to respond
• Time taken by the police or other help to respond/arrive on site
• Chronology of all related activities, including names of personnel involved
• Reason for activating alarm
3.4.3.3 Testing: All duress buttons must be tested and the results documented on a quarterly basis.
Modified
p. 56 → 105
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.4.3 Duress Buttons 3.4.3.1 Location Duress buttons must be located in the following areas:
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.4 Duress Buttons 2.4.4.1 Location Duress buttons must be located in the following areas:
Modified
p. 56 → 105
b) Security control room
Modified
p. 56 → 105
c) The vault
Modified
p. 56 → 105
d) Shipping and delivery area
Modified
p. 56 → 105
e) Every card production staff entrance
2.4.4.2 Activation
Modified
p. 56 → 105
a) When a duress button is activated, a warning or emergency signal must be sent to an on-site security control room, a remote central monitoring station, or the local police station.
a) When a duress button is activated, a warning or emergency signal must be sent to an on-site security control room, a remote central monitoring station, or the local police station. The anticipated initial response (i.e., event verification)
Modified
p. 56 → 105
The anticipated initial response (i.e., event verification) must be within two minutes.
• The anticipated initial response (i.e., event verification) is within two minutes.
Removed
p. 57
• Key identification number
• Date and time the key is issued (transfer of responsibility)
• Name and signature of the employee issuing
• Name and signature of the authorized
• Date and time the key is returned (transfer of responsibility)
• Name and signature of the authorized individual returning the key
• Name and signature of the employee receiving the key
Modified
p. 57 → 107
b) Card production staff who are issued keys must sign a consent form indicating they received such keys and that they will ensure that the key(s) entrusted to them cannot be accessed by unauthorized individuals.
Modified
p. 57 → 107
c) All unissued keys, master keys, and duplicate keys must be maintained under dual control in a safe or secure cabinet.
Modified
p. 57 → 108
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.4.4 Locks and Keys 3.4.4.1 Key Receipt and Return to a restricted area, including those inside the HSA.
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 57 → 108
d) Any transfer of responsibility between the staff issuing the key and the key recipient must be recorded in a specific key logbook.
Modified
p. 57 → 108
a) The key logbook must have consecutive, pre-numbered, bound pages and must contain at least the following information:
a) The key logbook must have consecutive, pre-numbered, bound pages and must contain at least the following information:
Removed
p. 58
• The key logbook
• The list of employees authorized to hold
• The locks each key operates
3.4.5 Closed Circuit Television (CCTV) 3.4.5.1 CCTV Cameras
Modified
p. 58 → 109
c) For keys that allow access to sensitive materials, the security manager must conduct a quarterly review of:
c) For keys that allow access to sensitive materials, the physical security manager must conduct a quarterly review of:
Modified
p. 58 → 110
d) The security manager must sign and date each of the key control documents, attesting that the review process was completed.
d) The physical security manager must sign and date each of the key-control documents, attesting that the review process was completed.
Modified
p. 58 → 110
a) The physical security manager and executive managers are the only employees authorized to possess master or overriding keys to restricted areas.
Modified
p. 58 → 110
a) Combinations for any combination locks where a combination holder had access must be changed when a combination holder is removed from the list of authorized combination holders.
Modified
p. 58 → 111
b) All CCTV cameras must be tested, and the images displayed by the monitors checked for clear visibility at least monthly. The vendor must maintain a record of such testing on file for a minimum of two years.
Removed
p. 59
3.4.5.2 Monitor, Camera, and Digital Recorder Requirements
Modified
p. 59 → 112
c) In case of CCTV disconnection, the “video loss” notification displayed by the monitors located in the security control room must be accompanied by a sound alarm.
Modified
p. 59 → 112
d) Both the digital recording and access-control systems must be synchronized with real time. The synchronization of the systems must be within two seconds of one another.
Modified
p. 59 → 112
e) The recording system must be able to replay any recorded sequence without stopping the normal recording operation.
Modified
p. 59 → 112
f) CCTV cameras in server rooms and PIN-mailer rooms must not contain (or must have disabled) zoom or scanning functionality.
Modified
p. 59 → 113
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
Modified
p. 59 → 113
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activation. The recording must continue for at least 10 seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activation. The recording must capture any motion at least five seconds before and after the detected motion.
Removed
p. 60
d) CCTV cameras must be connected at all
• Monitors located in the control room
• An alarm system that will generate an alarm if the CCTV is disrupted
• An active image-recording device
3.4.5.3 View Requirements
Modified
p. 60 → 114
b) The recording must capture sufficient images to identify the individual (e.g., head and shoulders view) as well as the activity being performed.
b) The recording must capture sufficient images to identify the individual (e.g., head and shoulders view) as well as the activity being performed.
