Document Comparison

PCI_Card_Production_v2.0_Summary_of_Changes.pdf PCI_Card_Production_v3.0_Summary_of_Changes_v2_to_v3.pdf
17% similar
16 → 10 Pages
3936 → 1842 Words
18 Content Changes

Content Changes

18 content changes. 14 administrative changes (dates, page numbers) hidden.

Added p. 3
Note: The changes above do not include those that are corrections of grammar or typographical errors or other rephrasing of existing statements.

Section 1: Summary of Changes to Physical Security Requirements

Reference | Change to Physical Security Requirements | Type
General | Added Test Procedures to document. | Additional Guidance
General | Renumbered requirements from 2 through 6 to 1 through 5. | Additional Guidance
General | Replaced term "employee" throughout document with "personnel," "individual," "card production staff," or "consultant" as applicable. | Additional Guidance
General | Changed badge system to access-control system throughout. | Requirement

Requirement 1: Roles and Responsibilities
Vendor Roles | Defined roles that must be filled by employees of the vendor. | Requirement
Security Communication and Training | Clarified that information concerning security at vendor facilities can be communicated via posters, notices, or electronic medium. | Requirement
Prescreening | Allow that, for contracted guards, evidence of prescreening requirements may alternatively be provided by the guarding company, by copies of licenses, etc.; however, the vendor must collect and retain this evidence.
Allow …
Added p. 7
Clarified remote administrative access exception if used in conjunction with an approved SOC.

Added password length requirement exception where the system does not support it. | Requirement

B.2.2 Characteristics and Systems enforce password lengths of at least 12 characters or an equivalent strength.

Appendix C | New Section, "Security Operations Center" | Requirement
Glossary | Added glossary definitions for: Card Production Staff, Dual Control, Facility, Participating Payment Brand and Public Network.

Section 2: Summary of Changes to Logical Security Requirements

Reference | Change to Logical Security Requirements | Type
General | Added Test Procedures to document. | Additional Guidance
General | Renumbered requirements from 2 through 10 to 1 through 9. | Additional Guidance
General | Replaced term "employee" throughout document with "personnel" or "card production staff" as applicable. | Additional Guidance
General | Added FIPS 140-3 wherever FIPS 140-2 is required. | Requirement
General | Changed badge system to access-control system throughout. | Requirement

Requirement 2: Security Policy and Procedures
Information Security | Clarified that the information security policy must be disseminated to …
Modified p. 1
Payment Card Industry (PCI) Card Production and Provisioning Security Requirements Summary of Changes from PCI Card Production and Provisioning Version 1.1 to 2.0
Payment Card Industry (PCI) Card Production and Provisioning Security Requirements Summary of Changes from PCI Card Production and Provisioning Version 2.0 to 3.0
Modified p. 3
Section 1: Change Types Change Type Definition Additional Guidance Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Change Types Change Type Definition Additional Guidance Explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Removed p. 4
Section 2: Summary of Changes
Changes to Physical Security Requirements

Reference | Change to Physical Security Requirements | Type
General | Modified the document title to reflect the change in scope and the addition of requirements to reflect the inclusion of criteria for mobile provisioning. Specifically, it includes physical security requirements for vendors that: | Requirement
• Perform cloud-based or secure element (SE) provisioning services;
• Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or
• Manage associated cryptographic keys.
General | Clarified that the specific applicability of these requirements is up to the individual payment brands, and the payment brand(s) of interest should be contacted for the applicability of these requirements to any card production or provisioning activity. | Requirement

Requirement 2: Personnel
Job and Sensitive Task Allocation Restrictions | Stipulated that the vendor is responsible for determining the level of job responsibilities assigned to any temporary or interim staff (including consultants and contractors), except where the job function is …
Removed p. 5
• The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
• Visitors must use their access card in the card readers to the room into which they enter.
• Badging to track access must be used wherever feasible. Any un-badged access must be recorded in a log. Logs may be electronic and/or manual. | Requirement

Requirement 3: Premises
Internal Structure and Processes - Security Control Room: Definition | Clarified that the CCTV and access control servers must be in the security control room or a room with equivalent security and must not be in the HSA. | Additional Guidance
High Security Areas (HSAs): Definition | Specified that cloud-based systems must exist in either the server room in the HSA or, if the only activity by the vendor, its own room meeting the criteria stipulated in this HSA section.
Clarified …
Modified p. 5
Security Controls | Clarified that bullet-resistant (e.g., UL 752) glass, rather than unbreakable, or iron bars must protect all non-opening windows in HSAs. | Requirement
Security Controls | Clarified that the requirement for bullet-resistant glass or iron bars applies to windows on the exterior wall or door of the building. | Requirement
Removed p. 6
Systems and applications that make up the cloud-based provisioning network must be physically segregated from other vendor networks and internet-connected networks. This includes separation of servers, firewall, and HSM. For example, in a traditional card vendor environment this could be a separate rack in a server room, or in a provisioning-only entity, housed in a separate room or cage in a data center. It cannot be in the same rack as other servers used for different purposes. | Requirement

Stipulate:
• The vault must be protected with a sufficient number of intruder-detection devices that provide an early attack indication (e.g., seismic, vibration/shock, microphonic wire, microphone, etc.) on attempts to enter and also provide full coverage of the walls, ceiling, and floor.
• The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical, e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access.

Unsealed boxes are only permitted for stock …
Removed p. 7
For generic administrative accounts that cannot be disabled, the password must be used only for emergencies. The password must be changed from the default value and managed under dual control. | Requirement
Decommissioning Plan | New requirement addressing termination of production activities. | Requirement

Requirement 4: Production Procedures and Audit Trails
Personalization Audit | Clarification on who may sign off: name and signature of an individual other than the operator, who is responsible for verifying the count. | Requirement

Requirement 6: PIN Printing and Packaging of Non-personalized Prepaid Cards
6 | Modified: An employee who is involved in PIN printing must not be involved in the card personalization process or the packaging of the card with the PIN process. | Requirement
Appendix A: Applicability of Requirements | New appendix to define which requirements apply to:
Modified p. 7 → 6
Requirement 5: Packaging and Delivery Requirements
5 | Modification of stipulations for courier delivery. | Requirement
Secure Transport | Modifications to criteria for both armored and unarmored vehicles.

Requirement 4: Packaging and Delivery Requirements
4 | Modified stipulations for courier delivery.
Removed p. 8
• Added glossary definitions for: Cloud-Based Provisioning, COTS, Host Card Emulation, Mobile Provisioning, OTA, OTI, Secure Element, and Segregation of Duties.

• Modified definitions for Armored Vehicle, Card Products, High Security Areas (HSAs).
Removed p. 9
• Perform cloud-based or secure element (SE) provisioning services;
• Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or
• Manage associated cryptographic keys.
General | Clarified that the specific applicability of these requirements is up to the individual payment brands, and the payment brand(s) of interest should be contacted for the applicability of these requirements to any card production or provisioning activity. | Requirement

Requirement 3: Security Policy and Procedures
Information Security | Clarified that evidence of staff review and acceptance of the ISP must be maintained. | Requirement
Incident Response Plans and Forensics | The documented incident response plan for known or suspected compromise of any classified data must be communicated to relevant parties. | Requirement

Requirement 4: Data Security
Confidential Data | Added example of Confidential Information: Mobile Station International Subscriber Directory Number (MSISDN, the number used to identify a mobile phone number).
Modified p. 9 → 8
Requirement 2: Roles and Responsibilities
Assignment of Security | Added requirement that the CISO must identify a security environment | Requirement

Requirement 1: Roles and Responsibilities
Assignment of Security | Specified that the back-up CISO and the IT Security Manager must be employees of the vendor.
Removed p. 10
Decommissioning Plan | New requirement addressing termination of production activities. | Requirement

Protections | Added requirements to have:
• Documented security requirements defining the protection controls commensurate to the data classification scheme.
• All payment data assigned an identifiable owner who is responsible for classification and for ensuring protection controls are implemented and working. | Requirement

Access to Cardholder | Clarified that business requirements from the issuer must exist regarding the masking of PANs when displayed or printed, and that PANs must be encrypted at all other times and decrypted only for the minimum time required for processing.

Specified that:
• Only authorized database administrators have the ability to directly access cardholder or cloud-based provisioning databases. Other user access and user queries must be through programmatic methods.
• Direct access to databases is restricted to authorized database administrators. System logs for database administrator access must exist and be reviewed weekly.
• Application (program) IDs used for cloud-based processes are used only for their intended purposes and …
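Two of the controls summarized above, masking PANs wherever they are displayed or printed and reviewing the system logs of direct database access every week, are the kind of thing a reviewer ends up scripting. The Python below is an added example, not text or code from either PCI document. It assumes a hypothetical pipe-delimited audit log format, constructed sample entries, and made-up account and application names; a real review would read the database engine's own audit log and the vendor's actual access approvals instead.

```python
import re

# Constructed sample of a hypothetical database audit log (not real data).
# Assumed columns: timestamp | account | client IP | access method | statement
# "direct" = interactive session (SQL console, admin tool); "programmatic" = application path.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z|dba_alice|10.20.1.15|direct|SELECT count(*) FROM cardholder
2024-03-04T09:40:33Z|perso_app|10.20.2.7|programmatic|SELECT pan FROM cardholder WHERE batch_id=4471
2024-03-05T14:02:10Z|jsmith|10.20.5.42|direct|SELECT pan, expiry FROM cardholder WHERE pan='4111111111111111'
2024-03-06T08:15:59Z|dba_bob|10.20.1.16|direct|DELETE FROM card_stock WHERE serial='1234567890123456'
2024-03-07T17:45:00Z|perso_app|10.20.2.7|direct|SELECT * FROM provisioning_keys
"""

# Hypothetical allow-lists; in practice these come from the vendor's documented access approvals.
AUTHORIZED_DBAS = {"dba_alice", "dba_bob"}
APPLICATION_IDS = {"perso_app", "provisioning_svc"}

# Candidate PAN: 13 to 19 consecutive digits that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out serials and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the usual display mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid digit run so the review report never shows a full PAN."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), text
    )


def parse_line(line: str) -> dict:
    ts, account, client, method, statement = line.split("|", 4)
    return {"ts": ts, "account": account, "client": client,
            "method": method, "statement": statement}


def review(log_text: str, dbas=AUTHORIZED_DBAS, app_ids=APPLICATION_IDS) -> dict:
    """Weekly review: list direct DBA sessions and flag direct access by anyone else."""
    findings, dba_access = [], []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        entry["statement"] = mask_pans_in_text(entry["statement"])
        if entry["method"] != "direct":
            continue  # programmatic access is the expected path for non-DBA accounts
        if entry["account"] in dbas:
            dba_access.append(entry)
        elif entry["account"] in app_ids:
            findings.append(("application ID used for direct access", entry))
        else:
            findings.append(("direct access by non-DBA account", entry))
    return {"findings": findings, "dba_access": dba_access}


def render_report(result: dict) -> str:
    lines = [f"Direct DBA sessions reviewed: {len(result['dba_access'])}"]
    for e in result["dba_access"]:
        lines.append(f"  {e['ts']} {e['account']}@{e['client']}: {e['statement']}")
    lines.append(f"Findings: {len(result['findings'])}")
    for reason, e in result["findings"]:
        lines.append(f"  {e['ts']} {e['account']}@{e['client']}: {reason}: {e['statement']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(review(SAMPLE_LOG)))
```

On the sample, the two DBA sessions are listed for sign-off, the interactive query by a non-DBA account and the application ID used from an interactive session are raised as findings, and the PAN in the offending statement reaches the report only as 411111******1111 while the Luhn-invalid stock serial is left alone.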
Removed p. 11
Requirement 5: Network Security
Typical Vendor Network: Card Production DMZ | Specified that all connections to and from the personalization network must be through a system in the DMZ and that the DMZ must be dedicated to card production/provisioning activities. | Requirement
Mobile Provisioning | Host Card Emulation provisioning must be on its own network; secure element-based provisioning can co-exist with other personalization activities. | Requirement
General Requirements | Clarified that the cloud-based provisioning network must be physically and logically segregated from other vendor networks and Internet-connected networks and cannot be in the same rack as other servers used for different purposes. | Requirement
Firewalls: General | Specified that a firewall must be deployed between the external network and the DMZ and between the DMZ and the cloud-based provisioning network.
Modified requirement to allow firewall rule sets to be reviewed either monthly or quarterly, with a review after every firewall configuration change. | Requirement
Configuration | Clarified that authorized services must be documented with a business justification …
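The network rules summarized above (a firewall between the external network and the DMZ and another between the DMZ and the provisioning network, every connection into the personalization network passing through a DMZ system, a business justification for each authorized service, and a rule-set review after every firewall change) can be checked mechanically against an exported rule set. The Python below is an added example and not from either PCI document; the three zone names, the rule schema and the two constructed rule sets are assumptions for illustration, and a real check would be fed the firewall's own export.

```python
import hashlib
import json
from datetime import date, timedelta

# Assumed three-zone layout from the summary: external <-> DMZ <-> cloud-based provisioning network.
EXTERNAL_ZONE = "external"
PROTECTED_ZONE = "provisioning"

# Hypothetical rule schema: src zone, dst zone, dst port (None = any), action, justification.
# Both rule sets are constructed for this example.
COMPLIANT_RULES = [
    {"src": "external", "dst": "dmz", "port": 443, "action": "allow",
     "justification": "issuer web-service interface terminates on the DMZ gateway"},
    {"src": "dmz", "dst": "provisioning", "port": 8443, "action": "allow",
     "justification": "DMZ gateway relays approved requests to the provisioning API"},
    {"src": "external", "dst": "provisioning", "port": None, "action": "deny",
     "justification": "no direct path into the provisioning network"},
]

NONCOMPLIANT_RULES = [
    {"src": "external", "dst": "dmz", "port": 443, "action": "allow",
     "justification": "issuer web-service interface terminates on the DMZ gateway"},
    {"src": "external", "dst": "provisioning", "port": 1433, "action": "allow",
     "justification": "vendor DBA convenience"},          # bypasses the DMZ entirely
    {"src": "provisioning", "dst": "dmz", "port": 443, "action": "allow",
     "justification": ""},                                # no documented business need
]


def lint_ruleset(rules):
    """Return (rule, reason) pairs that break the DMZ-only path or lack a justification."""
    problems = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules cannot open a path; only allows are inspected
        if {rule["src"], rule["dst"]} == {EXTERNAL_ZONE, PROTECTED_ZONE}:
            problems.append((rule, "external and provisioning zones may only talk via a DMZ system"))
        if not rule["justification"].strip():
            problems.append((rule, "authorized service has no documented business justification"))
    return problems


def ruleset_fingerprint(rules) -> str:
    """Stable hash of the rule set, recorded when a review is completed."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def needs_review(rules, last_reviewed_fingerprint, last_reviewed_on, today, cadence_days=30):
    """None if the last review still covers this rule set, otherwise why a review is due.

    Dates are ISO strings (YYYY-MM-DD); cadence_days is 30 for monthly, 90 for quarterly.
    """
    if ruleset_fingerprint(rules) != last_reviewed_fingerprint:
        return "rule set changed since last review"
    elapsed = date.fromisoformat(today) - date.fromisoformat(last_reviewed_on)
    if elapsed > timedelta(days=cadence_days):
        return "periodic review overdue"
    return None


if __name__ == "__main__":
    for rule, reason in lint_ruleset(NONCOMPLIANT_RULES):
        print(f"{rule['src']}->{rule['dst']}:{rule['port']}: {reason}")
    fp = ruleset_fingerprint(COMPLIANT_RULES)
    print(needs_review(COMPLIANT_RULES, fp, "2024-01-08", "2024-01-15"))
```

The fingerprint is what ties the "review after every change" clause to evidence: the reviewer records the hash of the rule set they signed off, and any later export with a different hash is flagged regardless of how recent the last periodic review was.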
Removed p. 12
• Identification of security alerts, e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT)
• Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components
• Inventory of current systems in the environment, including information about installed software components and about running services | Requirement

Remote Access | Clarified that this section applies to remote administration by the vendor, and not issuer connections. | Additional Guidance
Remote Access: Virtual Private Network (VPN) | Added criteria:
• For remote access, VPNs must start from the originating device (e.g., PC or off-the-shelf device specifically designed for secure remote access) and terminate at either the target device or the personalization firewall. If the termination point is the firewall, it must use at least a TLS connection in accordance with PCI Data Security Requirement 4.1 to the target device.
• For remote access to DMZ components, the VPN must terminate at …
Removed p. 14
Development | Specified that the vendor must:
• Ensure separation of duties exists between the staff assigned to the development environment and those assigned to the production environment.
• Ensure that software source code is restricted to only authorized staff. Staff access to source code must follow a documented process. The authorizations and approvals must be documented. | Requirement
Use of Web Services for Issuer Interfaces | Added a new section regarding the use of web services for issuer interfaces for cloud-based implementations. | Requirement

Requirement 7: User Management and System Access Control
User Management | Specified that the vendor must:
• Ensure that procedures are documented and followed by security personnel responsible for granting access.
• Restrict approval and level of access to staff with a documented business need before access is granted. At a minimum, documented approvals must be retained while the account is active.
• Ensure that access controls enforce segregation of duties.
• For cloud-based provisioning, restrict issuer access and privileges to only t
Strictly …
Removed p. 16
• Physical cards
• SE based provisioning
• HCE provisioning | Additional Guidance
Appendix B: Topology Section | New appendix to illustrate acceptable examples of network topologies. | Additional Guidance
Glossary of Acronyms and Terms: Glossary of Acronyms | Added glossary definitions for: Cardholder Data, Cloud-Based Provisioning, COTS, Host Card Emulation, Mobile Provisioning, OTA, OTI, Remote Access, Secure Element, Segregation of Duties, Stand-Alone Network, Trusted Certification Authority, and Virtual Private Network.