Document Comparison
Card_Prod_Security_Rqrmts_FAQs_v2_Oct_2020.pdf → Card_Prod_Security_Rqrmts_FAQs_v2_Nov_2021.pdf
97% similar
Pages: 35 → 37
Words: 14169 → 14568
Content changes: 28

Content Changes
28 content changes. 24 administrative changes (dates, page numbers) hidden.
Added
p. 3
Q 2 November 2021 - Individual payment brands may choose to issue waivers in regard to specific requirements. Should those waivers be taken into consideration for purposes of AOC and ROC reporting? A No. All non-compliance found during an assessment must be reflected in connection with AOC and ROC report findings on a card vendor. Waivers are part of individual payment brands compliance management programs and do not impact non-compliance reporting.
Q 3 November 2021 - Are remote assessments permitted for Card Production and Provisioning assessments? A While onsite assessments continue to be the preferred method for PCI SSC assessments, the use of remote assessment methods may provide a suitable alternative in legitimate scenarios where an onsite assessment is not feasible. Prior to the engagement of the CPSA, entities must consult with the applicable payment brands’ VPA to confirm whether remote assessments are allowed and any requirements they may have around …
Modified
p. 3
Updates: New questions or those modified for clarity are shown in red. Questions impacted are number 1 General Questions
Updates: New or questions modified for clarity are in red.
Modified
p. 3 → 5
Q 2 October 2014 - If a Chip Card manufacturer sets up a remote personalization service within an Issuer, is the Issuer facility required to be PCI Card Production compliant? A If a third party (vendor) sets up and operates a personalization service inside an issuer's premises, then the issuer facility is required to be approved. If the service is operated by the issuer so that only the issuer has access to card stocks, cardholder data and keys then it …
Q 4 October 2014 - If a Chip Card manufacturer sets up a remote personalization service within an Issuer, is the Issuer facility required to be PCI Card Production compliant? A If a third party (vendor) sets up and operates a personalization service inside an issuer's premises, then the issuer facility is required to be approved. If the service is operated by the issuer so that only the issuer has access to card stocks, cardholder data and keys then it …
Modified
p. 3 → 5
Q 3 October 2018 - Can a logbook be either manual or electronic? A As long as the required details, including capture of signatures are met, the logs may be either electronic or manual. Electronic logbooks require additional integrity controls such as digital signatures using hashes of the data that are signed.
Q 5 October 2018 - Can a logbook be either manual or electronic? A As long as the required details, including capture of signatures are met, the logs may be either electronic or manual. Electronic logbooks require additional integrity controls such as digital signatures using hashes of the data that are signed.
Modified
p. 4 → 6
Q 4 November 2015 - The CISO must be an employee of the company. In the event the CISO is not available, there must be a designated back-up person who is qualified and empowered to act upon critical security events. Must the designated CISO back-up also be an employee? A Yes. Section 3
• Security Policy and Responsibilities No FAQ in this section
• Reserved for future use.
Q 6 November 2015 - The CISO must be an employee of the company. In the event the CISO is not available, there must be a designated back-up person who is qualified and empowered to act upon critical security events. Must the designated CISO back-up also be an employee? A Yes. Section 3
• Security Policy and Responsibilities No FAQ in this section
• Reserved for future use.
Modified
p. 5 → 7
Q 5 December 2013
• Confidential data is defined to include PAN, expiry date, service code, and cardholder name. Does this apply to all these data elements individually or in any combination? A The PAN must always be considered confidential, and the other three data elements are considered confidential if stored or otherwise available in conjunction with the PAN.
Q 7 December 2013
• Confidential data is defined to include PAN, expiry date, service code, and cardholder name. Does this apply to all these data elements individually or in any combination? A The PAN must always be considered confidential, and the other three data elements are considered confidential if stored or otherwise available in conjunction with the PAN.