Modified
p. 60 → 115
b) The backup recording must be stored in a separate, secure location within the facility and must ensure segregation of duties between the users and administrators of the system. Backups may also be stored in other facilities via techniques such as disk mirroring, provided the storage is secure in accordance with these requirements.
b) The backup recording or mirror image must be stored in a separate, secure location within the facility and must ensure segregation of duties between the users and administrators of the system. Backups may also be stored in other approved facilities of the card vendor via techniques such as disk mirroring, provided the storage is secure in accordance with these requirements. An approved facility is one evaluated as compliant to these requirements and is participating in the applicable card brand …
Removed
p. 61
• Alarm system
• Access-control system
• Window and door contacts
• Glass-break detectors
• Emergency door alarms
• Passive infrared detectors
• Microwave sensors
• CCTV monitors
• CCTV image recorders
Modified
p. 61 → 116
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.4.6 Security Device Inspections 3.4.6.1 Semi-Annual Inspections
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.4.7 Security Device Inspections 2.4.7.1 Semi-Annual Inspections
Modified
p. 61 → 116
a) A semi-annual inspection must be conducted on all security devices and hardware including but not limited to:
a) A semi-annual inspection and testing must be conducted on all security devices and hardware including but not limited to:
Modified
p. 61 → 116
c) A copy of the inspection reports must be retained for at least 18 months.
3.4.6.2 Battery Testing
c) A copy of the inspection reports must be retained for at least 18 months. This inspection report must list all devices within the Security Systems installed on site, the inspection conducted, results of the test, and evidence of any remediation required.
Modified
p. 61 → 117
a) Batteries used in local alarms must be tested at minimum monthly and replaced annually (or in accordance with technical specifications provided by the supplier, if testing is more frequent).
a) Batteries used in local alarms must be tested at least monthly. Batteries must be replaced annually or in accordance with technical specifications provided by the manufacturer or if failing testing.
Modified
p. 61 → 117
b) Evidence (logs) must be retained for this testing for at least 18 months.
b) Evidence (logs) must be retained for this testing for at least 18 months.
Modified
p. 62 → 118
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.1 Order Limitations
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 62 → 119
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.5 Vendor Business Contingency Plan The vendor must have a written contingency plan to guarantee that an acceptable level of security for card components, products, and data is maintained in case of critical business interruption.
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.1 Order Limitations
Modified
p. 62 → 119
Section 4: Production Procedures and Audit Trails
Section 3: Production Procedures and Audit Trails
Modified
p. 62 → 119
a) The vendor must only produce card products or components in response to a specific, signed order from a representative of the payment
a) The vendor must only manufacture card products or components in response to a specific, signed order from a representative of the payment brand, issuer, or issuer’s authorized agent.
Modified
p. 62 → 119
c) If a function normally associated with card production is subcontracted, the vendor must obtain authorization from the VPA and the issuer.
c) If a function normally associated with card production or provisioning is subcontracted, the vendor must obtain authorization from the VPA and the issuer.
Removed
p. 63
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.2 Card Design Approvals 4.2.1 Proof Submission The vendor must follow submission procedures mandated by the appropriate payment brand to receive approval for the card design in order to payment brand standards.
Modified
p. 63 → 120
a) The vendor must proceed with card manufacturing only after the submission has been approved.
Modified
p. 63 → 120
a) All records of approval for the job from the applicable payment brand
a) All records of approval for the job from the applicable payment brand. Test procedure: Examine a sample of order documentation to verify all payment brand job-approval records have been retained.
Modified
p. 63 → 121
b) A sample of the partially processed product or component
b) A sample of the partially processed product or component. Test procedure: Examine a sample of production run retentions to verify they include partially processed products or components.
Modified
p. 63 → 121
c) A portion of a printed sheet
c) A portion of a printed sheet. Test procedure: Examine a sample of production run retentions to verify they each include a portion of a printed sheet.
Modified
p. 63 → 121
d) Documentation indicating the source, quantities, and the distribution of each product received from an external company
d) Documentation indicating the source, quantities, and the distribution of each product received from an external company. Test procedure: Examine a sample of production run retentions to verify they include documentation of each product received from an external company.
Modified
p. 63 → 121
e) All samples visually voided and functionally inoperable
4.3.2 Required Samples: When requested by the payment brand, the vendor must send samples of the finished cards or components from each production run before shipping the finished card products. These samples must be functionally inoperative, and it must be visible that they are not live cards.
e) All samples visually voided and functionally inoperable. Test procedure: Examine a sample of production run retentions to verify their inoperability and void markings.
Modified
p. 64 → 122
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.4 Origination Materials and Printing Plates Access and Inventory
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.4 Origination Materials and Printing Plates: Access and Inventory
Modified
p. 64 → 123
• Signature of the pre-press staff delivering or collecting the printing films
• Job number identification and description of item(s) to be transferred
• Signature of the card printing staff collecting or delivering the printing films
• Quantity of item(s) transferred (number of films, front and reverse)
• Date and time of transfer
• Signature of the pre-press staff delivering or collecting the printing films
• Job number identification and description of item(s) to be transferred
• Signature of the card printing staff collecting or delivering the printing films
• Quantity of item(s) transferred (number of films, front and reverse)
• Date and time of transfer
Test procedure: Examine a sample of completed audit sheets to verify proper completion to include:
• Signature of the pre-press staff delivering or collecting the printing films
• Job number …
Modified
p. 64 → 123
e) The vendor must audit this inventory quarterly.
e) The vendor must audit this inventory quarterly.
