Document Comparison

PCI_CP_SR_FAQs_v3_Feb_2026.pdf PCI_Card_Production_SR_FAQs_v3_April_2026.pdf
95% similar
44 → 46 Pages
17448 → 17835 Words
90 Content Changes

Content Changes

90 content changes. 36 administrative changes (dates, page numbers) hidden.

Added p. 5
Q 6 April 2026 - Several requirements state to contact the Vendor Program Administrator (the applicable payment brand(s)) for approval of any deviation from those requirements. Are those the only requirements that if an entity is not able to be compliant with the requirement as written that require the applicable payment brand(s) approval? A No. PCI SSC is responsible for the Card Production and Provisioning (CPP) Standards and the related CPP Program Guide. However, each payment brand is responsible for any compliance programs associated with the CPP Standards, including whether and which entities are required to validate compliance and which card production and provisioning activities they are approved to perform. Card Production Security Assessors review entities and are responsible to determine compliance with CPP Standards. Then they submit any attestations or reports in accordance with the CPP Program Guide or as directed by the applicable payment brand(s). The outcome of …
Added p. 8
Q 13 November 2015 − Removable media is subject to a number of restrictions as defined in
Added p. 12
Q 7 April 2026 - Requirement 4.2.i states that any exception to restricting write permission to any system external to the personalization network except for systems in the dedicated DMZ requires VPA authorization. How does an entity get this approval? A This requirement is under revision. According to CPP requirement 4.1.1, the DMZ must be dedicated to card production/provisioning activities, and the card production and provisioning network must be segregated from other parts of an organization's network. Heretofore, the entity must have controls in place to restrict “write” permission to any system external to the personalization network to only systems in the dedicated DMZ. As part of the revision status, under 4.2.i, pre-approval or authorization by the VPA is no longer included as part of this requirement. Any in-place or not-in-place findings must be reflected in the ROC accordingly.
Added p. 22
• Gathered as part of the hiring process and periodically thereafter:

• Physical master keys that provide access to card production or provisioning areas

• Agent’s role or responsibility

• 16-gauge metal studs are used with 12inch (305mm) on center

• 0.75inch #9 steel mesh or 3/4inch #9 or 19mm #9

• Thickness 0.120 inches (3mm) 0.01-inch tolerance (0.5mm)

• Card Product and Component Destruction Room(s)

