Document Comparison

PCI CP_Physical_SR_TPs v3.pdf → PCI_CP_Physical_SR_TPs v3.0.1.pdf
99% similar
190 → 190 Pages
73731 → 73974 Words
31 Content Changes

Content Changes

31 content changes. 150 administrative changes (dates, page numbers) hidden.

Added p. 2
June 2022 3.0.1 Errata
Added p. 45
• In a provisioning-only entity, housed in a separate room or cage in a data center. For example, in a traditional card vendor environment this could be:
Added p. 50
a) One-room configuration:
Added p. 92
Note: Sample cards or proofs sent to an issuer or payment brand are out of scope for this requirement.
Modified p. 1
Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements and Test Procedures Version 3.0
Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements and Test Procedures Version 3.0.1
Modified p. 8
Limitations The individual Participating Payment Brands are responsible for defining and managing compliance programs associated with these requirements. Contact the Payment Brand(s) of interest for any additional criteria.
Limitations The individual Participating Payment Brands are responsible for defining and managing compliance programs associated with these requirements. Contact the Participating Payment Brand(s) of interest for any additional criteria.
Removed p. 24
Section 2: Facilities 2.1 External Structure Requirement Test Procedure 2.1.1 External Construction
Modified p. 39
Observe that no personal items are brought into the HSA and that any company-provided water is brought in/out through the goods/tools trap and is discarded in the trash before existing the HSA.
Observe that no personal items are brought into the HSA and that any company-provided water is brought in/out through the goods/tools trap and is discarded in the trash before exiting the HSA.
Modified p. 39
i) If the access-control server is not located in the security control room it must be located in a room of equivalent security. The access-control server cannot be located in the HSA but must be located in the same facility.
i) If the access-control server is not located in the security control room, it must be located in a room of equivalent security. The access-control server cannot be located in the HSA but must be located in the same facility.
Modified p. 45
b) Systems and applications that make up the cloud-based provisioning network must be physically segregated from other vendor networks and Internet- connected networks. This includes separation of servers, firewall, and HSM. For example, in a traditional card vendor environment this could be:
b) Systems and applications that make up the cloud-based provisioning network must be physically segregated from other vendor networks and Internet- connected networks. This includes separation of servers, firewall, and HSM.
Modified p. 50
a) One-room configuration The goods-tools trap is composed of a unique, closed, solid construction room (goods transfer room) and two doors (inner and external) minimizing the physical contact between the individuals collecting or delivering materials and the HSA staff. In this configuration, the goods-tools trap must be operated as follows:
The goods-tools trap is composed of a unique, closed, solid construction room (goods transfer room) and two doors (inner and external) minimizing the physical contact between the individuals collecting or delivering materials and the HSA staff. In this configuration, the goods-tools trap must be operated as follows:
Modified p. 50
b) Two-room configuration
b) Two-room configuration:
Modified p. 56
b) The vendor must issue a photo identification (ID) badge to each card production staff member and consultant. A temporary badge is valid ONLY for the work shift does not need to contain picture.
b) The vendor must issue a photo identification (ID) badge to each card production staff member and consultant. A temporary badge valid ONLY for the work shift does not need to contain a picture.
Modified p. 57
Examine documentation to verify policies and procedures address but are not limited to: • Card production staff and consultants are responsible for securing their ID badge from loss or theft.
Examine documentation to verify policies and procedures address but are not limited to:
Modified p. 58
d) For multiple buildings within the same facility, a single central location for a access-control system can administer all buildings. Either a private or public network may be used. If a public network is used, a VPN as defined in the PCI Card Production and Provisioning

• Logical Security Requirements and Test Procedures in conformance with the requirements stipulated therein must be used.
d) For multiple buildings within the same facility, a single central location for an access-control system can administer all buildings. Either a private or public network may be used. If a public network is used, a VPN as defined in the PCI Card Production and Provisioning

• Logical Security Requirements and Test Procedures in conformance with the requirements stipulated therein must be used.
Modified p. 65
d) The physical security manager must sign and date each of the key control documents, attesting that the review process was completed.
d) The physical security manager must sign and date each of the key- control documents, attesting that the review process was completed.
Modified p. 65
• Sign and date each of the key control documents; and
• Sign and date each of the key-control documents; and
Modified p. 65
Examine a sample of records to verify the physical security manager performed the key control process as noted above.
Examine a sample of records to verify the physical security manager performed the key-control process as noted above.
Modified p. 91
− Date and time of incident − Details of companies and persons involved − Details of the investigation − Name, e-mail address, and telephone number of the person reporting the loss or − Name, e-mail address, and telephone number of the person to contact for additional information (if different from the person reporting the incident) Examine a sample of notifications to verify that reports of follow-up actions involving loss or theft have been forwarded to the VPA, issuer, and appropriate …
− Date and time of incident − Details of companies and persons involved − Details of the investigation − Name, e-mail address, and telephone number of the person reporting the loss or theft − Name, e-mail address, and telephone number of the person to contact for additional information (if different from the person reporting the incident) Examine a sample of notifications to verify that reports of follow-up actions involving loss or theft have been forwarded to the VPA, issuer, and …
Modified p. 92
Type of Delivery Card Volume Destination Personalized Cards

