Document Comparison
Card_Prod_Security_Rqrmts_FAQs_v2_Nov_2021.pdf
→
PCI_Card_Production_SR_FAQs_v3_October_2025.pdf
75% similar
Pages: 37 → 43
Words: 14568 → 16680
Content Changes: 208
208 content changes. 38 administrative changes (dates, page numbers) hidden.
Added
p. 3
PaymentProductsCertification@aexp.com Discover:
Q 4 April 2024 - Assessors may find requirements that cannot be met due to the requirement conflicting with country, state, or local laws or regulations. In that situation, the country, state, or local law or regulation will supersede any conflicting requirement. Is anything else required in the ROCs? A Yes. Where the assessor finds a requirement that cannot be met due to a legal exception, the assessor must cite in the ROC the relevant conflicting law or regulation, including stating why it is applicable to the specific situation. The requirement must be marked as non-compliant, either as new or open.
Q 5 July 2025 - What are common examples of a claim for legal exception? A Where compliance with a Card production requirement results in a conflict with local or national laws, regulations or statutory requirements, a claim for legal exception requires the assessor to validate the …
Added
p. 13
- Injection flaws, e.g., SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws, as well as other injection flaws.
- Insecure cryptographic storage
- Improper error handling
- Insecure communications
- All other discovered “high-risk” network vulnerabilities with criteria for ranking vulnerabilities, including:
• Consideration of the Common Vulnerability Scoring System (CVSS) base score, and/or
• The classification by the vendor, and/or
• Type of systems affected.
Added
p. 14
Q 14 July 2015
• The vendor must define procedures for the transfer of key-management roles between individuals. Does "roles" mean a custodian A holder versus a custodian B holder? A No. This is not intended for transfer of roles between existing custodians if it results in a custodian collectively having access to sufficient key components or shares of a secret or private key to reconstruct a cryptographic key.
Q 15 December 2013
• Are there any alternatives to meet this requirement if the authorized custodian is unavailable? A Yes. If the primary custodian is unavailable, a pre-designated and authorized backup custodian can receive the package. Alternatively, drop boxes can be used for the courier to leave the package in a locked container that is only accessible by the primary and backup custodians.
Added
p. 15
Q 16 October 2014
• What specifically is the requirement regarding the signature of a custodian being placed on the access logs? Does it require the full name (first and last), or can the signature be the first initial and last name or just the initials of the custodians? A Signatures must be sufficient to identify each custodian. Full names or initials or any combination are acceptable as long as it can be positively affirmed who provided the signature.
However, copies of the HSM’s master file key cannot exist off site in any scenario. Storage of keys is a personalization activity so it must take place in the HSA, i.e., at the approved site. Custodians must be employees of the company, not employees of another vendor.
7.9.d All secret and private keys must have a predefined expiry date by which they must be retired from use. No key must be used for a period …
Added
p. 17
Section 8
• Key Management: Confidential Data 8.1 General Principles 8.1.g The vendor must generate keys and key components using a random or pseudo-random process using one of the following:
• An approved key-generation function of a PCI-approved HSM
• An approved key-generation function of a FIPS 140-2 or 140-3 Level 3 (or higher) for physical security HSM
• An approved random number generator that has been certified by an independent qualified laboratory according to NIST SP 800-22.
Q 22 October 2025 - In light of NIST clarifying that the purpose and use of the statistical test suite in NIST SP 800-22 (A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic) is not suitable for use in assessing cryptographic random number generators, what is the impact for protection of confidential data? A The vendor …
Added
p. 19
Section 1.1
• Card Production Staff 1.1.4.1 Employment Application Forms 1.1.4.1.b The vendor must maintain a personnel file for each individual listed in Section 1.1.2 that includes but is not limited to the following information:
The visitor must be instructed on its proper use.
The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
Visitors must use their access card in the card readers to the room into which they enter.
Badging to track access must be used.
Q 8 October 2014
• If a facility has a fence around the whole property, is a separate fence still required around the technical machinery? A Yes. Separate access controls are still required. There will be many people who will have access beyond the fence (everyone entering the facility) but are not …
Added
p. 24
2.3.2.2.q The vendor must have mechanisms in place to prevent observation of security equipment
2.3.3.1.d With the exception of mobile provisioning, if multiple HSAs are within the same building, they must be contiguous.
Added
p. 26
g) All doors and gates to these areas must be contact monitored and fitted with automatic closing or locking devices and audible alarms that sound if the door or gate remains open for more than 30 seconds.
Q 18 December 2022 - Does this requirement allow for the vendor to use either automatic closing devices or automatic locking devices? A This requirement is under revision. The intent of the requirement is to automatically secure the door in a closed position, which requires the use of both an automatic closing device and an automatic locking device. The doors must automatically close and automatically lock in order to support the enforcement of anti-pass-back and person-by-person access control.
Added
p. 27
• For purposes of 2.3.5, do elevators, stairwells, closets, and glass-enclosed rooms (e.g., conference rooms or other room types) constitute a room? A If an elevator has a door, access to it must be controlled. Stairwells are not a room if they do not have doors. Closets would not be considered a room if a person could not physically enter. However, a storage room with a door is considered a room. Glass-enclosed rooms are also considered rooms for purposes of this requirement.
Added
p. 29
A separate rack in a server room, or In a provisioning-only entity, housed in a separate room or cage in a data center.
2.3.5.6.b The following must be stored in the vault:
• Cards awaiting personalization
• Security components
• Materials awaiting destruction
• Samples and test cards prior to distribution and after return
• Any card that is personalized with production data
• If the facility is closed, personalized cards that will not be shipped within the same working day
• Products awaiting return to the supplier
Note: EN 1143-1 Secure storage units - Requirements, classification, and methods of test for resistance to burglary - Part 1: Safes, ATM safes, strongroom doors and strongrooms: Grade 6 or higher may be used as equivalent to UL 608 Class 1 Burglary Certification.
… on attempts to enter and also provide full coverage of the walls, ceiling, and floor.
The vault must be fitted with …
Added
p. 34
a) The vendor must document, follow, and maintain procedures for access-control system administration.
b) Access-control systems that allow entry into restricted areas must have a backup electrical power source capable of maintaining the system for 48 hours.
c) Contingency plans must exist for securing card components in the event of an outage greater than 48 hours.
d) For multiple buildings within the same facility, a single central location for an access-control system can administer all buildings. Either a private or public network may be used. If a public network is used, a VPN as defined in the PCI Card Production and Provisioning - Logical Security Requirements and Test Procedures in conformance with the requirements stipulated therein must be used.
a) Each access-control system administrator uses his or her own user ID and password.
b) Passwords are changed at least every 90 days.
c) User IDs and passwords are assigned to the physical security manager and authorized personnel, …
Added
p. 40
g) Proper destruction requires the following:
• Individuals destroying the materials must ensure that they are rendered unusable and unreadable.
• Two card production staff must simultaneously count and shred the material.
• Before leaving the room, both card production staff must ensure that all material has been destroyed and not displaced in the machinery or equipment.
• Card production staff must prepare, sign, and maintain a destruction document.
• Once the destruction process is initiated, the process must not be interrupted.
Q 57 April 2024 - If the destruction of materials requires the use of a vacuum extraction system, are there any associated requirements for use of the system? A If removal of waste material is performed using a vacuum extraction system, the destroyed material may be discharged externally out of the HSA using the following criteria:
The shredder or granulator meets the DIN66399-P5 standard for shredded material.
The evacuation system tubing is permanently fixed …
Added
p. 42
a) Have access to the names and signatures of individuals who are authorized to collect and deliver shipments.
b) Verify the identity of personnel arriving to collect or deliver shipments.
c) Confirm the identity with the signature list.
d) Place the cartons on a pallet in such a manner that the sides of the carton showing the batch code are visible.
Q 63 October 2023 - Vendors must not release card products or components unless the vendor has access to the names and signatures of the individuals who are authorized to collect and deliver the shipments, the vendor can identify the personnel who arrive to collect or deliver the shipments and can confirm the identity with the signature list. Does this apply to all shipments? A This requirement is under revision. Verification of the identity of personnel arriving to collect or deliver shipments and confirmation of identity with the signature list is required for …
Modified
p. 1
Payment Card Industry (PCI) Card Production and Provisioning Security Requirements Technical FAQs for use with Version 2.0
Payment Card Industry (PCI) Card Production and Provisioning Security Requirements Technical FAQs for use with Version 3
Removed
p. 3
• American Express: o Miguel.BesoMontaner1@aexp.com
Modified
p. 3
Updates: New or questions modified for clarity are in red.
Updates: New questions or those modified for clarity are in red.
Modified
p. 3
Q 1 February 2020 - How do I contact the Payment Brands with questions regarding the Card Production and Provisioning Security Requirements? A For information regarding the Security Requirements and any related payment brand program compliance information, contact the payment brand(s) of interest at:
Q 1 October (update) 2024 - How do I contact the Payment Brands with questions regarding the Card Production and Provisioning Security Requirements? A For information regarding the Security Requirements and any related payment brand program compliance information, contact the payment brand(s) of interest at:
Modified
p. 3
DN_CARD_REQUEST@discover.com riskmanagement@info.jcb.co.jp Mastercard:
Modified
p. 3
GVCP-Helpdesk@mastercard.com Canada/LAC/US: AVPAmericas@visa.com AP: vendorcompliance@visa.com CEMEA: pcicemea@visa.com VE: VisaEuropeCardVendor@visa.com
Modified
p. 3
Q 2 November 2021 - Individual payment brands may choose to issue waivers in regard to specific requirements. Should those waivers be taken into consideration for purposes of AOC and ROC reporting? A No. All non-compliance found during an assessment must be reflected in connection with AOC and ROC report findings on a card vendor. Waivers are part of individual payment brands compliance management programs and do not impact non-compliance reporting.
Q 2 November 2021 - Individual payment brands may choose to issue waivers in regard to specific requirements. Should those waivers be taken into consideration for purposes of AOC and ROC reporting? A No. All non-compliance found during an assessment must be reflected in connection with AOC and ROC report findings on a card vendor. Waivers are part of individual payment brands compliance management programs and do not impact non-compliance reporting.
Modified
p. 4
Q 3 November 2021 - Are remote assessments permitted for Card Production and Provisioning assessments? A While onsite assessments continue to be the preferred method for PCI SSC assessments, the use of remote assessment methods may provide a suitable alternative in legitimate scenarios where an onsite assessment is not feasible. Prior to the engagement of the CPSA, entities must consult with the applicable payment brands’ VPA to confirm whether remote assessments are allowed and any requirements they may have around …
Q 3 November 2021 - Are remote assessments permitted for Card Production and Provisioning assessments? A While onsite assessments continue to be the preferred method for PCI SSC assessments, the use of remote assessment methods may provide a suitable alternative in legitimate scenarios where an onsite assessment is not feasible. Prior to the engagement of the CPSA, entities must consult with the applicable payment brands’ VPA to confirm whether remote assessments are allowed and any requirements they may have around …
Removed
p. 5
Q 5 October 2018 - Can a logbook be either manual or electronic? A As long as the required details, including capture of signatures are met, the logs may be either electronic or manual. Electronic logbooks require additional integrity controls such as digital signatures using hashes of the data that are signed.
Modified
p. 5
Q 4 October 2014 - If a Chip Card manufacturer sets up a remote personalization service within an Issuer, is the Issuer facility required to be PCI Card Production compliant? A If a third party (vendor) sets up and operates a personalization service inside an issuer's premises, then the issuer facility is required to be approved. If the service is operated by the issuer so that only the issuer has access to card stocks, cardholder data and keys then it …
Q 6 October 2014 - If a Chip Card manufacturer sets up a remote personalization service within an Issuer, is the Issuer facility required to be PCI Card Production compliant? A If a third party (vendor) sets up and operates a personalization service inside an issuer's premises, then the issuer facility is required to be approved. If the service is operated by the issuer so that only the issuer has access to card stocks, cardholder data, and keys then it …
Modified
p. 5
Section 1 - Scope: No FAQ in this section - Reserved for future use.
Section 1 - Roles and Responsibilities: No FAQ in this section - Reserved for future use.
Removed
p. 6
Section 2 - Roles and Responsibilities: This section defines requirements that apply for the various roles and responsibilities relating to the management of the vendor’s security policies and procedures. These requirements relate to:
• Information security personnel
• Assignment of security duties 2.1 Information Security Personnel
a) The vendor must designate, in writing, a senior manager with adequate security knowledge to be responsible for the vendor’s Information Security Management and security of the cloud-based provisioning platform. These requirements refer to this person as the “Chief Information Security Officer” (“CISO”).
b) The CISO must be an employee of the vendor.
c) The CISO must, on a monthly basis, report to executive management the current status of security compliance and issues that pose potential risks to the organization.
Removed
p. 6
i. Be responsible for compliance to these requirements.
ii. Have sufficient authority to enforce the requirements of this document.
iii. Not perform activities that they have the responsibility for approving.
iv. Designate a back-up person who is qualified and empowered to act upon critical security events in the event the CISO is not available.
v. Identify an IT security manager (if not themselves) responsible for overseeing the vendor’s security environment.
b) When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed.
c) Where managers have security compliance responsibilities, the activities for which the manager has responsibility must be clearly defined.
d) Staff responsible for day-to-day production activities must not be assigned security compliance assessment responsibility for the production activities that they perform.
Q 6 November 2015 - The CISO must be an employee of the company. …
Modified
p. 7 → 6
Section 4 - Data Security, 4.1.2 Confidential Data: Confidential data is considered as any information that might provide the vendor with a competitive advantage or could cause business harm or legal exposure if the information is used or disclosed without restriction. Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data. These are confidential data and must be managed in accordance with Section 9 of this document, “Key Management: Confidential Data.”
Section 3 - Data Security, 3.1 Classifications, Confidential Data: Confidential data is considered any information that might provide the vendor with a competitive advantage or could cause business harm or legal exposure if the information is used or disclosed without restriction. Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data.
Modified
p. 7 → 6
Q 7 December 2013 - Confidential data is defined to include PAN, expiry date, service code, and cardholder name. Does this apply to all these data elements individually or in any combination? A The PAN must always be considered confidential, and the other three data elements are considered confidential if stored or otherwise available in conjunction with the PAN.
Q 10 December 2013 - Confidential data is defined to include PAN, expiry date, service code, and cardholder name. Does this apply to all these data elements individually or in any combination? A The PAN must always be considered confidential, and the other three data elements are considered confidential if stored or otherwise available in conjunction with the PAN.
Modified
p. 7 → 6
The vendor must only decrypt or translate cardholder data on the data-preparation or personalization or cloud-based provisioning network and not while it is on an Internet or public facing network.
Modified
p. 7 → 6
Q 8 October 2014 - Does transmission include the file movement between the systems on the data-preparation or personalization or does it apply only to data that is transmitted between organizational entities over a public network? A If the data is going from one system or server to another then it is being transmitted and must be encrypted. It does not matter if the networks are not internet or public facing. The intention is that data is in clear only …
Q 11 October 2014 – Does transmission include the file movement between the systems on the data-preparation or personalization or does it apply only to data that is transmitted between organizational entities over a public network? A If the data is going from one system or server to another, it is being transmitted and must be encrypted. It does not matter whether or not the networks are Internet- or public-facing. The intention is that data is in the clear only in …
Modified
p. 8 → 7
a) The vendor must have a documented removable-media policy that includes laptops, mobile devices, and removable storage devices – e.g., USB devices, tapes and disks.
a) The vendor must have a documented removable-media policy that includes laptops, mobile devices, and removable storage devices – e.g., USB devices, tapes, and disks.
Modified
p. 8 → 7
b) All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification.
b) All removable media – e.g., USB devices, tapes, disks – within the HSA must be clearly labeled with a unique identifier and the data classification.
Modified
p. 8 → 7
e) A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain:
e) A log must be maintained when media is removed from or returned to its storage location or transferred to the custody of another individual. The log must contain:
Modified
p. 8 → 7
Q 9 November 2015 - Removable media is subject to a number of restrictions as defined in requirement 4.6. Are hard drives in desktops, servers and storage area networks (SANs) considered removable media? A No, internal hard drives are not considered removable media. Removable electronic media is media that stores digitized data, and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives and external/portable hard …
Q 12 November 2015 – Removable media is subject to a number of restrictions as defined in Requirement 3.6. Are hard drives in desktops, servers, and storage area networks (SANs) considered removable media? A No. Internal hard drives are not considered removable media. Removable electronic media is media that stores digitized data, and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives, and external/portable hard …
Removed
p. 9
Section 5 – Network Security 5.2 General Requirements The vendor must:
Modified
p. 9
a) Maintain a current network topology diagram that includes all system components on the network.
a) Maintain a current network topology diagram that includes all system components on the network. The diagram must clearly define the boundaries of all networks.
Modified
p. 9
d) Document the flow of cardholder and cloud-based provisioning data within the environment from the receipt/generation to end of its lifecycle.
d) Document the flow of cardholder and cloud-based provisioning data within the environment from the receipt/generation to end of its lifecycle. The diagram(s) are kept current and updated as needed upon changes to the environment and must undergo an overall review for accuracy at least every 12 months.
Modified
p. 9
e) Ensure that the personalization and data-preparation systems are on dedicated network(s) independent of the back office (e.g., accounting, human resources, etc.) and Internet-connected networks. A virtual LAN (VLAN) is not considered a separate network.
e) Ensure that the personalization and data-preparation systems are on dedicated network(s) independent of the back office – e.g., accounting, human resources, etc.
Modified
p. 9
f) Systems and applications that make up the cloud-based provisioning network must be physically and logically segregated from other vendor networks and internet-connected networks. For example, in a traditional card vendor environment this could be a separate rack in a server room, or in a provisioning-only entity, housed in a separate room or cage in a data center. It cannot be in the same rack as other servers used for different purposes.
f) Physically and logically segment systems and applications that make up the cloud-based provisioning network from other vendor networks and Internet-connected networks. For example, in a traditional card vendor environment this could be a separate rack in a server room, or in a provisioning-only entity, housed in a separate room or cage in a data center. It cannot be in the same rack as other servers used for different purposes.
Modified
p. 9
g) Put controls in place to restrict, prevent, and detect unauthorized access to the cloud-based and personalization networks. Access from within the high security area to anything other than the personalization or cloud-based networks must be “read-only.” h) Be able to immediately assess the impact if any of their critical nodes are compromised.
g) Put controls in place to restrict, prevent, and detect unauthorized access to the cloud-based and personalization networks. Access from within the high security area to anything other than the personalization or cloud-based networks must be “read-only”.
Modified
p. 9
j) Control at all times the physical connection points leading into the personalization network and cloud- based provisioning network. k) Prevent data from being tampered with or monitored by protecting the network cabling associated with personalization-data movement.
j) Control at all times the physical connection points leading into the personalization network and cloud-based provisioning network.
Modified
p. 9
m) Ensure a process is in place for updates and patches and identification of their criticality, as detailed in Section 6.3.
m) Ensure a process is in place for updates and patches and identification of their criticality, as detailed in Section 5.3, “Configuration and Patch Management.”
Removed
p. 10
Q 10 October 2014 - Access from within the high security area to anything other than the personalization network must be read-only. If the data preparation network is also in the high security area, can the personalization network write to the data preparation network? A Yes, if they are separate networks then generally the data preparation network will deposit files for production on the personalization network or the personalization network will read them from the data preparation network. It’s not a problem as long as they are both in the same HSA. If they are in separate HSAs, the communication path must conform to the DMZ security.
Modified
p. 10
Q 11 October 2014 - Controls must be in place to restrict write permission to any system external to the personalization network to only pre-approved functions that have been authorized by the VPA and these write functions must not transmit cardholder data. If the data preparation and personalization networks are separate, can the data preparation network have write permissions to a corporate network? A No, the data preparation network must meet the same requirements as the personalization network, data preparation …
Q 3 October 2014 – Controls must be in place to restrict write permission to any system external to the personalization network to only pre-approved functions that have been authorized by the VPA, and these write functions must not transmit cardholder data. If the data preparation and personalization networks are separate, can the data preparation network have write permissions to a corporate network? A No. The data preparation network must meet the same requirements as the personalization network, data preparation …
Modified
p. 10
Q 12 October 2014 - Inventory and order systems may reside in the HSA on the data preparation and personalization networks. Corporate users may require access to the inventory and order detail updates performed on those systems. However, logical access from outside the HSA to these networks is not allowed, and access from within the HSA to anything other than the personalization network must be read-only How can the corporate users obtain access to this information? A The information needs …
Q 4 October 2014 – Inventory and order systems may reside in the HSA on the data preparation and personalization networks. Corporate users may require access to the inventory and order detail updates performed on those systems. However, logical access from outside the HSA to these networks is not allowed, and access from within the HSA to anything other than the personalization network must be read-only. How can the corporate users obtain access to this information? A The information needs …
Modified
p. 10
Q 13 June 2016 - For a card vendor that performs both manufacturing and personalization activities, there will be pre-press activities in the high security area which will contain card design files. Many card vendors will employ email communication to submit these card design files to the issuers/payment brands for approval. As pre-press activities must be within the high security area, the computer with email capability will also reside in the high security area. Can email communication be used for …
Q 5 June 2016 – For a card vendor that performs both manufacturing and personalization activities, there will be pre-press activities in the high security area which will contain card design files. Many card vendors will employ email communication to submit these card design files to the issuers/payment brands for approval. As pre-press activities must be within the high security area, the computer with e-mail capability will also reside in the high security area. Can e-mail communication be used for …
Modified
p. 10
Q 14 November 2018 - Can Voice over Internet Protocol (VoIP) be used within the HSA? A No. VoIP connections allow direct internet access which is prohibited within the HSA. HSA telephony connectivity is restricted to plain old telephone service (POTS), aka public switched telephone network (PSTN). VoIP can be used outside the HSA but must be converted to analog (POTS) via a PSTN adapter outside the HSA before connectivity within the HSA.
Q 6 November 2018 – Can Voice over Internet Protocol (VoIP) be used within the HSA? A No. VoIP connections allow direct internet access which is prohibited within the HSA. HSA telephony connectivity is restricted to plain old telephone service (POTS), aka public switched telephone network (PSTN). VoIP can be used outside the HSA but must be converted to analog (POTS) via a PSTN adapter outside the HSA before connectivity within the HSA.
Removed
p. 11
e) Utilize physically separate firewalls for the aforementioned.
Modified
p. 11
b) Deploy an external firewall outside the HSA to protect the HSA’s DMZ (see figures 2 and 3 above for acceptable configurations).
b) Deploy an external firewall outside the HSA to protect the HSA’s DMZ.
Modified
p. 11
e) Have the capability to detect, isolate, and correct abnormal operations on network systems on a real-time basis, 24/7, on the external (DMZ) facing firewall.
Modified
p. 11
f) Implement appropriate operating-system controls on firewalls.
Modified
p. 11
g) Review firewall rule sets and validate supporting business justification either:
Modified
p. 11
Monthly; or quarterly, with a review after every firewall configuration change.
Modified
p. 11
h) Restrict physical and logical access to firewalls to only those designated personnel who are authorized to perform firewall or router administration activities.
Modified
p. 11
i) Ensure the firewall rule set is such that any server only requiring inbound connections (for example, web servers) is prohibited from making outbound connections and vice versa.
Modified
p. 11
j) Ensure that only authorized individuals can perform firewall administration.
Modified
p. 11
k) Run firewalls on dedicated hardware. All non-firewall-related software such as compilers, editors, and communication software must be deleted or disabled.
Modified
p. 11
l) Implement daily, automated analysis reports to monitor firewall activity.
Modified
p. 11
m) Use unique administrator passwords for firewalls used by the personalization system as well as those passwords used for other network devices in the facility.
Modified
p. 11
n) Implement both mechanisms to protect firewall and router system logs from tampering, and procedures to check the integrity of the logs monthly.
Modified
p. 11
o) Explicitly permit inbound and outbound traffic to the cloud-based provisioning and personalization networks. A rule must be in place to deny all other traffic.
Removed
p. 12
a) Perform quarterly external network vulnerability scans using an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
Modified
p. 12
Q 15 February 2016 - Can a card personalization vendor outsource their card production firewall and router administrative support functions to a third-party company? A Yes, but the third-party administration needs to be included in the card vendor’s compliance administration. This includes not just the VPN, but how changes are requested and how the vendor validates that the correct changes, and only those changes, have been made. The remote access site is subject to the compliance validation process as designated …
Q 7 February 2016 – Can a card personalization vendor outsource their card production firewall and router administrative support functions to a third-party company? A Yes. But the third-party administration needs to be included in the card vendor’s compliance administration. This includes not just the VPN, but how changes are requested and how the vendor validates that the correct changes, and only those changes, have been made. The remote access site is subject to the compliance validation process as designated …
Modified
p. 12
Q 16 December 2013 – Section 5.6.2 stipulates criteria that VPNs must meet. Under what circumstances does this criteria apply, and is there differentiation between mobile VPNs and site-to-site VPNs? A The VPN requirements are part of the Remote Access requirements in Section 5.6. Therefore, they apply to the remote administration of networks and system components that comprise the HSA and do not apply to VPNs that are used for other purposes. For example, the VPN requirements apply to administration of …
Q 8 December 2013 – Section 4.6.2 stipulates criteria that VPNs must meet. Under what circumstances do these criteria apply, and is there differentiation between mobile VPNs and site-to-site VPNs? A The VPN requirements are part of the Remote Access requirements in Section 4.6. Therefore, they apply to the remote administration of networks and system components that comprise the HSA and do not apply to VPNs that are used for other purposes. For example, the VPN requirements apply to administration of …
Modified
p. 12
4.6.1.j.iv The vendor must ensure that all remote access locations are included in the facility’s compliance assessment and meet these requirements.
Modified
p. 12
Q 17 July 2013 – Remote access is permitted only for administration of the network or system components and is not permitted to any system where clear-text cardholder data is being processed. If system administration is handled remotely by the card vendor or outsourced to a third party, are they still subject to the criteria defined within the Remote Access Section? A Yes, administration of the network and system components is a critical activity that requires a secure environment that complies …
Q 9 July 2013 – Remote access is permitted only for administration of the network or system components and is not permitted to any system where clear-text cardholder data is being processed. If system administration is handled remotely by the card vendor or outsourced to a third party, are they still subject to the criteria defined within the Remote Access Section? A Yes. Administration of the network and system components is a critical activity that requires a secure environment that complies …
Modified
p. 12 → 13
Q 18 December 2017 - Quarterly external network vulnerability scans must be performed using a PCI SSC Approved Scanning Vendor (ASV). Can internal staff perform the analysis of the results and determine the severity of any vulnerabilities found? A No, a PCI SSC ASV has the proper background and experience to both perform the scan and the resulting analyses as specified in the ASV program guide. The remediation actions may be determined by the vendor, but the scoring and ranking, …
Q 10 December 2017 – Quarterly external network vulnerability scans must be performed using a PCI SSC Approved Scanning Vendor (ASV). Can internal staff perform the analysis of the results and determine the severity of any vulnerabilities found? A No. A PCI SSC ASV has the proper background and experience to perform both the scan and the resulting analyses as specified in the ASV program guide. The remediation actions may be determined by the vendor, but the scoring and ranking, …
Removed
p. 13
- Injection flaws (e.g., SQL injection)
- Buffer overflow
- Insecure cryptographic storage
- Improper error handling
- All other discovered network vulnerabilities
Modified
p. 13
iii. Penetration tests must be performed on the application layer and must include:
iii. Penetration tests must be performed on the application layer and must include at least the following:
Modified
p. 13
Q 19 March 2016 - How must the internal penetration test be conducted? A The internal penetration test must be performed using the criteria defined in this requirement. Additionally, testing must occur in accordance with DSS requirement 11 with the exception that the coverage must be all HSA systems and the personalization network. The internal penetration test must not require any rule changes to conduct and must originate from systems within the HSA.
Q 11 March 2016 – How must the internal penetration test be conducted? A The internal penetration test must be performed using the criteria defined in this requirement. Additionally, testing must occur in accordance with DSS Requirement 11 with the exception that the coverage must be all HSA systems and the personalization network. The internal penetration test must not require any rule changes to conduct and must originate from systems within the HSA.
Modified
p. 13 → 14
Section 6 – System Security 6.1 General Requirements 6.1.g The vendor must ensure that virtual systems do not span different network domains.
Section 5 – System Security 5.1 General Requirements 5.1.g The vendor must ensure that virtual systems do not span different network domains.
Modified
p. 13 → 14
Q 20 December 2013 – For purposes of this requirement, how are network domains defined for what is allowed or not allowed? A In a virtualized environment, activities involving data preparation and personalization can use the same equipment. However, you cannot use the same equipment for systems in the DMZ and data-preparation or personalization area. This is because data preparation and personalization must occur within the HSA, whereas other activities must occur outside the HSA.
Q 12 December 2013 – For purposes of this requirement, how are network domains defined for what is allowed or not allowed? A In a virtualized environment, activities involving data preparation and personalization can use the same equipment. However, you cannot use the same equipment for systems in the DMZ and data-preparation or personalization area. This is because data preparation and personalization must occur within the HSA, whereas other activities must occur outside the HSA.
Modified
p. 13 → 14
Section 7 – User Management and System Access Controls 7.2.2 Password Characteristics and Usage 7.2.2.c The vendor must ensure “first use” passwords expire if not used within 24 hours of distribution.
Section 6 – User Management and System Access Controls 6.2.2 Characteristics and Usage 6.2.2.c The vendor must ensure “first use” passwords expire if not used within 24 hours of distribution.
Modified
p. 13 → 14
Q 21 December 2013 – Some systems are not capable of expiring passwords within 24 hours as required by 7.2.2.c. What alternatives are available? A If a system cannot expire initial passwords that are not used within 24 hours of distribution, then the passwords must not be issued more than 24 hours before expected use. If 24 hours elapses without use, they must be manually expired within that 24-hour period.
Q 13 December 2013 – Some systems are not capable of expiring passwords within 24 hours as required by 6.2.2.c. What alternatives are available? A If a system cannot expire initial passwords that are not used within 24 hours of distribution, then the passwords must not be issued more than 24 hours before expected use. If 24 hours elapses without use, they must be manually expired within that 24-hour period.
Removed
p. 14
Q 23 December 2013 – Are there any alternatives to meet this requirement for when the authorized custodian is unavailable? A Yes, if the primary custodian is unavailable, a pre-designated and authorized backup custodian can receive the package. Alternatively, drop boxes can be used for the courier to leave the package in a locked container that is only accessible by the primary and backup custodians.
Modified
p. 14
Section 8 – Key Management: Secret Data 8.4.1 General Requirements 8.4.1.a The vendor must define procedures for the transfer of key-management roles between individuals.
Section 7 – Key Management: Secret Data 7.4.1 General Requirements 7.4.1.a The vendor must define procedures for the transfer of key-management roles between individuals.
Modified
p. 14
For example, in an m-of-n scheme (which must use a recognized secret-sharing scheme such as Shamir), where only two of any three components are required to reconstruct the cryptographic key, a custodian must not have current or prior knowledge of more than one component. If a custodian was previously assigned component A, which was then reassigned, the custodian must not then be assigned component B or C, as this would give them knowledge of two components, which gives them ability …
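The following is an added illustration, not text or code from the PCI FAQ document or from PCI SSC, of why the paragraph above treats a custodian who has ever held two components as disqualified. It splits a constructed 128-bit sample key into three Shamir components with a threshold of two over a prime field (the prime, the sample key value and the component labels A, B, C are assumptions made for the example; real components are generated and combined inside an HSM). It shows that any two components reconstruct the key, that a custodian whose current-plus-prior history covers two labels can therefore recover it alone, and that a single component is consistent with every possible key, which is the information-theoretic reason one component on its own is safe to know.

```python
"""Toy 2-of-3 Shamir secret sharing over GF(PRIME), written to illustrate
the custodian-reassignment rule. Constructed example, not PCI SSC code;
field prime, sample key and the A/B/C labels are assumptions for the demo."""

import secrets

# Assumed parameters: a Mersenne prime comfortably above 2**128 so a
# 128-bit key fits in the field; threshold k = 2 of n = 3 components.
PRIME = (1 << 127) - 1
THRESHOLD = 2
SHARE_COUNT = 3
LABELS = {"A": 0, "B": 1, "C": 2}   # component label -> index into shares


def split_secret(secret, k=THRESHOLD, n=SHARE_COUNT):
    """Return n shares (x, y) on a random polynomial of degree k-1 whose
    constant term is `secret`; x runs from 1 to n (x = 0 is the secret)."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def reconstruct(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.
    With at least k distinct shares this returns the original secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def custodian_recovers(history, shares, k=THRESHOLD):
    """`history` is every component label a custodian has ever held
    (current or prior). Returns the key if that knowledge alone meets the
    threshold, else None. This is the check the requirement is guarding:
    A-then-B counts the same as holding A and B at once."""
    known = sorted({LABELS[label] for label in history})
    if len(known) < k:
        return None
    return reconstruct([shares[i] for i in known])


def slope_consistent_with(share, candidate_secret):
    """For k = 2 a lone share (x, y) fits *every* candidate secret s:
    there is always a slope a1 with s + a1*x == y (mod PRIME). Returning
    that a1 demonstrates that one component reveals nothing about the key."""
    x, y = share
    return ((y - candidate_secret) * pow(x, -1, PRIME)) % PRIME


if __name__ == "__main__":
    key = secrets.randbits(128)          # constructed sample key
    comps = split_secret(key)
    print("A alone recovers key:", custodian_recovers("A", comps) == key)
    print("A then B recovers key:", custodian_recovers(["A", "B"], comps) == key)
    a1 = slope_consistent_with(comps[2], 0)
    print("C fits key 0 too:", (0 + a1 * comps[2][0]) % PRIME == comps[2][1])
```

The `custodian_recovers` check models the paper rule in the paragraph: the input is the custodian's full history of labels, not only the component currently assigned, which is why reassigning A and later issuing B is rejected. The `slope_consistent_with` helper is the reason the rule stops at one: a single point on a line is compatible with every intercept, so one component carries no information about the key.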
Removed
p. 15
Q 24 October 2014 - What specifically is the requirement regarding the signature of a custodian being placed on the access logs? Does it require the full name (first and last) or can the signature be first initial and last name or only be the initials of the custodians? A Signatures must be sufficient to identify each custodian. Full names or initials or any combination are acceptable as long as it can be positively affirmed who provided the signature.
Modified
p. 15 → 16
7.9.b Key-encipherment keys used to encrypt other keys for conveyance – e.g., KEK, ZCMK – must be unique per established key zone and, optionally, unique per issuer within that zone. These keys must only be shared between the two communicating entities and must not be shared with any third organization.
Modified
p. 15 → 16
Q 25 July 2014 – Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes? A Copies of keys at another site (e.g. Issuer keys or personalization keys) may exist if there is a contract with that site e.g., if they are subcontracting the personalization activity to that site. This subcontracting needs the written permission of the issuer(s) impacted. For disaster recovery purposes, the same conditions apply. There must be …
Q 17 July 2014 – Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes? A Copies of keys at another site (e.g., issuer keys or personalization keys) may exist if there is a contract with that site – e.g., if they are subcontracting the personalization activity to that site. This subcontracting needs the written permission of the issuer(s) impacted.
Modified
p. 15 → 16
Q 26 July 2013 – Can the same transport keys be used between the card vendor and separate locations of another organization? A No, each location would constitute a separate key zone and therefore different transport keys must be used. The same is true for a card vendor with multiple locations communicating to one or more locations of another organizational entity.
Q 18 July 2013 – Can the same transport keys be used between the card vendor and separate locations of another organization? A No. Each location would constitute a separate key zone and therefore different transport keys must be used. The same is true for a card vendor with multiple locations communicating to one or more locations of another organizational entity.
Removed
p. 16
Section 10 – PIN Distribution via Electronic Methods
No FAQ in this section – Reserved for future use.
Modified
p. 16
Q 27 December 2013 – Does 8.9.g apply to all IC keys? A No, it does not apply to manufacturer or founder keys. It does apply to other keys such as those used for pre-personalization.
Q 20 December 2013 – Does 7.9.h apply to all IC keys? A No. It does not apply to manufacturer or founder keys. It does apply to other keys such as those used for pre-personalization.
Modified
p. 16 → 17
Q 28 July 2014 – Does the HSM FIPS/PCI certification include customization of native HSM firmware if the FIPS/PCI mode is not impacted? A If firmware is modified it impacts the approval. However, HSMs may allow customers or integrators to install additional applications where the vendor can show that by permitting this:
Q 21 July 2014 – Does the HSM FIPS/PCI certification include customization of native HSM firmware if the FIPS/PCI mode is not impacted? A If firmware is modified it impacts the approval. However, HSMs may allow customers or integrators to install additional applications where the vendor can show that by permitting this:
Modified
p. 16 → 17
It cannot adversely affect the security features of the product that are relevant to the PCI HSM certification.
Modified
p. 16 → 17
It cannot modify any of the cryptographic functionality of the HSM or introduce new primitive cryptographic functionality.
Modified
p. 16 → 17
The application is strongly authenticated to the HSM by digital signature.
Modified
p. 16 → 17
The application does not have access to sensitive keys.
Modified
p. 16 → 18
Section 9 – Key Management: Confidential Data
No FAQ in this section – Reserved for future use.
Section 9 – PIN Distribution via Electronic Methods
No FAQ in this section – Reserved for future use.
Removed
p. 17
Section 1
• Scope No FAQ in this section
• Reserved for future use.
Section 2
• Personnel 2.1.3.1 Employment Application Forms 2.1.3.1.b The vendor must maintain a personnel file for each employee that includes but is not limited to the following information:
• Gathered as part of the hiring process and periodically thereafter:
Modified
p. 17 → 19
Updates: New or questions modified for clarity are in red.
Updates: New questions or those modified for clarity are in red.
Modified
p. 17 → 19
Gathered as part of the hiring process:
Modified
p. 17 → 19
- Background check results
Modified
p. 17 → 19
- Verification of aliases (when applicable)
Modified
p. 17 → 19
- List of previous employers and referral follow-up results
Modified
p. 17 → 19
- Social security number or appropriate national identification number
Modified
p. 17 → 19
- Signed document confirming that the employee has read and understands the vendor’s security policies and procedures
Modified
p. 17 → 19
- Fingerprints and results of search against national and regional criminal records
Gathered as part of the hiring process and periodically thereafter:
Modified
p. 17 → 19
- Current photograph, updated at least every three years
Modified
p. 17 → 19
- Record of any arrests or convictions, updated annually
Modified
p. 17 → 19
- Annual credit checks
Modified
p. 17 → 19
Q 1 December 2013
• Drug testing is not required in the PCI Card Production Security Requirements. Is this an oversight? A No, PCI does not require drug testing due to the wide variances in country laws governing where or when drug testing is allowed. However, that does not preclude card vendors from requiring drug testing wherever and whenever they deem necessary.
Q 1 December 2013
• Drug testing is not required in the PCI Card Production Security Requirements. Is this an oversight? A No. PCI does not require drug testing due to the wide variances in country laws governing where or when drug testing is allowed. However, that does not preclude card vendors from requiring drug testing wherever and whenever they deem necessary.
Modified
p. 17 → 19
Q 2 July 2013
• Requirement 2.1.3.1 requires annual credit checks. In some countries, only a small fraction of the employees have ever had a credit transaction, so the local credit bureau does not have any record of them. What should happen in these cases? A The intent of the requirement is to determine whether the person is under any financial duress that should be considered for their employment. Even if the credit check is expected to not show anything, it …
Q 2 July 2013
• Requirement 1.1.4.1 requires annual credit checks. In some countries, only a small fraction of the employees have ever had a credit transaction, so the local credit bureau does not have any record of them. What should happen in these cases? A The intent of the requirement is to determine whether the person is under any financial duress that should be considered for their employment. Even if the credit check is expected to not show anything, it …
Removed
p. 18
a) Appropriate emergency procedures are followed, and prompt attention to reports of unauthorized access to the premises is received from law enforcement agents, and where necessary the VPA.
Q 5 May 2019 - Should guards report unauthorized access attempts to the VPA? A This requirement is under revision. A guard is expected to protect the building, company assets and staff by maintaining control of security systems, monitoring activities and responding to alarms such as unauthorized access attempts. If an unauthorized access attempt is detected internally or reported by law enforcement the guard must ensure emergency procedures are followed. The vendor must make an assessment of any unauthorized access attempt. Access attempts that are not accidental or testing must be reported to the VPA.
Modified
p. 18 → 20
Q 3 August 2015 - Does the card vendor have to use fingerprints to conduct a search against criminal records as part of the background check process? A A criminal background search must be conducted. That search may use fingerprints or any other method or means of identification. If fingerprints are not used (e.g., it is not legally permissible) for this purpose, they do not need to be collected or retained.
Q 3 August 2015 • Does the card vendor have to use fingerprints to conduct a search against criminal records as part of the background check process? A A criminal background search must be conducted. That search may use fingerprints or any other method or means of identification. If fingerprints are not used (e.g., it is not legally permissible) for this purpose, they do not need to be collected or retained.
Modified
p. 18 → 20
• Employee records
• Physical master keys that provide access to card production or provisioning areas
• Audit logs
• Any restricted areas where the vendor processes, stores, or delivers card products and card components.
Modified
p. 18 → 20
• In the event of an emergency (e.g., medical) personnel who are designated as first responders or guards may not have access to the HSA but may be required to enter the HSA to address the emergency. Can emergency use badges be used to enter the HSA if needed? A Personnel who are pre-designated by management as first responders should have their badges pre-enabled to enter the HSA, even though prohibited under these security requirements. However, any such badge usage to enter …
Modified
p. 19 → 21
c) If the security pass or ID badge is the access-control type that enables a record to be kept of the visitor’s movement throughout the facility:
o The visitor must be instructed on its proper use.
o The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
o Visitors must use their access card in the card …
c) If the security pass or ID badge is the access-control type that enables a record to be kept of the visitor’s movement throughout the facility:
Modified
p. 19 → 21
Q 6 October 2020 - Can visitor badges be pre-enabled to enter the HSA? A No. Badges can be pre-allocated for the portions of the HSA the visitor is allowed access to, but the badges cannot be activated until assigned, which is when the visitor physically arrives.
Q 5 October 2020 • Can visitor badges be pre-enabled to enter the HSA? A No. Badges can be pre-allocated for the portions of the HSA to which the visitor is allowed access, but the badges cannot be activated until assigned, which is when the visitor physically arrives.
Modified
p. 19 → 21
Q 7 December 2013
• Requirement 2.4.1 states that all third-party service providers (for example, suppliers, repair and maintenance staff, and any other external service providers) must meet the same requirements as employees of the card vendor who have access to card products, components, and the high security area (HSA). This includes pre-employment testing, screening, training, termination checks, etc. Does the card vendor have to directly conduct these reviews? A No. The intent of this objective is to ensure that service …
Q 6 December 2013
• Requirement 1.4.1 states that all third-party service providers (for example, suppliers, repair and maintenance staff, and any other external service providers) must meet the same requirements as employees of the card vendor who have access to card products, components, and the high security area (HSA). This includes pre- employment testing, screening, training, termination checks, etc. Does the card vendor have to directly conduct these reviews? A No. The intent of this objective is to ensure that …
Removed
p. 20
• Agent’s role or responsibility
Q 9 October 2014 - If a facility has a fence around the whole property, is a separate fence still required around the technical machinery? A Yes, separate access controls are still required. There will be many people who will have access beyond the fence (everyone entering the facility) but who will not be authorized to access the machinery, nor do they need to have access to the technical machinery. In general, technical machinery is not protected by a fence but by proper locked coverings or doors.
Modified
p. 20 → 22
• Agent’s name, address, and telephone numbers
• Agent’s role or responsibility
Modified
p. 20 → 22
Q 8 July 2014
• In the context of this requirement, what are card-related activities and what activities are allowed for agents or third parties? A Card related activities such as sales and marketing activities are allowed. Agents and third parties must never produce, own or handle cards.
Q 7 July 2014
• In the context of this requirement, what are card-related activities and what activities are allowed for agents or third parties? A Card related activities such as sales and marketing activities are allowed. Agents and third parties must never produce, own, or handle cards.
Modified
p. 20 → 22
Section 3
• Premises 3.1 External Structure 3.1.1 External Construction 3.1.1.b The vendor must prevent unauthorized access to buildings, building areas, or structures containing technical machinery or equipment such as the heating system generator, auxiliary power supply, and air conditioning.
Section 2
• Facilities 2.1 External Structure 2.1.1 External Construction 2.1.1.b The vendor must prevent unauthorized access to buildings, building areas, or structures containing technical machinery or equipment such as the heating system generator, auxiliary power supply, and air conditioning.
Modified
p. 20 → 23
c) Reinforced, where applicable, to resist intrusion (e.g., steel or equivalent construction that meets local fire and safety codes)
c) Reinforced, where applicable, to resist intrusion (e.g., steel or equivalent construction that meets local fire and safety codes)
Modified
p. 20 → 23
d) Fitted with an access-control device (i.e., card reader or biometric) that automatically activates the locking mechanism
d) Fitted with an access-control device (i.e., card reader or biometric) that automatically activates the locking mechanism
Modified
p. 20 → 23
Q 10 May 2017 - For a facility located in a shared building, is it accepted that the entrance to the facility be internal to the building? This means that employees will firstly enter the main building entrance used by multiple tenants and subsequently enter the facility entrance. The facility entrance has interlocked doors, card access, CCTV, etc. A Yes, the facility entrance may be internal to the building if the building is shared by multiple tenants. For security compliance, …
Q 9 May 2017 • For a facility located in a shared building, is it accepted that the entrance to the facility be internal to the building? This means that employees will first enter the main building entrance used by multiple tenants and subsequently enter the facility entrance. The facility entrance has interlocked doors, card access, CCTV, etc. A Yes. The facility entrance may be internal to the building if the building is shared by multiple tenants. For security compliance, …
Removed
p. 21
Q 11 May 2017 - For a facility located in a shared building, is it required for the main building entrance to comply with the security requirements in section 3.1.2 Exterior Entrances and Exits? A No, the main building entrance that leads to multiple tenants does not need to comply with the requirements for exterior entrances and exits. Instead, the entrance to the building segment occupied by the card production vendor is considered the building entrance and must comply with the requirements defined for exterior entrances and exits.
Removed
p. 21
• 16-gauge metal studs are used with 12inch (305mm) on center
• 0.75inch #9 steel mesh or 3/4inch #9 or 19mm #9
• Thickness 0.120 inches (3mm) 0.01-inch tolerance (0.5mm)
Modified
p. 21 → 24
a) All exterior walls must be pre-cast or masonry block or material of equivalent strength and penetration resistance.
a) All exterior walls must be pre-cast or masonry block or material of equivalent strength and penetration resistance. Any openings in the external wall that penetrate the building structure must be secured with security mesh, grating, or metal bars to prevent unauthorized access.
Modified
p. 21 → 24
b) Windows, doors, and other openings must be protected against intrusion by mechanisms such as intruder-resistant (e.g., “burglar-resistant”) glass, bars, glass-break detectors, or motion or magnetic contact detectors.
b) Windows, doors, and other openings must be protected against intrusion by mechanisms such as intruder-resistant (e.g., “burglar-resistant”) glass, bars, glass-break detectors, or motion or magnetic contact detectors.
Modified
p. 21 → 24
Q 12 December 2015 - If a card vendor is using a hosted or other type of shared facility, there may be a combination of real external concrete walls of the building and walls inside the facility that would be considered ‘external’ to the card vendor, or only interior perimeter walls. For interior walls that form the ‘exterior’ for the card vendor, it may not be feasible to use pre-cast or masonry block material for the construction due to legal, …
Q 11 December 2015 • If a card vendor is using a hosted or other type of shared facility, there may be a combination of real external concrete walls of the building and walls inside the facility that would be considered ‘external’ to the card vendor, or only interior perimeter walls. For interior walls that form the ‘exterior’ for the card vendor, it may not be feasible to use pre-cast or masonry block material for the construction due to legal, …
Modified
p. 21 → 24
• 16-gauge metal studs are used with 12inch (305mm) on center
• 0.75inch #9 steel mesh or 3/4inch #9 or 19mm #9
• Thickness 0.120 inches (3mm) 0.01-inch tolerance (0.5mm)
• Expanded metal mesh is anchored to the stud with vendor supplied mesh anchors every 12 inches (305mm) and installed per the manufacturer’s requirements.
Removed
p. 22
Q 15 January 2015 - Only card production-related activities shall take place within the HSA.
Modified
p. 22 → 24
Q 13 December 2013 - Are any methods of covering security control room windows allowed, other than those described in 3.3.2.2.q? A Yes. Other mechanisms may be used as long as they achieve the same result of preventing observation to inside the security control room to view the security equipment (e.g., CCTV images).
Q 12 December 2013 • Are any methods of covering security control room windows allowed, other than those described in 2.3.2.2.q? A Yes. Other mechanisms may be used when they achieve the same result of preventing observation to inside the security control room to view the security equipment (e.g., CCTV images).
Modified
p. 22 → 25
Q 14 May 2017 - Under what circumstances, if any, can DVRs be located in the HSA? • Be protected from access by unauthorized personnel. For example, they are installed in:
Q 13 May 2017 • Under what circumstances, if any, can DVRs be located in the HSA? Be protected from access by unauthorized personnel. For example, they are installed in:
Modified
p. 22 → 25
1. The HSA server room under normal dual access control restricted to authorized personnel, and the DVR’s are installed in lockable racks only accessible by authorized staff, or
1. The HSA server room under normal dual-access control restricted to authorized personnel, and the DVRs are installed in lockable racks only accessible by authorized staff, or
Modified
p. 22 → 25
2. A dedicated HSA Security Equipment Room under dual access control
2. A dedicated HSA Security Equipment Room under dual-access control.
Modified
p. 22 → 25
Either not have network capability or, if present, policies and procedures must exist to prevent the enablement or usage of the network capability.
Modified
p. 22 → 25
Does this preclude the existence of test and non-production servers and HSMs from existing in the HSA? A Equipment that is purely associated with test activities is not allowed in the HSA. Test (non- production) keys and test (non-production) data cannot be used with production equipment. Cards used for testing that use production keys and/or data must be produced using production equipment.
Q 14 January 2015
• Only card production related activities shall take place within the HSA. Does this preclude the existence of test and non-production servers and HSMs from existing in the HSA? A Equipment that is purely associated with test activities is not allowed in the HSA. Test (non- production) keys and test (non-production) data cannot be used with production equipment. Cards for testing that use production keys and/or data must be produced using production equipment.
Removed
p. 23
3.3.4.1.h No one is allowed to bring personal items (for example, packages, lunch containers, purses) or any electronic devices (including but not limited to mobile telephones, photo cameras, and PDAs), into the high security area. Medical items such as medications and tissues are acceptable if in clear containers that can be examined. No food or beverages are allowed.
Q 18 March 2016 - Is it OK for a company to provide water stations with disposable cups or disposable bottles inside the HSA for hydration and/or medication purposes as long as the disposable cups or disposable bottles are discarded in the trash before exiting the HSA? A Yes, if company provided. These must be brought in/out through the goods/tools trap.
3.3.4.1.i If the access-control server is not located in the security control room it must be located in a room of equivalent security. The access-control server cannot be located in the HSA
a) …
Modified
p. 23 → 25
Q 16 December 2013
• Areas in production facilities where card products, components, or data are stored or processed are called high security areas. Section 3.3.3 states that these HSAs must be contiguous if they are within the same building. In some building designs these areas are non-contiguous and retrofitting is prohibitively expensive. Are there any other options? A Yes. HSAs in the same building that are not contiguous may exist provided they are treated physically and logically as separate facilities (i.e., …
Q 15 December 2013
• Areas in production facilities where card products, components, or data are stored or processed are called high security areas. Section 2.3.3 states that these HSAs must be contiguous if they are within the same building. In some building designs these areas are non-contiguous and retrofitting is prohibitively expensive. Are there any other options? A Yes. HSAs in the same building that are not contiguous may exist provided they are treated physically and logically as separate facilities (i.e., …
Modified
p. 23 → 25
Q 17 December 2013
• Does this requirement apply to chemical storage areas, cleaner cupboards, and other maintenance/supplies storage? A A space within the HSA may be defined as a cupboard or similar which does not require motion detection if it is not possible for an individual to walk into the space and no longer be visible.
Q 16 December 2013
• Does this requirement apply to chemical storage areas, cleaner cupboards, and other maintenance/supplies storage? A A space within the HSA may be defined as a cupboard or similar area which does not require motion detection if it is not possible for an individual to walk into the space and no longer be visible.
Modified
p. 23 → 26
Q 19 January (update) 2015 - Is the Access Control Server located in the Security Control Room or in the Server Room? A The activities in the HSA are restricted to card production activities and therefore the access control server cannot be located in the HSA where the Server Room is required to be because for networked systems, only servers directly related to data preparation and personalization are allowed within the HSA.
Q 17 January (update) 2015 • Is the Access-Control Server located in the Security Control Room or in the Server Room? A The activities in the HSA are restricted to card production activities. Therefore, the access-control server cannot be located in the HSA where the Server Room is required to be because, for networked systems, only servers directly related to data preparation and personalization are allowed within the HSA.
Removed
p. 24
• Card Product and Component Destruction Room(s)
• PIN Mailer Production Room
Q 24 December 2013
• For purposes of 3.3.5, do elevators, stairwells, closets and glass- enclosed rooms (e.g., conference rooms or other room types) constitute a room? A If an elevator has a door, access to it must be controlled. Stairwells are not a room if they do not have doors. Closets would not be considered a room if a person could not physically enter. However, a storage room with a door is considered a room. Glass-enclosed rooms are also considered rooms for purposes of this requirement.
Modified
p. 24 → 26
Q 21 July 2013
• Requirement 3.3.4 specifies controls that must be applied to all rooms within the High Security Area (HSA), and Requirement 3.3.5 specifies the following as rooms that may exist within the HSA as:
• Work in Progress (WIP) Storage Room
Q 19 July 2013
• Requirement 2.3.4 specifies controls that must be applied to all rooms within the High Security Area (HSA) and Requirement 2.3.5 specifies the following as rooms that may exist within the HSA:
Modified
p. 24 → 26
• Pre-Press Room
• Work in Progress (WIP) Storage Room
• Card Product and Component Destruction Room(s)
• PIN Mailer Production Room
• Server Room & Key Management Room
Do the controls specified apply to other rooms within the HSA? A Yes. They apply to all rooms in the HSA. Non-compliant rooms must be either closed off or reconfigured to no longer be separate rooms.
Modified
p. 24 → 27
Q 22 December 2013 - Local regulations or other safety considerations may require the presence of fire doors in the HSA. Are there any special considerations? A Yes. If the HSA contains fire doors and these doors are normally closed or can be manually closed, these doors are subject to the same access controls as any other door that provides access to a room.
Q 20 December 2013 • Local regulations or other safety considerations may require the presence of fire doors in the HSA. Are there any special considerations? A Yes. If the HSA contains fire doors and these doors are normally closed or can be manually closed, these doors are subject to the same access controls as any other door that provides access to a room. If the HSA contains fire doors and these doors are locked open and only closed automatically …
Modified
p. 24 → 27
Section 3.3.4, with the exception of person-by-person access. If a room cannot or will not be made to meet these requirements, what options exist? A The card vendor has three options:
Q 21 December 2013
• Separate rooms within the HSA must meet all the requirements in Section 2.3.4, with the exception of person-by-person access. If a room cannot or will not be made to meet these requirements, what options exist? A The card vendor has three options:
Modified
p. 24 → 27
Close off the room from accessibility to anyone with HSA access.
Modified
p. 24 → 27
Reconfigure smaller rooms into a larger room meeting the requirements.
Modified
p. 24 → 27
Convert non-compliant rooms into spaces within an HSA that are no longer fully enclosed (e.g., by removing doors).
Modified
p. 24 → 27
Q 25 October 2014 - If curtains or similar are used to segment the HSA in subareas, do those subareas constitute rooms for purposes of these requirements? A If visibility into the segmented area is not impaired from the general HSA area (for example: use of clear curtains), then the sub area does not constitute a room and therefore, any requirements pertaining to rooms do not apply for these subareas. When visibility is obstructed (for example: use of opaque curtains) …
Q 23 October 2014 − If curtains or something similar are used to segment the HSA into subareas, do those subareas constitute rooms for purposes of these requirements? A If visibility into the segmented area is not impaired from the general HSA area (for example, use of clear curtains), then the sub area does not constitute a room and therefore any requirements pertaining to rooms do not apply for these subareas. When visibility is obstructed (for example, use of opaque …
Removed
p. 25
• Clear plastic flaps hanging from the door
• Printing the plastic cards designs/rough copies with your company logo on a printer;
Modified
p. 25 → 27
Q 26 October 2014 - If the walls and/or door (s) of the room are glass such that the view is not restricted, does that constitute a room? A Yes, it is a room. While glass allows visibility it still restricts access.
Q 24 October 2014 − If the walls and/or door(s) of the room are glass such that the view is not restricted, does that constitute a room? A Yes. It is a room. While glass allows visibility it still restricts access.
Modified
p. 25 → 28
Q 27 October 2014 - Are any of these options acceptable to implement in lieu of implementing the controls for separate rooms under this section such as:
• Glass doors without locks and a fully lit room
Q 25 October 2014 − Are any of these options acceptable to implement in lieu of implementing the controls for separate rooms under this section:
Modified
p. 25 → 28
• Glass doors without locks and a fully lit room
• Clear plastic flaps hanging from the door
• Swinging or sliding glass doors that do not have any type of closure mechanism?
A Glass doors without locks and swinging or sliding doors are not acceptable. Clear plastic flaps hanging from the door or no door at all are the only viable options.
Modified
p. 25 → 28
2.3.5.b Toilet rooms are prohibited except where required by local law. Where used, the entry/exit way must be camera-monitored.
Modified
p. 25 → 28
Q 28 October (update) 2016 - What is the rationale for Requirement 3.3.5.b? A The intent is to prevent any single individual being unobserved or restrict access while within any room within the HSA. This is not a new requirement and was in place under the prior individual payment brand requirements so there should be limited impact on card vendors previously held to payment brand criteria. Toilet rooms that are not fully enclosed and are accessible without opening the door (i.e., …
Q 26 October (update) 2016 - What is the rationale for Requirement 2.3.5.b? A The intent is to prevent an individual from being unobserved, and to restrict access while in any room within the HSA. This is not a new requirement and was in place under the prior individual payment brand requirements so there should be limited impact on card vendors previously held to payment brand criteria. Toilet rooms that are not fully enclosed and are accessible without opening the …
Modified
p. 25 → 28
Q 29 March 2015 - Can the following processes be performed in the rooms outside the high security areas: • Design development (external graphical view) of a plastic card;
Q 27 March 2015 - Can the following processes be performed in the rooms outside the high security areas:
Modified
p. 25 → 28
• Design development (external graphical view) of a plastic card
• Printing the plastic cards designs/rough copies with your company logo on a printer
• Preparation of a file containing the plastic card design for output to CTP devices (not an output itself, but only the preparation)?
A Work that is purely design work does not need to occur in the HSA. But where the machinery is present that enables the production of the design, e.g., the plates or the printing …
Modified
p. 25 → 28
Q 30 October 2014 - In the Card Production Physical Security Requirements it states that card destruction must occur in a separate room within the HSA. Would the Vault be considered a separate room or does in need to be in a secured room within the Vault? A A dedicated room must be used for destruction. This room must be in the HSA and may optionally be a secured room within the vault. This room must meet all room requirements. …
Q 28 October 2014 - In the Card Production Physical Security Requirements it states that card destruction must occur in a separate room within the HSA. Would the Vault be considered a separate room or does it need to be in a secured room within the Vault? A A dedicated room must be used for destruction. This room must be in the HSA and may optionally be a secured room within the vault. This room must meet all room requirements. …
Modified
p. 26 → 29
Q 31 October 2014 - Sheet and card destruction must take place in a separate room within the HSA that is dedicated for destruction. Does this apply to other materials such as used tipping foil, holographic materials and signature panels? A Yes.
3.3.5.4 PIN Mailer Production Room
3.3.5.4.b Employees involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards. Individuals may perform other …
Q 29 October 2014 - Sheet and card destruction must take place in a separate room within the HSA that is dedicated for destruction. Does this apply to other materials such as used tipping foil, holographic materials, and signature panels? A Yes.
2.3.5.4 PIN Mailer Production Room
2.3.5.4.b Card production staff involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards. Individuals may perform …
Modified
p. 26 → 29
Q 32 July 2014 - If PIN printing and mailing, and personalization, encoding and embossing take place in an open area, how can this requirement be met? A PIN printing must occur in a separate room except as delineated in PIN Printing and Packaging of Non-personalized Prepaid Cards. Documented procedures must exist that restrict personnel involved in PIN printing and mailing from being involved in the personalization, encoding and embossing of the related cards.
Q 30 July 2014 - If PIN printing and mailing, and personalization, encoding, and embossing take place in an open area, how can this requirement be met? A PIN printing must occur in a separate room except as delineated in PIN Printing and Packaging of Non-personalized Prepaid Cards. Documented procedures must exist that restrict personnel involved in PIN printing and mailing from being involved in the personalization, encoding, and embossing of the related cards.
Modified
p. 26 → 29
Q 33 March (update) 2017 - Employees involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards. Does this mean that operators who only work in the Vault, Warehouse, Dispatch, or any other role located outside the HSA, can perform PIN printing / mailing services? A The intent is to prevent staff that personalize those specific cards from also having access to the PINs …
Q 31 March (update) 2017 - Employees involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards. Does this mean that operators who only work in the vault, warehouse, dispatch, or any other role located outside the HSA, can perform PIN printing/mailing services? A The intent is to prevent staff that personalize those specific cards from also having access to the PINs during generation …
Removed
p. 27
3.3.5.6.b The following must be stored in the vault:
• Cards awaiting personalization
• Security components
• Materials awaiting destruction
• Samples and test cards prior to distribution and after return
• Any card that is personalized with production data
• If the facility is closed, personalized cards that will not be shipped within the same working day
• Products awaiting return to the supplier
Modified
p. 27 → 29
2.3.5.5.b Systems and applications that make up the cloud-based provisioning network must be physically segregated from other vendor networks and internet-connected networks. This includes separation of servers, firewall, and HSM. For example, in a traditional card vendor environment this could be:
Modified
p. 27 → 29
2.3.5.5.c An internal CCTV camera must be installed to cover the access to this room and provide an overview of the room whenever there is activity within it.
Modified
p. 27 → 30
Q 34 October 2014 - Server processing and key management must be performed in a separate room within the personalization HSA. What is considered 'server processing'? A This applies to servers used for data preparation and personalization. It does not apply to DMZ based components.
Q 32 October 2014 - Server processing and key management must be performed in a separate room within the personalization HSA. What is considered “server processing”? A This applies to servers used for data preparation and personalization. It does not apply to DMZ based components.
Modified
p. 27 → 30
Q 35 February 2020 - How must test cards be protected? A There are generally two types of test cards and how they need to be protected depends on the type. The first type is a plain card (e.g., white plastic) or otherwise clearly identified as usable only for testing. These cards do not need to be protected. The other type closely resembles a card to be issued and may have a card design, brand marks, personalization data or security …
Q 33 February 2020 - How must test cards be protected? A There are generally two types of test cards and how they need to be protected depends on the type. The first type is a plain card (e.g., white plastic) or otherwise clearly identified as usable only for testing. These cards do not need to be protected. The other type closely resembles a card to be issued and may have a card design, brand marks, personalization data, or security features. …
Removed
p. 28
• The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical, e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access. The access mechanism requires that access occurs under dual control and does not allow entry by a single individual, i.e., it is not feasible for a single individual to use credentials belonging to someone else to simulate dual access.
Modified
p. 28 → 31
An outside wall of the building must not be used as a wall of the vault.
Modified
p. 28 → 31
If the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., via motion sensors.
Modified
p. 28 → 31
No windows are permitted.
Modified
p. 28 → 31
There must be no access to the vault except through the vault doors and gate configurations meeting these requirements. The vault must be protected with a sufficient number of intruder-detection devices that provide an early attack indication (e.g., seismic, vibration/shock, microphonic wire, microphone, etc.).
Modified
p. 28 → 31
Q 36 January 2015 - Is it permissible to have more than one entry/exit to the vault from the HSA if each door meets the strength requirement for a vault door and is alarmed and meets all other required controls for a vault door, including anti-passback, etc. A Yes.
Q 34 January 2015 - Is it permissible to have more than one entry/exit to the vault from the HSA if each door meets the strength requirement for a vault door and is alarmed and meets all other required controls for a vault door, including anti-passback, etc.? A Yes.
Modified
p. 28 → 31
Q 37 January 2015 - Is it permissible to have an emergency exit from the vault to the HSA if the emergency door meets the strength requirement for a vault door, is alarmed and was not openable from outside? A Yes.
Q 35 January 2015 - Is it permissible to have an emergency exit from the vault to the HSA if the emergency door meets the strength requirement for a vault door, is alarmed, and was not openable from outside? A Yes.
Modified
p. 28 → 31
Q 38 July 2015 - Can security mesh be used for vault construction in lieu of reinforced concrete as equivalent to the Underwriters Laboratories (UL) Class 1 Burglary Certification Standard, which provides for at least 30 minutes of penetration resistance? A A) Security mesh is unacceptable unless direct evidence can be provided that it meets the UL 608 Standard for Burglary Resistant Vault Doors and Modular Panels Class 1 criteria. Other UL certifications, such as for fire resistance, are not …
Q 36 July 2015 - Can security mesh be used for vault construction in lieu of reinforced concrete as equivalent to the Underwriters Laboratories (UL) Class 1 Burglary Certification Standard, which provides for at least 30 minutes of penetration resistance? A Security mesh is unacceptable unless direct evidence can be provided that it meets the UL 608 Standard for Burglary Resistant Vault Doors and Modular Panels Class 1 criteria. Other UL certifications, such as for fire resistance, are not acceptable …
Modified
p. 28 → 32
Q 39 February 2017 - Does the use of alternate materials in lieu of reinforced concrete comply with the vault construction requirement? A Alternate materials other than reinforced concrete can be used if they meet the Underwriters Laboratories Class I Burglary Certification Standard for 30 minutes of penetration resistance. For example, expanded metal mesh may meet the criteria. In general, materials such as steel mesh are unlikely to meet this requirement. The vendor must provide evidence that the material has …
Q 37 February 2017 - Does the use of alternate materials in lieu of reinforced concrete comply with the vault construction requirement? A Alternate materials other than reinforced concrete can be used if they meet the Underwriters Laboratories Class I Burglary Certification Standard for 30 minutes of penetration resistance. For example, expanded metal mesh may meet the criteria. In general, materials such as steel mesh are unlikely to meet this requirement.
Removed
p. 29
e) The inner shipping/delivery area door must have access control installed to restrict access to authorized users and to record usage. The logging at a minimum must include each opening and closing of the door.
Modified
p. 29 → 32
Q 40 February 2017 - Can new technology such as advanced intrusion detection systems that provide early warnings of potential intrusion satisfy the 30-minute penetration resistance defined in the vault construction requirement? For example, systems that combine laser scan technology and enhanced CCTV? A Active monitoring systems provide notification that an intrusion may be in progress but do not restrict or delay access. The penetration resistance provided by concrete or other compliant construction materials provides a physical barrier that delays …
Q 38 February 2017 - Can new technology such as advanced intrusion detection systems that provide early warnings of potential intrusion satisfy the 30-minute penetration resistance defined in the vault construction requirement? For example, systems that combine laser scan technology and enhanced CCTV? A Active monitoring systems provide notification that an intrusion may be in progress but do not restrict or delay access. The penetration resistance provided by concrete or other compliant construction materials provides a physical barrier that delays …
Modified
p. 29 → 32
Vaults existing prior to the March 2015 publication date that do not meet the requirement must comply with the following:
Modified
p. 29 → 32
3. Have and actively maintain a management action plan that demonstrates the intent to adhere with the latest version of the PCI Card Production and Provisioning Physical Security Requirements. This plan must be reassessed at least annually.
Modified
p. 29 → 32
• Vaults must be constructed of reinforced concrete (minimum 15 centimeters or 6 inches) or at least meet the Underwriters Laboratories Class 1 Burglary Certification Standard (e.g., UL 608), which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces, i.e., vault doors, walls, floors and ceilings. Can materials certified to the European Standard EN 1143-1 Secure storage units - Requirements, classification and methods of test for resistance to burglary - Part 1: Safes, …
Modified
p. 29 → 33
Q 43 December 2017 - Does this require the presence of a reader for “in” access and a reader for “out” access i.e., either side of the door? A No, this is not intended as an access control mechanism. The requirement is intended to track each opening and closing of the door so that there is full control and traceability of the process.
Q 41 December 2017 - Does this require the presence of a reader for “in” access and a reader for “out” access, i.e., either side of the door? A No. This is not intended as an access control mechanism. The requirement is intended to track each opening and closing of the door so that there is full control and traceability of the process.
Removed
p. 30
Q 42 May 2017 - ID badges cannot be imprinted with a company name or logo. Can badges be imprinted with other information, such as the vendor’s street or mailing address? A This requirement is under revision. Badges are not allowed to be imprinted with any information that may identify the vendor name or location.
3.4.3.2. System Administration
Modified
p. 30 → 33
b) The vendor must issue a photo identification (ID) badge to each employee.
b) The vendor must issue a photo identification (ID) badge to each card production staff member and consultant. A temporary badge valid ONLY for the work shift does not need to contain a picture.
Modified
p. 30 → 33
c) The ID badge must not be imprinted with the company name or logo.
c) ID badges and lanyards must not be imprinted with the company name or logo and are not allowed to be imprinted with any information that may identify the vendor’s name or location.
Modified
p. 30 → 33
Q 41 March (update) 2017 - If an employee does not have their photo identification (ID) badge with them upon arrival, what are the consequences? A A defined process must exist that requires the employee to provide alternate identification equivalent to what a visitor would need to provide to gain access. The identity and employment status of the employee must be verified. Their access must be explicitly authorized by someone who has ability to validate employment status and access qualifications. …
Q 41 March (update) 2017 − If an employee does not have their photo identification (ID) badge with them upon arrival, what are the consequences? A A defined process must exist that requires the employee to provide alternate identification equivalent to what a visitor would need to gain access. The identity and employment status of the employee must be verified. Their access must be explicitly authorized by someone who has ability to validate employment status and access qualifications. If access …
Modified
p. 30 → 34
Q 43 July 2014 - Can a company have a badge access system that services multiple buildings on a single premises and/or multiple buildings throughout the world as long as the system is on its own segregated/dedicated network and all system changes are made on-site within a PCI compliant/secure room? A For multiple buildings within the same facility, a single central location can administer all buildings. However, a central facility cannot administer multiple separate facilities. The badge access system must …
Q 42 July 2014 - Can a company have a badge access system that services multiple buildings on a single premises and/or multiple buildings throughout the world as long as the system is on its own segregated/dedicated network and all system changes are made on-site within a PCI compliant/secure room? A For multiple buildings within the same facility, a single central location can administer all buildings. However, a central facility cannot administer multiple separate facilities. The badge access system must …
Modified
p. 30 → 34
Q 44 May 2017 - Is it permissible to use a central site for remote monitoring of CCTV and access control system logging of multiple facilities? A No. Centralized Administration, including monitoring is inappropriate because physical systems require more onsite presence to take timely corrective actions and for the validation of appropriateness of implementations. E.g., the ability to validate during onsite inspections, the correcting of camera dead spots and local facility knowledge.
Q 43 May 2017 - Is it permissible to use a central site for remote monitoring of CCTV and access control system logging of multiple facilities? A No. Centralized Administration, including monitoring is inappropriate because physical systems require more onsite presence to take timely corrective actions and for the validation of appropriateness of implementations, e.g., the ability to validate during onsite inspections, the correcting of camera dead spots, and local facility knowledge.
Removed
p. 31
Q 45 May 2018 - For multiple buildings within the same facility, a single central location for a badge access system can administer all buildings. What other conditions exist? A This requirement is under revision. Either a private or public network may be used. If a public network is used, a VPN as defined in the PCI Card Production and Provisioning - Logical Security Requirements in conformance with the requirements stipulated in the Logical Security Requirements must be used. A private network is defined as a network established by an organization that uses a private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers. A public network is defined as a network established and operated by a third-party telecommunications provider for specific purpose of providing data transmission services for the public. …
Modified
p. 31 → 35
Q 46 July 2014 - Backups must be kept for at least 90 days and must occur daily. Does each daily back up need to occur for at least 90 days and does the 90 days only pertain to backups? A Standard back-up policies (full/incremental, daily/weekly/monthly) can be used. Both primary and back-up copies must be kept for a minimum of the most recent 90 days.
Q 45 July 2014 - Backups must be kept for at least 90 days and must occur daily. Does each daily back up need to occur for at least 90 days and does the 90 days only pertain to backups? A Standard back-up policies (full/incremental, daily/weekly/monthly) can be used. Both primary and back-up copies must be kept for a minimum of the most recent 90 days.
Modified
p. 31 → 35
2.4.6.4.b The backup recording or mirror image must be stored in a separate, secure location within the facility and must ensure segregation of duties between the users and administrators of the system. Backups may also be stored in other approved facilities of the card vendor via techniques such as disk mirroring, provided the storage is secure in accordance with these requirements. An approved facility is one evaluated as compliant to these requirements and is participating in the applicable card brand …
Modified
p. 31 → 35
Q 47 December 2013 - Does the use of RAID technology meet the criteria for separate backup recordings? A No. RAID technology is a storage technique that divides and replicates data among multiple physicaldrive in order to provide reliability, availability, performance and capacity. It is not a mechanism for backing up data.
Q 46 December 2013 - Does the use of RAID technology meet the criteria for separate backup recordings? A No. RAID technology is a storage technique that divides and replicates data among multiple physical drives in order to provide reliability, availability, performance, and capacity. It is not a mechanism for backing up data.
Removed
p. 32
• Quality control sheets
Modified
p. 32 → 36
Section 4 - Production Procedures and Audit Trails
4.5.1.2 Core Sheets / Partially or Fully Printed Sheets
4.5.1.2.b Audit or accountability forms for core sheets must provide the following information for every order processed:
Section 3 - Production Procedures and Audit Trails
3.5.1.2 Core Sheets / Partially or Fully Printed Sheets
3.5.1.2.b Audit or accountability forms for core sheets must provide the following information for every order processed:
Modified
p. 32 → 36
Q 48 December 2013 - Does this requirement apply to core sheets used at the facility? A It applies only to production quality core sheets printed with the payment system brand or issuer design and not to blank sheets.
Q 47 December 2013 - Does this requirement apply to core sheets used at the facility? A It applies only to production quality core sheets printed with the payment system brand or issuer design and not to blank sheets.
Modified
p. 32 → 36
Q 49 September 2016 - Accountability forms must be used to account for information regarding core sheets used for each order. Specifically: • Quality control sheets
Q 48 September 2016 - Accountability forms must be used to account for information regarding core sheets used for each order. Specifically:
Modified
p. 32 → 36
• Good sheets
• Rejected sheets
• Set-up sheets
• Quality control sheets
• Unused core sheets
Does this apply to “make ready” sheets? A The audit or accountability forms only apply to make ready sheets if they are of the same quality as production sheets. Make ready sheets are normally lower quality sheets not suitable for production, e.g., make ready sheets are typically uniquely colored and are made from a sub-grade material and are used to get the press running …
Removed
p. 33
• Description of the component or card product(s) being transferred
• Name and signature of the individual receiving the component or card product(s)
• Number of components or card products transferred
• Number of components used
• Number returned to vault or WIP storage
• Number rejected or damaged
• Number to be destroyed
• Date and time of transfer
• Name and signature of supervisor
• Signatures of persons inventorying components
Modified
p. 33 → 37
Q 50 December 2013 - Audit controls for manufacturing include tracking the number returned to the vault or WIP storage. Does this require that finished products that are already packed in containers or cartons prior to shipment be recounted before storage in the vault or WIP storage? A Finished products that have been previously counted in a controlled manner and sealed in tamper-evident packaging do not require recounting; however, they must still be part of the audit trail log.
Q 49 December 2013 - Audit controls for manufacturing include tracking the number returned to the vault or WIP storage. Does this require that finished products that are already packed in containers or cartons prior to shipment be recounted before storage in the vault or WIP storage? A Finished products that have been previously counted in a controlled manner and sealed in tamper-evident packaging do not require recounting; however, they must still be part of the audit trail log.
Modified
p. 33 → 37
3.7.1.i During the processing of card products (encoding, embossing, and personalizing), only the minimum number of boxes or sleeves required may be opened at one time. The contents of partially used boxes or sleeves must be verified against the inventory control documents. Before additional boxes or sleeves are opened, any partially used boxes or sleeves must be fully used. The number of cards in partially used boxes and sleeves must be verified, and each box or sleeve must be rewrapped …
Modified
p. 33 → 37
Q 51 February 2016 - Must all partially used boxes be sealed? A Unsealed boxes are only permitted for stock that requires multiple pulls per day. Unsealed boxes must be in a centralized area within the vault. The counting process must be applied during the pull process and an inventory count under dual control must be performed for each unsealed box at the end of each shift.
Q 50 February 2016 - Must all partially used boxes be sealed? A Unsealed boxes are only permitted for stock that requires multiple pulls per day. Unsealed boxes must be in a centralized area within the vault. The counting process must be applied during the pull process and an inventory count under dual control must be performed for each unsealed box at the end of each shift.
Modified
p. 33 → 42
e) Record the name and signature of individual collecting or delivering the shipment.
Removed
p. 34
• Number of mailers to be printed
• Number of mailers actually printed
• Wasted mailers that have been printed
• Number of mailers transferred to the mailing area/room
• Operator name and signature
• Name and signature of an individual other than the operator, who is responsible for verifying the count.
• Under dual control, and
Modified
p. 34 → 38
Q 52 December 2013
• What happens if a supervisor or auditor is not available to sign off on the various required counts? A For purposes of this requirement, the terms “operator,” “supervisor,” and “auditor” do not mean a formal job title, but rather define a function. Specifically, supervisor/auditor refers to the function of the individual who verifies the count, while operator refers to the individual who conducts the count.
Q 51 December 2013
• What happens if a supervisor or auditor is not available to sign off on the various required counts? A For purposes of this requirement, the terms “operator,” “supervisor,” and “auditor” do not mean a formal job title, but rather define a function. Specifically, supervisor/auditor refers to the function of the individual who verifies the count, while operator refers to the individual who conducts the count.
Modified
p. 34 → 38
In-house, Under dual control, and
The destruction can occur as frequently as the vendor deems necessary but in all cases weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA
Modified
p. 34 → 38
Q 53 October (update) 2014
• Many facilities use portable/mobile shredding equipment managed by third-party service providers. How is this accommodated to meet 4.8.2.a? A The HSA includes the loading bay. The used foil can be destroyed there using portable/mobile equipment provided any access points (e.g., doors) from outside the HSA are closed and properly secured. This can also be applied to other secure materials that require destruction, such as scrap cards, return mail cards, and vault destroy requests.
Q 53 October (update) 2014
• Many facilities use portable/mobile shredding equipment managed by third-party service providers. How is this accommodated to meet 3.8.3.a? A The HSA includes the loading bay. The used foil can be destroyed there using portable/mobile equipment provided any access points (e.g., doors) from outside the HSA are closed and properly secured. This can also be applied to other secure materials that require destruction, such as scrap cards, return mail cards, and vault destroy requests.
Modified
p. 34 → 38
Q 55 July (update) 2014
• How is this requirement applied? A Payment system proprietary typefaces within indent-printing modules cannot be used for other purposes than payment cards. Proprietary indent printing characters are destroyed at the end of usage.
Q 52 July (update) 2014
• How is this requirement applied? A Payment system proprietary typefaces within indent-printing modules cannot be used for purposes other than payment cards. Proprietary indent-printing characters are destroyed at the end of usage.
Modified
p. 34 → 39
Q 54 January 2015 - What materials are required to be destroyed in the destruction room? A Remnants/residues of holograms from a post splitting process, signature panels and any materials required to be stored in the vault.
Q 54 January 2015 - What materials are required to be destroyed in the destruction room? A Remnants/residues of holograms from a post splitting process, signature panels, and any materials required to be stored in the vault.
Removed
p. 35
• Spoiled or waste card products
• Holographic materials
• Sample and test cards
• Destruction of chips, modules, or chip cards must ensure that the chip itself is destroyed.
Modified
p. 35 → 39
• Spoiled or waste card products
• Holographic materials
• Signature panels
• Sample and test cards
• Any other sensitive card component material or courier material related to any phase of the card production and personalization process.
Modified
p. 35 → 39
Q 56 July 2014 - 4.10 requires that materials must be destroyed on a batch basis. Does this mean materials must be destroyed at the conclusion of each job? A No, multiple jobs can be grouped together to form a batch.
Q 56 July 2014 - 3.10 requires that materials must be destroyed on a batch basis. Does this mean materials must be destroyed at the conclusion of each job? A No. Multiple jobs can be grouped together to form a batch.
Removed
p. 36
Q 57 October 2014 - The acceptable methods of shipping personalized cards are:
(1) Secure shipment in unlimited quantities
(2) Courier Shipment in unlimited quantities
For shipping personalized cards to a pre-sort facility prior to mailing, are there any other acceptable options? A Yes. For transfer to the mail facility, personalized cards may be transported using a company vehicle with the following security controls:
• A GPS tracking device is used and monitored during transport from within the security control room.
• The contents are secured with tamper evident straps and checked upon delivery.
• The vehicle is loaded using dual control and locked during transport
• Vehicle drivers do not have a key or access to contents
• Two persons are in the vehicle equipped with a device to communicate with the security control room.
Q 58 October (update) 2018 - Under what conditions is card delivery by courier service acceptable? A This requirement is under …
Modified
p. 36 → 40
Section 5 - Packaging and Delivery Requirements
Section 4 - Packaging and Delivery Requirements 4.5.1 Card Mailing
Removed
p. 37
Q 59 February (update) 2020 - Issuer approval is required any time payment cards not mailed to the applicable cardholder are shipped to a destination other than the issuer or an approved vendor. Prior to version 2, specific criteria were stated for the issuer approval. Do these criteria still apply? A This requirement is under revision. Sending payment cards to a destination other than the cardholder, issuer or an approved vendor requires issuer authorization and VPA approval. A copy of the issuer’s authorization letter (i.e., release of liability signed by an issuer corporate officer) must be provided to the VPA when requesting shipping approval from the VPA. The issuer authorization letter must be signed by a corporate officer indicating the destination of the card shipment and acceptance of liability for any loss, theft or misplacement of cards during transport.
Removed
p. 37
a) Personalized cards must be placed in envelopes that are nondescript (e.g., envelopes must not contain any brand marks) and the same size and color as other envelopes with which they may be presorted or delivered to the postal service.
b) After applying postage and sealing, the envelopes must be counted under dual control and placed in locked or sealed containers or bags.
c) A receipt of delivery must be signed by a representative of the receiving organization, and a signed copy of the receipt must be retained by the vendor.
Q 60 February (update) 2020 - Does the statement “(…envelopes must not contain any brand marks)…” refer to Bank Logos or Payment Brand Logos? A This requirement is under revision. There must be no visual or implied indication there is a card inside. The envelopes may utilize similar marking as all other issuer and/or co-brand communications. Envelopes, whether conveyed by courier or …