• PIN Mailer Production Room

• Clear plastic flaps hanging from the door

• A separate rack in a server room, or
Added p. 39
• Quality control sheets

• Under dual control, and

• Spoiled or waste card products

• Holographic materials

• Sample and test cards
Modified p. 3
PaymentProductsCertification@aexp.com • Discover:
PaymentProductsCertification@aexp.com
Modified p. 3
DN_CARD_REQUEST@discover.com riskmanagement@info.jcb.co.jp • Mastercard:
DN_CARD_REQUEST@discover.com riskmanagement@info.jcb.co.jp
Modified p. 5
Q 6 October 2014 − If a Chip Card manufacturer sets up a remote personalization service within an Issuer, is the Issuer facility required to be PCI Card Production compliant? A If a third party (vendor) sets up and operates a personalization service inside an issuer's premises, then the issuer facility is required to be approved. If the service is operated by the issuer so that only the issuer has access to card stocks, cardholder data, and keys then it is …
Q 7 October 2014 − If a Chip Card manufacturer sets up a remote personalization service within an Issuer, is the Issuer facility required to be PCI Card Production compliant? A If a third party (vendor) sets up and operates a personalization service inside an issuer's premises, then the issuer facility is required to be approved. If the service is operated by the issuer so that only the issuer has access to card stocks, cardholder data, and keys then it is …
Modified p. 5
Q 7 October 2018 − Can a logbook be either manual or electronic? A When the required details are met, including capture of signatures, the logs may be either electronic or manual. Electronic logbooks require additional integrity controls such as digital signatures using hashes of the data that are signed.
Q 8 October 2018 − Can a logbook be either manual or electronic? A When the required details are met, including capture of signatures, the logs may be either electronic or manual. Electronic logbooks require additional integrity controls such as digital signatures using hashes of the data that are signed.
Modified p. 5
Q 8 June 2022 − Can HSMs that have migrated to the NIST CMVP Historical Validation List continue to be used? A Yes. FIPS 140-2 or FIPS 140-3 HSMs that have migrated to the CMVP Historical Validation List can continue to be used if approved at the time of deployment. However, effective January 2023, new deployments (i.e., additional HSMs and not replacements of existing HSMs with like for like) of HSMs on the Historical Validation List are not allowed.
Q 9 June 2022 − Can HSMs that have migrated to the NIST CMVP Historical Validation List continue to be used? A Yes. FIPS 140-2 or FIPS 140-3 HSMs that have migrated to the CMVP Historical Validation List can continue to be used if approved at the time of deployment. However, effective January 2023, new deployments (i.e., additional HSMs and not replacements of existing HSMs with like for like) of HSMs on the Historical Validation List are not allowed.
Modified p. 5 → 6
Q 9 June 2022 − For PCI approved HSMs that have had their approvals expire, can they continue to be used? A For clarification on the usage of PCI approved HSMs for which the approval has expired, contact the payment brand(s) of interest at: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-do-I-contact-the-payment-card-brands.
Q 10 June 2022 − For PCI approved HSMs that have had their approvals expire, can they continue to be used? A For clarification on the usage of PCI approved HSMs for which the approval has expired, contact the payment brand(s) of interest at: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-do-I-contact-the-payment-card-brands.
Removed p. 6
• PAN, expiry, service code, cardholder name, Track 2, or Track 2 equivalent
• TLS keys
• Vendor evidence preserving data
• Authentication credentials for requesting tokens
• Mobile Station International Subscriber Directory Number (number used to identify a mobile phone number)
Modified p. 6
Q 10 December 2013 − Confidential data is defined to include PAN, expiry date, service code, and cardholder name. Does this apply to all these data elements individually or in any combination? A The PAN must always be considered confidential, and the other three data elements are considered confidential if stored or otherwise available in conjunction with the PAN.
Q 11 December 2013 − Confidential data is defined to include PAN, expiry date, service code, and cardholder name. Does this apply to all these data elements individually or in any combination? A The PAN must always be considered confidential, and the other three data elements are considered confidential if stored or otherwise available in conjunction with the PAN.
Modified p. 6 → 7
Q 11 October 2014 − Does transmission include the file movement between the systems on the data-preparation or personalization or does it apply only to data that is transmitted between organizational entities over a public network? A If the data is going from one system or server to another, it is being transmitted and must be encrypted. It does not matter whether the networks are not Internet- or public-facing. The intention is that data is in the clear only in memory …
Q 12 October 2014 − Does transmission include the file movement between the systems on the data-preparation or personalization or does it apply only to data that is transmitted between organizational entities over a public network? A If the data is going from one system or server to another, it is being transmitted and must be encrypted. It does not matter whether the networks are not Internet- or public-facing. The intention is that data is in the clear only in memory …
Modified p. 7 → 8