Removed
p. 65
• Good sheets
• Rejected sheets
• Set-up sheets
• Quality control sheets
• Unused core sheets
Modified
p. 65 → 124
a) Access to unbundled core sheets must be restricted at all times.
a) Access to unbundled core sheets must be restricted at all times.
Modified
p. 65 → 124
b) Core sheets must be allocated for production use under a materials/production regimen.
4.5.1.2 Partially or Fully Printed Sheets
b) Core sheets must be allocated for production use under a materials/production regimen.
Modified
p. 65 → 125
a) When partially or fully printed sheets are stored outside the vault for more than one week, they must be stored in a work-in-progress (WIP) storage room.
a) When partially or fully printed sheets are stored outside the vault for more than one week, they must be stored in a work-in-progress (WIP) storage room.
Modified
p. 66 → 126
• are temporarily stored outside the vault, they must be stored in a secure, locked container in the HSA under dual control. Cards shall not be stored outside of the vault except as WIP while the facility is in operation.
Modified
p. 66 → 127
a) The vendor must obtain proprietary components (e.g., signature panels, holographic materials, special dies) only from authorized suppliers.
a) The vendor must obtain proprietary components (e.g., signature panels, holographic materials, special dies) only from authorized suppliers.
Modified
p. 66 → 127
b) The vendor must provide the supplier with both the street and mailing addresses of the representatives that will be ordering components.
b) The vendor must provide the supplier with both the street and mailing addresses of the vendor’s facility, as well as names and signatures of the vendor’s authorized representatives that will be ordering components.
Removed
p. 67
• Description of the component or card product(s) being transferred
• Name and signature of the individual releasing the component or card product(s)
• Name and signature of the individual receiving the component or card product(s)
• Number of components or card products transferred
• Number of components used
• Number returned to vault or WIP storage
• Number rejected or damaged
• Number to be destroyed
• Date and time of transfer
• Name and signature of supervisor
• Signatures of persons inventorying components
Modified
p. 67 → 127
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.7 Audit Controls Production 4.7.1 General An order may be separated into multiple jobs, which may be split into different batches.
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.6 Ordering Proprietary Components
Modified
p. 67 → 127
b) All card products and components both good and rejected, including samples must be counted and reconciled prior to any transfer of responsibility.
b) All card products and components, both good and rejected, including samples
Modified
p. 68 → 130
j) Card components must be received and shipping documentation under dual control.
j) Card components must be received and initially inventoried against the supplier’s shipping documentation under dual control.
Removed
p. 69
• Date of usage
• Customer job number
• Number of images or modules placed on
• Number of rejected images or modules from header and trailer scrap
• Number of and reason for rejected images
Modified
p. 69 → 130
k) A physical count of the boxes containing the card components must be completed at delivery
k) A physical count of the boxes containing the card components must be completed at delivery to confirm accuracy of the shipper’s documents.
Modified
p. 69 → 130
l) An authorized employee must sign for all component stock received by the vendor. The person delivering the stock must also sign the transfer document.
l) An authorized card production staff member must sign for all component stock received by the vendor. The person delivering the stock must also sign the transfer document.
Modified
p. 69 → 131
m) Card components must be transferred to the vault immediately. Select Select
m) Card components must be transferred to the vault immediately.
Modified
p. 69 → 131
The reel number or equivalent control that provides unique identification.
• The reel number or equivalent control that provides unique identification.
Modified
p. 69 → 132
r) Card components must be returned to the vault during non-production hours. Select Select
r) Card components must be returned to the vault during non-production hours.
Removed
p. 70
Select Select 4.7.1.2 Log Review
Name of the card issuer
Type of card
Number of cards originally placed in
Reason for transaction (e.g., job number)
Number of cards removed from inventory
Number of cards returned to inventory
Balance remaining in the vault
Date and time of activity
Names and signatures of the employees who handled the transaction Select Select
Modified
p. 70 → 132
s) Rejected card components awaiting return for credits must be maintained under dual control. Select Select 4.7.1.1 Log Modifications
s) Rejected card components awaiting return for credits must be maintained under dual control.
Modified
p. 70 → 132
b) The updated figure and the initials of the employee making the changes must be placed adjacent to the incorrect figure.
b) The updated figure and the initials of the card production staff member making the changes must be placed adjacent to the incorrect figure.
Modified
p. 70 → 133
b) The review must be signed and dated as part of the log. Select Select 4.7.2 Vault Audit Controls
b) The review must be signed and dated as part of the log.