Modified
p. 5 → 7
Q 6 October 2014 - Does transmission include the file movement between the systems on the data-preparation or personalization or does it apply only to data that is transmitted between organizational entities over a public network? A If the data is going from one system or server to another then it is being transmitted and must be encrypted. It does not matter if the networks are not internet or public facing. The intention is that data is in clear only …
Q 8 October 2014 - Does transmission include the file movement between the systems on the data-preparation or personalization or does it apply only to data that is transmitted between organizational entities over a public network? A If the data is going from one system or server to another then it is being transmitted and must be encrypted. It does not matter if the networks are not internet or public facing. The intention is that data is in clear only …
Modified
p. 6 → 8
Q 7 November 2015 - Removable media is subject to a number of restrictions as defined in requirement 4.6. Are hard drives in desktops, servers and storage area networks (SANs) considered removable media? A No, internal hard drives are not considered removable media. Removable electronic media is media that stores digitized data, and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and external/portable hard …
Q 9 November 2015 - Removable media is subject to a number of restrictions as defined in requirement 4.6. Are hard drives in desktops, servers and storage area networks (SANs) considered removable media? A No, internal hard drives are not considered removable media. Removable electronic media is media that stores digitized data, and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and external/portable hard …
Modified
p. 8 → 10
Q 8 October 2014 - Access from within the high security area to anything other than the personalization network must be read-only. If the data preparation network is also in the high security area, can the personalization network write to the data preparation network? A Yes, if they are separate networks then generally the data preparation network will deposit files for production on the personalization network or the personalization network will read them from the data preparation network. It’s not …
Q 10 October 2014 - Access from within the high security area to anything other than the personalization network must be read-only. If the data preparation network is also in the high security area, can the personalization network write to the data preparation network? A Yes, if they are separate networks then generally the data preparation network will deposit files for production on the personalization network or the personalization network will read them from the data preparation network. It’s not …
Modified
p. 8 → 10
Q 9 October 2014 - Controls must be in place to restrict write permission to any system external to the personalization network to only pre-approved functions that have been authorized by the VPA and these write functions must not transmit cardholder data. If the data preparation and personalization networks are separate, can the data preparation network have write permissions to a corporate network? A No, the data preparation network must meet the same requirements as the personalization network, data preparation …
Q 11 October 2014 - Controls must be in place to restrict write permission to any system external to the personalization network to only pre-approved functions that have been authorized by the VPA and these write functions must not transmit cardholder data. If the data preparation and personalization networks are separate, can the data preparation network have write permissions to a corporate network? A No, the data preparation network must meet the same requirements as the personalization network, data preparation …
Modified
p. 8 → 10
Q 10 October 2014 - Inventory and order systems may reside in the HSA on the data preparation and personalization networks. Corporate users may require access to the inventory and order detail updates performed on those systems. However, logical access from outside the HSA to these networks is not allowed, and access from within the HSA to anything other than the personalization network must be read-only How can the corporate users obtain access to this information? A The information needs …
Q 12 October 2014 - Inventory and order systems may reside in the HSA on the data preparation and personalization networks. Corporate users may require access to the inventory and order detail updates performed on those systems. However, logical access from outside the HSA to these networks is not allowed, and access from within the HSA to anything other than the personalization network must be read-only How can the corporate users obtain access to this information? A The information needs …
Modified
p. 8 → 10
Q 11 June 2016 - For a card vendor that performs both manufacturing and personalization activities, there will be pre-press activities in the high security area which will contain card design files. Many card vendors will employ email communication to submit these card design files to the issuers/payment brands for approval. As pre-press activities must be within the high security area, the computer with email capability will also reside in the high security area. Can email communication be used for …
Q 13 June 2016 - For a card vendor that performs both manufacturing and personalization activities, there will be pre-press activities in the high security area which will contain card design files. Many card vendors will employ email communication to submit these card design files to the issuers/payment brands for approval. As pre-press activities must be within the high security area, the computer with email capability will also reside in the high security area. Can email communication be used for …
Modified
p. 8 → 10
Q 12 November 2018 - Can Voice over Internet Protocol (VoIP) be used within the HSA? A No. VoIP connections allow direct internet access which is prohibited within the HSA. HSA telephony connectivity is restricted to plain old telephone service (POTS), aka public switched telephone network (PSTN). VoIP can be used outside the HSA but must be converted to analog (POTS) via a PSTN adapter outside the HSA before connectivity within the HSA.
Q 14 November 2018 - Can Voice over Internet Protocol (VoIP) be used within the HSA? A No. VoIP connections allow direct internet access which is prohibited within the HSA. HSA telephony connectivity is restricted to plain old telephone service (POTS), aka public switched telephone network (PSTN). VoIP can be used outside the HSA but must be converted to analog (POTS) via a PSTN adapter outside the HSA before connectivity within the HSA.