Q 12 November 2015 − Removable media is subject to a number of restrictions as defined in Requirement 3.6. Are hard drives in desktops, servers, and storage area networks (SANs) considered removable media? A No. Internal hard drives are not considered removable media. Removable electronic media is media that stores digitized data, and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives, and external/portable hard drives.
Requirement 3.6. Are hard drives in desktops, servers, and storage area networks (SANs) considered removable media? A No. Internal hard drives are not considered removable media. Removable electronic media is media that stores digitized data, and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives, and external/portable hard drives.
Modified p. 9 → 10
a) Maintain a current network topology diagram that includes all system components on the network. The diagram must clearly define the boundaries of all networks.
a) Maintain a current network topology diagram that includes all system components on the network.
Modified p. 11 → 13
• Monthly, or
• Quarterly with review after every firewall configuration change.
Quarterly with review after every firewall configuration change.
Modified p. 12 → 14
Q 7 February 2016 − Can a card personalization vendor outsource their card production firewall and router administrative support functions to a third-party company? A Yes. But the third-party administration needs to be included in the card vendor’s compliance administration. This includes not just the VPN, but how changes are requested and how the vendor validates that the correct changes, and only those changes, have been made. The remote access site is subject to the compliance validation process as designated by …
Q 8 February 2016 − Can a card personalization vendor outsource their card production firewall and router administrative support functions to a third-party company? A Yes. But the third-party administration needs to be included in the card vendor’s compliance administration. This includes not just the VPN, but how changes are requested and how the vendor validates that the correct changes, and only those changes, have been made. The remote access site is subject to the compliance validation process as designated by …
Modified p. 12 → 14
Q 8 December 2013 − Section 4.6.2 stipulates criteria that VPNs must meet. Under what circumstances do these criteria apply, and is there differentiation between mobile VPNs and site-to-site VPNs? A The VPN requirements are part of the Remote Access requirements in Section 4.6. Therefore, they apply to the remote administration of networks and system components that comprise the HSA and do not apply to VPNs that are used for other purposes. For example, the VPN requirements apply to administration of …
Q 9 December 2013 − Section 4.6.2 stipulates criteria that VPNs must meet. Under what circumstances do these criteria apply, and is there differentiation between mobile VPNs and site-to-site VPNs? A The VPN requirements are part of the Remote Access requirements in Section 4.6. Therefore, they apply to the remote administration of networks and system components that comprise the HSA and do not apply to VPNs that are used for other purposes. For example, the VPN requirements apply to administration of …
Modified p. 12 → 14
Q 9 July 2013 − Remote access is permitted only for administration of the network or system components and is not permitted to any system where clear-text cardholder data is being processed. If system administration is handled remotely by the card vendor or outsourced to a third party, are they still subject to the criteria defined within the Remote Access Section? A Yes. Administration of the network and system components is a critical activity that requires a secure environment that complies …
Q 10 July 2013 − Remote access is permitted only for administration of the network or system components and is not permitted to any system where clear-text cardholder data is being processed. If system administration is handled remotely by the card vendor or outsourced to a third party, are they still subject to the criteria defined within the Remote Access Section? A Yes. Administration of the network and system components is a critical activity that requires a secure environment that complies …
Modified p. 13 → 15
Q 10 December 2017 − Quarterly external network vulnerability scans must be performed using a PCI SSC Approved Scanning Vendor (ASV). Can internal staff perform the analysis of the results and determine the severity of any vulnerabilities found? A No. A PCI SSC ASV has the proper background and experience to perform both the scan and the resulting analyses as specified in the ASV program guide. The remediation actions may be determined by the vendor, but the scoring and ranking, etc. …
Q 11 December 2017 − Quarterly external network vulnerability scans must be performed using a PCI SSC Approved Scanning Vendor (ASV). Can internal staff perform the analysis of the results and determine the severity of any vulnerabilities found? A No. A PCI SSC ASV has the proper background and experience to perform both the scan and the resulting analyses as specified in the ASV program guide. The remediation actions may be determined by the vendor, but the scoring and ranking, etc. …
Modified p. 13 → 15
• Consideration of the Common Vulnerability Scoring System (CVSS) base score, and/or
• Consideration of the Common Vulnerability Scoring System (CVSS) base score,
Modified p. 13 → 15