Modified
p. 70 → 134
b) Two employees must create a written, physical inventory of card and card components monthly.
b) Two card production staff must create a written, physical inventory of card and card components monthly.
Removed
p. 71
d) At a minimum, the monthly inventory log must
Date of the review
Name of the card issuer
Type of card
Number of cards indicated in the inventory
Number of cards counted
Name and signature of both employees who conducted the inventory Select Select
Job number
Issuer name Select Select
Initial card procurement (beginning balance)
Card re-makes
Cards returned to inventory
Spoiled cards
Sample/test cards
Machine/operation identification
Date and time of reconciliation
Operator name and signature
Supervisor name and signature Select Select
Modified
p. 71 → 134
c) Employees performing the inventory must not have knowledge of the results of the last inventory.
c) Card production staff performing the inventory must not have knowledge of the results of the last inventory.
Modified
p. 71 → 135
e) Any discrepancies must be reported to management and resolved. Select Select 4.7.3 Personalization Audit Controls
e) Any discrepancies must be reported to management and resolved.
Modified
p. 71 → 135
a) During personalization, cards and cardholder information must be handled in a secure manner to ensure accountability.
a) During personalization, cards and cardholder data must be handled in a secure manner to ensure accountability.
Removed
p. 72
Number of accounts
Number of card carriers printed
Number of carriers wasted
Number of envelopes that contain cards
Operator name and signature
Supervisor or auditor name and signature Select Select
Number of mailers to be printed
Number of mailers actually printed
Wasted mailers that have been printed
Number of mailers transferred to the mailing
Operator name and signature Select Select
4.8 Production Equipment and Card Components
4.8.1 Personalization Equipment
The vendor must maintain a log of personalization equipment failures, including at a minimum:
Modified
p. 72 → 137
• Supervisor name and signature
Modified
p. 72 → 137
• Machine description/number
Modified
p. 72 → 137
• Cause of the malfunction
Modified
p. 73 → 138
a) The vendor must shred completely used tipping foil reels containing cardholder information as follows:
a) The vendor must shred completely used tipping foil reels containing cardholder data as follows:
Modified
p. 73 → 138
• The destruction can occur as frequently as the vendor deems necessary but, in all cases, weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA.
Modified
p. 73 → 139
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.8.2 Tipping Foil
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 73 → 139
b) Used tipping foil must be removed from the machine during non-production hours Select Select
b) Used tipping foil must be removed from the machine during non-production hours.
Modified
p. 73 → 139
c) Prior to destruction e.g., shredding the foil must be stored within the HSA under dual access control.
c) Prior to destruction (e.g., shredding) the foil must be stored within the HSA under dual access control.
Modified
p. 73 → 139
d) When destroyed the results must be non-readable and non-recoverable Select Select
d) When destroyed the results must be non-readable and non-recoverable.
Modified
p. 73 → 139
Number of reels partial or full. All used foil must be accounted for and destroyed.
• Number of reels (partial or full). All used foil must be accounted for and destroyed.
Modified
p. 73 → 139
• Written initials of both individuals who witnessed the destruction
Removed
p. 74
a) Use payment system proprietary type faces within indent-printing modules only for payment system cards.
b) Destroy, under dual control, payment system proprietary type faces within indent-printing modules that are no longer to be used.
Section 4.10 below. Select Select
Select Select 4.9.2 Accountability
Modified
p. 74 → 140
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.8.3 Indent Printing Module The vendor must:
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.8.4 Thermal Transfer Foil
Modified
p. 74 → 142
a) Maintain a log of all returned cards and PIN mailers. Select Select
a) Maintain a log of all returned cards and PIN mailers.
Modified
p. 74 → 143
b) Store all returned cards in a secure container under dual control. Select Select
b) Store all returned cards in a secure container under dual control.
Modified
p. 74 → 143
d) Destroy returned PIN mailers as defined in Section 3.10 below.
Modified
p. 74 → 143
e) Place cards collected by the vendor from a third-party location in a secure container under dual control before leaving the third-party location.
e) Place cards collected by the vendor from a third-party location in a secure container under dual control before leaving the third-party location.
Removed
p. 75
ii. The number of envelopes
Modified
p. 75 → 144
b) The log must contain at a minimum:
b) The log must contain at a
Modified
p. 75 → 144
• Written initials of both card production staff counting the cards,
Modified
p. 75 → 144
− The card type
− The number of envelopes
− The number of cards
3.10 Destruction and Audit Procedures
Modified
p. 75 → 144
a) All waste components must be counted before being destroyed in-house and under dual control. A record of destruction by reel number and item count must be maintained for 24 months.
a) All waste components must be counted before being destroyed in-house (i.e., within the facility) and under dual control. A record of destruction by reel number and item count must be maintained for 24 months.