Modified
p. 10 → 12
Q 13 February 2016 - Can a card personalization vendor outsource their card production firewall and router administrative support functions to a third-party company? A Yes, but the third-party administration needs to be included in the card vendor’s compliance administration. This includes not just the VPN, but how changes are requested and how the vendor validates that the correct changes, and only those changes, have been made. The remote access site is subject to the compliance validation process as designated …
Q 15 February 2016 - Can a card personalization vendor outsource their card production firewall and router administrative support functions to a third-party company? A Yes, but the third-party administration needs to be included in the card vendor’s compliance administration. This includes not just the VPN, but how changes are requested and how the vendor validates that the correct changes, and only those changes, have been made. The remote access site is subject to the compliance validation process as designated …
Modified
p. 10 → 12
Q 14 December 2013
• Section 5.6.2 stipulates criteria that VPNs must meet. Under what circumstances does this criteria apply, and is there differentiation between mobile VPNs and site-to-site VPNs? A The VPN requirements are part of the Remote Access requirements in Section 5.6. Therefore, they apply to the remote administration of networks and system components that comprise the HSA and do not apply to VPNs that are used for other purposes. For example, the VPN requirements apply to administration of …
Q 16 December 2013
• Section 5.6.2 stipulates criteria that VPNs must meet. Under what circumstances does this criteria apply, and is there differentiation between mobile VPNs and site-to-site VPNs? A The VPN requirements are part of the Remote Access requirements in Section 5.6. Therefore, they apply to the remote administration of networks and system components that comprise the HSA and do not apply to VPNs that are used for other purposes. For example, the VPN requirements apply to administration of …
Modified
p. 10 → 12
Q 15 July 2013
• Remote access is permitted only for administration of the network or system components and is not permitted to any system where clear-text cardholder data is being processed. If system administration is handled remotely by the card vendor or outsourced to a third party, are they still subject to the criteria defined within the Remote Access Section? A Yes, administration of the network and system components is a critical activity that requires a secure environment that complies …
Q 17 July 2013
• Remote access is permitted only for administration of the network or system components and is not permitted to any system where clear-text cardholder data is being processed. If system administration is handled remotely by the card vendor or outsourced to a third party, are they still subject to the criteria defined within the Remote Access Section? A Yes, administration of the network and system components is a critical activity that requires a secure environment that complies …
Modified
p. 10 → 12
Q 16 December 2017 - Quarterly external network vulnerability scans must be performed using a PCI SSC Approved Scanning Vendor (ASV). Can internal staff perform the analysis of the results and determine the severity of any vulnerabilities found? A No, a PCI SSC ASV has the proper background and experience to both perform the scan and the resulting analyses as specified in the ASV program guide. The remediation actions may be determined by the vendor, but the scoring and ranking, …
Q 18 December 2017 - Quarterly external network vulnerability scans must be performed using a PCI SSC Approved Scanning Vendor (ASV). Can internal staff perform the analysis of the results and determine the severity of any vulnerabilities found? A No, a PCI SSC ASV has the proper background and experience to both perform the scan and the resulting analyses as specified in the ASV program guide. The remediation actions may be determined by the vendor, but the scoring and ranking, …
Modified
p. 11 → 13
Q 17 March 2016 - How must the internal penetration test be conducted? A The internal penetration test must be performed using the criteria defined in this requirement. Additionally, testing must occur in accordance with DSS requirement 11 with the exception that the coverage must be all HSA systems and the personalization network. The internal penetration test must not require any rule changes to conduct and must originate from systems within the HSA.
Q 19 March 2016 - How must the internal penetration test be conducted? A The internal penetration test must be performed using the criteria defined in this requirement. Additionally, testing must occur in accordance with DSS requirement 11 with the exception that the coverage must be all HSA systems and the personalization network. The internal penetration test must not require any rule changes to conduct and must originate from systems within the HSA.
Modified
p. 11 → 13
Q 18 December 2013
• For purposes of this requirement, how are network domains defined for what is allowed or not allowed? A In a virtualized environment, activities involving data preparation and personalization can use the same equipment. However, you cannot use the same equipment for systems in the DMZ and data-preparation or personalization area. This is because data preparation and personalization must occur within the HSA, whereas other activities must occur outside the HSA.
Q 20 December 2013
• For purposes of this requirement, how are network domains defined for what is allowed or not allowed? A In a virtualized environment, activities involving data preparation and personalization can use the same equipment. However, you cannot use the same equipment for systems in the DMZ and data-preparation or personalization area. This is because data preparation and personalization must occur within the HSA, whereas other activities must occur outside the HSA.
Modified
p. 11 → 13
Q 19 December 2013
• Some systems are not capable of expiring passwords within 24 hours as required by 7.2.2.c. What alternatives are available? A If a system cannot expire initial passwords that are not used within 24 hours of distribution, then the passwords must not be issued more than 24 hours before expected use. If 24 hours elapses without use, they must be manually expired within that 24-hour period.
Q 21 December 2013
• Some systems are not capable of expiring passwords within 24 hours as required by 7.2.2.c. What alternatives are available? A If a system cannot expire initial passwords that are not used within 24 hours of distribution, then the passwords must not be issued more than 24 hours before expected use. If 24 hours elapses without use, they must be manually expired within that 24-hour period.