Q 11 March 2016 − How must the internal penetration test be conducted? A The internal penetration test must be performed using the criteria defined in this requirement. Additionally, testing must occur in accordance with DSS Requirement 11 with the exception that the coverage must be all HSA systems and the personalization network. The internal penetration test must not require any rule changes to conduct and must originate from systems within the HSA.
Q 12 March 2016 − How must the internal penetration test be conducted? A The internal penetration test must be performed using the criteria defined in this requirement. Additionally, testing must occur in accordance with DSS Requirement 11 with the exception that the coverage must be all HSA systems and the personalization network. The internal penetration test must not require any rule changes to conduct and must originate from systems within the HSA.
Modified p. 14 → 16
Q 12 December 2013 − For purposes of this requirement, how are network domains defined for what is allowed or not allowed? A In a virtualized environment, activities involving data preparation and personalization can use the same equipment. However, you cannot use the same equipment for systems in the DMZ and data-preparation or personalization area. This is because data preparation and personalization must occur within the HSA, whereas other activities must occur outside the HSA.
Q 13 December 2013 − For purposes of this requirement, how are network domains defined for what is allowed or not allowed? A In a virtualized environment, activities involving data preparation and personalization can use the same equipment. However, you cannot use the same equipment for systems in the DMZ and data-preparation or personalization area. This is because data preparation and personalization must occur within the HSA, whereas other activities must occur outside the HSA.
Modified p. 14 → 16
Q 13 December 2013 − Some systems are not capable of expiring passwords within 24 hours as required by 6.2.2.c. What alternatives are available? A If a system cannot expire initial passwords that are not used within 24 hours of distribution, then the passwords must not be issued more than 24 hours before expected use. If 24 hours elapses without use, they must be manually expired within that 24-hour period.
Q 14 December 2013 − Some systems are not capable of expiring passwords within 24 hours as required by 6.2.2.c. What alternatives are available? A If a system cannot expire initial passwords that are not used within 24 hours of distribution, then the passwords must not be issued more than 24 hours before expected use. If 24 hours elapses without use, they must be manually expired within that 24-hour period.
Modified p. 14 → 16
Q 14 July 2015 − The vendor must define procedures for the transfer of key-management roles between individuals. Does "roles" mean a custodian A holder versus a custodian B holder? A No. This is not intended for transfer of roles between existing custodians if it results in a custodian collectively having access to sufficient key components or shares of a secret or private key to reconstruct a cryptographic key.
Q 15 July 2015 − The vendor must define procedures for the transfer of key-management roles between individuals. Does "roles" mean a custodian A holder versus a custodian B holder? A No. This is not intended for transfer of roles between existing custodians if it results in a custodian collectively having access to sufficient key components or shares of a secret or private key to reconstruct a cryptographic key.
Modified p. 15 → 17
Q 15 December 2013 − Are there any alternatives to meet this requirement if the authorized custodian is unavailable? A Yes. If the primary custodian is unavailable, a pre-designated and authorized backup custodian can receive the package. Alternatively, drop boxes can be used for the courier to leave the package in a locked container that is only accessible by the primary and backup custodians.
Q 16 December 2013 − Are there any alternatives to meet this requirement if the authorized custodian is unavailable? A Yes. If the primary custodian is unavailable, a pre-designated and authorized backup custodian can receive the package. Alternatively, drop boxes can be used for the courier to leave the package in a locked container that is only accessible by the primary and backup custodians.
Modified p. 15 → 17
Q 16 October 2014 − What specifically is the requirement regarding the signature of a custodian being placed on the access logs? Does it require the full name (first and last), or can the signature be the first initial and last name or just the initials of the custodians? A Signatures must be sufficient to identify each custodian. Full names or initials or any combination are acceptable as long as it can be positively affirmed who provided the signature.
Q 17 October 2014 − What specifically is the requirement regarding the signature of a custodian being placed on the access logs? Does it require the full name (first and last), or can the signature be the first initial and last name or just the initials of the custodians? A Signatures must be sufficient to identify each custodian. Full names or initials or any combination are acceptable as long as it can be positively affirmed who provided the signature.
Modified p. 16 → 18
Q 17 July 2014 − Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes? A Copies of keys at another site (e.g., issuer keys or personalization keys) may exist if there is a contract with that site (e.g., if they are subcontracting the personalization activity to that site). This subcontracting needs the written permission of the issuer(s) impacted.
Q 18 July 2014 − Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes? A Copies of keys at another site (e.g., issuer keys or personalization keys) may exist if there is a contract with that site (e.g., if they are subcontracting the personalization activity to that site). This subcontracting needs the written permission of the issuer(s) impacted.