Modified
p. 75 → 145
• Any other sensitive card component material or courier material related to any phase of the card production and personalization process
Modified
p. 75 → 145
Destruction of chips, modules, or chip cards must ensure that the chip itself is destroyed.
c) Destruction of chips, modules, or chip cards must ensure that the chip itself is destroyed.
Modified
p. 75 → 145
d) An exception to the above is that holograms failing the hot-stamping process must be rendered unusable at the machine.
Modified
p. 75 → 145
e) The material waiting to be destroyed must be stored securely, under dual control.
Removed
p. 76
e) Destruction must be carried out in a separate room as defined in 3.3.5.3. Select Select
Signatures of the individuals presenting waste material
Description of item(s) to be destroyed (such as product type, job number, and issuer name)
Signatures of the persons observing or carrying out the waste destruction
Quantity of item(s) to be destroyed
Date and time of destruction Select Select
Modified
p. 76 → 146
g) Proper destruction requires the following:
Modified
p. 76 → 146
Individuals destroying the materials must ensure that they are rendered unusable and unreadable.
• Individuals destroying the materials must ensure that they are rendered unusable and unreadable.
Modified
p. 76 → 146
Two employees must simultaneously count and shred the material.
• Two card production staff must simultaneously count and shred the material.
Modified
p. 76 → 146
Before leaving the room, both employees must ensure that all material has been destroyed and not displaced in the machinery or equipment.
• Before leaving the room, both card production staff must ensure that all material has been destroyed and not displaced in the machinery or equipment.
Modified
p. 76 → 146
• Card production staff must prepare, sign, and maintain a destruction document.
Modified
p. 76 → 146
Once the destruction process is initiated, the process must not be interrupted Select Select
• Once the destruction process is initiated, the process must not be interrupted.
Modified
p. 76 → 147
h) An audit log must be created which, at a minimum, contains the following information:
Removed
p. 77
The complete and detailed chronology of
Cardholder account numbers
Personal identification numbers (PINs)
Printing plates
Encoding or personalizing equipment
Signature panels
Electronic storage media
Chips or any carrier containing card components
ication manual Select Select
Modified
p. 77 → 148
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.11 Lost and Stolen Reports
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.11 Lost and Stolen Reports
Modified
p. 77 → 148
The report must include but is not limited to:
b) The report must include but is not limited to:
Removed
p. 78
Name of issuer
Type of card or product
Name and address of the vendor
Identification of source of cards
Description of the incident including:
v. Name, e-mail address, and telephone number of the person to contact for additional information (if different from the person reporting the incident) Select Select
Modified
p. 78 → 149
c) The written communication must contain information regarding the loss or theft, including but not limited to the following:
Modified
p. 78 → 149
• Date and time of incident
Modified
p. 78 → 149
• Details of companies and persons involved
Modified
p. 78 → 149
• Details of the investigation
Modified
p. 78 → 149
• Name, e-mail address, and telephone number of the person reporting the loss or theft
Modified
p. 78 → 149
• Name, e-mail address, and telephone number of the person to contact for additional information (if different from the person reporting the incident)
Additional or follow-up reports should be forwarded to the VPA, issuer, and the appropriate law-enforcement agencies as activities or actions occur.
Modified
p. 78 → 150
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Section 4 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.1 Vendor Responsibility and Shipment Documentation
Removed
p. 79
Name of the issuer
Destination
Date of shipment
Name of courier
Manifest number Select Select
Modified
p. 79 → 149
Section 5 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5 Packaging and Delivery Requirements
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 79 → 150
Section 5: Packaging and Delivery Requirements
Section 4: Packaging and Delivery Requirements
Modified
p. 79 → 150
c) The vendor must report to the VPA when a shipment request is not in compliance with these shipping requirements, and must withhold shipment until instruction from VPA is received.
c) The vendor must report to the VPA when a shipment request is not in compliance with these shipping requirements and must withhold shipment until instruction from VPA is received.
Modified
p. 79 → 150
a) Count all card products under dual control. Select Select
a) Count all card products under dual control.
Modified
p. 79 → 151
b) Complete audit-control documentation before the cards are packaged. Select Select
b) Complete audit-control documentation before the cards are packaged.
Modified
p. 79 → 151
c) Reconcile all counts with amount to be shipped prior to packaging. Select Select
c) Reconcile all counts with amount to be shipped prior to packaging.
Modified
p. 79 → 151
d) Immediately seal containers for final packaging. Select Select
d) Immediately seal containers for final packaging.
Modified
p. 79 → 151
e) Immediately investigate and resolve discrepancies. Select Select
e) Immediately investigate and resolve discrepancies.
Removed
p. 80
Select Select 5.3 Storage before Shipment
Modified
p. 80 → 151
Section 5 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.2 Packaging The vendor must:
Section 4 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 80 → 151
b) Use packaging that does not indicate or imply the nature of the contents. Select Select
b) Use packaging that does not indicate or imply the nature of the contents.