Modified
p. 12 → 14
Q 20 July 2015 - The vendor must define procedures for the transfer of key-management roles between individuals. Does "roles" mean custodian A holder versus a custodian B holder? A No. This is not intended for transfer of roles between existing custodians if it results in a custodian collectively having access to sufficient key components or shares of a secret or private key to reconstruct a cryptographic key. For example, in an m-of-n scheme (which must use a recognized secret-sharing …
Q 22 July 2015 - The vendor must define procedures for the transfer of key-management roles between individuals. Does "roles" mean custodian A holder versus a custodian B holder? A No. This is not intended for transfer of roles between existing custodians if it results in a custodian collectively having access to sufficient key components or shares of a secret or private key to reconstruct a cryptographic key. For example, in an m-of-n scheme (which must use a recognized secret-sharing …
Modified
p. 12 → 14
Q 21 December 2013
• Are there any alternatives to meet this requirement for when the authorized custodian is unavailable? Yes, if the primary custodian is unavailable, a pre-designated and authorized backup custodian can receive the package. Alternatively, drop boxes can be used for the courier to leave the package in a locked container that is only accessible by the primary and backup custodians.
Q 23 December 2013
• Are there any alternatives to meet this requirement for when the authorized custodian is unavailable? Yes, if the primary custodian is unavailable, a pre-designated and authorized backup custodian can receive the package. Alternatively, drop boxes can be used for the courier to leave the package in a locked container that is only accessible by the primary and backup custodians.
Modified
p. 13 → 15
Q 22 October 2014 - What specifically is the requirement regarding the signature of a custodian being placed on the access logs? Does it require the full name (first and last) or can the signature be first initial and last name or only be the initials of the custodians? A Signatures must be sufficient to identify each custodian. Full names or initials or any combination are acceptable as long as it can be positively affirmed who provided the signature.
Q 24 October 2014 - What specifically is the requirement regarding the signature of a custodian being placed on the access logs? Does it require the full name (first and last) or can the signature be first initial and last name or only be the initials of the custodians? A Signatures must be sufficient to identify each custodian. Full names or initials or any combination are acceptable as long as it can be positively affirmed who provided the signature.
Modified
p. 13 → 15
Q 23 July 2014
• Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes? A Copies of keys at another site (e.g. Issuer keys or personalization keys) may exist if there is a contract with that site e.g., if they are subcontracting the personalization activity to that site. This subcontracting needs the written permission of the issuer(s) impacted. For disaster recovery purposes, the same conditions apply. There must be a …
Q 25 July 2014
• Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes? A Copies of keys at another site (e.g. Issuer keys or personalization keys) may exist if there is a contract with that site e.g., if they are subcontracting the personalization activity to that site. This subcontracting needs the written permission of the issuer(s) impacted. For disaster recovery purposes, the same conditions apply. There must be a …
Modified
p. 13 → 15
Q 24 July 2013
• Can the same transport keys be used between the card vendor and separate locations of another organization? A No, each location would constitute a separate key zone and therefore different transport keys must be used. The same is true for a card vendor with multiple locations communicating to one or more locations of another organizational entity.
Q 26 July 2013
• Can the same transport keys be used between the card vendor and separate locations of another organization? A No, each location would constitute a separate key zone and therefore different transport keys must be used. The same is true for a card vendor with multiple locations communicating to one or more locations of another organizational entity.
Modified
p. 14 → 16
Q 25 December 2013
• Does 8.9.g apply to all IC keys? A No, it does not apply to manufacturer or founder keys. It does apply to other keys such as those used for pre-personalization.
Q 27 December 2013
• Does 8.9.g apply to all IC keys? A No, it does not apply to manufacturer or founder keys. It does apply to other keys such as those used for pre-personalization.
Modified
p. 14 → 16
Q 26 July 2014
• Does the HSM FIPS/PCI certification include customization of native HSM firmware if the FIPS/PCI mode is not impacted? A If firmware is modified it impacts the approval. However, HSMs may allow customers or integrators to install additional applications where the vendor can show that by permitting this:
Q 28 July 2014
• Does the HSM FIPS/PCI certification include customization of native HSM firmware if the FIPS/PCI mode is not impacted? A If firmware is modified it impacts the approval. However, HSMs may allow customers or integrators to install additional applications where the vendor can show that by permitting this:
Modified
p. 15 → 17
Updates: New or questions modified for clarity are in red. Questions impacted are #’s 33, 59 and 60.
Updates: New or questions modified for clarity are in red.