Modified p. 16 → 18
Q 18 July 2013 − Can the same transport keys be used between the card vendor and separate locations of another organization? A No. Each location would constitute a separate key zone and therefore different transport keys must be used. The same is true for a card vendor with multiple locations communicating to one or more locations of another organizational entity.
Q 19 July 2013 − Can the same transport keys be used between the card vendor and separate locations of another organization? A No. Each location would constitute a separate key zone and therefore different transport keys must be used. The same is true for a card vendor with multiple locations communicating to one or more locations of another organizational entity.
Modified p. 16 → 18
Q 19 August 2023 - Key usage stipulates: All secret and private keys must have a predefined expiry date by which they must be retired from use. No key must be used for a period longer than the designated life span of that key. Issuer keys must not be used for longer than the issuer-specified expiry date. Are issuers required to provide an expiration date for their keys, such as those used for PIN or Card verification? A No. The …
Q 20 August 2023 - Key usage stipulates: All secret and private keys must have a predefined expiry date by which they must be retired from use. No key must be used for a period longer than the designated life span of that key. Issuer keys must not be used for longer than the issuer-specified expiry date. Are issuers required to provide an expiration date for their keys, such as those used for PIN or Card verification? A No. The …
Modified p. 16 → 18
Q 20 December 2013 − Does 7.9.h apply to all IC keys? A No. It does not apply to manufacturer or founder keys. It does apply to other keys such as those used for pre-personalization.
Q 21 December 2013 − Does 7.9.h apply to all IC keys? A No. It does not apply to manufacturer or founder keys. It does apply to other keys such as those used for pre-personalization.
Modified p. 17 → 19
Q 21 July 2014 − Does the HSM FIPS/PCI certification include customization of native HSM firmware if the FIPS/PCI mode is not impacted? A If firmware is modified it impacts the approval. However, HSMs may allow customers or integrators to install additional applications where the vendor can show that by permitting this:
Q 22 July 2014 − Does the HSM FIPS/PCI certification include customization of native HSM firmware if the FIPS/PCI mode is not impacted? A If firmware is modified it impacts the approval. However, HSMs may allow customers or integrators to install additional applications where the vendor can show that by permitting this:
Modified p. 17 → 19
It cannot adversely affect the security features of the product that are relevant to the PCI HSM certification.
It cannot adversely affect the security features of the product that are relevant to the PCI HSM certification.
Modified p. 17 → 19
It cannot modify any of the cryptographic functionality of the HSM or introduce new primitive cryptographic functionality.
It cannot modify any of the cryptographic functionality of the HSM or introduce new primitive cryptographic functionality.
Modified p. 17 → 19
The application is strongly authenticated to the HSM by digital signature.
The application is strongly authenticated to the HSM by digital signature.
Modified p. 17 → 19
The application does not have access to sensitive keys.
The application does not have access to sensitive keys.
Modified p. 17 → 19
Q 22 October 2025 - In light of NIST clarifying that the purpose and use of the statistical test suite in NIST SP 800-22 (A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic) is not suitable for use in assessing cryptographic random number generators, what is the impact for protection of confidential data? A The vendor must generate keys and key components using a random or pseudo-random process in one of the following:
Q 23 October 2025 - In light of NIST clarifying that the purpose and use of the statistical test suite in NIST SP 800-22 (A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic) is not suitable for use in assessing cryptographic random number generators, what is the impact for protection of confidential data? A The vendor must generate keys and key components using a random or pseudo-random process in one of the following:
Modified p. 19 → 21
Q 23 February 2026 - For third-party entities engaged in providing PINs to end users after the initial distribution, is the distribution mechanisms subject to the PCI Card Production and Provisioning (CPP) Security Requirements? A Initial PIN distribution and any subsequent distribution performed by a third-party on behalf of the issuer is subject to the Card Production and Provisioning Security Requirements. The entity providing the service must have this process evaluated against the CPP Security Requirements. Additionally, payment brands may …
Q 24 February 2026 - For third-party entities engaged in providing PINs to end users after the initial distribution, is the distribution mechanisms subject to the PCI Card Production and Provisioning (CPP) Security Requirements? A Initial PIN distribution and any subsequent distribution performed by a third-party on behalf of the issuer is subject to the Card Production and Provisioning Security Requirements. The entity providing the service must have this process evaluated against the CPP Security Requirements. Additionally, payment brands may …
Modified p. 19 → 21
Q 24 February 2026 - For PIN distribution using electronic methods, the PIN distribution system must:

• Not communicate with any other system where associated cardholder data is stored or processed.
Q 25 February 2026 - For PIN distribution using electronic methods, the PIN distribution system

• Not communicate with any other system where associated cardholder data is stored or processed.
Modified p. 20 → 22
Gathered as part of the hiring process:
Gathered as part of the hiring process:
Modified p. 20 → 22
- Fingerprints and results of search against national and regional criminal records
• Gathered as part of the hiring process and periodically thereafter:
- Fingerprints and results of search against national and regional criminal records
Modified p. 21 → 23
• Employee records
• Physical master keys that provide access to card production or provisioning areas
• Audit logs
• Any restricted areas where the vendor processes, stores, or delivers card products and card components.
Any restricted areas where the vendor processes, stores, or delivers card products and card components.
Modified p. 22 → 24
The visitor must be instructed on its proper use.
The visitor must be instructed on its proper use.
Modified p. 22 → 24
The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
Modified p. 22 → 24
Visitors must use their access card in the card readers to the room into which they enter.
Visitors must use their access card in the card readers to the room into which they enter.
Modified p. 22 → 24
Badging to track access must be used.
Badging to track access must be used.
Modified p. 23 → 25
• Agent’s name, address, and telephone numbers
• Agent’s role or responsibility
Agent’s name, address, and telephone numbers
Modified p. 24 → 26
Q 10 May 2017 − For a facility located in a shared building, is it required for the main building entrance to comply with the security requirements in section 2.1.2 Exterior Entrances and Exits? A No. The main building entrance that leads to multiple tenants does not need to comply with the requirements for exterior entrances and exists. Specifically, the entrance to the building segment occupied by the card production vendor is considered the building entrance and must comply with the …
Q 10 May 2017 − For a facility located in a shared building, is it required for the main building entrance to comply with the security requirements in section 2.1.2 Exterior Entrances and Exits? A No. The main building entrance that leads to multiple tenants does not need to comply with the requirements for exterior entrances and exits. Specifically, the entrance to the building segment occupied by the card production vendor is considered the building entrance and must comply with the …
Removed p. 25
(e.g., CCTV monitors) inside the security control room. One example would be covering all security control room windows with a one-way mirror film or other material preventing viewing from outside.
Modified p. 25 → 27
• 16-gauge metal studs are used with 12inch (305mm) on center
• 0.75inch #9 steel mesh or 3/4inch #9 or 19mm #9
• Thickness 0.120 inches (3mm) 0.01-inch tolerance (0.5mm)
• Expanded metal mesh is anchored to the stud with vendor supplied mesh anchors every 12 inches (305mm) and installed per the manufacturer’s requirements.
Expanded metal mesh is anchored to the stud with vendor supplied mesh anchors every 12 inches (305mm) and installed per the manufacturer’s requirements.
Modified p. 25 → 27
2.3.2.2.q The vendor must have mechanisms in place to prevent observation of security equipment
2.3.2.2.q The vendor must have mechanisms in place to prevent observation of security equipment (e.g., CCTV monitors) inside the security control room. One example would be covering all security control room windows with a one-way mirror film or other material preventing viewing from outside.
Modified p. 26 → 28
Q 13 May 2017 − Under what circumstances, if any, can DVRs be located in the HSA? Be protected from access by unauthorized personnel. For example, they are installed in:
Q 13 May 2017 − Under what circumstances, if any, can DVRs be located in the HSA? Be protected from access by unauthorized personnel. For example, they are installed in:
Modified p. 26 → 28
Either not have network capability or, if present, policies and procedures must exist to prevent the enablement or usage of the network capability.
Either not have network capability or, if present, policies and procedures must exist to prevent the enablement or usage of the network capability.
Modified p. 27 → 29
Q 19 July 2013 − Requirement 2.3.4 specifies controls that must be applied to all rooms within the High Security Area (HSA) and Requirement 2.3.5 specifies the following as rooms that may exist within the HSA:
Q 19 July 2013 − Requirement 2.3.4 specifies controls that must be applied to all rooms within the High Security Area (HSA) and Requirement 2.3.5 specifies the following as rooms that may exist within the HSA: • Work in Progress (WIP) Storage Room
Modified p. 27 → 29
• Pre-Press Room
• Work in Progress (WIP) Storage Room
• Card Product and Component Destruction Room(s)
• PIN Mailer Production Room
• Server Room & Key Management Room
Do the controls specified apply to other rooms within the HSA? A Yes. They apply to all rooms in the HSA. Non-compliant rooms must be either closed off or reconfigured to no longer be separate rooms.
Server Room & Key Management Room Do the controls specified apply to other rooms within the HSA? A Yes. They apply to all rooms in the HSA. Non-compliant rooms must be either closed off or reconfigured to no longer be separate rooms.
Modified p. 28 → 30
Q 21 December 2013 - Separate rooms within the HSA must meet all the requirements in Section 2.3.4, with the exception of person-by-person access. If a room cannot or will not be made to meet these requirements, what options exist? A The card vendor has three options:
Section 2.3.4, with the exception of person-by-person access. If a room cannot or will not be made to meet these requirements, what options exist? A The card vendor has three options:
Modified p. 28 → 30
Close off the room from accessibility to anyone with HSA access.
Close off the room from accessibility to anyone with HSA access.
Modified p. 28 → 30
Reconfigure smaller rooms into a larger room meeting the requirements.
Reconfigure smaller rooms into a larger room meeting the requirements.
Modified p. 28 → 30
Convert non-compliant rooms into spaces within an HSA that are no longer fully enclosed, e.g., by removing doors.
Convert non-compliant rooms into spaces within an HSA that are no longer fully enclosed, e.g., by removing doors.
Modified p. 28 → 30