Modified
p. 80 → 151
c) Use reinforced, tamper-evident, color-coded tape that is not in common use to band the containers.
c) Use reinforced, tamper-evident, color-coded tape that is not in common use to band the containers.
Modified
p. 80 → 152
d) Use containers that are uniquely numbered and labeled. Select Select
d) Use containers that are uniquely numbered and labeled.
Modified
p. 80 → 152
e) Record the number of containers and cards on a packing list. Select Select
e) Record the number of containers and cards on a packing list.
Modified
p. 80 → 152
f) Package all un-enveloped cards shipped in bulk in double-walled cartons that must have a bursting strength capable of handling a minimum 250 pounds (112 kgs) of pressure.
f) Package all un-enveloped cards shipped in bulk in double-walled cartons that must have a bursting strength capable of handling a minimum of 250 PSI, 1724 kPa or 17.6 kg/cm².
Modified
p. 80 → 153
a) Card products awaiting shipment must be maintained under dual control in a vault when the facility is closed or in a HSA, where access is limited to authorized personnel only, when the facility is operational.
a) Card products awaiting shipment must be maintained under dual control in a vault when the facility is closed or in an HSA, where access is limited to authorized personnel only, when the facility is operational.
Removed
p. 81
Section 6 of this document.
Select Select 5.4.1 Mailing
a) Personalized cards must be placed in envelopes that are nondescript (e.g., envelopes must not contain any brand marks) and the same size and color as other envelopes with which they may be presorted or delivered to the postal service.
Modified
p. 81 → 154
Section 5 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.4 Delivery
Section 4 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.5 Delivery
Modified
p. 81 → 155
c) PIN mailers and cards must be dispatched separately, a minimum of two days apart. The only exception is for the distribution of non-personalized prepaid cards, which may be distributed the same day in accordance with Section 5 of this document.
Modified
p. 81 → 155
d) Electronic distribution of PINs may occur on the same day in accordance with the Logical Security Requirements, Section 9.
Modified
p. 81 → 158
f) A receipt of delivery must be signed by a representative of the receiving organization, and a signed copy of the receipt must be retained by the vendor.
Removed
p. 82
Section 5 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.4.1.1 Emergency Cards and PINs Vendors may include the PIN with the mailing of emergency cards only with written approval from the issuer. Card vendors will be responsible for ensuring an appropriate officer of the card issuer has signed the authorization letter and that a copy of the letter is maintained in their files. The authorization letter must acknowledge that the issuer accepts all risk inherent in shipping cards and PINs together and must confirm that the expedited process is permitted only for emergency card replacement orders. Issuers may provide the card vendor with a standing letter of instruction and do not need to approve each emergency card replacement order.
e) The loading and transfer process must use the shipping and delivery areas as defined in Select Select 5.4.2 Courier Service
Modified
p. 82 → 159
a) Mail must be in tamper-evident packaging, and/or strapped to prevent the removal of envelopes, or placed in locked carts.
a) Mail must be in tamper-evident packaging and/or strapped to prevent the removal of envelopes or placed in locked carts.
Modified
p. 82 → 159
b) The packaging must be the same as that used by the local mail service. Select Select
b) The packaging must be the same as that used by the local mail service.
Modified
p. 82 → 160
c) Package labeling must not indicate the name of the vendor or issuer. Select Select
c) Labels on packages sent to the postal service or presort facility must not indicate the name of the vendor or issuer.
Modified
p. 82 → 160
e) If postal service mailbags are used in place of trays or locked carts, the bags must be sealed until transferred to the postal service.
Removed
p. 83
The type of each card
The quantity per card type
The job number(s)
The date of shipment
The date of receipt
Name of receiving organization
Name and signature of person receiving the Select Select
Modified
p. 83 → 162
c) The vendor must ensure packages sent by courier service contain a manifest prepared by the vendor that describes the package contents and enables content-verification upon receipt.
c) The vendor must ensure packages sent by courier service contain a manifest prepared by the vendor that describes the package contents and enables content-verification upon receipt. The manifest prepared by the vendor must include but is not limited to:
Modified
p. 83 → 162
d) The contents of the manifest must be reconciled with the audit trail for the job. Select Select
d) The contents of the manifest must be reconciled with the audit trail for the job.
Modified
p. 83 → 162
e) Shipping of packages must not take place on the last working day of the week or the day operations and that of the recipient facilitate the delivery in the same manner as all other working days (i.e., they are both open for business).
e) Shipping of packages must not take place on the last working day of the week or the day before a public holiday unless the courier’s operations and that of the recipient facilitate the delivery in the same manner as all other working days (i.e., they are both open for business).
Removed
p. 84
There are four types of secure transport, as noted below.
c) The vendor must ensure that the contract with the armored car service forbids intermediate stops where the cards may be accessible.
d) Non-emergency stops are not permitted. Select Select 5.4.3.3 Air Freight
Modified
p. 84 → 164
Section 5 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.4.3 Secure Transport The vendor must confirm with the VPA whether specific requirements apply to their geographic locations.