• Individual Card Maili Individual Package Cardholder Courier Service Individual Package Cardholder Unlimited Issuer, an approved vendor, or (with written issuer and VPA consent) to another destination Secure Transport Unlimited Issuer, an approved vendor, or (with written issuer2 and VPA consent) to another destination Personalized Cards

• Bulk 1 Card Mailing Not allowed Courier Service Unlimited Issuer, an approved vendor, or (with written issuer2 and VPA consent) to another destination Secure Transport Unlimited Issuer, …
Type of Delivery Card Volume Destination Personalized Cards

• Individual Card Mail Individual Package Cardholder Courier Service Individual Package Cardholder Unlimited Issuer, an approved vendor, or (with written issuer and VPA consent) to another destination Secure Transport Unlimited Issuer, an approved vendor, or (with written issuer1 and VPA consent) to another destination Personalized Cards

• Bulk Card Mailing Not allowed Courier Service Unlimited Issuer, an approved vendor, or (with written issuer1 and VPA consent) to another destination Secure Transport Unlimited Issuer, an …
Modified p. 94
f) Package all un-enveloped cards shipped in bulk in double-walled cartons that must have a bursting strength capable of handling a minimum 250 pounds (112 kgs) of pressure.
f) Package all un-enveloped cards shipped in bulk in double-walled cartons that must have a bursting strength capable of handling a minimum of 250 PSI, 1724 kPa or 17.6 kg/cm2.
Modified p. 94
Examine evidence to verify that the packaging used for un-enveloped cards shipped in bulk are in double-walled cartons that have a bursting strength capable of handling a minimum 250 pounds (112 kgs) of pressure.
Examine evidence to verify that the packaging used for un-enveloped cards shipped in bulk are in double-walled cartons that have a bursting strength capable of handling a minimum 250 PSI, 1724 kPa or 17.6 kg/cm2.
Modified p. 97
e) Transfer to the mail facility must be by one of the Secure Transport options or by a company vehicle meeting the following security controls:
e) Transfer to the mail facility by vendor-owned or commercially contracted vehicles must occur by one of the secure transport options meeting the following security controls:
Modified p. 101
c) The cards transport vehicle used between the vendor facility and the destination must be under dual control at all times (a driver accompanied by a guard) and never left unattended during the trip until the shipment enters a controlled environment at the destination.
c) The card transport vehicle used between the vendor facility and the destination must be under dual control at all times (a driver accompanied by a guard) and never left unattended during the trip until the shipment enters a controlled environment at the destination.
Modified p. 105
c) The hand-carry of goods is strictly prohibited. . Examine vendor policies and procedures, if done in-house

•i.e., using internal staff

•or service provider agreement language to verify that the hand-carrying of goods is strictly prohibited.
The hand-carry of goods is strictly prohibited. Examine vendor policies and procedures, if done in-house

•i.e., using internal staff

•or service provider agreement language to verify that the hand-carrying of goods is strictly prohibited.
Modified p. 110
Examine a sample of authorization letters to verify that:
Examine a sample of authorization letters to verify that: An appropriate officer of the issuer has signed the authorization letter. A copy of the letter is maintained in its files until the card expiry date.
Modified p. 110
• An appropriate officer of the issuer has signed the authorization letter.

• A copy of the letter is maintained in its files until the card expiry date.
Examine policies/procedures to verify: Card production staff involved in PIN printing are not allowed to be involved in the card personalization process or the packaging of the card with the PIN process. An audit trail ensuring separation of duties regarding PIN printing and card personalization is maintained. Examine physical access-control system …
Examine policies/procedures to verify: Card production staff involved in PIN printing are not allowed to be involved in the card personalization process or the packaging of the card with the PIN process. An audit trail ensuring separation of duties regarding PIN printing and card personalization is maintained. Examine physical access-control system access lists for authorized individuals provided entry into the PIN-printing area and compare with those authorized to enter personalization areas. Observe process to verify that restricted access is being …
Modified p. 127
When a SOC controls the security activities of multiple facilities, a local Security Control Room (SRC) is maintained at each facility for backup purposes in the event the SOC loses connectivity or otherwise becomes non-operational. Therefore, a local SCR is present at each facility managed by a SOC except for the facility at which the SOC is located where it is optional. The local SCR contains fully functional security control systems, but the day-to-day operations are performed by the SOC. …
When a SOC controls the security activities of multiple facilities, a local Security Control Room (SCR) is maintained at each facility for backup purposes in the event the SOC loses connectivity or otherwise becomes non-operational. Therefore, a local SCR is present at each facility managed by a SOC except for the facility at which the SOC is located where it is optional. The local SCR contains fully functional security control systems, but the day-to-day operations are performed by the SOC. …
Modified p. 160
C.5.7.1 PCI CP Certified Vendor Location, external to the SOC IT Equipment that manages the SOC must be:
C.5.7.2 PCI CP Certified Vendor Location, external to the SOC IT Equipment that manages the SOC must be:
Modified p. 160
C.5.7.2 PCI CP Certified Vendor Location, internal to the SOC.
C.5.7.3 PCI CP Certified Vendor Location, internal to the SOC.
Modified p. 185
f) Hologram and signature panel hot stamping Card Production Staff Employees and contractors of the Card Vendor.
f) Hologram and signature panel hot stamping Card Production Staff Employees and contractors of the Card Vendor. Card Production Staff applies to any employees or contractors who are involved in card production-related activities that could impact security, including administration, support activities, and IT infrastructure.