For purposes of 2.3.5, do elevators, stairwells, closets, and glass-enclosed rooms (e.g., conference rooms or other room types) constitute a room? A If an elevator has a door, access to it must be controlled. Stairwells are not a room if they do not have doors. Closets would not be considered a room if a person could not physically enter. However, a storage room with a door is considered a room. Glass-enclosed rooms are also considered rooms for purposes of this …
Q 22 December 2013 - For purposes of 2.3.5, do elevators, stairwells, closets, and glass-enclosed rooms (e.g., conference rooms or other room types) constitute a room? A If an elevator has a door, access to it must be controlled. Stairwells are not a room if they do not have doors. Closets would not be considered a room if a person could not physically enter. However, a storage room with a door is considered a room. Glass-enclosed rooms are also considered rooms for …
Modified p. 29 → 31
Q 25 October 2014 − Are any of these options acceptable to implement in lieu of implementing the controls for separate rooms under this section:
Q 25 October 2014 − Are any of these options acceptable to implement in lieu of implementing the controls for separate rooms under this section: • Glass doors without locks and a fully lit room
Modified p. 29 → 31
• Glass doors without locks and a fully lit room
• Clear plastic flaps hanging from the door
• Swinging or sliding glass doors that do not have any type of closure mechanism?
A Glass doors without locks and swinging or sliding doors are not acceptable. Clear plastic flaps hanging from the door or no door at all are the only viable options.
• Swinging or sliding glass doors that do not have any type of closure mechanism?
A Glass doors without locks and swinging or sliding doors are not acceptable. Clear plastic flaps hanging from the door or no door at all are the only viable options.
Modified p. 29 → 31
Q 27 March 2015 - Can the following processes be performed in the rooms outside the high security areas:
Q 27 March 2015 - Can the following processes be performed in the rooms outside the high security areas:
• Design development (external graphical view) of a plastic card,
Modified p. 29 → 31
• Design development (external graphical view) of a plastic card,
• Printing the plastic cards designs/rough copies with your company logo on a printer,
• Preparation of a file containing the plastic card design for output to CTP devices (not an output itself, but only the preparation)?
A Work that is purely design work does not need to occur in the HSA. But where the machinery is present that enables the production of the design, e.g., the plates or the printing …
• Printing the plastic cards designs/rough copies with your company logo on a printer,
• Preparation of a file containing the plastic card design for output to CTP devices (not an output itself, but only the preparation)?
A Work that is purely design work does not need to occur in the HSA. But where the machinery is present that enables the production of the design (e.g., the plates or the printing of high-resolution images and any pre-production samples) it must be …
Modified p. 30 → 32
• A separate rack in a server room, or
• In a provisioning-only entity, housed in a separate room or cage in a data center.
In a provisioning-only entity, housed in a separate room or cage in a data center.
Modified p. 31 → 33
• Cards awaiting personalization
• Security components
• Materials awaiting destruction
• Samples and test cards prior to distribution and after return
• Any card that is personalized with production data
• If the facility is closed, personalized cards that will not be shipped within the same working day
• Products awaiting return to the supplier
• Cards awaiting personalization
• Security components
• Materials awaiting destruction
• Samples and test cards prior to distribution and after return
• Any card that is personalized with production data
• If the facility is closed, personalized cards that will not be shipped within the same working day
• Products awaiting return to the supplier
Modified p. 32 → 34
An outside wall of the building must not be used as a wall of the vault.
An outside wall of the building must not be used as a wall of the vault.
Modified p. 32 → 34
If the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., via motion sensors.
If the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., via motion sensors.
Modified p. 32 → 34
No windows are permitted.
No windows are permitted.
Modified p. 32 → 34
There must be no access to the vault except through the vault doors and gate configurations meeting these requirements. The vault must be protected with a sufficient number of intruder-detection devices that provide an early attack indication, e.g., seismic, vibration/shock, microphonic wire, microphone, etc.
There must be no access to the vault except through the vault doors and gate configurations meeting these requirements. The vault must be protected with a sufficient number of intruder-detection devices that provide an early attack indication, e.g., seismic, vibration/shock, microphonic wire, microphone, etc.
Modified p. 32 → 34
The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical, e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access. The access mechanism requires that access occurs under dual control and does not allow entry by a single individual, i.e., it is not feasible for a single individual to use credentials belonging to someone else to simulate dual access.
The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical, e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access. The access mechanism requires that access occurs under dual control and does not allow entry by a single individual, i.e., it is not feasible for a single individual to use credentials belonging to someone else to simulate dual access.
Modified p. 33 → 35
Vaults existing prior to the March 2015 publication date that do not meet the requirement must comply with the following:
Vaults existing prior to the March 2015 publication date that do not meet the requirement must comply with the following:
Modified p. 33 → 35
Vaults must be constructed of reinforced concrete (minimum 15 centimeters or 6 inches) or at least meet the Underwriters Laboratories Class 1 Burglary Certification Standard (e.g., UL 608), which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces, i.e., vault doors, walls, floors and ceilings. Can materials certified to the European Standard EN 1143-1 Secure storage units - Requirements, classification and methods of test for resistance to burglary - Part 1: Safes, …