Section 4 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 84 → 164
a) This service must be carried out under dual control. Select Select
a) This service must be carried out under dual control.
Modified
p. 84 → 165
b) An accompanying escort vehicle must be used in conjunction with the unarmored transport vehicle. This vehicle must not also be used as a card transport vehicle.
Modified
p. 84 → 165
ii. If the cargo area is unarmored, the vehicle transporting the cards must be under dual control at all times (e.g., a driver accompanied by a guard) and never left unattended during the trip.
Modified
p. 84 → 168
a) Goods must be secured in locked or sealed containers. Select Select
a) Goods must be secured in locked or sealed containers.
Modified
p. 85 → 167
f) The transport between the vendor location and the destination location must be non-stop whenever possible, i.e., non-emergency stops are not permitted.
Modified
p. 85 → 168
i) An air freight facility capable of handling secure cargo must be used.
Modified
p. 85 → 168
h) If intermediate stops are made during air transport, the vendor must ensure the integrity of the shipment remains intact.
Modified
p. 85 → 168
j) If any ground storage is required before, during, or after the flight, the location must be secured and inaccessible to unauthorized personnel.
Modified
p. 85 → 168
k) The hand-carrying of goods is strictly prohibited.
Modified
p. 85 → 169
b) Goods registered as consolidated cargo are not permitted.
Modified
p. 85 → 169
Select Examine service provider agreement language to verify that all transports between the vendor location and the destination location are required to be nonstop whenever possible.
Modified
p. 85 → 169
d) The vendor must use container shipment.
Modified
p. 85 → 169
Select Examine service provider agreement language to verify that the vendor arranges delivery to and pick-up from dockside immediately.
Modified
p. 85 → 169
c) Sea-freight service must be bonded.
Modified
p. 85 → 172
a) Goods must be secured in locked or sealed containers. Select Select
a) Goods must be secured in locked or sealed containers.
Modified
p. 85 → 172
t) The hand-carry of goods is strictly prohibited.
Modified
p. 85 → 173
b) Goods registered as consolidated cargo are not permitted.
Removed
p. 86
Select Select The vendor must:
Modified
p. 86 → 169
Section 5 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.5 Shipping and Receiving
Section 4 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified
p. 86 → 176
a) Have access to the names and signatures of individuals who are authorized to collect and deliver shipments.
Modified
p. 86 → 177
b) Verify the identity of personnel arriving to collect or deliver shipments.
Modified
p. 86 → 177
c) Confirm the identity with the signature list.
Modified
p. 86 → 177
d) Place the cartons on a pallet in such a manner that the sides of the carton showing the batch code are visible.
Modified
p. 86 → 177
a) Before release of the consignment, a pre-arranged method of identification between the vendor and destination party must be established to verify the authority and identity of the carrier to receive shipment.
a) Before release of the consignment, a pre-arranged method of identification between the vendor and destination party must be established to verify the authority and identity of the carrier to receive shipment.
Modified
p. 87 → 178
d) If there is evidence that a container has been tampered with, is missing, or is not received as scheduled at its final destination, the requirements for loss or theft of card products (Section 4.11) must be followed, and there must be no further movement of the shipment without notification to the issuer and VPA.
d) If there is evidence that a container has been tampered with, is missing, or is not received as scheduled at its final destination, the requirements for loss or theft of card products (Section 3.11) must be followed, and there must be no further movement of the shipment without notification to the issuer and VPA.
Modified
p. 87 → 178
e) Obtain positive confirmation of receipt of shipment. Select Select 5.5.2 Receipt and Return of Card Components
e) Obtain positive confirmation of receipt of shipment.
Modified
p. 87 → 178
a) All card components must be delivered and returned by secure transport. Select Select
a) All card components must be delivered and returned by secure transport.
Modified
p. 87 → 178
b) The consignment must be received under dual control. Select Select
b) The consignment must be received under dual control.
Modified
p. 87 → 178
c) Whilst under dual control, the consignment must be inventoried and handled as defined in Select Select
c) Whilst under dual control, the consignment must be inventoried and handled as defined in “Audit Controls” (Section 3.7).
Modified
p. 87 → 179
• Sequential identification numbers (if applicable)
• Reel numbers (if applicable)
• Total quantity returned
• Recipient name and signatures
• Destination or origination address
• Shipping or receipt date and time
Select Examine shipping activity logs to verify that documentation of the shipments is maintained for 24 months and includes:
• Sequential identification numbers (if applicable)
• Reel numbers (if applicable)
• Total quantity returned
• Recipient name and signatures
• Destination or origination address
• Shipping or receipt date and time
Modified
p. 87 → 179
f) At shipment, the vendor must verify the authorized signatures prior to transfer. Select Select
f) At shipment, the vendor must verify the authorized signatures prior to transfer.