Q 40 August 2020 - Vaults must be constructed of reinforced concrete (minimum 15 centimeters or 6 inches) or at least meet the Underwriters Laboratories Class 1 Burglary Certification Standard (e.g., UL 608), which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces, i.e., vault doors, walls, floors and ceilings. Can materials certified to the European Standard EN 1143-1 Secure storage units - Requirements, classification and methods of test for resistance to burglary - …
Removed p. 37
• Good sheets
• Rejected sheets
• Set-up sheets
• Quality control sheets
• Unused core sheets
Modified p. 37 → 39
Q 48 September 2016 - Accountability forms must be used to account for information regarding core sheets used for each order. Specifically:
Q 48 September 2016 - Accountability forms must be used to account for information regarding core sheets used for each order. Specifically:
• Quality control sheets
Modified p. 37 → 39
• Good sheets
• Rejected sheets
• Set-up sheets
• Quality control sheets
• Unused core sheets
Does this apply to “make ready” sheets? A The audit or accountability forms only apply to make ready sheets if they are of the same quality as production sheets. Make ready sheets are normally lower quality sheets not suitable for production, e.g., make ready sheets are typically uniquely colored and are made from a sub-grade material and are used to get the press running …
• Unused core sheets
Does this apply to “make ready” sheets? A The audit or accountability forms only apply to make ready sheets if they are of the same quality as production sheets. Make ready sheets are normally lower quality sheets not suitable for production, e.g., make ready sheets are typically uniquely colored and are made from a sub-grade material and are used to get the press running and stabilize the flow of ink within the machine. The material cannot be …
Modified p. 38 → 40
• Description of the component or card product(s) being transferred
• Name and signature of the individual releasing the component or card product(s)
• Name and signature of the individual receiving the component or card product(s)
• Number of components or card products transferred
• Number of components used
• Number returned to vault or WIP storage
• Number rejected or damaged
• Number to be destroyed
• Date and time of transfer
• Name and signature of supervisor
• Description of the component or card product(s) being transferred
• Name and signature of the individual releasing the component or card product(s)
• Name and signature of the individual receiving the component or card product(s)
• Number of components or card products transferred
• Number of components used
• Number returned to vault or WIP storage
• Number rejected or damaged
• Number to be destroyed
• Date and time of transfer
• Name and signature of supervisor
Modified p. 39 → 41
• Number of mailers to be printed
• Number of mailers actually printed
• Wasted mailers that have been printed
• Number of mailers transferred to the mailing area/room
• Operator name and signature
• Name and signature of an individual other than the operator who is responsible for verifying the count.
• Number of mailers to be printed
• Number of mailers actually printed
• Wasted mailers that have been printed
• Number of mailers transferred to the mailing area/room
• Operator name and signature
• Name and signature of an individual other than the operator who is responsible for verifying the count.
Modified p. 39 → 41
• In-house,
• Under dual control, and
• The destruction can occur as frequently as the vendor deems necessary but, in all cases, weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA
• The destruction can occur as frequently as the vendor deems necessary but, in all cases, weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA
Modified p. 40 → 42
• Spoiled or waste card products
• Holographic materials
• Signature panels
• Sample and test cards
• Any other sensitive card component material or courier material related to any phase of the card production and personalization process.
Any other sensitive card component material or courier material related to any phase of the card production and personalization process.
Modified p. 41 → 43
The shredder or granulator meets the DIN66399-P5 standard for shredded material.
The shredder or granulator meets the DIN66399-P5 standard for shredded material.
Modified p. 41 → 43
The evacuation system tubing is permanently fixed to the HSA wall.
The evacuation system tubing is permanently fixed to the HSA wall.
Modified p. 41 → 43
The aperture of the security mesh protecting the opening through the HSA wall must prevent the pass-through of material larger than material shredded to DIN66399-P5. The mesh holes must not exceed 3cm on the square, which will not allow larger particles of cards through, but will not disrupt the flow of compliant shredded material, to prevent the blockage of the tube.
The aperture of the security mesh protecting the opening through the HSA wall must prevent the pass-through of material larger than material shredded to DIN66399-P5. The mesh holes must not exceed 3cm on the square, which will not allow larger particles of cards through, but will not disrupt the flow of compliant shredded material, to prevent the blockage of the tube.
Modified p. 41 → 43
The vendor must review the output at least weekly to verify that the output is completely shredded to at least a P5 level and document that review. This must be validated by the assessor as part of their review.
The vendor must review the output at least weekly to verify that the output is completely shredded to at least a P5 level and document that review. This must be validated by the assessor as part of their review.
Modified p. 44 → 46
Housed within a facility certified to the PCI Card Production and Provisioning Standard.
Housed within a facility certified to the PCI Card Production and Provisioning Standard.
Modified p. 44 → 46
Housed within a location that meets the requirements defined for a Security Control Room within the PCI Card Production and Provisioning Physical Security Requirements.
Housed within a location that meets the requirements defined for a Security Control Room within the PCI Card Production and Provisioning Physical Security Requirements.
Modified p. 44 → 46
Housed within the SOC.
Housed within the SOC.
Modified p. 44 → 46
Housed in a separated room under access control.
Housed in a separated room under access control.
Modified p. 44 → 46
Monitored by CCTV surveillance.
Monitored by CCTV surveillance.