Removed
p. 88
3. An employee who has been involved in the card personalization process must not be involved in PIN printing or in packaging the card with the PIN. An audit trail must be created and maintained as evidence that this separation has been enforced.
Modified
p. 88 → 179
a) The transfer of shipment responsibility occurs at the point at which the vendor has delivered cards according to the contract between the issuer and the approved vendor.
Modified
p. 88 → 180
Section 6: PIN Printing and Packaging of Non-personalized Prepaid Cards
Section 5: PIN Printing and Packaging of Non-personalized Prepaid Cards
Modified
p. 88 → 180
Section 6 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment The following requirements apply only for non-personalized, prepaid cards. All other preceding requirements apply unless explicitly superseded in this section.
Section 5 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment The following requirements apply only for non-personalized, prepaid cards. All other preceding requirements apply unless explicitly superseded in this section.
Modified
p. 88 → 180
The PIN printing system may be a single, integrated device with multiple components (e.g., control system, HSM, and printer) or a system of separate components with dedicated functionality, connected via cables.
The PIN-printing system may be a single, integrated device with multiple components (e.g., control system, HSM, and printer) or a system of separate components with dedicated functionality, connected via cables.
Modified
p. 88 → 180
5.1. The vendor must obtain written authorization from the issuer for packaging, shipping, or mailing the card and PIN together. This authorization must include confirmation that:
Modified
p. 88 → 180
b) The issuer accepts all risk inherent in shipping or mailing cards and PINs together. Select Select
b) The issuer accepts all risk inherent in shipping or mailing cards and PINs together.
Modified
p. 88 → 180
Select Select 5.2 The vendor must ensure that an appropriate officer of the issuer has signed the authorization letter and must maintain a copy of the letter in its files until the card expiry date.
Removed
p. 89
a) Be in a dedicated PIN printing room as defined in the Section 3.3.5.4 of this document, Select Select
Modified
p. 89 → 182
Select Examine documentation to verify that clear-text PINs are never to be available on any system on the personalization network.
Modified
p. 89 → 183
Section 5 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.8 PINs must be deleted from the PIN-printing system immediately after printing using a secure erasure tool that prevents recovery of the PIN using forensic techniques or off-the-shelf recovery software.
Removed
p. 90
a) The personalization HSA Select Select
Modified
p. 90 → 182
Section 6 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Section 5 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.5 Clear-text PINs must never be available on any system on the personalization network.
Modified
p. 90 → 184
• i.e., the HSM, controller, printer, and all cabling that carries the PIN are secured inside a single, integrated device
•PIN printing may take place in any of the following places:
•PIN printing may take place in any of the following places:
Modified
p. 90 → 184
b) A dedicated PIN printing room within the personalization HSA Select Select
b) A dedicated PIN printing room within the personalization HSA Select Observe that the activity occurs in a room dedicated to only PIN printing; or
Modified
p. 90 → 184
c) A separate HSA that meets the physical and logical requirements for a personalization HSA Select Select
c) A separate HSA that meets the physical and logical requirements for a personalization HSA Select Observe the separate HSA to verify set-up of the separate HSA meets the physical and logical requirements for a personalization HSA.
Modified
p. 90 → 184
d) Additionally, all of the following requirements must be fulfilled: Select Select
d) Additionally, all of the following requirements must be fulfilled:
Modified
p. 90 → 185
f) The HSM in the printer must be under dual control at all times. Select Select
f) The HSM in the printer must be under dual control at all times.
Modified
p. 91 → 185
i) The printed PIN must not be visible from outside the machine at any time i.e., the machine must be covered to prevent observation and the covers must be locked in place with dual control locks.
i) The printed PIN must not be visible from outside the machine at any time, i.e., the machine must be covered to prevent observation and the covers must be locked in place with dual-control locks.
Modified
p. 91 → 185
j) The PIN must be concealed in tamper-evident packaging immediately after printing and before leaving the secured confines of the printer.
j) The PIN must be concealed in tamper-evident packaging immediately after printing and before leaving the secured confines of the printer.
Removed
p. 92
Section 6 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment A.1 Exterior Windows in HSAs The vendor must ensure that no exterior windows, including operable and inoperable, are used within any HSA. (Reference items 3.3.4.4.a and b above) Select Select A.2 Work-In-Progress Cage Usage for American Express Products The vendor must ensure that American Express products are not held in work-in-progress (WIP) storage room during non-production periods, when the HSA is unoccupied, or for longer than one day waiting next step in production.
(Reference items 3.3.5.2 and 4.5.1.2a above) Select Select A.3 Segregation of American Express Products The vendor must ensure that American Express products are segregated from any other products within the vault or any other HSA areas the products are held, referencing items 3.3.5.3 and 4.8.2 above.
Select Select A.4 Card Reader Activity History The vendor must ensure that card-reader activity history be maintained for at …