Document Comparison

PCI_Card_Production_Physical_Security_Requirements_v2.pdf PCI%20CP_Physical_SR_TPs%20v3.pdf
38% similar
63 → 190 Pages
21110 → 73731 Words
502 Content Changes

From Revision History

  • December 2012 1.x RFC version

Content Changes

502 content changes. 189 administrative changes (dates, page numbers) hidden.

Added p. 7
• Perform cloud-based or secure element (SE) provisioning services;

• Manage associated cryptographic keys.

Requirements for logical security for personalization are not included in this manual, but can be found in a separate document, Payment Card Industry (PCI) Card Production and Provisioning: Logical Security Requirements and Test Procedures.
Added p. 8
Loss Prevention

Vendors are responsible for preventing any unexplained product losses. Vendors are liable for any unexplained loss, theft, deterioration, or destruction of card products or components that may occur while such products are in the vendor’s facility. Vendors are required to carry liability insurance covering all the risks stated above, taking into consideration the plant location, physical conditions and security of the plant, the number and duties of the card production staff, and the nature and volume of the contracted work.

Section 1: Roles and Responsibilities

1.1 Card Production Staff

The following set of requirements applies to all individuals that have access to card products, components, and the high security area (HSA).
Added p. 9
a) Senior management and corporate officers

Added p. 9
c) Acting physical security manager is any qualified individual acting as the physical security manager during any operational period of a facility, i.e., there must be such a designated individual accessible on-site during any operational period of the facility.

d) Card production supervisor is any card production staff that fulfills a supervisory role of other staff.

Interview personnel to verify that the following roles are filled by vendor employees:

c) Any qualified individual accessible on-site acting as the physical security manager during any operational period of a facility

d) Card production staff that fulfills a supervisory role of other staff.

Examine the relevant appointment information for these positions.

d) Guards (internal or external)

Examine the pre-employment documentation for a sample of each category to verify it includes application documentation and a background check.
Added p. 10
b) This information must be available for the inspector during site security reviews.

Examine policies and procedures to verify that all applicant and personnel background information is retained for at least 18 months after termination of the contract of employment.

Examine a sample of documentation from personnel whose contract of employment has been terminated within the last 18 months.

• Details of any “alias” or any other names

• List of their previous addresses or residences for the last seven years

• Previous employers for the last seven years

• Applicants must satisfactorily explain gaps in employment.

Examine a sample of employment applications to verify that they have the minimum information required.

i. Gathered as part of the hiring process:

− Background check results
− Verification of aliases (when applicable)
− List of previous employers and referral follow-up results
− Education history
− Social security number or appropriate national identification number
− Signed document confirming that the individual has …
Added p. 11
Interview appropriate management personnel to verify the process of assigning job responsibility levels to temporary or interim staff (including consultants and contractors), except where the job function is restricted to employees.

Examine policies and procedures to verify that the physical security manager is notified in writing of any personnel’s expected job change prior to taking effect.

Examine a sample of documentation to verify that the security manager is notified in writing prior to an employee’s job change taking effect.

Interview the physical security manager to verify that the access control to restricted areas of any personnel making a job change is modified within one business day after the job change takes effect.

Examine documentation or logs of a sample of such access-control changes to verify they were appropriately made.

Interview the physical security manager to verify that all necessary combinations and other applicable access codes previously used by the individual making a job change are modified.
Added p. 12
Examine policies and procedures to verify that the physical security manager is notified in writing of any expected termination of personnel prior to it taking effect.

Examine a sample of written notifications to the physical security manager of any termination of personnel to verify that such notifications were made prior to the termination’s taking effect.

Examine policies and procedures to verify that the physical security manager is notified in writing for unscheduled terminations as soon as the decision is made.

c) Upon termination effective date of any personnel the physical security manager or designated representative must:

• Deactivate all access rights.

• Recover the photo ID badge.

• Recover all company property used in association with card production or provisioning.

• Verify completion of the individual’s termination checklist activities in Section 1.1.5.3, below.
Added p. 14
Examine a sample of documentation indicating positive affirmation by card production staff and security personnel of receipt and understanding of responsibilities and obligations under the security policy.

Examine the training materials for card production staff and security personnel to verify that they contain the obligation for card production staff to report any observed breaches of established security procedure.

Examine a sample of documentation to verify the training occurred as stipulated.

Observe key locations within the vendor facility to verify that information concerning security is displayed.

Examine documentation evidencing that the individual with overall security responsibility reports any security issues, and the actions taken as a result, to the board / Senior Executive Committee on a regular basis. The frequency must be documented in the report.

c) Card production staff authorized to receive or sign for any card components

Examine a sample of notifications to the VPA of any personnel changes that directly affect the security of …
Added p. 16
d) Personnel who are pre-designated by management as first responders should have their badges pre-enabled to enter the HSA, even though prohibited under these security requirements. However, any such badge usage to enter the HSA constitutes a high-security event requiring mandatory incident reporting that must be escalated. To be allowed, the access must be automatically flagged by the access control system.

Examine policies and procedures to verify that management has pre-defined first responders to the HSA and that the use of such badge triggers a high-security event and is automatically flagged by the access-control system.

Examine access-control system setting to verify that use of these first-responder access credentials is automatically flagged as a high-security event requiring mandatory incident reporting that must be escalated.
Added p. 16
a) If an unauthorized access attempt is detected internally or reported by law enforcement agents, the guard must ensure emergency procedures are followed. The vendor must make an assessment of any unauthorized access attempt. Access attempts that are not accidental or testing must be reported to the VPA.

Interview guards and production staff to confirm that they have a clear segregation of duties and independence from the production staff.

Interview guards to confirm that at least one guard occupies the security control room any time activities are performed in the HSA.

Examine a sample of access-control system activity logs, CCTV logs, or other mechanisms to verify that at least one guard is present in the security control room when the HSA is occupied.
Added p. 16
Examine the internal security procedures manual to verify that they contain the following minimum information:

• Vendor’s security policies

• Interaction between production process management, contracted guard or monitoring services, the police, and other emergency services

• Access control at all entry and exit points of the facility, by date and time of activation

• Access-control system and computer monitoring (such as the logging in and out of staff entering or leaving the facility and internal movement at area access points)

• Company policy concerning card production staff, consultant, and visitor access to the facility (both exterior and interior)

• Property removal

• Response to alarms, including notification to law enforcement in cases of unauthorized access to the facility

• Potential threats, such as burglary or theft, to the facility’s external or internal security

• Direct assault by armed felons

• Building evacuation

• Handling of emergencies including but not limited to:

Examine documentation that evidences signed acknowledgement by …
Added p. 18
Interview guards to confirm that they have been trained and are aware of all of their assigned tasks as defined within the internal security procedures manual, and that their training occurs at least every 12 months and prior to the assignment of any new responsibilities.

Examine records evidencing the guards received the training at least annually.

Examine a sample of reports of any exceptional situations not specified within the security procedures manual to verify that they were reported to the physical security manager for appropriate action and possible inclusion into the security procedures manual.

Examine the security procedures manual to verify it contains procedures for how visitors are managed at the vendor facility.

Observe live visitor handling processes to confirm that the procedures are followed.

Examine a sample of documentation evidencing approval by both the physical security manager and the production manager for visitors that required access to the HSA or cloud-based provisioning environment.

Interview …
Added p. 20
Examine a sample of visitor logs to verify that they are maintained and that if the logs are maintained in a manual logbook, they contain consecutive, pre-numbered, bound pages.

• Name of the visitor, printed and signed

• Number of the official ID document(s) presented and the date and place of issue

• Company the visitor represents (if any)

• Name of the person being visited or in charge of the visitor

• Purpose of the visit

• Visitor badge number

• Date and time of arrival and departure

• Signature of the card production staff member initially assigned to escort the visitor

Examine the visitor logs to verify that the entries contain the minimum required information.

e) The vendor must retain visitors’ registration records for at least 90 days.

Examine the visitor logs to verify entries go back at least 90 days.

a) At a minimum, the vendor must make visitors aware of vendor security and confidentiality requirements, and …
Added p. 21
Observe live visitor processes to verify that visitors entering the facility are issued and wear visibly on their person a security pass or ID badge that identifies them as a non-employee.

Examine the visitor process and the disposable visitor security passes or ID badges handed out to the auditor to verify that the visitor's name, date of entry to the facility, and (if multi-day) the validity period are clearly indicated on the front of the badge.

• The visitor must be instructed on its proper use.

• The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.

• Visitors must use their access card in the card readers to the room into which they enter.

• Badging to track access must be used wherever feasible.

Examine documentation to verify that if the security …
Added p. 22
Examine the security manual to verify that procedures are documented for how third parties are managed at the vendor facility.

Interview personnel to verify that the procedures are followed.

b) The requirements of Section 1.1.2, “Card Production Staff,” of this document have been met by the employer of all suppliers, repair and maintenance staff, and any other external service provider.

Examine documentation to verify that the employers of all suppliers, repair and maintenance staff, and any other external service providers comply with the requirements of Section 1.1.2.

Interview the receptionist and the guard to confirm that one of them receives a pre-approved list of third parties with permitted access to the facility for the preparation of ID badges on a daily or weekly basis.

Examine a sample of such lists against the visitor logs to verify that only those persons with pre-approved ID badges were granted facility access.

Interview the physical security manager or senior management …
Added p. 25
a) Contact-alarm monitored

Observe the exterior entrances and exits to verify they are contact-alarm monitored.

Observe external entrances and exits to determine whether they are reinforced, where applicable, to resist intrusion, e.g., steel or equivalent construction that meets local fire and safety codes.

e) Fitted with a mantrap or interlocking configuration to prevent staff “piggybacking” or tailgating (excluding emergency exits)

Observe entrances and exits to determine whether they are fitted with a mantrap or interlocking configuration to prevent staff “piggybacking” or tailgating (excluding emergency exits).
Added p. 25
a) All exterior walls must be pre-cast or masonry block or material of equivalent strength and penetration resistance. Any openings in the external wall that penetrate the building structure must be secured with security mesh, grating, or metal bars to prevent unauthorized access.

Observe to determine external windows, doors, and other openings are protected against intrusion by mechanisms such as intruder-resistant (e.g., “burglar-resistant”) glass, bars, glass-break detectors, or motion or magnetic contact detectors.

c) HSA windows must be non-openable.

Observe to determine that all external HSA windows are non-openable.
Added p. 25
a) The vendor must not place any device (e.g., carriers, waste containers, and tools) against the external wall protecting the outer perimeter of the vendor’s facility.

Observe vendor facility to verify any devices (e.g., carriers, waste containers, and tools) are not against the facility’s external wall.

Interview personnel to determine the vendor facility is located in an area that is serviced on a timely basis by public law enforcement and fire protection services.

Examine the policy and procedures (or appropriate documentation) to determine the facility is secured with an intrusion alarm system as defined in Section 2.4.1, “Alarm Systems.”

Examine documentation to verify alarm system is equipped with an auxiliary power or battery backup system with capabilities for ensuring operation for a minimum of 48 hours in the event of a power failure.

Observe that the alarm system is equipped with an auxiliary power or battery backup system with capabilities for ensuring operation.

Examine documentation to …
Added p. 27
Examine documents to verify emergency doors are used only in the event of an emergency.

Interview personnel to verify that emergency doors are used only in the event of an emergency and not used for any other purpose.

Examine logs to verify security controls are in place for monitoring emergency exits based upon the aforementioned tests.

Examine procedures to verify the central monitoring service responds to alarms during non-business hours when the emergency exit is open and that it summons the local police or onsite guard.

Examine sample documents to verify the central monitoring service responds to emergency-exit alarms and summons the local police or on-site guard to respond to the alert.

Observe to verify that emergency exit door hinges have devices installed to prevent their being cut off from the outside and the door opened from the hinge side (hinge-protection bolts, hinge covers, hinged on the inside, etc.).

Observe CCTV footage to verify …
Added p. 28
Observe to verify all access points into the building from the roof are locked or otherwise controlled from the inside.

Observe to verify all access points into the building from the roof have magnetic contacts or contact sensors, both of which have monitored access.

Observe all skylights, ventilation, and cooling system ducts that penetrate the building structure are secured with security mesh, grating, or metal bars to prevent unauthorized access.

Observe exterior CCTV cameras to verify they are focused on all entrances and exits to the building and capture legible images of all persons entering or leaving the facility.

Interview personnel to verify that cameras are monitored in the security control room during operational hours.

Observe to verify that cameras are monitored in the security control room during operational hours.

Observe that signage on the exterior of the building neither indicates nor implies that the vendor processes card products.
Added p. 29
Observe to verify that the main entrance to the building leads visitors into a reception area that restricts any physical contact between visitor(s) and the receptionist/guard.

Observe that the reception area for visitors is contained within a mantrap.

Observe the receptionist(s) or guard(s) responsible for the entrance and departure of visitors to verify their view of the reception area is unobstructed at all times.

Examine documents to verify visitors are visually inspected in this area to confirm their identity and are issued an identification badge before being admitted into the facility.

Interview personnel to validate visitors are visually inspected in the reception area and:

• Their identity is confirmed.

• They are issued identification badges before being admitted into the facility.

Examine documents to verify procedures are in place describing the process by which visitors are granted access to the facility and they stipulate that:

• Only authorized staff can bring visitors into the facility

• The list is …
Added p. 30
h) If the control points for operating the external doors are located at the receptionist’s desk, the wall(s) separating the receptionist area from the reception room must be reinforced and fitted with a security window, i.e., a window of bullet-resistant transparent material containing a slot or device that allows the transfer of small packages and documents from the reception area to the receptionist or security guard.

Observe whether the control points for operating the external doors are located at the receptionist’s desk, then verify that the wall(s) separating the receptionist area from the reception room are:

i) The vendor must provide card production staff working in these areas with a telephone and a duress button that activates a silent alarm at a remote, central monitoring service or police station or another vendor facility.

Examine evidence that personnel working in these areas have at a minimum:

Observe that if the receptionist area houses or acts as …
Added p. 31
a) Staff the room at all times while activity occurs in the HSA.

Examine policy and procedures to verify that the room is staffed at all times while activity occurs in the HSA.

Observe random CCTV recordings of the security control room when activity occurs in the HSA.

Examine access-control logs to verify the SCR was not left unoccupied.

Observe the location of the security control room to verify that it is located outside of the HSA and cloud-based provisioning environment.

Observe the build of the security control room to verify it is of concrete block or other material offering similar resistance, if not part of the facility.

Observe the access-control devices to verify the door providing access to the security control room has an in and out card reader access system plus an anti-pass-back software function connected to a computer that records all accesses and exits.

Examine a sample of logs to verify all accesses …
Added p. 35
a) At a minimum, the following activities must take place only in an HSA:

• HCE and SE mobile provisioning

Examine documentation to verify that the activities listed below only occur within the HSA.

Observe to verify that the activities listed below, at a minimum, take place within the HSA and only within the HSA.

Interview personnel to verify the activities listed below only occur within the HSA.

• HCE and SE mobile provisioning

Examine documentation to verify that card production staff are only allowed to bring in items related to card production and provisioning activity into the HSA.

Observe that card production staff are only allowed to bring items related to card production and provisioning activity into the HSA.

Interview personnel to verify that card production staff are only allowed to bring items related to card production and provisioning activity into the HSA.

Examine documentation of HSA design to verify that if the facility performs multiple production …
Added p. 37
Examine policy and procedures to verify that access controls to the HSA are in place.

Examine a sample of logs and access-control settings to verify access to the HSA is restricted to authorized persons through an access-control system, working on a strict person-by-person basis.

Observe that access to the HSA is restricted to authorized persons through an access-control system, working on a strict person-by-person basis.

• Always be connected to the computer that monitors and logs all staff and visitor movements.
Added p. 37
Examine access-control systems documentation to verify that they:

• Are always connected to the computer that monitors and logs all staff and visitor movements.

Observe access-control systems to verify that they:

• Are always connected to the computer that monitors and logs all staff and visitor movements.

Examine access settings to verify that the vendor has programmed the software access-control system on a person-by-person basis and that access is restricted to authorized personnel.

Examine access-control system settings to verify the access-control system will activate an alarm system each time the last person leaves the HSA.

Examine a sample of logs to verify that the access-control system activated the alarm system each time the last person left the HSA.

Observe the HSA and all separate rooms within the HSA to verify they are protected by internal motion detectors, even when no production occurs in the room.

Observe via inspection that every enclosed room has motion detectors installed, and open- …
Added p. 39
Observe to verify that access is enforced by the use of an air lock, single sluice, or security turnstile.

Examine security settings to verify that access controls are activated by logical means, ensuring strict compliance with the person-by-person mandate.

Observe via demonstration the person-by-person access control, by having two personnel attempt to cross the control point together.

Examine settings to verify activation of the access device is controlled by a card reader that enforces an anti-pass-back function.

Observe via demonstration that activation of the access device is controlled by a card reader that enforces an anti-pass-back function.

Observe to verify the card readers are permanently connected to a computer that centralizes the logging of any card reader activation.

Examine a sample of logs to verify the computer is the centralized mechanism that is logging all card reader activations.

Examine access-control settings to verify that the status of access changes only when the person has successfully completed the …
Added p. 42
Observe via demonstration the access-control system by requesting that one authorized person authenticates to the access reader:

• If the door opens, does a “single occupancy” alarm sound within a 60-second period?

• If the door does not open, verify that it opens after two authorized authentications have been presented.

Examine HSA documentation to verify separate rooms within the HSA meet all of the HSA requirements with the exception of person-by-person access.

Observe that separate rooms within the HSA meet the HSA requirements with the exception of person-by-person access.

Examine documentation to verify that toilets, if present, are required by local law.

Observe to determine that, if present, the toilet room’s entry/exit ways are camera-monitored.

Observe to verify that any fire doors present in the HSA are normally closed or can be manually closed, and these doors are subject to the same access controls as any other door that provides access to a room.

Observe to verify that …
Added p. 43
Observe the WIP storage room to verify it is segregated from production and is protected, at a minimum, by wire mesh.

Observe to verify that if wire mesh was used in the construction of such areas, it extends from the floor to enclose the entire room on all surfaces, including a top (if below the ceiling).

Observe to verify that the doors to these areas are contact monitored and fitted with an audible alarm that sounds when the door remains open for more than 60 seconds.

Examine construction documentation where reinforced exterior walls are used as part of the perimeter to verify that the walls do not contain any door(s) or window(s).

Observe where reinforced exterior walls are used as part of the perimeter to verify that the walls do not contain any door(s) or window(s).

Observe CCTV surveillance camera video to determine that coverage exists for the entire area, ensuring that there are …
Added p. 44
Examine documentation to verify that card production staff involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards, but can perform other non-personalization activities in addition to PIN printing, except for those that give access to cardholder data such as data administration, packaging, or mailing activities.

Interview personnel to determine procedures are followed as stated.

Examine procedures to verify that personnel involved in personalization are never involved in PIN printing of the associated cards.

Interview personnel involved in personalization to verify they are never involved in PIN printing of the associated cards.

Examine documentation to verify PIN mailer procedures exist.

Examine a sample of PIN mailers to verify:

• PIN mailers are printed in such a way that the plaintext PIN cannot be observed until the envelope is opened.

• The envelope displays the minimum data necessary to deliver the …
Added p. 50
• The person opens the door, introduces the package, and closes the door.

• If no motion is detected in the trap, and the first door has been closed, the second door in the HSA can be opened for someone to take the package.

Observe the goods-tools trap configuration:

• If a one-room configuration is used, perform the test procedures for Requirement a).

• If a two-room configuration is used, perform the test procedures for Requirement b) below.

Observe the room configuration to verify the one-room goods-tools trap is configured and operated as follows:

• Composed of a unique, closed, solid construction room (goods transfer room) and two doors (inner and external), minimizing …
Added p. 51
Note: If existing facilities have used wired enclosures for the outer room, they may continue. All new facilities requiring initial validation against these requirements must comply with the requirement as written, i.e., a room that is part of the building structure.

Observe to verify the shipping and delivery areas (loading/unloading) of card components to have at a minimum:

• At least two consecutive enclosed rooms and three doors (external, intermediate, and inner), and

• Minimization of physical contact between the individuals collecting or delivering materials and the shipment/delivery card production staff.

Observe a demonstration of the shipping and delivery processes to verify the shipping and delivery doors operate on an electronic and interlocking basis so that when one of the doors is open the others are electronically locked. Test in multiple configurations with different doors starting in the open position. With all doors closed, try opening multiple doors at the same time, i.e., badging and/or pressing …
Added p. 54
Observe a sample demonstration to verify that local alarms or flashing lights are activated when a door or gate to a restricted area is left open for more than 30 seconds except where otherwise specified in the security requirements.

Examine documentation to verify the alarm system is protected by an auxiliary power or battery backup system with capabilities for ensuring operation for a minimum of 48 hours in the event of a power failure.

Observe the presence of an auxiliary power or battery backup system to verify the alarm system is protected with backup power in the event of a power failure.

Examine documentation to verify a process is in place for the backup system to notify the vendor in real time in the event the backup system is invoked.

Examine a sample of documents (e.g., logs or alarm testing) to verify the system notified the vendor in real time when backup systems were invoked.

Interview the …
Added p. 55
i. A specific procedure must be established to ensure quick corrective action in case an alarm is not activated in accordance with pre-arranged alarm time settings.

Examine documentation to verify that a specific procedure has been established to ensure quick corrective action in case an alarm is not activated in accordance with pre-arranged alarm time settings.

Interview personnel to verify they are knowledgeable of and able to execute the procedure.

ii. Alarm activation and deactivation codes must be known only by guards or security team members authorized to use them.

Interview personnel to verify alarm activation and deactivation codes are known only by the guards or security team members authorized to use them.

Examine documentation to verify alarm activation and deactivation codes are known only by the card production staff authorized to use them.

iii. Codes must be deactivated upon termination of any guards or security team members with knowledge of the code.

Interview personnel to verify …
Added p. 56
Examine badging administration documentation to verify procedures are defined for managing ID badges.

Examine a sample of logs to verify procedures are followed in managing ID badges.

Examine documented procedures to verify the vendor issues a photo identification badge to each card production staff member and consultant.

Examine a sample of logs to verify badge issuance to card production staff and consultants.

c) ID badges and lanyards must not be imprinted with the company name or logo and are not allowed to be imprinted with any information that may identify the vendor’s name or location.

Observe to verify that ID badges and lanyards do not contain the corporate name or logo or any information that may identify the vendor’s name or location.

Examine access-control procedures to verify that the access credentials (which may be the ID badge) are programmed only for the access required based on job function.

Examine to verify a sample of access credentials (which …
Added p. 59
Examine documentation to verify access-control procedures exist and are current.

Interview the access-control system administrator to validate access documents are current.

b) The access-control system must log sufficient information to produce the daily card activity reports detailed below:

• Card identification

• Access attempts results

• Unauthorized attempts

• Anti-pass-back violation and corrective actions taken

• Access-control system changes describing:

− The date and time of the change,

− The reasons for the change, and

− The person who made the change.

Examine a sample of access-control system logs to verify they contain the following information at a minimum:

• Date and time of access

Examine access-control system settings to verify that audit trails are enabled and are kept for three months.

Examine a …
Added p. 61
a) Offsite access to the access-control system is not permitted.

Examine documentation to verify that the remote-access requirements listed below are met where system administration is performed remotely.

Examine a sample of reports to verify system administrators follow requirements for remote access as stipulated below.

Examine documentation to verify vendor facilities not subject to logical security audits have a written statement that requirements are being met.

Interview personnel to verify that the following remote-access requirements are met where system administration is performed remotely:

• Access-control system data must be backed up on a weekly basis.

• Access-control systems administration must be performed from within the security control room.

• For generic administrative accounts that cannot be disabled, the password must be used only for emergency. The password must be changed from the default value and managed under dual control.

• In addition, the access-control system must meet the logical security requirements in Appendix B.
Added p. 62
• Security control room

• Shipping and delivery area

• Every card production staff entrance

Examine a sample of past events or of testing documentation to demonstrate that when a duress button is activated the following occurs, but not limited to:

• A warning or emergency signal is sent to an on-site security control room.

• A remote central monitoring station, or the local police station.

• The anticipated initial response (i.e., event verification) is within two minutes.

• Time and date when the duress button was activated

• Time taken by the remote central monitoring service to respond

• Time taken by the police or other help to respond/arrive on site

• Chronology of all related activities, including names of personnel involved
Added p. 63
a) All duress buttons must be tested, and the results documented on a quarterly basis.

Examine a sample of logs to verify quarterly tests are performed on all duress buttons and that the results are documented.

Interview personnel to verify that key-management procedures are known and are followed.

Examine sample documents to validate key-management procedures are followed.

Examine procedures for issuance of keys and the requirement that they be entrusted to authorized personnel.

Examine evidence to verify that those who are issued keys have signed a consent form indicating they received the keys, that they understand they are entrusted with these keys, and that the keys cannot be accessed by unauthorized individuals.

Examine policy and procedures to verify that all unissued keys, master keys, and duplicate keys are maintained under dual control in a safe or secure cabinet.

Interview personnel to verify unissued keys, master keys, and duplicate keys are maintained under dual control.

Observe storage of all unissued keys, master keys, and duplicate …
Added p. 64
• The locks each key operates

Examine documentation to verify that a process exists for the physical security manager to review the following for keys issued that allow access to sensitive materials:

• The locks each key operates

Examine evidence that for keys that allow access to sensitive materials, the physical security manager performed a quarterly review of:

• The locks each key operates

Examine documentation to verify a process is in place for the physical security manager to, at a minimum:

• Sign and date each of the key control documents; and

• Attest that the review process was completed.

Examine a sample of records to verify the physical security manager performed the key control process as noted above.

Examine documentation to verify that the physical security manager and executive managers are the only employees authorized to possess master or overriding keys to restricted areas.

Examine a sample of logs to verify the physical security manager and …
Added p. 65
Examine documentation to verify that combinations for any combination locks to which a combination holder had access are changed when that combination holder is removed from the list of authorized combination holders.

Examine a sample of logs to verify that combinations for any combination locks to which a combination holder had access were changed when that combination holder was removed from the list of authorized combination holders.

Examine documentation to verify CCTV procedures are documented.

Interview personnel to verify they are aware of and follow the CCTV procedures.

Examine a sample of documents to verify CCTV media are managed per the policy.

Examine documentation to verify a process for all CCTV cameras to be tested and the images displayed by the monitors checked for clear visibility at least monthly; and that a maintenance record is retained on file for a minimum of two years.

Observe CCTV footage from different times of day (including nighttime) to verify that …
Added p. 68
Examine documentation and a sample of archived video to verify CCTV images are:

• Kept for at least 90 days;

• Backed up daily; and that

• Both primary and backup copies exist for a minimum of 90 days.

Examine documentation to verify backup recording and storage requirements exist.

Observe to verify that backup recordings are stored in a separate, secured location within the facility or stored in other facilities via techniques such as disk mirroring in accordance with the retention policy requirements.

Interview personnel to verify that segregation of duties exists between the users and the system administrators.
Added p. 69
• Access-control system

• Window and door contacts

• Glass-break detectors

• Emergency door alarms

• Passive infrared detectors

• CCTV image recorders

Examine documentation to verify inspections on all security devices and hardware were performed at least semi-annually and include but were not limited to:

• Access-control system

• Window and door contacts

• Glass-break detectors

• Emergency door alarms

• Passive infrared detectors

• CCTV image recorders

Examine sample documents to verify security inspections are performed by a qualified external organization.

This inspection report must list all devices within the Security Systems installed on site, the inspection conducted, results of the test, and evidence of any remediation required.

Examine a sample of documents to verify a copy of the inspection reports is retained for at least 18 months.

Examine documentation to verify there is a process …
Added p. 70
Interview personnel to validate that they understand the contingency plan process that guarantees security for card components, products, and data is maintained in case of critical business interruption.

Examine the vendor’s policy and procedures to verify they include that assets associated with card production and provisioning activities are secured in the event production activities are terminated.

Examine procedures to verify the process identifies and secures all of the following but not limited to:

• Card design materials

• Hardware utilized for production activities

Examine the vendor’s policy and procedures to verify they include the disposition expectations for each identified item.

Section 3: Production Procedures and Audit Trails

3.1 Order Limitations

Requirement Test Procedure

Examine the documented procedures in place when vendor starts production of card products or component runs regarding specific orders.

Examine a sample of signed work orders to verify:

• The order is signed by representative of the payment brand, issuer, or issuer’s authorized agent.

• …
Added p. 72
a) The vendor must follow submission procedures mandated by the appropriate payment brand to receive approval for the card design in order to confirm the design’s compliance to the applicable payment brand standards.

Examine the various card-design approval processes to verify that payment brand reviews are appropriately understood and documented by the design team.

Examine documentation with vendor to verify that all mandated approvals have been received and are on file to be reviewed upon request.
Added p. 72
Interview production management to verify what controls are in place to verify vendor only starts a manufacturing run after approvals have been received.

Examine a sample of artwork approval timeframes compared with production runs to verify approval has occurred prior to production.
Added p. 73
c) A portion of a printed sheet

Examine a sample of production run retentions to verify they each include a portion of a printed sheet.
Added p. 73
a) When requested by the payment brand, the vendor must send samples of the finished cards or components from each production run before shipping the finished card products. These samples must be functionally inoperative, and it must be visibly apparent that they are not live cards.

Examine policies/procedures to verify that when requested by the payment brand, the vendor sends samples of the finished cards or components from each production run before shipping the finished card products.

Examine a sample of payment brand requests for samples to verify the samples are functionally inoperative and it is visibly apparent that they are not live cards.

Examine policies/procedures to verify restricted access exists where film, plates, or electronic media are produced.

Observe that restricted access is in place for any room or area that includes the film, plates, or electronic media.

Examine a sample of physical access-control logs to verify that authorized personnel are only allowed within …
Added p. 74
Interview printing department staff to verify how often, by whom, and what documentation is in place regarding the inventory of films, printing plates, and duplicates issued and returned to the printing department.

Observe security controls in place for films and printing plates and verify there are dual-control storage requirements when films and printing plates are not in use.

Examine what materials are in place within the production area.

Observe production staff and verify what procedures are in place to ensure proper levels of materials are maintained on hand for the last production runs of particular card types.
Added p. 75
Examine destruction logbook on final use for films and printing plates and verify that two persons are simultaneously signing the destruction log.

Examine documentation and verify security controls are in place such that all discrepancies are documented and immediately reported to management.

Examine a sample of documentation to verify that any loss or theft is reported to the VPA within 24 hours of discovery.

Observe the material/production regimen for allocation of core sheets for production runs to verify existence.

Examine documentation to verify that the WIP storage room is utilized for storage longer than one week.

Observe storage controls in place by vendor for both partially and fully printed sheets.

• Quality control sheets

• Unused core sheets

Examine a sample of orders processed and validate that audit or accountability forms for core sheets contain:

Examine set-up sheet system used by vendor to verify it is in compliance with this section, restricting sheets unless clearly …
Added p. 76
Observe to verify cards stored outside the vault are stored in secure, locked containers in the HSA under dual controls.

Examine procedures for use of the WIP area to verify that partially finished cards are stored properly in the HSA.

Examine documentation to determine what supplier the vendor is receiving proprietary components from, and whether they are authorized suppliers.

Examine sample orders to verify that the vendor provided the supplier with both the street and mailing addresses of the vendor’s facility, as well as names and signatures of the vendor’s authorized representatives that are allowed to order components.
Added p. 77
Examine policies/procedures to verify audit controls and an audit trail are in place for each job/batch and production step.

Examine a complete job run to verify procedures are followed.

Observe a sample production job/run and validate that all card products and components (both good and rejected, including samples) are counted and reconciled prior to any transfer of responsibility.
Added p. 78
• Description of the component or card product(s) being transferred

• Name and signature of the individual releasing the component or card product(s)

• Name and signature of the individual receiving the component or card product(s)

• Number of components or card products transferred

• Number of components used

• Number returned to vault or WIP storage

• Number rejected or damaged

• Number to be destroyed

• Name and signature of supervisor

• Signatures of persons inventorying components

Examine a sample of audit logs used during production runs to verify that they contain:

• …
Added p. 81
• Number of cards originally placed in inventory

• Reason for transaction (e.g., job number)

• Number of cards removed from inventory

• Number of cards returned to inventory

• Balance remaining in the vault

• Date and time of activity

• Names and signatures of the card production staff who handled the transaction

Examine the vault log to verify that at a minimum it contains:

• Number of cards originally placed in inventory

• Reason for transaction (e.g., job number)

• Number of cards removed from inventory

• Number of cards returned to inventory

• Balance remaining in the vault

• Date and time of activity

• Names and signatures of the card production staff who handled the transaction

Observe items being logged in and out of the vault to verify that proper documentation is accurately completed.

Examine a sample of monthly inventory to verify that an inventory of cards and card components is being completed on a monthly basis by two card production staff.

Interview …
Added p. 82
• Name and signature of an individual other than the operator, who is responsible for verifying the count

• Number of card carriers printed

• Number of carriers wasted

• Number of envelopes that contain cards

• Number of mailers to be printed

• Number of mailers actually printed

• Wasted mailers that have been printed

• Number of mailers transferred to the mailing area/room

• Name and signature of an individual other than the operator, who is responsible for verifying the count

3.8 Production Equipment and Card Components

Requirement Test Procedure

3.8.1 Personalization Equipment

a) The vendor must maintain a log …
Added p. 84
Examine policies/procedures to verify they exist to destroy, under dual control, payment system proprietary typefaces within indent-printing modules that are no longer to be used.

c) Record the destruction of modules.

Examine a sample of documentation to verify that a record of this destruction is maintained.

a) The vendor must shred completely used tipping foil reels containing cardholder data as follows:

• In-house (i.e., within the facility),

• Under dual control, and

Examine policies and procedures for handling completely used tipping foil reels to verify they require the destruction of tipping foil reels containing cardholder data, with dual-control handling requirements, in-house, within the HSA.

Examine a sample of destruction logs to verify that destruction is occurring at a minimum on a weekly basis, in house, under dual control, and within the HSA.

Examine documentation to verify it requires that tipping foil be removed during non-production hours.

Observe procedure of removal of tipping foil to verify it is followed by …
Added p. 85
Note: The following requirements apply ONLY to thermal transfer foil reels/cassettes used within a production environment to apply cardholder data (e.g., those used in personalization or PIN printing processes).

a) Prior to use, thermal transfer foil reels/cassettes must be marked with a unique, tamper-evident security identifier.

Examine documented processes and procedures for the handling and tracking of thermal transfer foil reels/cassettes.

b) Records must be maintained pertaining to the reel/cassette for tracking purposes from first use through destruction.

Examine documented processes and procedures for the tracking thermal transfer foil reels/ cassettes.

c) The vendor must shred completely used thermal transfer foil reels/cassettes containing cardholder data as follows:

• The destruction can occur as frequently as the vendor deems necessary but, in all cases, weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA.

Examine policies and procedures for handling completely used thermal …
Added p. 86
f) Prior to destruction (e.g., shredding), the foil must be stored within the HSA under dual access control.

Observe security controls are in place to store thermal transfer foil under dual control within the HSA prior to destruction.

g) When destroyed the results must be non-readable and non-recoverable.

Examine a sample of waste to verify proper destruction of materials is being followed.

h) An inventory of the number of used reels and/or cassettes must be maintained and reconciled with the number of used reels and/or cassettes destroyed.

Examine a sample of inventory logs to verify the number of used reels and/or cassettes is maintained and reconciled with the number of reels and/or cassettes destroyed.

i) A log, pre-numbered and bound, of the destruction of the thermal transfer foil must be maintained and include at a minimum:

• Number of reels and/or cassettes (partial or full). All used foil must be accounted for and destroyed.
Added p. 87
Section 3.10, “Destruction and Audit Procedures.”

Examine policies/procedures to verify returned cards are either sent to the issuer or destroyed according to “Destruction and Audit Procedures.”

Interview personnel to verify procedures are known and followed.

Interview personnel to identify third-party providers with access to PIN mailers.

Observe that the method and container utilized by the vendor for the collection of cards from a third-party location are handled under dual controls.

Examine documentation to verify the opening of the container and an accounting of the number of envelopes/cards takes place under dual control immediately upon receipt at the personalization facility.

• Written initials of both card production staff counting the cards,

• The issuer name, and

− The card type

− The number of envelopes

− The number of cards

Examine a sample of logs to verify they contain at a minimum:

− The …
Added p. 89
g) Proper destruction requires the following:

• Individuals destroying the materials must ensure that they are rendered unusable and unreadable.

• Two card production staff must simultaneously count and shred the material.

• Before leaving the room, both card production staff must ensure that all material has been destroyed and not displaced in the machinery or equipment.

• Card production staff must prepare, sign, and maintain a destruction document.

• Once the destruction process is initiated, the process must not be interrupted.

Examine the destruction process by reviewing the destruction logbook, destroyed materials in a waste bin, and CCTV coverage of the destruction occurring to verify it requires the following:

• Individuals destroying the materials ensure they are rendered unusable and unreadable.

• Two card production staff simultaneously count and shred the material.

• Before leaving the room, both card production staff ensure that all material has been destroyed and not displaced in the machinery or equipment.

• Card production staff …
Added p. 93
a) If the vendor has subcontracted the manufacturing process to another approved vendor, the subcontracting vendor must assume responsibility during transportation for the loss/theft/misplacement of the cards and/or materials.

Examine a sample of the vendor’s agreements with subcontracting manufacturing vendors to verify that they contain language stating that the subcontracting vendor assumes responsibility during transportation for the loss/theft/misplacement of the cards and/or materials.

• Manifest number

Examine a sample of shipment labels to verify they contain the minimum information required:

Examine policies and procedures to verify that a process is in place to report to the VPA when a shipment request is not in compliance with Requirements 5a) and b) and that shipment is withheld until instruction from VPA is received.

a) Count all card products under dual control.

Observe an example (live or recorded previous count if live not available) of a count to verify that counts of all card products are performed …
Added p. 94
Observe an example to verify the use of packaging materials of sufficient strength to minimize breakage during shipment.

Observe an example to verify the packaging does not indicate or imply the nature of the contents.

Observe an example to verify the tape used for sealing the packaging is reinforced, tamper-evident, unique, and color-coded.

Examine evidence to verify that un-enveloped cards shipped in bulk are packaged in double-walled cartons that have a bursting strength capable of handling a minimum 250 pounds (112 kgs) of pressure.

Observe an example to verify that each carton that contains shipments of cards has:

• The number of cards contained therein printed on the carton.

• The batch/shipment details of which it forms part.

Interview shipping personnel to verify that policies/procedures exist for card products awaiting shipment to be stored in an access-controlled area within the HSA or the vault when the facility is closed.

Observe the area where cards are …
Added p. 95
a) Except for cards delivered directly to individual cardholders, all shipments must be to the issuer, an approved vendor, or (with written issuer and VPA consent) to another destination.

Interview personnel to verify that except for cards delivered directly to individual cardholders, all shipments are to the issuer, an approved vendor, or (with written issuer and VPA consent) to another destination.

Examine a sample of shipping logs to verify that except for cards delivered directly to individual cardholders, all shipments are to the issuer, an approved vendor, or (with written issuer and VPA consent) to another destination.
Added p. 96
b) Sending payment cards to a destination other than the cardholder, issuer, or an approved vendor requires issuer authorization and VPA approval. A copy of the issuer’s authorization letter (i.e., release of liability signed by an issuer corporate officer) must be provided to the VPA when requesting shipping approval from the VPA. The issuer authorization letter must be signed by a corporate officer indicating the destination of the card shipment and acceptance of liability for any loss, theft, or misplacement of cards during transport.

Interview personnel to verify that sending payment cards to a destination other than the cardholder, issuer or an approved vendor requires issuer authorization and VPA approval.

Examine documentation for a sample of shipments of payments cards to a destination other than the cardholder, issuer or an approved vendor to verify that:

• An issuer authorization letter exists, and

• The letter is signed by a corporate officer indicating the destination of the …
Added p. 97
iii. The contents are secured with tamper-evident straps and checked upon delivery.

Examine vendor policies and procedures to verify the contents are secured with tamper-evident straps and checked upon delivery.

iv. The vehicle is loaded using dual control and locked during transport.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the card transport vehicle is loaded using dual control and locked during transport.

v. Vehicle drivers do not have a key or access to contents.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the card transport vehicle drivers do not have a key or access to contents.

vi. Two persons are in the vehicle equipped with a device to communicate with the security control room.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that two persons are in the …
Added p. 98
a) Vendors may include the PIN with the mailing of emergency cards only with written approval from the issuer. Card vendors will be responsible for ensuring an appropriate officer of the card issuer has signed the authorization letter and that a copy of the letter is maintained in their files. The authorization letter must acknowledge that the issuer accepts all risk inherent in shipping cards and PINs together and must confirm that the expedited process is permitted only for emergency card replacement orders. Issuers may provide the card vendor with a standing letter of instruction and do not need to approve each emergency card replacement order.
Added p. 98
• The inclusion of the PIN with the mailing of emergency cards is allowed only with written approval from the issuer;

• An appropriate officer of the card issuer is required to sign the authorization letter for emergency card replacement orders;

• Such letters contain acknowledgment from the issuer accepting all risk inherent in shipping cards and PINs together;

• Such letters confirm that the expedited process is permitted only for emergency card replacement orders; and

• The issuer may issue a standing letter of instruction and does not need to approve each emergency card replacement order.

Examine a sample of mail awaiting delivery to verify that it is in tamper-evident packaging and/or strapped to prevent the removal of envelopes or placed in locked carts.

Examine a sample of mail trays to verify that their packaging is the same as that used by the local mail service.

c) Labels on packages sent to the postal service or …
Added p. 100
Examine evidence of VPA guidance for whether specific requirements apply to its geographic locations.

b) Secure transport originates at the vendor or issuer and must terminate at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.

Examine policies and procedures to verify secure transport originates at the vendor or issuer and terminates at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.

Observe a sample of shipping logs to verify that secure transport originates at the vendor or issuer and terminates at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.

c) Secure transport must occur in one of the following manners: armored vehicle, unarmored vehicle, air freight, sea freight, or rail freight, as outlined below.
Added p. 101
a) This service must be carried out under dual control.

Examine the agreement(s) with the armored transport service to verify it contains language that ensures that armored services used employ dual control during card transport.

Examine the agreement(s) with the armored transport service to verify it contains language that ensures that card transport vehicles do not carry any signs or logos indicating they belong to a card vendor.

i. The cargo must never be left unattended unless the cargo area is armored.

Examine the agreement(s) with the armored transport service to verify it contains language that ensures the card transport vehicle’s cargo is never left unattended unless the cargo area is armored.

Examine the agreement(s) with the armored transport service to verify it contains language that ensures the card transport vehicles are always under dual control (e.g., a driver accompanied by a guard) and never left unattended during any trips if the cargo area of …
Added p. 101
a) The card transport vehicle must not carry any signs or logos indicating it belongs to a card vendor.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language if outsourced, to verify that any unarmored vehicle used for deliveries does not carry any signs or logos indicating it belongs to a card vendor.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement if outsourced, to verify that any unarmored vehicle used for deliveries is accompanied by another vehicle that is not used for card transport.

c) The card transport vehicle used between the vendor facility and the destination must be under dual control at all times (a driver accompanied by a guard) and never left unattended during the trip until the shipment enters a controlled environment at the destination.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement …
Added p. 102
e) The card transport vehicle used between the vendor facility and the air freight facility must be under dual control at all times (a driver accompanied by a guard) and never left unattended during transfer until the shipment enters a customs or other controlled environment at the air freight facility (both sending and receiving).

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the card transport vehicle is under dual control at all times (a driver accompanied by a guard) and never left unattended during the transfer until the shipment enters a customs or other controlled environment at the air freight terminal.

g) The card transport vehicle must be equipped with a communication device that enables two-way contact with the security controller.

Examine service provider agreement language to verify that the integrity of the shipment remains intact if intermediate stops are made during air transport.

i) An …
Added p. 104
Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the shipping container transport vehicle is under dual control at all times (a driver accompanied by a guard) and never left unattended during the transfer until the container enters a customs or other controlled environment at the dock yard.

The transport between the vendor location and the port facility must be nonstop (both sending and receiving), i.e., non-emergency stops are not permitted.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that transport between the vendor location and the port facility terminal is nonstop, both sending and receiving.

A direct route sea transport is required whenever possible. Examine service provider agreement language to verify that all sea transports are required to be nonstop whenever possible.

The container transport vehicle must be equipped with a communication device that enables two-way contact …
Added p. 105
Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that upon arrival at the destination port facility, the container is collected as soon as possible and delivered to the final destination address.

The locked shipping container must be delivered to an issuer or certified vendor facility prior to opening and further distribution of the card shipment.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that the locked shipping container is delivered to an issuer or certified vendor facility prior to opening and further distribution of the card shipment.

c) The hand-carry of goods is strictly prohibited.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that the hand-carrying of goods is strictly prohibited.
Added p. 105
Goods registered as consolidated cargo are not permitted.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that goods registered as consolidated cargo are not permitted.

The rail shipping container must be locked while in the vendor’s shipping area using a tamper-evident, high-security locking mechanism.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the rail shipping container is locked while in the vendor’s shipping area using a tamper-evident, high-security locking mechanism.

The shipping container transport vehicle used between the vendor facility and the rail facility must be under dual control at all times (a driver accompanied by a guard) and never left unattended during transfer until the container enters a customs or other controlled environment at the rail yard (both sending and receiving).

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement …
Added p. 106
Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that transport between the vendor location and the rail facility terminal is nonstop, both sending and receiving.

A direct route rail transport is required whenever possible. Examine service provider agreement language to verify that all rail transports are required to be nonstop whenever possible.

The rail shipping container must be fitted with a GPS monitoring system that provides real-time tracking of the container location.

Examine service provider agreement language to verify the rail shipping container is fitted with a GPS monitoring system that provides real-time tracking of the container.

Examine service provider agreement language to verify the rail shipping container tracking system provides real-time alerts in the event exception conditions are detected that affect container integrity including door opening, lighting changes, internal motion, and impacts.

If intermediate stops are made during rail transport, the vendor must ensure …
Added p. 107
The hand-carry of goods on rail freight solutions is strictly prohibited.

Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that hand-carry of goods on rail freight solutions is strictly prohibited.

Examine policies and procedures to verify that the vendor has the names and signatures of individuals who are authorized to collect and deliver shipments.

b) Verify the identity of personnel arriving to collect or deliver shipments. Examine policies and procedures to verify that the vendor confirms the identity of personnel arriving to collect or deliver shipments.

c) Confirm the identity with the signature list. Examine policies and procedures to verify that the vendor confirms the identity of individuals with the signature list.

d) Place the cartons on a pallet in such a manner that the sides of the carton showing the batch code are visible.

Examine policies and procedures to verify that the vendor places the …
Added p. 108
Examine shipping activity logs to verify establishment of a pre-arranged method of identification between the vendor and destination party to verify the authority and identity of the carrier to receive the shipment before release of the consignment.

Examine shipping activity logs to verify that the consignment is inspected to confirm the integrity of all locks and seals at each point where custody and possession of the consignment changes from one entity to another.

Examine shipping activity logs to verify that a written receipt is completed under dual control at each point of transfer, confirming the integrity of consignment.

Examine shipping activity logs to verify that, in situations where evidence exists that a container has been tampered with, is missing, or is not received as scheduled at its final destination, the requirements for loss or theft of card products are followed and that no further movement of the shipment is made without notification to the issuer …
Added p. 109
Examine shipping activity logs to verify that documentation of the shipments is maintained for 24 months and includes:

• Sequential identification numbers (if applicable)

• Reel numbers (if applicable)

• Total quantity returned

• Recipient name and signatures

• Destination or origination address

• Shipping or receipt date and time

Examine shipping activity logs to verify that the names and signatures of the authorized recipients of returned card components are recorded prior to shipment.

Examine shipping activity logs to verify that the authorized signatures are verified prior to transfer at shipment.
Added p. 109
Examine a sample of agreements with issuers to verify that they contain language indicating that the transfer of shipment responsibility occurs at the point at which the vendor has delivered cards.

Section 5: PIN Printing and Packaging of Non-personalized Prepaid Cards

The following requirements apply only for non-personalized, prepaid cards. All other preceding requirements apply unless explicitly superseded in this section.

Cards will not be activated or loaded with a stored value until they have reached their destination, and the issuer accepts all risk inherent in shipping or mailing cards and PINs together.

Examine policies/procedures to verify they require written authorization from the issuer for packaging, shipping, or mailing the card and PIN together to include confirmation that:

Examine a sample of written authorizations from issuers to verify that procedures are followed.

Examine a sample of authorization letters to verify that:

• An appropriate …
Added p. 111
Interview the network administrator to have them validate that clear-text PINs must never be available on any system on the personalization network.

Observe DB tables containing PIN data retrieved by the network administrator to verify PINs are not in clear text.

Examine network diagrams to verify that PIN-printing systems are either on:

• A network physically separate from the personalization network, or

• A logically separated subnet dedicated for PIN printing, which is protected by a dedicated firewall.

Examine firewall rules to verify the aforementioned.

Addressed in review conducted under the PCI Card Production and Provisioning Logical Security Requirements.

Examine documentation to identify the controls in place to verify that PINs are deleted from the PIN-printing system immediately after use via a secure erasure tool that prevents recovery of the PIN using forensic techniques or off-the-shelf recovery software.

Interview the PIN production manager to verify secure erasure of PINs after printing.

Observe PIN-printing process and verify that PINs …
Added p. 112
Be in a dedicated PIN-printing room as defined in Section 2.3.5.4 of this document, “PIN Mailer Production Room”; and

Examine architecture documentation to verify that the PIN-printing room is in a dedicated room as defined in Section 2.3.5.4.

Interview the owner of the PIN-printing process to verify whether clear-text PINs are available outside of the printer and to identify locations.

Observe cabling to confirm no evidence of tampering.

Observe how it is secured above ceiling or below flooring and the procedure for gaining access to cabling.

Observe the process for how the PIN is concealed in tamper-evident packaging immediately after printing.

• The personalization HSA; or

• A dedicated PIN printing room within the personalization HSA; or

• A separate HSA that …

Examine documentation to verify that clear-text PINs only exist within a single integrated device. Observe that this occurs within the personalization HSA, or observe that the activity occurs in a room dedicated to only PIN printing.
Added p. 113
Observe the PIN process to verify that clear-text PINs are only available inside a securely locked and covered area of the machine, for the minimum time required for printing, and are never stored.

Interview the owner of the PIN-printing process to validate that no storage of the clear-text PINs is allowed.

Observe the PIN-printing process to verify that:

• No visibility of the PIN is possible from outside the machine.

• The covers on the machine are locked in place with dual control locks.

Observe the PIN-printing process to verify that the PIN is concealed in tamper-evident packaging:

• Immediately after printing, and

• Before leaving the secured confines of the printer.

These criteria apply to all systems commonly impacted by malicious software and similar vulnerabilities, such as personal computers and servers. Additionally, all user management controls, including password controls, are implemented except where the platform does not support that degree of granularity. Regardless, controls will be implemented to …
Added p. 116
Interview the administrator to determine the names of people with administrative access.

Interview management of systems to determine if the number of people with administrative access is the minimum number of individuals required for management of the system.

Examine configurations for remote access technologies to verify that remote access sessions are not enabled, except as used in conjunction with an approved SOC.

Examine documentation to verify that group, shared, and generic accounts and passwords are disabled wherever the system supports unique values.

Examine documentation to determine if generic administrative accounts are enabled.

If generic administrative accounts are enabled, examine documentation to verify that such accounts are used only:

• When unique administrator sign-on credentials are not possible, and

Examine documentation to verify that when generic administrative accounts are used:

• The password is managed under dual control where no individual has access to the full password; and

• Each component of the password complies with the password control requirements in the …
Added p. 118
e) Not store passwords in clear text. Observe data tables containing passwords and verify (on screen) that none of the entries are in clear text.

f) Change all default passwords. Observe system administrator log onto the system and validate that all default passwords have been changed.

Examine system configuration settings to verify that password parameters are set to require that newly issued and reset passwords are set to a unique value for each user.

c) “First use” passwords expire if not used within 24 hours of distribution.

Examine system configuration settings to verify that “first use” passwords expire if not used within 24 hours of distribution.

Examine system configuration settings to verify that systems enforce password lengths of at least 12 characters.

• Special characters

Examine system configuration settings to verify that password configuration parameters consist of a combination of at least three of the following:

f) Passwords are not the same as the user ID. Examine …
Added p. 119
Examine documentation to verify that passwords are encrypted during transmission and rendered unreadable when stored.

Examine a sample of password data repositories to verify the password field is rendered unreadable (that is, not stored in plaintext).

Examine system configuration settings to verify that passwords have a maximum life not to exceed 90 days and a minimum life of at least one day.

Examine system configuration settings to verify that when updating passwords, the system prevents users from using a password that is the same as one of their previous four passwords.

k) The user’s identity is verified prior to resetting a user password. Examine policies/procedures for password resets to identify the process for validating the user identity prior to reset.

Observe security personnel to verify that, if a user requests a reset of an authentication credential by phone, e-mail, web, or other non-face-to-face method, the user’s identity is verified before the authentication credential is modified.

Examine …
Added p. 120
Examine a sample of user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.

Examine system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.

Examine documentation to validate that locked accounts must only be unlocked by the security administrator or via an automated password reset mechanism.

Examine documentation where systems utilize unlocking via automated password reset mechanisms and validate the following:

• Challenge questions with answers that only the individual user would know must be used.

• The questions are designed such that the answers are not information that is available elsewhere in the organization, such as in the Human Resources Department.

Examine a sample of password resets to verify that the above procedures are followed.

d) A user’s account must be locked immediately upon that user leaving the vendor’s employment until it …
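One way to check the password and account controls listed above (12-character minimum, at least three character classes, password not equal to the user ID, no reuse of the previous four passwords, 90-day maximum life, 24-hour first-use expiry, lockout after six invalid logons, inactive accounts over 90 days disabled), as an added example that is not part of the PCI standard or any vendor's system. The three character classes other than special characters, the account export fields and the sample accounts are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as stated in the requirements above.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
HISTORY_DEPTH = 4                      # no reuse of the previous four passwords
MAX_LIFE_DAYS = 90
FIRST_USE_EXPIRY = timedelta(hours=24)
MAX_INVALID_LOGONS = 6
INACTIVITY_DAYS = 90

# Assumption: the page names only "special characters"; the other three
# classes counted here (lower, upper, digit) are the usual ones.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def hash_password(password: str, salt: bytes) -> bytes:
    """Store passwords rendered unreadable: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_new_password(user_id: str, password: str,
                       history: list[tuple[bytes, bytes]]) -> list[str]:
    """Requirement violations for a proposed password; history holds (salt, hash)
    pairs of the user's previous passwords, most recent first."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} is below {MIN_LENGTH}")
    present = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    if present < MIN_CHARACTER_CLASSES:
        findings.append(f"only {present} of {len(CLASSES)} character classes used")
    if password.lower() == user_id.lower():
        findings.append("password is the same as the user ID")
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            findings.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
            break
    return findings

@dataclass
class Account:
    """One row of an assumed user-account export from the system under review."""
    user_id: str
    last_logon: datetime | None
    invalid_logons: int
    locked: bool
    disabled: bool
    password_set: datetime
    first_use_issued: datetime | None = None   # when a first-use password was handed out
    first_use_consumed: bool = True

def audit_accounts(accounts: list[Account], now: datetime) -> dict[str, list[str]]:
    """Exceptions per account against the inactivity, maximum password life,
    first-use expiry and lockout requirements."""
    report: dict[str, list[str]] = {}
    for a in accounts:
        issues = []
        if not a.disabled:
            last = a.last_logon or a.password_set
            if now - last > timedelta(days=INACTIVITY_DAYS):
                issues.append(f"inactive for {(now - last).days} days but not disabled")
            if now - a.password_set > timedelta(days=MAX_LIFE_DAYS):
                issues.append(f"password is {(now - a.password_set).days} days old")
            if (a.first_use_issued and not a.first_use_consumed
                    and now - a.first_use_issued > FIRST_USE_EXPIRY):
                issues.append("unused first-use password still valid after 24 hours")
        if a.invalid_logons >= MAX_INVALID_LOGONS and not a.locked:
            issues.append(f"{a.invalid_logons} invalid logons without lockout")
        if issues:
            report[a.user_id] = issues
    return report

# Constructed sample data for a stand-alone run.
NOW = datetime(2024, 3, 4, 9, 0)
SAMPLE_ACCOUNTS = [
    Account("jdoe", NOW - timedelta(days=2), 0, False, False, NOW - timedelta(days=30)),
    Account("contractor7", NOW - timedelta(days=120), 0, False, False, NOW - timedelta(days=200)),
    Account("opsadmin", NOW - timedelta(days=1), 9, False, False, NOW - timedelta(days=10)),
    Account("newhire", None, 0, False, False, NOW - timedelta(hours=30),
            first_use_issued=NOW - timedelta(hours=30), first_use_consumed=False),
]

def demo_password_checks() -> dict[str, list[str]]:
    """Constructed cases: a reused password, a weak one and a compliant one."""
    salt = os.urandom(16)
    history = [(salt, hash_password("Winter-2023-Pr0d", salt))]
    return {
        "reused": check_new_password("jdoe", "Winter-2023-Pr0d", history),
        "weak": check_new_password("jdoe", "jdoe12345678", history),
        "ok": check_new_password("jdoe", "Spring-2024-Pr0d!", history),
    }
```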
Added p. 121
Examine anti-virus policies/procedures to verify that the following are defined and that corresponding procedures exist for each:

• Inventory of current systems in the environment including information about installed software components and about running services

Examine a sample of system components including all operating system types commonly affected by malicious software, and verify that anti-virus software is deployed if applicable anti-virus technology exists.

Examine vendor documentation and examine anti-virus configurations to verify that anti-virus programs:

• Detect all known types of malicious software;

• Remove all known types of malicious software; and

• Protect against all known types of malicious software.

Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits.
Added p. 122
Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date.

Examine anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are:

• Configured to perform automatic updates, and

• Configured to perform periodic scans.

Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:

• The anti-virus software and definitions are current.

• Periodic scans are performed.

Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that anti-virus software log generation is enabled.

Examine patch management documentation to verify that:

• Anti-virus is updated at least daily.

• Updates are installed in a manner consistent with patch management guidelines.

• A process exists to document why any updates were not made.

Interview the system administrator to verify that anti-virus updates are applied at least daily, and updates are installed in a …
Added p. 123
• Identifying and evaluating newly discovered security vulnerabilities, and

• Identifying and evaluating security patches from software vendors.

Interview the system administrator to verify that procedures are implemented to identify and evaluate newly discovered security vulnerabilities and security patches from software vendors.

Examine documentation to verify that secure configuration standards are established for all system components.

Interview the system administrator to verify that a secure configuration standard exists and that there is a documented configuration standard for all system components.

Examine the organization’s system configuration standards for all types of system components and verify that the standard addresses:

• The removing of all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

Examine documentation to verify that there is a process in place to validate security configurations monthly for ACS and CCTV systems against the authorized configuration.

Examine a sample of the ACS and CCTV systems to verify that the security configuration file …
Added p. 124
• Evaluating and installing the latest security-relevant patches for all system components within 30 days of their release (if they pass validation tests).

Examine a sample of recently implemented security-relevant patches to verify they were:

• Approved for install, and

• Applied within a 30-day cycle of their release.

• Verifying the integrity and quality of the patches before application, including source authenticity.

Examine a sample of recently implemented security-relevant patches to verify they were applied after first having the relevant system backed up prior to the patch being applied.

• Implementing critical patches to all Internet-facing system components within seven business days of release.

• Documenting exceptions for when this is not possible.

• The exceptions process, which includes the CISO, IT security manager, and IT director documenting that they understand that a critical patch is required and authorize its implementation within a maximum of 30 business days.

Examine a sample of recent critical patches to verify …
Added p. 125
Examine a sample of audit logs to verify they exist for the CCTV and access-control systems and they include:

• Operating system logs,

• Security software logs or

• Application logs containing security events

• Changes in access privileges

Examine a sample of audit logs and verify that they include at least the following components:
Added p. 125
Examine documentation to validate that procedures exist, they are documented, and they are followed for:

• Audit log review and

• Reporting of unusual activity; and

• Log reviews are either automated or manual; and

• Reviews occur on a frequency that is at least monthly.

Examine documentation to verify that at least once a month all systems are meeting log requirements as defined in this section (B.7, “Audit Logs”).
Added p. 126
Examine documentation to verify that audit logs are backed up daily, secured, and retained for at least one year. Verify that the logs are accessible for at least three months online and one year offline.

Examine a sample of logs to verify that they are:

• Backed up daily, secured, and retained for at least one year

• Accessible for at least three months online and one year offline

Examine documentation to verify audit logs are protected from unauthorized modifications via access-control mechanisms, physical segregation, network segregation, encryption, or hashing.

Examine documentation to verify that security-incident and event-logging are implemented within the organization.
Added p. 127
When a SOC controls the security activities of multiple facilities, a local Security Control Room (SCR) is maintained at each facility for backup purposes in the event the SOC loses connectivity or otherwise becomes non-operational. Therefore, a local SCR is present at each facility managed by a SOC, except for the facility at which the SOC is located, where it is optional. The local SCR contains fully functional security control systems, but the day-to-day operations are performed by the SOC. Security guards that would normally perform SCR activities and other security functions that do not require a physical presence at the local facility may perform these activities from the SOC. When a SOC is temporarily not operational, local guards and predefined staff members at the affected facilities are expected to perform all tasks necessary to ensure continuous compliance with the security standard.

The SOC security requirements in this section duplicate many …
Added p. 128
Note: SCR activities are not required to occur within the SOC environment.

Observe to verify that only activities related to SOC and SCR operations occur within the SOC perimeter.

Interview personnel to verify that only activities related to SOC and SCR operations occur within the SOC perimeter.

SOCs must only monitor facilities that are owned and operated by the card vendor who operates the SOC.

Examine documentation to verify that facilities monitored are owned and operated by the card vendor who operates the SOC.

Interview personnel to verify that the SOC only monitors facilities that are owned and operated by the card vendor who operates the SOC.

SOCs must only monitor card production facilities that are either VPA-approved or are seeking VPA approval.

Examine documentation to identify which vendor facilities are VPA-approved and list them for VPA review.

There must be a shared, common spoken language between all SOCs and managed vendor facilities that all SOC personnel and …
Added p. 129
• Local security manager

• Security Responder(s)

This must be reviewed on a monthly basis by the Local Security Manager and provided to the SOC. The SMS must be updated with this information within 48 hours of receipt.

Examine policies and procedures to verify that SOC personnel are provided with information on whom to contact whenever a facility is operational and that this includes the local security manager and security responder(s).

Interview a sample of SOC personnel to verify their awareness of the aforementioned.

Examine policies and procedures to verify that the contact information is reviewed on a monthly basis by the Local Security Manager and provided to the SOC.

Examine policies and procedures to verify the security management system is updated within 48 hours of receipt of this information.

All staff that have access to a managed vendor facility must be able to contact the SOC.

Interview a sample of staff with access to a managed vendor facility to …
Added p. 130
C.2.1 SOC location

The vendor must ensure the SOC:

Is located at a VPA-approved facility. Observe that the SOC is located in a VPA-approved facility.

Is outside of the high security area (HSA) of the facility and the cloud-based provisioning environment and is segregated from the Security Control Room (SCR), either in a separate room, a fully segregated room within the SCR, or a stand-alone building.

Observe the location of the SOC to verify that it is located outside of the HSA and cloud-based provisioning environment and is segregated from the SCR either in a separate room, a fully segregated room within the SCR, or a stand-alone building.

Is in a building with low risk of fire, explosion, flooding, vandalism, and exposure hazards from other buildings, and the vendor has performed an analysis to demonstrate that mitigation. The building must be protected against the effects of lightning strikes.

Examine the vendor’s …
Added p. 131
• Location of the SOC in relation to distance from vehicular access points.

• Walls existing between the SOC and the road.

• Installation of HVM Barriers.

The vendor must ensure the following:

• All risks identified that could result in a breach of the SOC are remediated.

• Assessment is reviewed on an annual basis.

Examine documentation of the HVM risk assessment to verify controls mitigating the risk of a vehicle penetrating the SOC have been considered.

Examine evidence that the assessment is reviewed on an annual basis.

Interview a local security manager to verify that all risks identified that could result in a breach of the SOC are remediated and that the assessment is reviewed on an annual basis.

All external windows are to be physically secure from external attack (e.g., non-opening, bullet-resistant, or equipped with metal bars). Windows will be mirrored or use material such as opaque film to prevent sight into buildings.

Observe to determine external …
Added p. 132
Observe the SOC and all separate rooms within the SOC to verify they are protected by internal motion detectors that must be activated in zones when no staff are present.

Observe via inspection that every zone has motion detectors installed, and open-plan areas have sufficient devices installed to ensure motion will be detected by someone walking through the area (100% coverage is not required).

C.2.3 Equipment within the SOC

The SOC has equipment sufficient to adequately monitor the sites that are under SOC control, with the capability to expand if and when required. The number of operators and workstations needed will be determined by the time required to manage all events from the sites monitored by the SOC.

At a minimum, each SOC must have:

Sufficient operator workstations and monitors to address the following:

• Displaying at a minimum:

− Event management

− Standard operating procedures

• Ability from a single console to …
Added p. 133
There are at a minimum three main areas as shown in the examples below.

Mantrap Entrance

The mantrap controls access to the SOC and minimizes disruption to critical business activities.

Monitoring room

The main purpose of the monitoring room is to provide a well-managed, ergonomic area for SOC operators to effectively manage all security system events across the managed vendor facilities. The monitoring room will:

• Provide effective access control and monitoring of PCI CPP regulated areas.

• Provide resilience and redundancy of critical SMS.

• Initiate appropriate and timely security response to incidents.

• Oversee security responses until resolved and provide post-incident reporting.

Investigation room

There is a dedicated investigations room, separate from the SOC monitoring room. Without disturbing the day-to-day operations, the purpose of this area is to:

• Provide a quiet area to concentrate on high-level event management.

• Host third parties as part of an investigation.

• Host third parties for the purpose of auditing.

A mantrap entrance to …
Added p. 136
C.3.1 SMS Provisions

The SMS must provide:

• Visual verification of alarms when possible, to identify nuisance alarms or to initiate an appropriate and balanced response to an actual incident.

• Monitoring of events using a video wall in combination with SOC operator workstations.

• A single graphical user interface (GUI) to allow the global estate, sites and buildings to be fully monitored.

• Display of pertinent information to aid SOC monitoring and allow a quicker response to incidents.

• Collection of system data for reports and to provide intelligence to …

Observe to verify that the SMS provides for:

• Visual verification of alarms to identify nuisance alarms or to initiate a response to an actual incident.

• Events are monitored using a video wall in combination with SOC operator workstations.

• Single graphical user interface (GUI) to allow the global estate, sites and buildings to be fully monitored.

• Pertinent information displayed to aid SOC monitoring and allow a quicker response to incidents.
Added p. 137
• Supports secure individual log-on with configurable user privileges.

• Provides search functions for reporting and audit purposes, including but not limited to event logs, user transactions and alarms.

• Allows viewing of system events when required.

The CCTV system must be able to:

• View both live and recorded CCTV footage.

• Automatically display live CCTV footage associated to an event.

• Display recorded CCTV footage that is marked at the event ready for playback.

Examine documentation to verify the CCTV system can do the above, and observe to verify that the aforementioned CCTV system characteristics exist.

Each SOC must have sufficient bandwidth to manage the security systems.

• Minimum requirements …
Added p. 138
C.3.3.1 Security System Events

The following events must be logged:

• Unauthorized access attempts

• Access (successful or failed) attempts results

• Anti-pass-back violations

• Door-open-too-long alarm

• Forced door

• Occupancy violations such as:

• Occupancy greater or equal to one, with no motion detected within 15 or fewer minutes

• Motion detected when occupancy equals zero

• Motion detected inside the inner room of the loading bay when both intermediate and inner doors are closed

• Duress Alarm activation

• 24/7 monitored intruder alarm …

Examine a sample of security system event logs to verify they contain, at a minimum, the events listed above.
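The three occupancy-violation rules above, as an added example that is not part of the standard: a small detector, written here for illustration, that replays constructed access-control and motion events per zone and flags each rule, using the 15-minute no-motion limit. The log format, zone names (including `loading_bay_inner`) and sample events are assumptions, not taken from the document.

```python
"""Occupancy-violation detector for security-system event logs (illustrative).

Replays time-ordered events per zone and flags the occupancy violations
listed in C.3.3.1:
  1. occupancy >= 1 with no motion detected within the no-motion limit
  2. motion detected while occupancy equals zero
  3. motion inside the loading bay inner room while both the intermediate
     and the inner door are closed
Log format, zone names and sample events are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

NO_MOTION_LIMIT = timedelta(minutes=15)   # "15 or fewer minutes"; may be tightened
LOADING_BAY_INNER = "loading_bay_inner"   # assumed zone name


@dataclass
class Event:
    ts: datetime
    zone: str
    kind: str        # "occupancy", "motion" or "door"
    value: str = ""  # occupancy count, or "<door>:<open|closed>"


@dataclass
class ZoneState:
    occupancy: int = 0
    last_activity: Optional[datetime] = None  # last motion, or when zone became occupied
    doors: Dict[str, str] = field(default_factory=dict)
    stale_reported: bool = False              # do not re-flag the same idle period


Violation = Tuple[datetime, str, str]         # (time, zone, description)


def parse_log(text: str) -> List[Event]:
    """Parse constructed lines: '<ISO timestamp> zone=<z> kind=<k> [value=<v>]'."""
    events = []
    for line in text.strip().splitlines():
        ts_text, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(ts_text), fields["zone"],
                            fields["kind"], fields.get("value", "")))
    return events


def _check_idle(zone: str, st: ZoneState, at: datetime, out: List[Violation]) -> None:
    """Rule 1: occupied zone with no motion for longer than NO_MOTION_LIMIT."""
    if (st.occupancy >= 1 and st.last_activity is not None
            and not st.stale_reported and at - st.last_activity > NO_MOTION_LIMIT):
        out.append((st.last_activity + NO_MOTION_LIMIT, zone,
                    "occupancy >= 1 with no motion within 15 minutes"))
        st.stale_reported = True


def detect_violations(events: List[Event], now: datetime) -> List[Violation]:
    """Return violations found in the events, sorted by the time they occurred."""
    states: Dict[str, ZoneState] = {}
    found: List[Violation] = []
    for ev in sorted(events, key=lambda e: e.ts):
        st = states.setdefault(ev.zone, ZoneState())
        _check_idle(ev.zone, st, ev.ts, found)   # idle check up to this event
        if ev.kind == "occupancy":
            count = int(ev.value)
            if count >= 1 and st.occupancy == 0:  # zone just became occupied
                st.last_activity, st.stale_reported = ev.ts, False
            st.occupancy = count
        elif ev.kind == "motion":
            if st.occupancy == 0:                # rule 2
                found.append((ev.ts, ev.zone, "motion detected when occupancy equals zero"))
            if (ev.zone == LOADING_BAY_INNER and st.doors.get("intermediate") == "closed"
                    and st.doors.get("inner") == "closed"):   # rule 3
                found.append((ev.ts, ev.zone,
                              "motion in loading bay inner room with both doors closed"))
            st.last_activity, st.stale_reported = ev.ts, False
        elif ev.kind == "door":
            door, state = ev.value.split(":", 1)
            st.doors[door] = state
    for zone, st in states.items():               # idle check up to "now"
        _check_idle(zone, st, now, found)
    return sorted(found, key=lambda v: v[0])


# Constructed sample log: an idle vault, motion in an empty packing room,
# and motion in the sealed loading bay inner room.
SAMPLE_LOG = """
2024-03-04T08:00:00 zone=vault kind=occupancy value=2
2024-03-04T08:05:00 zone=vault kind=motion
2024-03-04T08:30:00 zone=vault kind=motion
2024-03-04T08:31:00 zone=packing kind=motion
2024-03-04T08:40:00 zone=loading_bay_inner kind=door value=intermediate:closed
2024-03-04T08:41:00 zone=loading_bay_inner kind=door value=inner:closed
2024-03-04T08:45:00 zone=loading_bay_inner kind=occupancy value=1
2024-03-04T08:46:00 zone=loading_bay_inner kind=motion
"""
NOW = datetime.fromisoformat("2024-03-04T09:00:00")

if __name__ == "__main__":
    for ts, zone, what in detect_violations(parse_log(SAMPLE_LOG), NOW):
        print(f"{ts.isoformat()} {zone}: {what}")
```

Running the sample reports four violations: the vault idle from 08:05 and again from 08:30, the empty packing room at 08:31, and the sealed loading bay inner room at 08:46.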
Added p. 139
The Access Credential Management Process must include:

• A request for updating access credentials is made.

• The local security manager or other authorized personnel within each managed vendor facility approves the change.

• The request is sent to the SOC, and SOC personnel modify the access credential assignment under dual control.

• All changes to the system must be logged.

Examine policies and procedures to verify the following processes exist:

• A request for updating access credentials is made.

• The local security manager or other authorized personnel within each managed vendor facility approves the change.

• The request is sent to the SOC, and SOC personnel modify the access credential assignment under dual control.

• All changes to the system are logged.

Examine a sample of creation and updating of access credentials to verify the aforementioned process is followed.

C.3.3.3 Event Management Steps

An “Event matrix” must be created. The matrix must:

• List all possible events for each system …
Added p. 140
• Escalate as necessary.

• Take necessary corrective actions within prescribed time frames.

Examine documentation of standard operating procedures to verify they contain guidance for SOC operator actions required to contain events and prevent their escalation.

Observe that SOC operators have systems available in front of them to contain an event, including blocking access rights or alerting the local security manager.

Examine documentation of standard operating procedures to verify they contain guidance for SOC operators on necessary corrective actions.

The system must help generate a report by automatically pulling the relevant data into one template.

Examine a sample of medium- and high-security events to verify that the security system automatically generates a report pulling the relevant data into one template.

Documented procedures must require that all actions taken for medium- and high-security events are reviewed to ensure that the preventative actions are sufficient to prevent reoccurrence.

Examine policies and procedures to verify that medium- and high-security events …
Added p. 142
All security system events must be addressed within the following timeframes:

• N/A events are simply registered without action.

• Low priority events must be addressed within 30 minutes.

• Medium priority events must be addressed within 10 minutes.

• High priority events must be addressed within 6 minutes.

Examine policies and procedures to verify they require that security system events are contained according to the following timeframes:

• Low priority events are addressed within 30 minutes.

• Medium priority events are addressed within 10 minutes.

• High priority events are addressed within 6 minutes.

Examine a sample of low, medium, and high priority events to verify they are addressed within the prescribed timeframes.

C.3.4.1 Performance Management

Ongoing performance must be monitored and reported, ensuring:

• The event matrix is accurate and kept up to date.

• Events are managed correctly within the SLAs defined in the event matrix.

• The Corporate Security Director reports the …
Added p. 143
This position is responsible for ensuring that:

• The SOCs are appropriately resourced.

• The SOCs fulfil their responsibility for the remote monitoring and administration of all managed vendor facilities.

• The corporate security director must report to senior management the status and performance of the SOCs on a quarterly basis.

Examine applicable policies and procedures to verify that a senior manager has been designated as corporate security director to ensure oversight and continuity between all SOCs of the vendor.

Interview the corporate security director to determine their understanding of their roles and responsibilities, which include:

• The SOCs are appropriately resourced.

• The SOCs fulfil their responsibility for the remote monitoring and administration of all managed vendor facilities.

• Reporting to senior management the status and performance of the SOCs on a quarterly basis.

The corporate security director must be an employee of the vendor.

Examine employment documentation to verify employment and position.

A CISO must be designated to …
Added p. 144
• Any restricted areas where the vendor processes, stores, or ships or receives card products and card components.

Examine applicable policies and procedures to verify that supervisors and SOC operators are not permitted to perform any functions normally associated with the production of card products or card components, including access to:

• Any restricted areas where the vendor processes, stores, or ships or receives card products and card components.

Interview a sample of supervisors and SOC operators to determine their understanding of their roles and responsibilities, which DO NOT include access to:

• Any restricted areas where the vendor processes, stores, or ships or receives card products and card components.
Added p. 145
Use only authorized locations and equipment, which must be defined and managed accordingly.

Examine policies and procedures to verify that only authorized locations and equipment are used.

Use strong cryptography and security protocols to safeguard security system data during transmission over open, public networks, including the following:

• Only trusted keys and certificates are accepted.

• The protocol in use only supports secure versions or configurations.

• The encryption strength is appropriate for the encryption methodology in use.

Examine documentation and system settings to verify that only strong cryptography and security protocols as defined in PCI DSS are used for transmission of security system data over open, public networks. This includes:

• Only trusted keys and certificates are accepted.

• The protocol in use only supports secure versions or configurations.

• The encryption strength is appropriate for the encryption methodology in use.
Added p. 146
Secure transmission of security system data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt security system data. Connection requests from systems that do not support the required encryption strength and would result in an insecure connection should not be accepted.

Note that some protocol implementations (such as SSL, SSH v1.0, and TLS 1.0 or 1.1) have known vulnerabilities that an attacker can use to gain control of the affected system. Whichever security protocol is used, ensure it is configured to use only secure versions and configurations to prevent use of an insecure connection, e.g., using only trusted certificates and supporting strong encryption, not weaker, insecure protocols or methods.

Verifying that certificates are trusted⎯e.g., have not expired and are issued from a trusted source⎯helps ensure the integrity of the secure connection.

Generally, the web page URL should begin with "HTTPS" and/or the web browser with a padlock icon …
Added p. 147
Examine documentation to verify that the SMS is on dedicated network(s) independent of the back office.

Put controls in place to restrict, prevent, and detect unauthorized access to the security system networks.

Examine policies and procedures to verify that access to the security system networks is restricted, and unauthorized access is prevented and detected.

Examine a sample of access rules to verify that access to the security system networks is restricted, and unauthorized access is prevented and detected.

Be able to immediately assess the impact if any of its critical connecting points are compromised.

Examine documented incident response procedures to verify processes are in place that allow for immediate assessment of the impact of any compromise of critical connecting points.

Control at all times the physical connection points leading into the security system network.

Observe physical connection points leading into the security system network to verify they are controlled at all times.

Prevent data from being tampered …
Added p. 149
Document the process to authorize all changes to network devices and protocols.

Examine policies and procedures to verify a process is in place to authorize all changes to network devices and protocols prior to implementation.

Examine a sample of change-management logs for network devices and protocols to verify the changes are authorized.

Document the current network device configuration settings, rule set, and justification for each device.

Examine a sample of network device documentation to verify configuration settings, rulesets, and their justifications are documented.

Interview personnel to verify they are familiar with the documentation and process by which the documentation is updated.

Ensure all available services are approved by an authorized security manager.

Interview personnel to identify available services.

Examine evidence that available services were approved by an authorized security manager.

Implement logical and physical security controls that protect the integrity of network devices used.

Examine documentation of logical and physical security controls that protect the integrity of network devices used …
Added p. 150
Examine change-control documentation to verify there is a process for backing up network devices prior to any changes to those devices.

Examine procedures for backups and managing backup media to verify media are securely stored and managed.

Observe the media storage location to verify it provides a secure storage environment.

Implement a mechanism to ensure that only authorized changes are made to network devices.

Examine network device change logs to verify that changes to network devices were authorized before implementation.

C.5.4 Firewalls

The requirements in this section apply to firewalls protecting the security system networks.

C.5.4.1 General

The vendor must:

Ensure all documents relating to firewall configurations are stored securely.

Observe the firewall configuration documentation storage area to verify:

• Hard copy and non-digital documentation are stored in locked/secured areas with access only to authorized personnel.

• Digital records are stored in a secure directory with access limited to authorized personnel.

Deploy an external firewall outside the SOC to protect the …
Added p. 151
Examine documentation to verify that abnormal operations on network systems can be:

• Corrected on a real-time, 24/7, basis.

Examine a sample of logs to verify that abnormal operations on network systems are:

• Corrected on a real-time, 24/7, basis.

Implement appropriate operating-system controls on firewalls.

Examine configurations to verify that appropriate operating-system controls are implemented on firewalls.

Review firewall rule sets and validate supporting business justification either monthly, or quarterly with review after every firewall configuration change.

Examine evidence that firewall rule sets have been validated either:

• After every firewall configuration change and every 3 months.

Examine a sample of firewall rule sets to verify that their business justification is documented.

Restrict physical and logical access to firewalls to only those designated personnel who are authorized to perform firewall or router administration activities.

Observe the firewall/router environment to verify that physical access to firewalls is limited to only those designated personnel who are authorized to perform …
Added p. 152
Examine documentation to verify that non-firewall related software is deleted or disabled from firewalls and routers.

Examine a sample of firewalls and routers to verify they are dedicated hardware from which all non-firewall related software has been deleted or disabled.

Implement daily, automated analysis reports to monitor firewall activity.

Examine evidence that automated tools exist to monitor and analyze firewall activity.

Observe a sample of firewall analysis reports to verify that automated analysis is in place and that daily reports are produced.

Use unique administrator passwords for firewalls used by both the security system and other network devices in the facility.

Examine authentication policies and procedures to verify passwords for firewall administration are different than passwords used for other network devices.

Interview personnel to verify that unique passwords are established for firewall administration.

Implement mechanisms to protect firewall and router system logs from tampering and to check the system integrity monthly.

Examine evidence that firewall and router …
Added p. 153
Examine policies and procedures for prohibiting direct public access between any external networks and any system component that stores cardholder data to verify existence.

Examine a sample of firewall and router configurations to verify there is no direct access between the Internet and system components that store cardholder data.

Implement IP masquerading or Network Address Translation (NAT) on the firewall between the DMZ and security system networks.

Examine policies and procedures for implementing IP masquerading or Network Address Translation (NAT) on the firewall between the DMZ and the security system networks to verify existence.

Examine a sample of firewall and router configurations to verify that methods are in place on the firewall between the DMZ and the security system networks to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.

If managed remotely, be managed according to Section 4.6, “Remote Access,” of the PCI CPP Logical Security Requirements.

If …
Added p. 154
• Center for Internet Security (CIS).

• International Organization for Standardization (ISO).

• SysAdmin Audit Network Security (SANS) Institute.

• National Institute of Standards Technology (NIST).

At a minimum, baseline configuration must address:

• User and group access security

• File and directory security

• Restricted services

• System update and installation standards

• Installed security software

Examine policies and procedures to verify that a baseline configuration has been established for the organization’s system components and addresses at a minimum, but not limited to:

• User and group access security

• File and directory security

• Restricted services

• System update and installation standards

• Installed security software

Interview personnel to verify the baseline configuration standard is based on an industry standard.

The vendor must perform baseline security configuration checks in the SOC environment monthly or quarterly, with review after every configuration change.

Examine evidence to verify that the baseline security configuration was validated either:

• Quarterly with review after each configuration change.

• Quarterly with review …
Added p. 155
• Identification of security alerts⎯e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT).

• Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components.

• Inventory of current systems in the environment including information about installed software components and running services.

Examine policies and procedures documentation to verify coverage of:

• Inventory of current systems in the environment including information about installed software components and about running services.

Interview personnel to ensure procedures are known and followed.

Deploy anti-virus software on all systems potentially affected by malicious software⎯e.g., personal computers and servers.

Examine a sample of system components potentially affected by malicious software to verify that anti-virus software is deployed.

Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.

Examine a sample of system components to verify that:

• Anti-virus software is present and running.

• Activity logs are generated.

Check …
Added p. 156
C.5.6.1 Remote Connection Methods

A managed vendor facility security system can only be connected to the SOC.

Note: A managed vendor facility is not permitted to be connected to the security system of another managed vendor facility.

Examine network topology diagrams to verify that only a managed vendor facility can be connected to the SOC.

Event Monitoring:

• Where a SOC is used for Event Monitoring, the SOC will be connected to the managed vendor facility security system and where applicable, to another SOC or SOCs of the same operational type using HTTPS/TLS secure communications.

• System administration of the managed vendor facility’s security system is not permitted over this type of remote connection.

Examine policies and procedures to verify that remote access is NOT permitted for the administration of the managed vendor facility’s security system.

Administration Services:

• Administration Services can be managed from a SOC or a location that meets the requirements of a Security …
Added p. 157
Examine policies and procedures to verify that remote access is permitted only for the administration of the network or system components.

Examine a sample of users with remote access to verify such access is permitted only for the administration of the network or system components.

Remote access for administration services is permitted only from pre-determined and authorized locations using vendor-approved systems.

Examine a sample of remote access system configurations and access logs to verify access is accepted only from pre-determined and authorized locations using vendor-approved systems.

Access using personally owned hardware is prohibited.

Examine policies and procedures to verify that remote access using a personally owned device is prohibited.

Examine a sample of remote access system configurations and access logs to verify that remote access from personally owned devices is not permitted.

Remote access is not permitted where qualified personnel are temporarily off-site and remote access is a convenience.

Examine policies and procedures to verify that remote …
Added p. 158
iii. Ensure remote changes comply with change-management requirements as outlined in Section C.6.13, “Change Management.”

Remote changes comply with change-management requirements as outlined in Section C.6.13, “Change Management.”

iv. Ensure that all remote access locations are included in the facility assessment and meet these requirements.

All remote access locations are included in the facility’s compliance assessment and meet these requirements.

v. Be able to provide evidence of compliance validation for any remote access location.

The vendor is able to provide evidence of compliance validation for any remote access location.

vi. Ensure that non-vendor staff performing remote administration maintain liability insurance to cover potential losses.

All personnel performing remote administration must meet the same pre-screening qualification requirements as employees working in high-security areas.

Interview a sample of non-vendor staff performing remote administration and verify that they maintain liability insurance to cover potential losses.

Examine policies and procedures to verify that personnel performing remote administration must meet the same …
Added p. 159
Examine a sample of VPN configuration files and change-control settings to verify they are protected from unauthorized modifications using mechanisms such as digital signatures and checksums.

Multi-factor authentication must be used for all VPN connections.

Examine a sample of VPN system documentation and configuration settings to verify multi-factor authentication is used for VPN connections.

Observe a sample of VPN access processes to verify multi-factor authentication is used.

Access must be declined after three consecutive unsuccessful access attempts.

Examine a sample of system component configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than three consecutive invalid logon attempts.

Access counters may only be reset by an authorized individual after user validation by another authorized individual.

Examine documentation for access counter resets to verify that it is only reset by an authorized individual after user validation by another authorized individual.

The connection must time out within five …
Added p. 160
C.5.7.1 PCI CP Certified Vendor Location, external to the SOC

IT Equipment that manages the SOC must be:

• Housed within a facility certified to the PCI Card Production and Provisioning Standard.

• Housed within a location that meets the requirements defined for a Security Control Room within the PCI Card Production and Provisioning Physical Security Requirements.

Examine documentation to verify that IT Equipment that manages the SOC is:

• Housed within a facility certified to the PCI Card Production and Provisioning Standard and is housed within a location that meets the requirements defined for a Security Control Room within the PCI Card Production and Provisioning …
Added p. 161
Implement a documented policy regarding wireless communications and clearly communicate this policy to all employees.

Examine usage policies to verify that they address wireless communications.

Interview a sample of personnel and validate that the policy is clearly communicated to all card production staff.

Identify, analyze, and document all connections. Analysis must include purpose, risk assessment, and action to be taken.

Examine a sample of connections to verify that connections are identified, analyzed, and documented including purpose, risk assessment, and action to be taken.

Use a wireless intrusion-detection system (WIDS) capable of detecting hidden and spoofed networks for all authorized wireless networks.

Examine output from recent wireless scans to verify that, at a minimum:

• The scan is performed for all wireless networks.

• Hidden and spoofed networks can be detected.

When using a wireless network, use the WIDS to conduct random scans within the SOC environments at least monthly to detect rogue and hidden wireless networks.

Examine output from recent …
Added p. 162
Default SSID must be changed upon installation and must be at least 8 characters.

Examine vendor documentation to verify that default SSIDs are not used and new passwords are at least 8 characters.

Observe a sample, with the system administrator’s help, to verify that default SSIDs have been changed and the new passwords are at least 8 characters.

A log of media access-control addresses and associated devices (including make, model, owner, and reason for access) must be maintained, and a check of authorized media access-control addresses on the access point (AP) must be conducted at least quarterly.

Examine a sample of logs of media access-control addresses and associated devices to verify they include at least the make, model, owner, and reason for access.

Interview personnel to verify that a check of authorized media access-control addresses on the access point (AP) is conducted at least quarterly.

Examine a sample of scan reports and verify that checks …
Added p. 163
Examine the vendor’s policies and procedures for removable media documentation to verify it exists and includes devices such as laptops, mobile devices, USB devices, tapes, and disks.

All removable media⎯e.g., USB devices, tapes, disks⎯within the SOC must be clearly labelled with a unique identifier and the data classification.

Observe a sample of removable media within the HSA to verify it is clearly labeled with a unique identifier and data classification.

All removable media must be securely stored, controlled, and tracked.

Observe the removable media storage location to verify the area is secure.

Examine the removable media check-in/out process to verify an audit trail is maintained and that it provides an accurate record of media possession.

All removable media within the SOC must be in the custody of an authorized individual, and that individual must not have the ability to decrypt any sensitive or confidential data contained within that media.

Examine a sample of checked-out, removable media within …
Added p. 164
Examine evidence that media containing secret or confidential data is destroyed in a manner that makes it impossible to recover the data.

C.5.10 Security Testing and Monitoring

C.5.10.1 Vulnerability

The vendor must:

Perform quarterly external network vulnerability scans using an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).

Examine policies and procedures to verify that quarterly external network vulnerability scans using an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC) are required.

Examine a sample of external vulnerability scans and verify that quarterly external vulnerability scans occurred in the most recent 12-month period and were completed by a PCI SSC Approved Scanning Vendor (ASV).

Perform internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system-component installations, changes in network topology, firewall-rule modifications, product upgrades). Scans after changes may be performed …
Added p. 165
Perform internal and external penetration tests at least once a year and after any significant infrastructure changes.

Examine policies and procedures to verify that internal and external penetration tests are performed at least once a year and after any significant infrastructure changes.

Examine the most recent internal and external penetration tests to verify that the following requirements, at a minimum, were met:

i. The internal penetration test must not be performed remotely.

The internal penetration test was not performed remotely.

ii. Penetration tests must be performed on the network layer and include all SOC network components as well as operating systems.

Penetration tests were performed on the network layer and included all personalization network components as well as operating systems.

Penetration tests must be performed on the application layer and must include:

• Injection flaws⎯e.g., SQL injection

• Insecure cryptographic storage

• Improper error handling

• All other discovered network vulnerabilities

Penetration tests were …
Added p. 166
Use intrusion-detection systems (IDS) for network traffic analysis.

IDS may be implemented as part of an intrusion-prevention system (IPS) if an IPS is used. These must be deployed, managed, and maintained across the vendor networks not only for intrusion detection and prevention but also to monitor all SOC network traffic.

Examine policies and procedures to verify that intrusion-detection systems are in place to monitor all traffic across the vendor networks, including traffic generated by machines within the perimeter and all SOC network traffic.

Examine a sample of system configurations and network diagrams to verify that intrusion-detection systems are in place to monitor all traffic across the vendor networks, including traffic generated by machines within the perimeter and all SOC network traffic.

Ensure the IDS alerts personnel to suspicious activity in real time.

Interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises in real time.

Examine a sample of records to verify the IDS alerts personnel to …
Added p. 167
Examine a sample of changes to network and system components to verify changes follow the documented change-management process.

Examine documentation and supporting evidence to verify that the change-management process is validated at least every 12 months.

Ensure all changes are approved by the CISO or authorized individual prior to deployment.

Examine a sample of changes to network and system components to verify changes were approved by the CISO or authorized individual before deployment.

Ensure that the change-management process includes procedures for emergency changes.

Interview personnel and review documentation to verify that the change-management process includes procedures for emergency changes.

Examine a sample (if applicable) of emergency changes to verify they followed procedures.

Implement version identification and control for all software and documentation.

Examine documentation to verify the organization’s change-management policies and procedures include requirements for version control and identification.

Ensure that the version identification is updated when a change is released or published.

Examine documentation to verify that version identification …
Added p. 168
Examine documentation to verify that processes are defined to identify new security vulnerabilities and obtain security patches from appropriate software vendors.

Ensure that secure configuration standards are established for all system components.

Ensure that the configuration standards include system hardening by removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

Examine configuration standards and verify there are requirements to remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

Ensure that the configuration of all system components associated with data transmission, storage, and SOC activities is validated against the authorized configuration monthly.

Examine documentation to verify all system components associated with data transmission, storage, and personalization are validated against the authorized configuration monthly.

Ensure all systems used in support of the SOC networks are actively supported in the form of regular updates.

Examine documentation to verify that all systems used in support of the …
Added p. 169
Examine policies and procedures related to security-patch installation to verify processes are defined for installation of critical patches to Internet-facing system components within 7 business days of release.

Examine a sample of Internet-facing system components and compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify that:

• Applicable, critical vendor-supplied security patches are installed within 7 days of release. OR

• Supporting documentation is in place recording that the CISO, IT security manager, and IT director understand and accept the risk and ensure implementation occurs within 30 business days.
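The two-branch rule above (7 days from release, or 30 business days with a documented risk acceptance signed by the CISO, IT security manager and IT director) is easy to misapply when tabulating a sample by hand. The following Python script is an added example, not part of the PCI document: it classifies constructed patch records against that rule. Hostnames, patch identifiers and dates are hypothetical, and the business-day count ignores public holidays because the vendor's holiday calendar is not something the page provides.

```python
"""Patch-timing assessment for Internet-facing components (added example, not from the PCI document)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# The three sign-offs the requirement names for accepting the risk of a late patch.
REQUIRED_APPROVERS: FrozenSet[str] = frozenset({"CISO", "IT security manager", "IT director"})
PATCH_WINDOW_DAYS = 7             # critical patch installed within 7 days of release
ACCEPTED_RISK_BUSINESS_DAYS = 30  # with documented risk acceptance: 30 business days


def business_days_between(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end`.

    Assumption: public holidays are ignored (the vendor's calendar is not on the page),
    so this counts Monday to Friday only.
    """
    count = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


@dataclass(frozen=True)
class PatchRecord:
    component: str
    patch_id: str
    released: date
    installed: Optional[date]                       # None = not yet installed
    risk_accepted_by: FrozenSet[str] = frozenset()  # roles that signed the risk acceptance


def assess(rec: PatchRecord, today: date) -> str:
    """Classify one record.

    'compliant'     installed within 7 calendar days of release
    'accepted-risk' installed later, but all three sign-offs are on file and
                    installation happened within 30 business days
    'pending'       not installed yet, but still inside the applicable window
    'non-compliant' everything else
    """
    end = rec.installed or today
    if (end - rec.released).days <= PATCH_WINDOW_DAYS:
        return "compliant" if rec.installed else "pending"
    if REQUIRED_APPROVERS <= rec.risk_accepted_by:
        if business_days_between(rec.released, end) <= ACCEPTED_RISK_BUSINESS_DAYS:
            return "accepted-risk" if rec.installed else "pending"
    return "non-compliant"


def assess_sample(records: List[PatchRecord], today: date) -> Dict[str, str]:
    """Map 'component/patch_id' to its status, the way an assessor tabulates a sample."""
    return {f"{r.component}/{r.patch_id}": assess(r, today) for r in records}


# Constructed sample: hypothetical hosts and patch identifiers, not real advisories.
ALL_THREE = frozenset({"CISO", "IT security manager", "IT director"})
SAMPLE = [
    PatchRecord("web-dmz-01", "KB-A", date(2024, 3, 1), date(2024, 3, 6)),
    PatchRecord("web-dmz-02", "KB-A", date(2024, 3, 1), date(2024, 3, 20), ALL_THREE),
    PatchRecord("vpn-gw-01", "KB-A", date(2024, 3, 1), date(2024, 3, 20), frozenset({"CISO"})),
    PatchRecord("web-dmz-03", "KB-B", date(2024, 3, 26), None),
    PatchRecord("mail-relay-01", "KB-C", date(2024, 2, 1), None),
]
REFERENCE_DATE = date(2024, 3, 29)  # assumed date of the assessment


def demo_results() -> Dict[str, str]:
    return assess_sample(SAMPLE, REFERENCE_DATE)


if __name__ == "__main__":
    for key, status in demo_results().items():
        print(f"{key:22} {status}")
```

A record with only one of the three sign-offs is reported as non-compliant even though it was installed within 30 business days; a patch that is not installed but still within its window is reported as pending rather than compliant, so it stays on the assessor's follow-up list.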

Ensure that emergency hardware and software implementations comply with the procedures and validation requirements established for emergency implementations.

Examine the documented procedures for emergency hardware and software implementation.

Examine a sample of emergency hardware and software changes to verify they follow documented procedures.

Ensure that emergency hardware and software implementations follow the configuration and patch management requirements …
Added p. 170
• Changes in access privileges

Examine the audit logs to ensure they contain the required components.

Ensure that procedures are documented and followed for audit log review and reporting of unusual activity. Log reviews may be automated or manual and must include authentication, authorization, and directory servers. At a minimum, log review frequency must adhere to the following:

• Immediate (real time) response to threats designated as alerts for high risk associated events

• Daily review of IDS and IPS systems

• Weekly review for wireless access points and authentication servers

• Monthly review for routers

• Monthly review of user account audit logs for databases, application, and operating systems.

Examine policies and procedures to verify that procedures are defined for reviewing and reporting of unusual activity and include requirements for log frequency as stated in the requirement.

Examine a sample of each log type and frequency and obtain evidence that log review …
Added p. 171
Examine logs for critical systems to:

• Verify that logs are securely backed up daily.

• Verify that logs are accessible online for at least three months.

• Verify that logs are retained offline for one year.

For both online and backed-up audit logs, review relevant security controls to ensure access is appropriate.

Protect and maintain the integrity of the audit logs from any form of modification.

Examine relevant security controls for both online and backed-up audit logs to ensure the ability to modify or delete audit logs is prohibited.
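Access controls alone show that modification of stored logs is prohibited; they do not show an assessor that a backed-up log is the log that was written. The following Python block is an added example, not part of the PCI document: it chains audit records with keyed HMAC tags so that editing, inserting or deleting a record inside the chain is detected, and shows why the most recent tag must be anchored off the log host to catch truncation of the newest records. The log lines, hosts, user names and the key are all constructed for the example.

```python
"""Tamper-evident audit-log chain (added example, not from the PCI document)."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev-tag of the first record


def _tag(key: bytes, seq: int, prev: str, entry: str) -> str:
    # The entry is the last field, so a '|' inside the log line cannot shift fields.
    msg = f"{seq}|{prev}|{entry}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(lines: List[str], key: bytes) -> List[Dict]:
    """Wrap raw log lines into records chained by keyed HMAC tags."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines, start=1):
        tag = _tag(key, seq, prev, line)
        records.append({"seq": seq, "prev": prev, "entry": line, "tag": tag})
        prev = tag
    return records


def verify_chain(records: List[Dict], key: bytes,
                 expected_last_tag: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, position of the first bad record).

    Modification, insertion or deletion inside the chain breaks a tag or a prev link.
    Silent removal of the newest records does not: that is only caught when the latest
    tag was anchored somewhere the log writer cannot alter (passed as expected_last_tag).
    """
    prev = GENESIS
    for pos, rec in enumerate(records, start=1):
        if rec["seq"] != pos or rec["prev"] != prev:
            return False, pos
        expect = _tag(key, rec["seq"], rec["prev"], rec["entry"])
        if not hmac.compare_digest(rec["tag"], expect):
            return False, pos
        prev = rec["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(records) + 1
    return True, None


# Constructed sample entries (hypothetical hosts, users and times).
SAMPLE_LINES = [
    "2024-03-29T08:00:01Z auth-01 sshd: Accepted publickey for alice from 10.20.0.5",
    "2024-03-29T08:02:14Z dir-01 ldap: MODIFY cn=alice,ou=people: memberOf += cn=soc-admins",
    "2024-03-29T08:02:50Z auth-01 sudo: alice : COMMAND=/usr/sbin/useradd svc_tmp",
    "2024-03-29T08:05:33Z auth-01 sshd: Failed password for root from 203.0.113.7",
]
DEMO_KEY = b"constructed-demo-key-keep-it-off-the-log-host"  # assumption: held by the SOC, not the log writer


def tamper_scenarios(key: bytes = DEMO_KEY) -> Dict[str, Tuple[bool, Optional[int]]]:
    """What the verifier reports for an intact, edited, thinned and truncated log."""
    good = build_chain(SAMPLE_LINES, key)
    anchor = good[-1]["tag"]  # would be sent off-host with the daily backup

    edited = [dict(r) for r in good]
    edited[1]["entry"] = edited[1]["entry"].replace("soc-admins", "helpdesk")

    deleted = [dict(r) for r in good if r["seq"] != 2]  # hide the privilege change
    truncated = [dict(r) for r in good[:-1]]            # drop the newest record

    return {
        "intact": verify_chain(good, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated_unanchored": verify_chain(truncated, key),
        "truncated_anchored": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:22} {result}")
```

The key must not be readable by the account that writes the log, otherwise an attacker with that access can simply re-chain the edited file; in practice the verifier runs on the backup copy, with the anchor tag recorded where the log host cannot reach it.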

Implement a security-incident and event-logging framework for its organization.

Examine documentation to ensure existence of an incident-response process. Interview personnel to verify they are aware of their security-incident and event-logging framework.

Examine log entries to verify framework is active and in use.

C.5.15 Backup and Recovery for SOC Networks

The backup and recovery procedures for SOC environments must be documented.

Examine documentation to verify existence of procedures supporting the backup and …
Added p. 172
Examine existing security controls to verify they prohibit the creation of unauthorized backups.

If the recovery procedures include an alternate processing site, the alternate site must be VPA-approved for SOC activities before any SOC activity service may begin at the alternate site.

Interview personnel and review documentation to identify alternate processing sites.

Examine documentation to verify that the alternate site has been VPA-approved to perform provisioning services before the provisioning occurs.

C.6 Software Design and Development

Requirement Test Procedure

C.6.1 General

The vendor must:

Document the design, development, and maintenance processes.

Examine documentation of design, development, and maintenance processes to verify existence.

Ensure these activities are based on industry standards and security is an integral part of the software lifecycle process. Web applications must be developed based on secure coding guidelines such as the OWASP Guide, SANS CWE Top 25, and CERT Secure Coding.

• The software life cycle process aligns with industry standards; and

• Web application …
Added p. 173
Ensure access to source code for applications used on the SOC network is restricted to authorized personnel only.

Interview personnel to identify locations of application source code.

Examine system configuration and access-control lists to identify users and processes that have access to source code components.

Examine approval records to ensure access to source code was authorized.

Ensure separation of duties exists between the staff assigned to the development environment and those assigned to the SOC environment.

Examine policies and procedures to verify a separation of duties between personnel assigned to the development/test environments and those assigned to the SOC environment.

Examine access-control settings to verify that access controls are in place to enforce separation of personnel assigned to the development/test environments and the SOC environment(s).

Ensure that software source code is restricted to only authorized staff. Staff access of source …
Added p. 174
Examine policies/procedures to identify testing processes for internally developed software.

Examine documentation to verify it addresses removing temporary code, hard-coded keys, and suspicious code.

Examine a sample of recent internally developed software updates and verify steps to remove temporary code, hard-coded keys, and suspicious code were performed.

Ensure all software implementation complies with Section C.6.13, “Change Management.”

Examine a sample of recent software updates to verify they comply with Section C.6.13, “Change Management.”

Test software prior to implementation to ensure correct operation.

Examine a sample of recent software updates and verify evidence exists that testing software prior to implementation was performed.

All testing must be done on a dedicated test environment.

Interview personnel to identify the controls in place to prevent debugging in the production environment.

Examine policies/procedures to verify they address prevention of debugging within production environment.

Test and live environments must be segregated.

Examine policies and procedures to verify that test and live environments …
Added p. 175
Ensure that procedures are documented and followed by security personnel responsible for granting access to vendor’s networks, applications, and information.

Interview personnel to identify those authorized to perform and processes followed for granting access to vendor’s network, applications, and information.

Examine documented procedures to ensure they address granting access to vendor’s networks, applications, and information.

Examine a sample of recent access requests to verify they were processed by authorized personnel and in accordance with documented procedures.

Restrict approval and level of access to staff with documented business need before access is granted. At a minimum, documented approvals must be retained while the account is active.

Examine policies/procedures to ensure they address that:

• Approval and level of access must be restricted to those with a documented business need before access is granted; and

• Documented approvals of access in place must be retained while the account is active.

Restrict systems access by unique user ID to only those …
Added p. 176
Interview management to understand the minimum number of administrative user resources required to support the personalization environment.

Examine user ID lists and security privileges to identify users with administrative access and verify the number of users with administrative access aligns with management’s expectations.

Ensure that group, shared, and generic accounts and passwords are disabled wherever the system supports unique values.

Examine policies/procedures to verify they require that group, shared, and generic accounts and passwords are disabled wherever the system supports unique values.

Examine a sample of system components and user ID lists to verify group, shared, and generic accounts and passwords are disabled.

Ensure that where generic administrative accounts cannot be disabled, these accounts are used only when unique administrator sign-on credentials are not possible and only in an emergency.

Interview system administration personnel to identify existence of generic accounts and how their usage is controlled.

Examine policies/procedures for the management of generic administrative accounts that cannot …
Added p. 177
Interview personnel to identify controls that limit privileged or administrative access.

Examine access-control settings to ensure access conforms to stated policies.

Examine a sample of administrative-access requests and verify access was approved by the user’s manager and IT Security Manager.

Establish management oversight of privileged access to ensure compliance with segregation of duties.

Interview personnel to identify controls that provide oversight of privileged access and compliance with segregation of duties policies.

Examine policies/procedures to verify they require oversight of privileged access that ensures compliance with segregation of duties.

Examine evidence (e.g., audit logs) to verify management oversight is performed.

Ensure that all privileged administrative access is logged and reviewed weekly.

Examine policies/procedures to verify that they require weekly review of privileged administrative access.

Examine evidence (e.g., access logs) to verify reviews are performed according to policies and procedures.

C.7.2 Password Control

C.7.2.1 General

The vendor must:

Implement a policy and detailed procedures relating to the generation, use, renewal, and distribution of passwords.

Examine policy and detailed …
Added p. 178
Examine procedures for managing user IDs and verify that only users with administrative privileges can administer user passwords.

Observe a sample of user password resets and verify only users with administrative privileges can perform a reset.

Not store passwords in clear text.

Examine system documentation and configuration settings to verify that passwords are not stored in clear text.

Examine a sample of system components and their password files to verify that passwords are unreadable during storage.

Change all default passwords.

Examine a sample of system components and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)

C.7.2.2 Characteristics and Usage

The vendor must ensure that:

Systems are configured so that newly issued and reset passwords are set to a unique …
Added p. 179
• Special characters

Examine the system configuration settings for a sample of system components to verify that user passwords are set to require at least the following strength/complexity:

• Special characters

Passwords are not the same as user IDs.

Examine the system configuration settings for a sample of system components to verify passwords cannot be the same as the user ID.

Passwords are not displayed during entry. Observe authentication procedures for entering a password and verify the password is not displayed as it is entered.

Passwords are encrypted during transmission and rendered unreadable when stored.

Examine password configurations to verify passwords are encrypted during transmission and rendered unreadable when stored.

Examine a sample of passwords in transit and in storage to verify password values are not in clear text.

Passwords have a maximum life not to exceed 90 days and a minimum life of at least one day.

Examine the system configuration settings for a sample of …
Added p. 180
Examine the system configuration settings for a sample of system components to verify that system/session inactivity time out has been set to 15 minutes or less.

Observe a user session to verify the user is logged out after 15 minutes, if the system does not permit session locking.

C.7.2.4 Account Locking

Accounts that have been inactive for a specified period (with a maximum of 90 days) must be removed from the system.

Examine user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.

Systems must enforce the locking of a user account after a maximum of six unsuccessful authentication attempts.

Examine the system configuration settings for a sample of system components to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.

Examine documented procedures to verify that accounts can only be unlocked by either the security …
Added p. 181
• Application

Examine the system configuration settings and audit logs for a sample of system components to verify that lock-out activity is logged.

Examine documented procedures to verify access logs are reviewed at least weekly to identify suspicious activity.
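The storage, age and inactivity tests in C.7.2.1 through C.7.2.4 (passwords unreadable in storage, maximum life of 90 days, minimum life of one day, inactive accounts removed or disabled after 90 days) can be checked mechanically on a Unix-style component from its shadow file plus last-login data. The following Python audit is an added example, not part of the PCI document; the shadow records, hash placeholders, user names and last-login days are constructed, the reference day 19811 is assumed to be 2024-03-29, and the set of crypt(3) identifiers treated as acceptable is this example's choice.

```python
"""Account and password-storage audit over /etc/shadow-style records (added example, not from the PCI document)."""
import re
from typing import Dict, List, Optional

# crypt(3) identifiers accepted here as salted, slow hashes: sha256/sha512-crypt,
# yescrypt, scrypt, bcrypt, argon2. Anything else (clear text, DES, $1$ MD5-crypt) is flagged.
HASHED = re.compile(r"^\$(5|6|y|7|2[aby]|argon2id?)\$")
MAX_AGE_DAYS = 90       # maximum password life
MIN_AGE_DAYS = 1        # minimum password life
INACTIVITY_DAYS = 90    # inactive accounts must be removed or disabled


def audit_shadow_line(line: str, last_login_day: Optional[int], today_day: int) -> List[str]:
    """Findings for one shadow record; an empty list means the account passes.

    Days are counted since 1970-01-01, as in the shadow file itself. The last-login day
    is not in shadow, so the caller supplies it (from lastlog/wtmp or an equivalent source).
    """
    f = line.rstrip("\n").split(":")
    if len(f) < 5:
        return ["malformed-record"]
    pw, lastchg, min_age, max_age = f[1], f[2], f[3], f[4]
    if pw == "":
        return ["empty-password"]
    if pw.startswith(("!", "*")):
        return []  # locked/disabled: already in the state the inactivity rule requires
    findings: List[str] = []
    if not HASHED.match(pw):
        findings.append("not-hashed-or-weak-hash")
    if min_age == "" or int(min_age) < MIN_AGE_DAYS:
        findings.append("min-age<1d")
    if max_age == "" or int(max_age) > MAX_AGE_DAYS:
        findings.append("max-age>90d")
    if lastchg != "" and today_day - int(lastchg) > MAX_AGE_DAYS:
        findings.append("password-older-than-90d")
    if last_login_day is not None and today_day - last_login_day > INACTIVITY_DAYS:
        findings.append("inactive>90d")
    return findings


def audit_shadow(shadow_text: str, last_logins: Dict[str, int], today_day: int) -> Dict[str, List[str]]:
    """Audit every record in a shadow file; returns {username: findings}."""
    report: Dict[str, List[str]] = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name = line.split(":", 1)[0]
        report[name] = audit_shadow_line(line, last_logins.get(name), today_day)
    return report


# Constructed sample. Day 19811 is assumed to be 2024-03-29; hash fields are placeholders.
TODAY = 19811
SAMPLE_SHADOW = """\
alice:$6$rounds=5000$c0nstructed$Qx9placeholder:19781:1:90:7:::
bob:$6$c0nstructed$Ab3placeholder:19700:0:365:7:::
svc_print:Printer2024:19781:1:90:7:::
carol:$y$j9T$c0nstructed$Zz1placeholder:19781:1:90:7:::
dave:!:19000:1:90:7:::
"""
# Constructed last-login days; 'dave' has none recorded.
SAMPLE_LAST_LOGIN = {"alice": 19806, "bob": 19810, "svc_print": 19809, "carol": 19690}


if __name__ == "__main__":
    for user, findings in audit_shadow(SAMPLE_SHADOW, SAMPLE_LAST_LOGIN, TODAY).items():
        print(f"{user:10} {findings or 'ok'}")
```

The service account with a literal password in the hash field fails the storage test even though its ageing parameters are correct; the account with a 365-day maximum life fails both on configuration and on the actual age of its current password, which is the distinction the two test procedures above draw between configuration settings and observed state.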

C.8 Continuity of Service

Requirement Test Procedure

C.8.1 General Requirements

The vendor must have a documented contingency plan to guarantee the continuation of service provided by the SOC and each defined managed vendor facility.

Examine documentation to verify existence of a contingency plan to provide for the continuation of service provided by the SOC and each defined managed vendor facility.

SOC and defined managed vendor facilities data must be backed up for recovery purposes in case of critical business interruption.

Examine documentation to verify that SOC and defined managed vendor facilities data are backed up for recovery purposes in case of critical business interruption.

Interview personnel to verify that data backup occurs as defined in the …
Added p. 182
Examine documentation to verify that each SOC location has auxiliary power or battery backup system to ensure all associated equipment used by the SOC is fully supported at all times.

Recovery point objectives must be defined as part of SLAs to ensure minimal data loss at the SOC. Source data at the local site remain subject to the current requirements.

Examine documentation to verify that recovery point objectives are defined as part of SLAs to ensure minimal data loss at SOC.

C.8.3 Performance Testing

Each SOC must test quarterly to ensure that the level of resilience and redundancy is adequate to ensure continued operation in support of the defined managed vendor facilities. The testing must include, but is not limited to:

• Application performance when switched between SOCs and/or the defined managed vendor facilities.

• Hardware performance to ensure appropriate levels of …
Added p. 183
Examine documentation to verify that each reported issue is categorized and suitable timescales are applied, as defined in the vendor policies.

The Corporate Security Director must review each report on completion.

Interview personnel to verify the Corporate Security Director reviews each report upon completion.
Added p. 185
f) Hologram and signature panel hot stamping

Card Production Staff Employees and contractors of the Card Vendor.
Added p. 186
Dual Control A process of utilizing two or more separate persons operating together to protect sensitive functions or information whereby no single person is able to access or utilize the materials (e.g., a cryptographic key).
Added p. 187
1. Unauthorized access attempts

2. Access attempts results

3. Anti-pass-back violations

4. Door open too long alarm

6. Occupancy violations

b) Occupancy is greater than or equal to one, with no motion detected within 15 or fewer minutes

c) Motion detected when occupancy equals zero

d) Motion detected inside the inner room of the loading bay when both intermediate and inner doors are closed

7. Duress Alarm activation

8. 24/7 monitored Intruder alarm device activation

9. Activations from managed vendor facilities where Intruder Alarm Systems

10. Intruder alarm system not set or unset within a scheduled time

11. Fire alarm activation

12. Auxiliary power or battery backup system is invoked

13. CCTV involuntary or voluntary disconnection

Event Management Management of all security system events from any managed vendor facility under the SOC's responsibility.

Facility Facility includes external and internal structures subject to the requirements of Section 2, “Facilities,” even if the vendor is leasing the space.

Investigation room Location for thorough event investigation and for non-SOC …
Added p. 189
Physical Security Manager Manager designated with the overall responsibility for physical security for the card production and provisioning facility. The physical security manager must not report to the production manager or director. There must also be a nominated deputy physical security manager to cover when the physical security manager is not on site.

Public Network Network established and operated by a third-party telecommunications provider for the specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks include, but are not limited to:

• Wireless technologies, including 802.11 and Bluetooth,

• Cellular technologies, for example, Global System for Mobile Communications (GSM), code division multiple access (CDMA),

• General Packet Radio Service (GPRS),

• Satellite communications.

Security Manager See Physical Security Manager.

Security Management System (SMS) Command and control software to manage all managed vendor facility security systems.

Security Operation Center (SOC) High-security …
Modified p. 1
Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements Version 2.0
Payment Card Industry (PCI) Card Production and Provisioning Physical Security Requirements and Test Procedures Version 3.0
Modified p. 3 → 2
December 2012 1.x PCI RFC version
December 2012 1.x RFC version
Modified p. 3 → 2
May 2013 1.0 PCI Initial Release
May 2013 1.0 Initial Release
Modified p. 3 → 2
March 2015 1.1 PCI Enhancements for clarification
March 2015 1.1 Enhancements for clarification
Modified p. 3 → 2
July 2016 2.x PCI RFC version
July 2016 2.x RFC version
Removed p. 7
Unless prohibited by law, all entities undertaking any or all of the above activities must adopt the security control procedures and security devices specified in this manual as the minimum requirements accepted by the founding payment brands of PCI. Entities may adopt additional security controls as they deem appropriate, provided they are in addition to and enhance the procedures set forth in this manual.
Modified p. 7
Card Manufacturing; Chip embedding; Personalization; Shipping or delivery; Fulfillment. In addition to the card production activities above, this document defines the physical security requirements for entities that:
Fulfillment In addition to the card production activities above this document defines the physical security requirements and test procedures for entities that:
Modified p. 7
Perform cloud-based or secure element (SE) provisioning services; Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or Manage associated cryptographic keys.
Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or
Modified p. 7
It does not apply to providers who are only performing the distribution of secure elements. Requirements for logical security for personalization are not included in this manual, but can be found in a separate document, Payment Card Industry (PCI) Card Production and Provisioning Logical Security Requirements.
It does not apply to providers who are only performing the distribution of secure elements.
Modified p. 7
Appendix A: Applicability of Requirements makes further refinement at the requirement level for physical cards and mobile provisioning.
Appendix A, “Applicability of Requirements,” makes further refinement at the requirement level for physical cards and mobile provisioning.
Modified p. 7
Alt the individual payment brands; and the payment brand(s) of interest should be contacted for the applicability of these requirements to any card production or provisioning activity.
Although this document frequently states “vendor,” the specific applicability of these requirements is up to the individual payment brands; and the payment brand(s) of interest should be contacted for the applicability of these requirements to any card production or provisioning activity.
Removed p. 9
- Background check results

- Verification of aliases (when applicable)

- List of previous employers and referral follow-up results

- Social security number or appropriate national identification number

- Signed document confirming that the employee has read and understands

- Fingerprints and results of search against national and regional criminal records
Modified p. 9 → 10
d) Guards (internal or external) 2.1.2 Applicant/Employee Background Information Retention The vendor must retain all applicant and employee background information on file for at least 18 months after termination of the contract of employment. This information must be available for the inspector during site security reviews.
a) The vendor must retain all personnel’s background information on file for at least 18 months after termination of the contract of employment.
Modified p. 9 → 10
a) The vendor must use employment application forms that include the following detail relating to past:
o D s.
o List of their previous addresses or residences for the last seven years
o Previous employers for the last seven years
o Applicants must satisfactorily explain gaps in employment.
a) The vendor must use employment application forms that include the following detail relating to the applicant’s past:
Modified p. 9 → 10
b) The vendor must maintain a personnel file for each employee that includes but is not limited to the following information:
o Gathered as part of the hiring process:
b) The vendor must maintain a personnel file for each individual listed in Section 1.1.2 that includes but is not limited to the following information:
Removed p. 10
c) Upon termination effective date of the employee the security manager or designated representative must:
o Deactivate all access rights.
o Recover the photo ID badge.
o Change all applicable vault combinations and other applicable access codes known to or utilized by employee.
o Recover all company property used in association with card production or provisioning.
o Verify completion of the employee termination checklist activities, below.
Modified p. 10 → 11
- Current photograph, updated at least every three years
Current photograph, updated at least every three years
Modified p. 10 → 11
- Record of any arrests or convictions, updated annually
Record of any arrests or convictions, updated annually
Modified p. 10 → 11
- Annual credit checks
Annual credit checks
Modified p. 10 → 11
c) These files must be available to the security inspectors during site reviews.
c) These files must be available to the security inspectors during site reviews. See above.
Modified p. 10 → 11
a) The security manager prior to the change taking effect.
a) The physical security manager is notified in writing of any personnel’s expected job change prior to the change taking effect.
Modified p. 10 → 11
b) The security manager adapts the access control to restricted areas within one business day.
b) The physical security manager must adapt the access control to restricted areas within one business day.
Modified p. 10 → 11
c) Where necessary, all combinations and other applicable access codes known to or utilized by employee are changed.
c) Where necessary, all combinations and other applicable access codes known to or utilized by the individual are changed.
Modified p. 10 → 12
a) If termination of employment is a planned event, the security manager must be notified in writing prior to termination.
a) If termination of employment is a planned event, the physical security manager must be notified in writing prior to termination.
Modified p. 10 → 12
b) If termination of employment is an unscheduled event, the security manager must be notified in writing as soon as the decision is made.
b) If termination of employment is an unscheduled event⎯e.g., termination or extended medical leave⎯the physical security manager must be notified in writing as soon as the decision is made.
Modified p. 10 → 12
a) Disable or remove computer user IDs and passwords from all applicable systems.
a) Disable or remove the individual’s computer user IDs and passwords from all applicable systems.
Modified p. 10 → 12
b) Retrieve all software programs and documentation distributed to employee.
b) Retrieve all software programs and documentation distributed to the individual.
Removed p. 11
c) Disable access to computer data and applications.

e) badge and photo identification and deactivate employee access to the facility.

The security manual must include the following sections:
o Administration
o Security requirements and guidelines
o Procedures that employees must follow while working in the secure facility
o Specific requirements as they pertain to the cloud-based provisioning platforms and systems
Modified p. 11 → 12
f) Change all applicable vault combinations and other applicable access codes known to or utilized by employee.
Change all applicable vault combinations and other applicable access codes known to or utilized by individual.
Modified p. 11 → 13
d) Retrieve all company keys distributed to employee.
d) Retrieve all company keys, badges, and company photo identification distributed to the individual.
Modified p. 11 → 13
a) Designating an individual (e.g., the CISO) responsible for all security matters and concerns, reporting to a senior company executive.
a) Designating an individual (e.g., the CISO) responsible for all security matters and concerns, reporting to a senior company executive.
Modified p. 11 → 13
b) Ensuring that individuals performing or managing tasks requiring access to card components or data or support the cloud-based provisioning processes and/or environment have a signed employment agreement with the vendor. The agreement includes stipulating that the employee complies with company policies and rules.
b) Ensuring that individuals performing or managing tasks requiring access to card components or data or support the cloud-based provisioning processes and/or environment have a signed employment agreement with the vendor. The agreement includes stipulating that the card production staff complies with company policies and rules.
Modified p. 11 → 13
c) Providing a copy of internal security manual to all employees and security personnel.
c) Providing a copy of vendor’s internal security manual to all card production staff and security personnel.
Modified p. 11 → 14
d) Evidence of positive affirmation by the employee of receipt and understanding of responsibilities and obligations under the security policy.
d) Evidence of positive affirmation by the card production staff of receipt and understanding of responsibilities and obligations under the security policy.
Modified p. 11 → 14
e) Ensuring that vendor staff security training incorporates the obligation for employees to report any observed breaches of established security procedure.
e) Ensuring that vendor staff security training incorporates the obligation for card production staff to report any observed breaches of established security procedure.
Modified p. 11 → 14
f) Conducting mandatory training sessions at least annually. These sessions must include understanding the company security policies and their adherence to security policies.
f) Conducting mandatory training sessions at least annually. These sessions must include understanding the company security policies and the card production staff’s responsibilities and their adherence to security policies.
Modified p. 11 → 14
g) Displaying posters and notices concerning security at key locations within the vendor facility.
g) Displaying information concerning security at key locations within the vendor facility via posters, notices, or electronic medium (e.g., monitors).
Modified p. 11 → 14
c) Employees authorized to receive or sign for any card components
• Card production staff authorized to receive or sign for any card components
Removed p. 12
b) Guards must not have access to:
o Employee records
o Physical master keys that provide access to card production or provisioning areas
o Audit logs
o Any restricted areas where the vendor processes, stores, or delivers card products and card components.
Modified p. 12 → 15
a) In-house or contracted guards must meet the same prescreening qualification requirements as employees working in HSAs.
a) In-house or contracted guards must meet the same prescreening qualification requirements as card production staff working in HSAs. For contracted guards, evidence of prescreening requirements may alternatively be provided by the guarding company, by copies of licenses, etc. The vendor must collect and retain this evidence provided by the guarding company.
Modified p. 12 → 15
b) The vendor must ensure that any guard service contracted from an outside source maintains liability insurance to cover potential losses.
b) The vendor must ensure that any guard service contracted from an outside source maintains liability insurance to cover potential losses, or ensure that the vendor’s own insurance policies provide suitable coverage.
Modified p. 12 → 15
c) Guards must be prevented from modifying or altering the internal settings on access system controls, intrusion alarm system, closed circuit television (CCTV).
Guards must be prevented from modifying or altering the internal configuration settings on access system controls, intrusion alarm system, closed circuit television (CCTV).
Modified p. 12 → 16
a) Appropriate emergency procedures are followed and prompt attention to reports of unauthorized access to the premises is received from law enforcement agents, and where necessary the VPA
Interview guards to confirm that they follow appropriate emergency procedures and give prompt attention to reports of unauthorized access to the facility received from law enforcement agents, and where necessary the VPA.
Modified p. 13 → 16
a) Guard’s responsibilities, procedures, and activities by position
a) Guard’s responsibilities, procedures, and activities by position • Guard’s responsibilities, procedures, and activities by position
Modified p. 13 → 17
d) Access control at all entry and exit points of the premises, by date and time of activation
d) Access control at all entry and exit points of the facility, by date and time of activation
Modified p. 13 → 17
e) External resource response activities
e) External resource response activities • External resource response activities
Modified p. 13 → 17
f) CCTV monitoring and video or digital recordings
f) CCTV monitoring and video or digital recordings • CCTV monitoring and video or digital recordings
Modified p. 13 → 17
g) Administration of access cards and photo ID badges
g) Administration of access credentials and photo ID badges • Administration of access credentials and photo ID badges
Modified p. 13 → 17
h) Badge access system and computer monitoring (such as the logging in and out of staff entering or leaving the premises and internal movement at area access points)
h) Access-control system and computer monitoring (such as the logging in and out of staff entering or leaving the facility and internal movement at area access points)
Modified p. 13 → 17
i) Company policy concerning employee and visitor access to the facility (both exterior and interior)
i) Company policy concerning card production staff, consultant, and visitor access to the facility (both exterior and interior)
Modified p. 13 → 17
k) Shipping and receiving
k) Shipping and receiving • Shipping and receiving
Modified p. 13 → 17
l) Alarm activation procedures
l) Alarm activation procedures • Alarm activation procedures
Modified p. 13 → 17
m) Response to alarms, including notification to law enforcement in cases of unauthorized access to the premises
m) Response to alarms, including notification to law enforcement in cases of unauthorized access to the facility
Modified p. 13 → 17
n) Daily activity and immediate incident report
n) Daily activity and immediate incident report • Daily activity and immediate incident report
Modified p. 13 → 17
o) Potential threats such as burglary or theft to the premises external or internal security
o) Potential threats (such as burglary or theft) to the facility's external or internal security
Modified p. 13 → 18
p) Handling of emergencies including but not limited to: o Earthquakes o Severe weather o Direct assault by armed felons o Bomb threats o Civil disturbances o Building evacuation o Ransom demands o Hostages o Kidnapping
− Fire − Earthquakes Severe weather Direct assault by armed felons Bomb threats Civil disturbances Building evacuation Ransom demands Hostages Kidnapping 1.2.3.2 Guard Attestation of Security Procedures Manual Contents
Modified p. 13 → 18
q) The requirement that all guards, whether employees or contract, must sign a document indicating that they have read and fully understand the contents of this manual.
a) All guards, whether employees or contract, must sign a document indicating that they have read and fully understand the contents of this manual.
Modified p. 13 → 18
r) Procedures must be reviewed, validated and if necessary, updated annually.
a) Procedures must be reviewed, validated and if necessary, updated annually. Examine documentation to verify updates occur annually as necessary.
Modified p. 13 → 18
b) Exceptional situations not specified within these manuals must be reported immediately to the security manager for appropriate action and possible inclusion into the manuals.
b) Exceptional situations not specified within these manuals must be reported immediately to the physical security manager for appropriate action and possible inclusion into the manuals.
Removed p. 14
d) The following information must be recorded in the logbook: o Name of the visitor, printed and signed o Number of the official ID document(s) presented and the date and place of issue o Company the visitor represents (if any) o Name of the person being visited or in charge of the visitor o Purpose of the visit o Visitor badge number o Date and time of arrival and departure o Signature of the employee initially assigned to escort the visitor

e) The vendor must retain v t least 90 days.
Modified p. 14 → 19
b) All visitors to the facility must be registered ahead of their arrival.
b) All visitors to the facility must be registered ahead of their arrival. Examine a sample of registration documentation to verify that all visitors are registered ahead of their arrival.
Modified p. 14 → 19
c) The registration must include name and company they represent.
c) The registration must include name and company they represent. Examine a sample of registration documentation to verify that registration entries contain the visitor’s name and the company they represent.
Modified p. 14 → 19
d) If the visitor requires access to the HSA or cloud-based provisioning environment, this must be approved by both the Security Manager and the Production Manager.
d) If the visitor requires access to the HSA or cloud-based provisioning environment, this must be approved by both the physical security manager and the production manager.
Modified p. 14 → 19
e) Any unsolicited visitors must be turned away.
e) Any unsolicited visitors must be turned away. Examine CCTV recordings or interview guards to verify that unsolicited visitors are turned away.
Modified p. 14 → 19
f) An authorized employee must accompany all visitors at all times while they are in the facility.
f) An authorized card production staff member must accompany all visitors at all times while they are in the facility.
Modified p. 14 → 19
g) Visitors must enter through the reception area.
g) Visitors must enter through the reception area. Observe live visitor entry processes to verify that all visitors are required to enter through the reception area.
Modified p. 14 → 19
a) The vendor must apply the same registration procedures to all visitors entering their facility. These procedures must include the following: o Confirmation of previously agreed appointment o Verification of identification against an official, government issued picture ID
a) The vendor must apply the same registration procedures to all visitors entering their facility. These procedures must include the following:
Modified p. 14 → 20
c) All logs must be protected from modification.
c) All logs must be protected from modification. Examine the visitor logs to verify that they have protection from modification.
Modified p. 15 → 21
a) Each visitor entering the facility must be issued with and must wear visibly on their person a security pass or ID badge that identifies them as a non-employee.
a) Each visitor entering the facility must be issued with and must wear visibly on their person a security pass or ID badge that identifies them as a non-employee.
Modified p. 15 → 21
b) the facility and, if multi-day, the validity period must be clearly indicated on the front of the badge.
b) If the security pass or ID badge is disposable, the visitor’s name and date of entry to the facility and, if multi-day, the validity period must be clearly indicated on the front of the badge.
Modified p. 15 → 21
c) If the security pass or ID badge is the access-control type that enables a record to be o The visitor must be instructed on its proper use. o The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter. o Visitors must use their access card in the card readers to the room into which they enter. …
c) If the security pass or ID badge is the access-control type that enables a record to be kept of the visitor’s movement throughout the facility:
Modified p. 15 → 21
d) Unissued visitor access badges must be securely stored.
d) Unissued visitor access badges must be securely stored. Observe the location where unissued visitor access badges are stored to verify that it is a secure location.
Modified p. 15 → 21
f) Employees responsible for escorting visitors while they are inside the facility must ensure that the visitor surrenders their ID badge to the receptionist or guard before leaving the building.
f) Card production staff responsible for escorting visitors while they are inside the facility must ensure that the visitor surrenders their ID badge to the receptionist or guard before leaving the building.
Modified p. 15 → 22
a) Procedures that define how third parties are managed at the vendor facility are documented and followed. b) employer of all suppliers, repair and maintenance staff, and any other external service provider.
a) Procedures that define how third parties are managed at the vendor facility are documented and followed.
Modified p. 15 → 22
c) A pre-approved list of third parties is made available to the receptionist or to the guard on a daily or weekly basis for the preparation of ID badges. Only those persons with pre-approved ID badges may be granted facility access. The security manager or senior management must approve in writing any exceptions to this requirement.
c) A pre-approved list of third parties is made available to the receptionist or to the guard on a daily or weekly basis for the preparation of ID badges. Only those persons with pre-approved ID badges may be granted facility access. The physical security manager or senior management must approve in writing any exceptions to this requirement.
Modified p. 15 → 22
d) An employee accompanies all external service providers at all times while they are in the HSA(s).
d) An authorized card production staff member accompanies all external service providers at all times while they are in the HSA(s).
Modified p. 16 → 22
f) staff requiring access to restricted or HSAs follow the visitor- registration procedures.
f) External service providers’ staff requiring access to restricted or HSAs follow the visitor-registration procedures.
Modified p. 16 → 23
a) Prior to conducting any business with an agent or third party regarding card-related activities, the vendor must register the agent with the VPA and obtain the following information: o Agent's name, address, and telephone numbers o Agent's role or responsibility
a) Prior to conducting any business with an agent or third-party regarding card-related activities, the vendor must register the agent with the VPA and obtain the following information:
Modified p. 17 → 24
e) The vendor must keep a log of the disabling of the alarm and the key exchange, describing at least: o Person(s) needing access o Purpose of the access 3.1.2 Exterior Entrances and Exits All non-emergency exterior entrances and exits to the facility must be:
e) The vendor must keep a log of the disabling of the alarm and the key exchange, describing at least:
Modified p. 17 → 25
b) Locked or electronically controlled at all times
b) Locked or electronically controlled at all times Observe that all exterior entrances and exits are locked and are controlled at all times.
Modified p. 17 → 25
c) Reinforced, where applicable, to resist intrusion (e.g., steel or equivalent construction that meets local fire and safety codes)
c) Reinforced, where applicable, to resist intrusion (e.g., steel or equivalent construction that meets local fire and safety codes).
Modified p. 17 → 25
d) Fitted with an access-control device (i.e., card reader or biometric) that automatically activates the locking mechanism e) tailgating (excluding emergency exits) 3.1.3 External Walls, Doors and Windows
d) Fitted with an access-control device (i.e., card reader or biometric) that automatically activates the locking mechanism. Observe entrances and exits to determine whether they are fitted with an access-control device (i.e., card reader or biometric) that automatically activates the locking mechanism.
Modified p. 17 → 25
a) All exterior walls must be pre-cast or masonry block or material of equivalent strength and penetration resistance.
Observe or examine documentation to determine all external walls, doors and windows are pre-cast or masonry block or material of equivalent strength and penetration resistance.
Modified p. 17 → 25
b) Windows, doors, and other openings must be protected against intrusion by mechanisms such as intruder- burglar-resistant glass, bars, glass-break detectors, or motion or magnetic contact detectors.
b) Windows, doors, and other openings must be protected against intrusion by mechanisms such as intruder-resistant (e.g., "burglar-resistant") glass, bars, glass-break detectors, or motion or magnetic contact detectors.
Modified p. 18 → 26
a) The vendor premises must be located in an area serviced by public law enforcement and fire protection services in a timely manner.
a) The vendor facility must be located in an area serviced by public law enforcement and fire protection services in a timely manner.
Modified p. 18 → 26
b) The facility must be secured with an intrusion alarm system as defined in Section 3.4.1,
b) The facility must be secured with an intrusion alarm system as defined in
Modified p. 18 → 26
e) All external entry and exit points, including those for freight and maintenance, must be equipped with a peep-hole, a security window, or external CCTV that allows security personnel visual inspection of the immediate area, thus allowing action to be taken in the event of unauthorized access.
e) All external entry and exit points, including those for freight and maintenance, must be equipped with a peephole, a security window, or external CCTV that allows security personnel visual inspection of the immediate area, thus allowing action to be taken in the event of unauthorized access.
Modified p. 18 → 26
f) Alarms on external doors must be tested every three months.
f) Alarms on external doors must be tested every three months. Examine a sample of evidentiary matter to verify external doors alarms have been tested every three months.
Modified p. 18 → 26
a) All emergency exits must be fitted with local audible alarms and monitored 24 hours a .
a) All emergency exits must be fitted with local audible alarms and monitored 24 hours a day and also must display a sign indicating “emergency exit door with alarm.” Interview personnel to verify that emergency exits are monitored 24 hours a day.
Modified p. 18 → 26
b) Emergency exit doors must be fitted with an automatic closer to ensure self-latching of the door after being opened.
b) Emergency exit doors must be fitted with an automatic closer to ensure self-latching of the door after being opened.
Modified p. 18 → 26
c) Emergency exit doors must be contact-alarm monitored.
c) Emergency exit doors must be contact alarm monitored.
Modified p. 18 → 27
f) During non-business hours, the activation of an emergency-exit alarm must summon the local police or a guard response directed by central monitoring service or on-site security control.
f) During non-business hours, the activation of an emergency-exit alarm must summon the local police, or a guard response directed by central monitoring service or on-site security control.
Modified p. 18 → 27
g) Emergency exit doors must not be capable of being opened from the outside.
g) Emergency exit doors must not be capable of being opened from the outside. Observe all emergency exit doors to verify they cannot be opened from the outside.
Modified p. 18 → 27
h) Emergency exits must not lead to a higher security area.
h) Emergency exits must not lead to a higher security area. Observe that all emergency exits do not lead to a higher security area.
Modified p. 19 → 28
a) Exterior CCTV cameras must focus on all entrances and exits to the building, and capture legible images of all persons entering or leaving the facility.
a) Exterior CCTV cameras must focus on all entrances and exits to the building and capture legible images of all persons entering or leaving the facility.
Modified p. 19 → 29
b) The reception area must be contained within a mantrap.
b) The reception area must be within a mantrap.
Modified p. 19 → 29
g) The electronic control points for operating this system must be located at the
g) The electronic control points for operating this system must be located at the receptionist’s desk or in the security control room.
Modified p. 20 → 30
i) The vendor must provide employees working in these areas with a telephone and a duress button that activates a silent alarm at a remote, central monitoring service or police station.
• A duress button that activates a silent alarm at a remote, central monitoring service or police station.
Modified p. 20 → 30
j) If the receptionist area houses or acts as a security control room, the requirements as defined in Section ecurity Control Room
j) If the receptionist area houses or acts as a security control room, the requirements as defined in Section 2.3.2, “Security Control Room,” must be met.
Modified p. 20 → 30
k) Outside working hours, all security protection devices (including alarm activation and deactivation) must be monitored electronically by either an in-house security monitoring system or a private central monitoring company.
k) Outside working hours, all security protection devices (including alarm activation and deactivation) must be monitored electronically by either an in-house security monitoring system or a private central monitoring company.
Modified p. 20 → 30
l) Employees may enter the facility through the main entrance area or through an employee-only entrance. The external entrance door of the building must not lead directly to the entrance of the HSA or the cloud-based provisioning area.
Observe the external entrance doors of the building to verify that it does not lead directly to the entrance of the HSA or the cloud-based provisioning area.
Modified p. 20 → 31
a) Staff the room at all times while activity occurs in the HSA
Interview personnel to verify that the room is staffed at all times while activity occurs in the HSA.
Modified p. 20 → 31
d) Protect the room by an internal motion detector.
d) Protect the room by an internal motion detector. Observe the security control room to determine it is protected by an internal motion detector.
Modified p. 21 → 32
i) Fit the door with an automatic closing device. The opening of the door for more than 30 seconds must automatically activate a sound alarm. The access-control system must be programmed, whereby access is on a person-by-person basis and restricted to authorized personnel only. Person-by-person access may be fulfilled through a procedural control.
i) Fit the door with an automatic closing device. The opening of the door for more than 30 seconds must automatically activate a sound alarm. The access-control system must be programmed, whereby access is on a person-by-person basis (e.g., a full mantrap, turnstile, or similar that prevents more than one person entering at a time) and restricted to authorized personnel only. Person-by-person access may be fulfilled through a procedural control.
Modified p. 21 → 33
l) Ensure that the badge access-control monitor permanently displays the access card transactions on a real-time basis. Guards must be able to cross-check the access- control records with the CCTV images.
l) Ensure that the access-control monitor permanently displays the access transactions on a real-time basis. Guards must be able to cross-check the access-control records with the CCTV images.
Modified p. 21 → 33
m) Train guards in the security control room in the effective use of badge access-control system and CCTV system facilities.
m) Train guards in the security control room in the effective use of the access-control system and CCTV system facility.
Modified p. 21 → 33
n) Ensure that a security guard is assigned to watch all real-time CCTV images on the monitors.
n) Ensure that a security guard is assigned to watch real-time CCTV images on the monitors.
Modified p. 21 → 33
q) Have mechanisms in place to prevent observation of security equipment (e.g., CCTV monitors) inside the security control room for example, by covering all security control room windows with a one-way mirror film or other material preventing viewing from outside.
q) Have mechanisms in place to prevent observation of security equipment (e.g., CCTV monitors) inside the security control room, for example, by covering all security control room windows with a one-way mirror film or other material preventing viewing from outside.
Modified p. 21 → 34
r) Ensure all other windows within the security control room are protected by unbreakable glass or iron bars and are protected against intrusion by at least one of the following: burglar-resistant glass, glass-break detectors, or motion or magnetic contact detectors.
r) Ensure all other windows within the security control room are protected against intrusion by at least one of the following: iron bars, burglar-resistant glass, glass-break detectors, or motion detectors.
Modified p. 21 → 34
s) Ensure that when the room is used for reception control, the conditions outlined in apply.
t) Ensure that when the room is used for reception control, the conditions outlined in Section 2.3.1, “Reception,” apply.
Modified p. 21 → 34
t) The CCTV and access control servers must be in the security control room or a room with equivalent security. The servers must not be in the HSA.
u) The CCTV and access-control servers must be in the security control room or a room with equivalent security. The servers must not be in the HSA.
Removed p. 22
b) Access-control systems must: o Always be connected to the computer that monitors and logs all staff and visitor movements. o Prevent employees from piggybacking. o Enforce person-by-person access. o Implement anti-pass-back mechanisms. o Enforce dual presence. If the number of authorized employees is less than two for more than a minute, the alarm must be activated.
Modified p. 22 → 35
a) Employees may only bring items related to card production and provisioning activity into the HSA.
b) Card production staff may only bring items related to card production and provisioning activity into the HSA.
Modified p. 22 → 35
b) If a facility performs multiple production activities e.g., card manufacturing and personalization these activities must be performed in separate areas within the HSA.
c) If a facility performs multiple production activities⎯e.g., card manufacturing and personalization⎯these activities must be performed in separate areas within the HSA.
Modified p. 22 → 36
c) With the exception of mobile provisioning, if multiple HSAs are within the same building, they must be contiguous.
d) With the exception of mobile provisioning, if multiple HSAs are within the same building, they must be contiguous.
Modified p. 22 → 36
d) Equipment that is purely associated with test activities is not allowed in the HSA.
e) Equipment that is purely associated with test activities is not allowed in the HSA.
Modified p. 22 → 36
e) A mobile provisioning system must exist in either a server room in the HSA or, if the only activity by the vendor, its own room meeting the criteria for an HSA.
f) A mobile provisioning system must exist in either a server room in the HSA or, if the only activity by the vendor, its own room meeting the criteria for an HSA.
Modified p. 23 → 38
f) The motion detector must generate an alarm if movement is detected inside the HSA or rooms within the HSA when the access-control system indicates (e.g., the software counter is zero nobody registered in the room) the room is not occupied.
f) The motion detector must generate an alarm if movement is detected inside the HSA or rooms within the HSA when the access-control system indicates the room is not occupied (e.g., the software counter is zero, nobody registered in the room).
Modified p. 23 → 38
g) The warning must be a local sound alarm and notification (silent alarm) within the security control room. Additionally, after working hours, a simultaneous alarm to the local external security company or local police must occur.
g) The warning must be a local sound alarm and notification (silent and/or audible alarm) within the security control room. Additionally, after working hours, a simultaneous alarm to the local external security company or local police must occur.
Modified p. 23 → 39
h) No one is allowed to bring personal items (for example, packages, lunch containers, purses) or any electronic devices (including but not limited to mobile telephones, photo cameras, and PDAs), into the high security area. Medical items such as medications and tissues are acceptable if in clear containers that can be examined. No food or beverages are allowed.
h) No one is allowed to bring personal items (for example, packages, lunch containers, purses) or any electronic devices (including but not limited to mobile telephones, photo cameras, and PDAs) into the high security area. Medical items such as medications and tissues are acceptable if in clear containers that can be examined. No external food or beverages are allowed. Company may provide water stations with disposable bottles and cups. These must be brought in/out through the goods/tools trap and be …
Modified p. 23 → 39
i) If the access-control server is not located in the security control room it must be located in a room of equivalent security. The access-control server cannot be located in the HSA 3.3.4.2 Person-by-Person Access Control and Anti-pass-back Software
i) If the access-control server is not located in the security control room it must be located in a room of equivalent security. The access-control server cannot be located in the HSA but must be located in the same facility.
Modified p. 23 → 39
a) Access must be enforced by the use of an air lock, single sluice, or security turnstile, which must be controlled by logical means, ensuring strict compliance with the person-by-person mandate.
a) Access must be enforced by the use of an air lock, single sluice, or security turnstile, which must be controlled by logical means, ensuring strict compliance with the person-by-person mandate.
Modified p. 23 → 40
a) All materials required for production must be transferred to the HSA through either a goods-tools trap or the shipping and delivery area.
a) All physical materials required for production must be transferred to the HSA through either a goods-tools trap or the shipping and delivery area.
Modified p. 23 → 40
b) A goods-tools trap may be used to transfer materials between different areas within the HSA.
b) A goods-tools trap or a shipping and delivery area must be used to transfer physical materials between different HSAs within the same facility.
Modified p. 23 → 40
a) Bullet-resistant (e.g., UL 752) glass or iron bars must protect all windows in HSAs.
Observe that bullet-resistant glass or iron bars are used to protect all windows in HSAs.
Modified p. 23 → 40
b) It must not be possible to view activities in the HSA from the exterior of the building e.g., by use of opaque or non-transparent glass.
b) It must not be possible to view activities in the HSA from the exterior of the building (e.g., by use of opaque or non-transparent glass).
Modified p. 23 → 40
c) Walls and ceilings must be constructed around the HSA consistent with the enforcement of dual presence e.g., prevention of access via false ceilings or raised floors.
c) Walls and ceilings must be constructed around the HSA consistent with the enforcement of dual presence (e.g., prevention of access via false ceilings or raised floors).
Modified p. 23 → 40
d) All access points (e.g., electrical conduits, opening windows and ventilation shafts) in HSAs must have physical barriers.
d) All access points (e.g., electrical conduits, opening windows, and ventilation shafts) in HSAs must have physical barriers.
Modified p. 24 → 41
h) All doors must be fitted with an in and out card reader access system plus an anti-pass-back function connected to a computer that records all movements. i) emergency exit doors.
h) All doors must be fitted with an in and out card reader access system plus an anti-pass-back function connected to a computer that records all movements.
Modified p. 24 → 41
j) Emergency exits must be fitted with local audible alarms and monitored 24 hours a da .
j) Emergency exits must be fitted with local audible alarms and monitored 24 hours a day and also must display a sign indicating “emergency exit door with alarm.” Observe emergency exits to verify they:
Modified p. 24 → 42
a) The pre-press process must be performed in a separate room within the HSA.
a) The pre-press process must be performed in a separate room within the HSA. Observe to verify that the pre-press process is performed in a separate room within the HSA.
Removed p. 25
e) PIN mailers must be mailed Delivery

k) All waste material from the PIN printing process must be destroyed as defined in t Trails.
Modified p. 25 → 44
a) PIN mailer production must be performed in a separate room within the HSA.
a) PIN mailer production must be performed in a separate room within the HSA. Observe to verify that PIN mailer production is performed in a separate room within the HSA.
Modified p. 25 → 44
b) Employees involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards. Individuals may perform other non-personalization activities in addition to PIN printing, except for those that give access to cardholder data such as data administration, packaging, or mailing activities.
b) Card production staff involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards. Individuals may perform other non-personalization activities in addition to PIN printing, except for those that give access to cardholder data such as data administration, packaging, or mailing activities.
Modified p. 25 → 44
d) PIN mailers must be printed in such a way that the plaintext PIN cannot be observed until the envelope is opened. The envelope must display the minimum data necessary to deliver the PIN mailer to the correct customer. PIN mailers must be tamper evident so that it is highly likely that accidental or fraudulent opening will be obvious to the customer.
d) PIN mailers must be printed in such a way that the plaintext PIN cannot be observed until the envelope is opened. The envelope must display the minimum data necessary to deliver the PIN mailer to the correct customer. PIN mailers must be tamper-evident so that it is highly likely that accidental or fraudulent opening will be obvious to the customer.
Modified p. 25 → 44
f) No activity other than PIN mailer production may take place in the room.
Observe to verify that no activity other than PIN mailer production takes place in the room.
Modified p. 25 → 45
h) Reports and PIN mailers must not display printed PIN data in the clear.
h) Reports and PIN mailers must not display printed PIN data in the clear. Examine a sample of Reports and PIN mailers to verify that printed PIN data is not displayed in the clear.
Modified p. 25 → 45
i) PIN mailers must not contain the associated cardholder account number
i) PIN mailers must not contain the associated cardholder account number. Examine a sample of PIN mailers to verify that they do not contain the associated cardholder account number.
Modified p. 25 → 45
a) Server processing and key management must be performed in a separate room within the personalization HSA. Data preparation must occur here. Server processing and key management may occur in the same room or each in a separate room
a) Server processing and key management must be performed in a separate room within the personalization HSA. Data preparation must occur here. Server processing and key management may occur in the same room or each in a separate room.
Modified p. 25 → 45
b) Systems and applications that make up the cloud-based provisioning network must be physically segregated from other vendor networks and internet-connected networks. This includes separation of servers, firewall, and HSM. For example, in a traditional card vendor environment this could be a separate rack in a server room, or in a
b) Systems and applications that make up the cloud-based provisioning network must be physically segregated from other vendor networks and Internet-connected networks. This includes separation of servers, firewall, and HSM. For example, in a traditional card vendor environment this could be:
Removed p. 26
a) The following must be stored in the vault: o Cards awaiting personalization o Security components o Materials awaiting destruction o Samples and test cards prior to distribution and after return o Any card that is personalized with production data o If the facility is closed, personalized cards that will not be shipped within the same working day o Products awaiting return to the supplier

b) Vaults must be constructed of reinforced concrete (minimum 15 centimeters or 6 inches) or at least meet the Underwriters Laboratories Class I Burglary Certification Standard (e.g., UL 608), which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces i.e., vault doors, walls, floors and ceilings. o An outside wall of the building must not be used as a wall of the vault. o If the construction of the vault leaves a small (dead) space between the vault …
Modified p. 26 → 46
c) An internal CCTV camera must be installed to cover the access to this room and provide an overview of the room whenever there is activity within it. The camera must not have zoom or scanning functionality and must not be positioned in such a manner as to allow observation of keystroke entry or the monitoring of the screen.
e) The camera must not have zoom or scanning functionality and must not be positioned in such a manner as to allow observation of keystroke entry or the monitoring of the screen.
Modified p. 27 → 48
g) Card components being taken in or out must be recorded in a vault log and confirmed by at least two employees.
g) Card components being taken in or out must be recorded in a vault log and confirmed by at least two card production staff.
Modified p. 27 → 48
h) Maintenance of these audit control logs is mandatory as defined in Section 4.7.2. These logs must be retained for the longer of five years or the oldest card in the vault.
h) Maintenance of these audit control logs is mandatory as defined in Section 3.7.2, “Vault Audit Controls.” These logs must be retained for the longer of five years or the oldest card in the vault.
Modified p. 27 → 49
i) If the vault also is used to store non-payment products, it must be physically segregated (e.g., stored on dedicated aisles or shelves) to create a physical separation between payment products and other card types.
i) If the vault also is used to store non-payment products, it must be physically segregated – e.g., stored on dedicated aisles or shelves – to create a physical separation between payment products and other card types.
Modified p. 27 → 49
j) All boxes with payment cards must have a label, visibly attached, describing the product type, a unique product identifier number, the quantity of cards contained in the box, and the date of control.
j) All boxes with payment cards must have a label, visibly attached, describing the product type, a unique product identifier number, the quantity of cards contained in the box and the date of control.
Modified p. 27 → 49
k) Unsealed boxes are only permitted for stock that requires multiple pulls per day.
Unsealed boxes are only permitted for stock that requires multiple pulls per day.
Modified p. 27 → 49
Unsealed boxes must be in a centralized area within the vault. The counting process must be applied during the pull process, and an inventory count under dual control must be performed for each unsealed box at the end of each shift. All other boxes must be sealed.
k) Unsealed boxes are only permitted for stock that requires multiple pulls per day. Unsealed boxes must be in a centralized area within the vault. The counting process must be applied during the pull process, and an inventory count under dual control must be performed for each unsealed box at the end of each shift. All other boxes must be sealed.
Modified p. 27 → 50
a) One-room configuration
The goods-tools trap is composed of a unique, closed, solid construction room (goods transfer room) and two doors (inner and external) minimizing the physical contact between the individuals collecting or delivering materials and the HSA staff.
a) One-room configuration
The goods-tools trap is composed of a unique, closed, solid construction room (goods transfer room) and two doors (inner and external) minimizing the physical contact between the individuals collecting or delivering materials and the HSA staff. In this configuration, the goods-tools trap must be operated as follows:
Modified p. 27 → 50
In this configuration, the goods-tools trap must be operated as follows:
o The movement detector is deactivated when someone swipes the access card in the card reader.
o The person opens the door, introduces the package, and closes the door.
The movement detector is deactivated when someone swipes the access card in the card reader.
Modified p. 28 → 50
b) Two-room configuration
In this configuration, the goods-tools trap is composed of two consecutive rooms, similar to the classical shipping and delivery room configuration.
In this configuration, the goods-tools trap is composed of two consecutive rooms, similar to the classical shipping and delivery room configuration.
Modified p. 28 → 50
Security requirements, protection devices, and access procedures are the same as for the standard shipping and delivering area configuration, as defined below.
Security requirements, protection devices, and access procedures are the same as for the standard shipping and delivering area configuration, as defined below.
Modified p. 28 → 51
a) To facilitate the shipment and delivery of card components, the loading/unloading area must be composed of at least two consecutive enclosed rooms and three doors (external, intermediate, and inner), which minimizes physical contact between the individuals collecting or delivering materials and the shipment/delivery employees and card production staff.
a) To facilitate the shipment and delivery of card components, the loading/unloading area must be composed of at least two consecutive enclosed rooms and three doors (external, intermediate, and inner), which minimizes physical contact between the individuals collecting or delivering materials and the shipment/delivery card production staff.
Modified p. 28 → 51
d) One of the rooms in the shipping area must contain a solution to allow the exchange of control documents without coming into contact with external personnel, as well as being able to communicate with and visually identify them e.g., a security window, video intercom, CCTV monitors etc.
d) One of the rooms in the shipping area must contain a solution to allow the exchange of control documents without coming into contact with external personnel, as well as being able to communicate with and visually identify them – e.g., a security window, video intercom, CCTV monitors, etc.
Modified p. 28 → 52
h) To liberate a person detected inside the room and stop the alarm, the software monitoring the access-control system must only allow the opening of the last activated door. A logical (software) and physical (alarm report book) log of the event must permanently be kept.
h) To liberate a person detected inside the room and stop the alarm, the software monitoring the access-control system must only allow the opening of the last activated door. Either a logical (software) or physical (alarm report book) log of the event must be kept for at least two years.
Modified p. 28 → 52
i) The vendor must install CCTV cameras and orient the cameras to cover the external and inner access doors to the shipping and delivery areas, and capture all activities during shipping and delivery operations.
i) The vendor must install CCTV cameras and orient the cameras to cover the external and inner access doors to the shipping and delivery areas and capture all activities during shipping and delivery operations.
Removed p. 29
j) The vendor must install at least:
o One external CCTV camera covering the external shipping and delivery area door and its environment
o Two CCTV cameras inside the outer room covering all sides of the vehicle
o One CCTV camera inside the inner room covering the shipping and delivery operations
Removed p. 29
c) The ID badge must not be imprinted with the company name or logo.
Modified p. 29 → 54
d) The alarm activation and deactivation must be checked and confirmed by an electronic device, guards, private security company, or local police force to ensure that the pre-arranged alarm time settings have been respected. The alarm deactivation process must allow for the generation of a fast, silent alarm in case of threat.
o A specific procedure must be established to ensure quick corrective action in case an alarm is not activated in accordance with pre-arranged alarm time settings.
o …
d) The alarm activation and deactivation must be checked and confirmed by an electronic device, guards, private security company, or local police force to ensure that the pre-arranged alarm time settings have been respected. The alarm deactivation process must allow for the generation of a fast, silent alarm in case of threat.
Modified p. 29 → 55
e) Access contacts and motion detectors must be activated in zones where no staff are present (e.g., vault, storage, production areas, shipping and delivery areas).
e) Access contacts and motion detectors must be activated in zones where no staff are present – e.g., vault, storage, production areas, shipping and delivery areas.
Modified p. 29 → 56
b) The vendor must issue a photo identification (ID) badge to each employee.
b) The vendor must issue a photo identification (ID) badge to each card production staff member and consultant. A temporary badge is valid ONLY for the work shift and does not need to contain a picture.
Removed p. 30
b) The badge access system must log sufficient information to produce the daily card activity reports detailed below:
o Card reader
o Card reader status
o Card identification
o Date and time of access
o Access attempts results
o Unauthorized attempts
o Anti-pass-back violation and corrective actions taken
Modified p. 30 → 56
a) The access-control system must grant physical access to employees only during authorized working hours functions.
a) The access-control system must grant physical access to card production staff or consultants only during authorized working hours, and only to those areas required by the card production staff or consultants’ job functions.
Modified p. 30 → 56
b) Employees must display their ID badges at all times while in the facility.
b) Personnel must display their ID badges at all times while in the facility. Observe that personnel display their ID badges at all times while in the facility.
Modified p. 30 → 57
c) Employees are responsible for their ID and access badges and must report any lost/ stolen or broken badges to the Security Manager immediately.
c) Card production staff and consultants are responsible for their ID and access badges and must report any lost/stolen or broken badges to the physical security manager immediately.
Modified p. 30 → 57
a) Maintain an inventory of unassigned ID badges.
a) Maintain an inventory of unassigned ID badges. Examine the unassigned badge inventory log to verify completeness.
Modified p. 30 → 57
b) Ensure dual control exists for badge access and assignment.
b) Ensure dual control exists for badge access and distribution to individuals.
Modified p. 30 → 57
c) Ensure ID badges are retrieved from terminated employees prior to their departure from the premises.
c) Ensure ID badges are retrieved from terminated individuals prior to their departure from the facility.
Modified p. 30 → 57
d) Ensure all access rights are immediately deactivated.
d) Ensure all access rights are immediately deactivated. Examine procedures to validate a process is in place to deactivate all access rights immediately on a departure of an individual.
Modified p. 30 → 58
e) Maintain precise documentation accounting for all lost badges.
e) Maintain precise documentation accounting for all lost badges. Examine documentation to verify a process is in place to maintain documentation to account for all lost badges.
Modified p. 30 → 58
a) The vendor must document, follow, and maintain procedures for ID badge administration.
a) The vendor must document, follow, and maintain procedures for access-control system administration.
Modified p. 30 → 58
b) Badge access systems that allow entry into restricted areas must have a backup electrical power source capable of maintaining the system for 48 hours.
b) Access-control systems that allow entry into restricted areas must have a backup electrical power source capable of maintaining the system for 48 hours.
Modified p. 30 → 59
a) All procedures for badge access must be documented and kept current.
a) All procedures for access control must be documented and kept current.
Removed p. 31
ii. The reasons for the change, and

iii. The person who made the change.
Removed p. 31
g) Systems administration (this does not include badge administration) must follow the requirements for onsite remote access if performed remotely. Vendor facilities that are not subject to logical security audits must confirm in writing that the following requirements are met:
Modified p. 31 → 59
i. The date and time of the change,
• Date and time of access
Modified p. 31 → 59
c) The security manager must review these reports weekly.
c) The physical security manager must review these reports weekly. Examine evidence that the physical security manager is reviewing reports weekly.
Modified p. 31 → 59
d) The badge access system audit trail must be maintained for at least three months.
d) The access-control system audit trail must be maintained for at least three months.
Modified p. 31 → 60
a) Each badge access system administrator uses his or her own user ID and password.
a) Each access-control system administrator uses his or her own user ID and password.
Modified p. 31 → 60
b) Passwords are changed at least every 90 days.
Interview personnel to verify that passwords are changed at least every 90 days.
Modified p. 31 → 60
c) User IDs and passwords are assigned to the security manager and authorized personnel.
c) User IDs and passwords are assigned to the physical security manager and authorized personnel, who must be employees.
Modified p. 31 → 60
d) The security manager and other authorized personnel are the only individuals able to modify the badge access system controls. All changes to the system must be logged.
Examine a sample of logs to verify the physical security manager and other authorized personnel are the only individuals who modified the access-control system controls.
Modified p. 31 → 61
f) All changes to card production, provisioning and security-relevant systems are recorded and reviewed monthly by a senior manager who is not the individual initially involved in changing the system.
f) All changes to card production, provisioning, and security-relevant systems are recorded and reviewed monthly by a senior manager who is not the individual initially involved in changing the system.
Modified p. 31 → 61
h) Badge access systems are isolated on a dedicated network from the main office network.
g) Access-control systems are physically and logically isolated on a dedicated network from the main office network.
Modified p. 31 → 61
i) Offsite access to the badge access system is not permitted.
Offsite access to the access-control system is not permitted.
Modified p. 31 → 61
j) Access-control system data must be backed up on a weekly basis.
b) Access-control system data must be backed up on a weekly basis.
Modified p. 31 → 61
k) Access-control systems administration must be performed from within the security control room.
c) Access-control systems administration must be performed from within the security control room.
Modified p. 31 → 61
l) For generic administrative accounts that cannot be disabled, the password must be used only for emergency. The password must be changed from the default value and managed under dual control.
d) For generic administrative accounts that cannot be disabled, the password must be used only for emergency. The password must be changed from the default value and managed under dual control.
Modified p. 31 → 61
m) In addition, the access control system must meet the logical security requirements in Appendix B.
e) In addition, the access-control system must meet the logical security requirements in Appendix B.
Removed p. 32
a) The key logbook must have consecutive, pre-numbered, bound pages and must contain at least the following information:
o Key identification number
o Date and time the key is issued (transfer of responsibility)
o Name and signature of the employee issuing the key
o Name and signature of the authorized recipient
o Date and time the key is returned (transfer of responsibility)
o Name and signature of the authorized individual returning the key
o Name and signature of the employee receiving the key
Modified p. 32 → 62
e) Every employee entrance
3.4.4.2 Activation
e) Every card production staff entrance
2.4.4.2 Activation
Modified p. 32 → 62
a) When a duress button is activated, a warning or emergency signal must be sent to the security control room, a remote central monitoring station, or the local police station. The anticipated initial response (i.e., event verification) must be within two minutes.
a) When a duress button is activated, a warning or emergency signal must be sent to an on-site security control room, a remote central monitoring station, or the local police station. The anticipated initial response – i.e., event verification – must be within two minutes.
Modified p. 32 → 62
b) All details relating to the activation of the duress button and the response by the remote central monitoring service or the local police must be recorded in the control log, including the following:
o Time and date when the duress button was activated
o Time taken by the remote central monitoring service to respond
o Time taken by the police or other help to respond/arrive on site
o Chronology of all related activities, including names of personnel involved
o …
b) All details relating to the activation of the duress button and the response by the remote central monitoring service or the local police must be recorded in the control log, including the following:
Modified p. 32 → 63
a) Procedures for managing keys must be documented and followed
a) Procedures for managing keys must be documented and followed. Examine documentation to verify that key-management procedures exist and are followed.
Modified p. 32 → 63
b) Employees who are issued keys must sign a consent form indicating they received such keys and that they will ensure that the key(s) entrusted to them cannot be accessed by unauthorized individuals.
b) Card production staff who are issued keys must sign a consent form indicating they received such keys and that they will ensure that the key(s) entrusted to them cannot be accessed by unauthorized individuals.
Modified p. 33 → 64
c) For keys that allow access to sensitive materials, the security manager must conduct a quarterly review of:
o The key logbook
o The list of employees authorized to hold keys
o The locks each key operates
c) For keys that allow access to sensitive materials, the physical security manager must conduct a quarterly review of:
Modified p. 33 → 65
d) The security manager must sign and date each of the key control documents, attesting that the review process was completed.
d) The physical security manager must sign and date each of the key control documents, attesting that the review process was completed.
Modified p. 33 → 65
a) Procedures for managing the facility’s CCTV must be documented and followed.
a) Procedures for managing the facility’s CCTV must be documented and followed.
Modified p. 33 → 66
c) In case of CCTV involuntary or voluntary disconnection displayed by the monitors located in the security control room must be accompanied by a sound alarm.
c) In case of CCTV disconnection, the “video loss” notification displayed by the monitors located in the security control room must be accompanied by a sound alarm.
Removed p. 34
d) CCTV cameras must be connected at all times to:
o Monitors located in the control room
o An alarm system that will generate an alarm if the CCTV is disrupted
o An active image-recording device
3.4.6.3 View Requirements
Modified p. 34 → 67
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activation. The recording must capture any motion at least 10 seconds before and after the detected motion.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activation. The recording must capture any motion at least five seconds before and after the detected motion.
Modified p. 34 → 67
b) The recording must capture sufficient images to identify the individual (e.g., head and shoulders view) as well as the activity being performed.
b) The recording must capture sufficient images to identify the individual – e.g., head and shoulders view – as well as the activity being performed.
Modified p. 34 → 68
b) The backup recording must be stored in a separate, secure location within the facility and must ensure segregation of duties between the users and administrators of the system. Backups may also be stored in other facilities via techniques such as disk mirroring, provided the storage is secure in accordance with these requirements.
b) The backup recording or mirror image must be stored in a separate, secure location within the facility and must ensure segregation of duties between the users and administrators of the system. Backups may also be stored in other approved facilities of the card vendor via techniques such as disk mirroring, provided the storage is secure in accordance with these requirements. An approved facility is one evaluated as compliant to these requirements and is participating in the applicable card brand …
Modified p. 34 → 69
a) A semi-annual inspection must be conducted on all security devices and hardware including but not limited to:
o Alarm system
o Access-control system
o Window and door contacts
a) A semi-annual inspection and testing must be conducted on all security devices and hardware including but not limited to:
Modified p. 35 → 69
a) Batteries used in local alarms must be tested at minimum monthly and replaced annually (or in accordance with technical specifications provided by the supplier, if testing is more frequent).
a) Batteries used in local alarms must be tested at least monthly. Batteries must be replaced annually or in accordance with technical specifications provided by the manufacturer or if failing testing.
Modified p. 35 → 69
b) Evidence (logs) must be retained for this testing for at least 18 months.
b) Evidence (logs) must be retained for this testing for at least 18 months. Examine evidence (logs) to verify battery test logs have been retained for at least 18 months.
Modified p. 35 → 70
c) The disposition expectations for each identified item must be defined. For example, items may be returned to the owner, transported to an authorized user, or destroyed.
c) The disposition expectations for each identified item must be defined.
Modified p. 36 → 71
a) The vendor must only manufacture card products or components in response to a specific, signed order from a representative of the payment brand, issuer, or i
a) The vendor must only manufacture card products or components in response to a specific, signed order from a representative of the payment brand, issuer, or issuer’s authorized agent.
Modified p. 36 → 73
a) All records of approval for the job from the applicable payment brand
a) All records of approval for the job from the applicable payment brand Examine a sample of order documentation to verify all payment brand job-approval records have been retained.
Modified p. 36 → 73
b) A sample of the partially processed product or component
b) A sample of the partially processed product or component Examine a sample of production run retentions to verify they include partially processed products or components.
Modified p. 36 → 73
d) Documentation indicating the source, quantities, and the distribution of each product received from an external company
d) Documentation indicating the source, quantities, and the distribution of each product received from an external company Examine a sample of production run retentions to verify they include documentation of each product received from an external company.
Modified p. 36 → 73
e) All samples visually voided and functionally inoperable
4.3.2 Required Samples
When requested by the payment brand, the vendor must send samples of the finished cards or components from each production run before shipping the finished card products. These samples must be functionally inoperative, and it must be visibly apparent that they are not live cards.
e) All samples visually voided and functionally inoperable Examine a sample of production run retentions to verify their inoperability and void markings.
Removed p. 37
c) The audit sheet must contain at least the following:
o Signature of the pre-press staff delivering or collecting the printing films
o Job number identification and description of item(s) to be transferred
o Signature of the card printing staff collecting or delivering the printing films
o Quantity of item(s) transferred (number of films, front and reverse)
o Date and time of transfer
Modified p. 37 → 74
e) The vendor must audit this inventory quarterly.
e) The vendor must audit this inventory quarterly. Examine documentation to verify the vendor conducts audits on a quarterly basis.
Modified p. 37 → 75
a) Access to unbundled core sheets must be restricted at all times.
a) Access to unbundled core sheets must be restricted at all times. Observe to verify unbundled core sheets are under restricted access at all times.
Modified p. 37 → 76
b) Audit or accountability forms for core sheets must provide the following information for every order processed:
o Good sheets
o Rejected sheets
o Set-up sheets
b) Audit or accountability forms for core sheets must provide the following information for every order processed:
Modified p. 38 → 77
a) The vendor must obtain proprietary components (e.g., signature panels, holographic materials, special dies) only from authorized suppliers.
a) The vendor must obtain proprietary components – e.g., signature panels, holographic materials, special dies – only from authorized suppliers.
Modified p. 38 → 77
b) The vendor must provide the supplier with both the street and mailing addresses of the facility, as well as names and signatures that will be ordering components.
b) The vendor must provide the supplier with both the street and mailing addresses of the vendor’s facility, as well as names and signatures of the vendor’s authorized representatives that will be ordering components.
Removed p. 39
c) An effective audit trail is comprised of a series of audit logs that must contain but are not limited to the following information:
o Description of the component or card product(s) being transferred
o Name and signature of the individual releasing the component or card product(s)
o Name and signature of the individual receiving the component or card product(s)
o Number of components or card products transferred
o Number of components used
o Number returned to vault or WIP storage
o Number rejected or damaged
o Number to be destroyed
o Date and time of transfer
o Name and signature of supervisor
o Signatures of persons inventorying components
Modified p. 39 → 77
b) All card products and components both good and rejected, including samples must be counted and reconciled prior to any transfer of responsibility.
b) All card products and components – both good and rejected, including samples – must be counted and reconciled prior to any transfer of responsibility.
Removed p. 40
p) The card component inventory log must include but is not limited to:
o The reel number or equivalent control that provides unique identification.
o Date of usage
o Customer job number
o Number of images or modules placed on cards
o Number of rejected images or modules from header and trailer scrap
o Number of and reason for rejected images
Modified p. 40 → 79
j) Card components shipping documentation under dual control.
j) Card components must be received and initially inventoried against the supplier’s shipping documentation under dual control.
Modified p. 40 → 79
k) A physical count of the boxes containing the card components must be completed at delivery to confirm accuracy of the shipper’s documents.
k) A physical count of the boxes containing the card components must be completed at delivery to confirm accuracy of the shipper’s documents.
Modified p. 40 → 79
l) An authorized employee must sign for all component stock received by the vendor. The person delivering the stock must also sign the transfer document.
l) An authorized card production staff member must sign for all component stock received by the vendor. The person delivering the stock must also sign the transfer document.
Modified p. 40 → 79
m) Card components must be transferred to the vault immediately.
m) Card components must be transferred to the vault immediately. Observe or review the process in place to verify immediate storage of card components into the vault.
Modified p. 40 → 80
b) The updated figure and the initials of the employee making the changes must be placed adjacent to the incorrect figure.
b) The updated figure and the initials of the card production staff member making the changes must be placed adjacent to the incorrect figure.
Removed p. 41
a) A log is required for items moved in or out of the vault and must contain:
o Name of the card issuer
o Type of card
o Number of cards originally placed in inventory
o Reason for transaction (e.g., job number)
o Number of cards removed from inventory
o Number of cards returned to inventory
o Balance remaining in the vault
o Date and time of activity
o Names and signatures of the employees who handled the transaction

d) At a minimum, the monthly inventory log must contain:
o Date of the review
o Name of the card issuer
o Type of card
o Number of cards indicated in the inventory
o Number of cards counted
o Name and signature of both employees who conducted the inventory

c) For each personalization batch, include:
o Initial card procurement (beginning balance)
o Card re-makes
o Cards returned to inventory
o Spoiled cards
o …
Modified p. 41 → 81
b) Two employees must create a written, physical inventory of card and card components monthly.
b) Two card production staff must create a written, physical inventory of card and card components monthly.
Modified p. 41 → 81
c) Employees performing the inventory must not have knowledge of the results of the last inventory.
c) Card production staff performing the inventory must not have knowledge of the results of the last inventory.
Modified p. 41 → 82
e) Any discrepancies must be reported to management and resolved.
e) Any discrepancies must be reported to management and resolved. Examine procedures related to discrepancies to verify they are reported to management for resolution.
Modified p. 41 → 82
a) During personalization, cards and cardholder information must be handled in a secure manner to ensure accountability.
a) During personalization, cards and cardholder data must be handled in a secure manner to ensure accountability.
Modified p. 41 → 82
b) An audit control log must be maintained for each job/sub-job (batch) designating:
o Job number
o Issuer name
o Card type
b) An audit control log must be maintained for each job/sub-job (batch) designating:
Removed p. 42
d) For accounts/envelopes, include:
o Number of accounts
o Number of card carriers printed
o Number of carriers wasted
o Number of envelopes that contain cards
o Operator name and signature
o Name and signature of an individual other than the operator, who is responsible for verifying the count

e) For PIN mailers, include:
o Number of mailers to be printed
o Number of mailers actually printed
o Wasted mailers that have been printed
o Number of mailers transferred to the mailing area/room
o Operator name and signature
o Name and signature of an individual other than the operator, who is responsible for verifying the count
4.8 Production Equipment and Card components
4.8.1 Personalization Equipment
The vendor must maintain a log of personalization equipment failures, including at a minimum:
Modified p. 42 → 83
b) Supervisor name and signature
Supervisor name and signature
Modified p. 42 → 83
c) Machine description/number
Machine description/number
Modified p. 42 → 83
g) Cause of the malfunction
4.8.2 Tipping Foil
Cause of the malfunction
3.8.2 Indent Printing Module The vendor must:
Modified p. 42 → 84
a) The vendor must shred completely used tipping foil reels containing cardholder information as follows:
o In-house,
o Under dual control, and
o The destruction can occur as frequently as the vendor deems necessary but in all cases weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA.
The destruction can occur as frequently as the vendor deems necessary but, in all cases, weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA.
Modified p. 42 → 84
b) Used tipping foil must be removed from the machine during non-production hours
b) Used tipping foil must be removed from the machine during non-production hours.
Removed p. 43
a) Use payment system proprietary typefaces within indent-printing modules only for payment system cards.

b) The log must contain at a minimum:
o Date of receipt,
o Written initials of both employees counting the cards,
o The issuer name, and
o For each package:

ii. The number of envelopes

iii. The number of cards
Modified p. 43 → 84
c) Prior to destruction e.g., shredding the foil must be stored within the HSA under dual access control.
c) Prior to destruction (e.g., shredding), the foil must be stored within the HSA under dual access control.
Modified p. 43 → 84
d) When destroyed the results must be non-readable and non-recoverable
d) When destroyed the results must be non-readable and non-recoverable. Examine a sample of waste to verify proper shredding and destruction of materials is being followed.
Modified p. 43 → 84
f) A log, pre-numbered and bound, of the destruction of the foil must be maintained and include at a minimum:
o Number of reels partial or full. All used foil must be accounted for and destroyed.
o Date and time
o Written initials of both individuals who witnessed the destruction
4.8.3 Indent Printing Module The vendor must:
f) A log, pre-numbered and bound, of the destruction of the foil must be maintained and include at a minimum:
Modified p. 43 → 85
c) Record the destruction of modules.
• Immediate destruction
Modified p. 43 → 86
a) Maintain a log of all returned cards and PIN mailers.
a) Maintain a log of all returned cards and PIN mailers. Examine polices/procedures to verify that a log is required for all returned cards and PIN mailers.
Modified p. 43 → 86
b) Store all returned cards in a secure container under dual control.
b) Store all returned cards in a secure container under dual control. Observe that a secure container is utilized to store all returned cards under dual control.
Modified p. 43 → 87
c) Either send returned cards to the issuer or destroy them as defined in Section 4.10,
c) Either send returned cards to the issuer or destroy them as defined in
Modified p. 43 → 87
d) Destroy returned PIN mailers as defined in Section 4.10 below.
d) Destroy returned PIN mailers as defined in Section 3.10 below. Observe the method of destruction of PIN mailers to verify it is in accordance with “Destruction and Audit Procedures.”
Removed p. 44
e) Destruction must be carried out in a separate room as defined in 3.3.5.3.

f) Proper destruction requires the following:
o Individuals destroying the materials must ensure that they are rendered unusable and unreadable.
o Two employees must simultaneously count and shred the material.
o Before leaving the room, both employees must ensure that all material has been destroyed and not displaced in the machinery or equipment.
o Employees must prepare, sign, and maintain a destruction document.
o Once the destruction process is initiated, the process must not be interrupted.

g) An audit log must be created which, at a minimum, contains the following information:
o Signatures of the individuals presenting waste material
o Description of item(s) to be destroyed (such as product type, job number, and issuer name)
o Signatures of the persons observing or carrying out the waste destruction
o Quantity of item(s) to be destroyed
o Date and time …
Modified p. 44 → 88
a) All waste components must be counted before being destroyed in-house and under dual control. A record of destruction by reel number and item count must be maintained for 24 months.
a) All waste components must be counted before being destroyed in-house (i.e., within the facility) and under dual control. A record of destruction by reel number and item count must be maintained for 24 months.
Modified p. 44 → 88
b) The following materials must be destroyed on a batch basis by shredding or grinding such that the resulting material cannot be reconstructed:
o Spoiled or waste card products
o Holographic materials
o Signature panels
o Sample and test cards
o Any other sensitive card component material or courier material related to any phase of the card production and personalization process.
o Destruction of chips, modules, or chip cards must ensure that the chip itself is destroyed.
b) The following materials must be destroyed on a batch basis by shredding or grinding such that the resulting material cannot be reconstructed:
Modified p. 44 → 88
c) An exception to the above is that holograms failing the hot-stamping process must be rendered unusable at the machine.
d) An exception to the above is that holograms failing the hot-stamping process must be rendered unusable at the machine.
Modified p. 44 → 88
d) The material waiting to be destroyed must be stored securely, under dual control.
e) The material waiting to be destroyed must be stored securely, under dual control.
Removed p. 45
b) The report must include but is not limited to:
o The complete and detailed chronology of events
o Cardholder account numbers
o Personal identification numbers (PINs)
o Printing plates
o Encoding or personalizing equipment
o Signature panels
o Holograms
o Electronic storage media
o Chips or any carrier containing card components
o T specification manual

i. Date and time of incident

ii. Details of companies and persons involved

iii. Details of the investigation

iv. Name, e-mail address, and telephone number of the person reporting the loss or
Modified p. 45 → 91
c) The written communication must contain information regarding the loss or theft, including but not limited to the following:
o Name of issuer
o Type of card or product
o Name and address of the vendor
o Identification of source of cards
o Description of the incident including:
c) The written communication must contain information regarding the loss or theft, including but not limited to the following:
Modified p. 45 → 91
v. Name, e-mail address, and telephone number of the person to contact for additional information (if different from the person reporting the incident)
Additional or follow-up reports should be forwarded to the VPA, issuer, and the appropriate law-enforcement agencies as activities or actions occur.
− Date and time of incident
− Details of companies and persons involved
− Details of the investigation
− Name, e-mail address, and telephone number of the person reporting the loss or theft
− Name, e-mail address, and telephone number of the person to contact for additional information (if different from the person reporting the incident)
Additional or follow-up reports should be forwarded to the VPA, issuer, and the appropriate law-enforcement agencies as activities or actions occur.
Removed p. 46
A GPS tracking device is used and monitored during transport from within the security control room. The contents are secured with tamper-evident straps and checked upon delivery. The vehicle is loaded using dual control and locked during transport. Vehicle drivers do not have a key or access to contents. Two persons are in the vehicle equipped with a device to communicate with the security control room.
2 This includes cards that have been personalized with a cardholder name, generic identifier, or no cardholder identifier.
Modified p. 46 → 92
Type of Delivery Card Volume Destination Personalized Cards Individual Mail1 Individual Package Cardholder Individual Package Cardholder Issuer, an approved vendor, or (with written issuer and VPA consent) to another destination Secure Shipment Unlimited Issuer, an approved vendor, or (with written issuer2 and VPA consent) to another destination Personalized Cards Mail Not allowed Courier Unlimited Issuer, an approved vendor, or (with written issuer2 and VPA consent) to another destination Secure Shipment Unlimited Issuer, an approved vendor, or (with written issuer2 and …
Type of Delivery Card Volume Destination Personalized Cards Individual Card Maili Individual Package Cardholder Courier Service Individual Package Cardholder Unlimited Issuer, an approved vendor, or (with written issuer and VPA consent) to another destination Secure Transport Unlimited Issuer, an approved vendor, or (with written issuer2 and VPA consent) to another destination Personalized Cards • Bulk 1 Card Mailing Not allowed Courier Service Unlimited Issuer, an approved vendor, or (with written issuer2 and VPA consent) to another destination Secure Transport
Removed p. 47
1. If the vendor has subcontracted the manufacturing process to another approved vendor, the subcontracting vendor must assume responsibility during transportation for the loss/theft/misplacement of the cards and/or materials.
Modified p. 47 → 91
a) Name of the issuer
Name and address of the vendor
Modified p. 47 → 93
2. These shipments must be documented to include at least the following information:
b) These shipments must be documented to include at least the following information:
Modified p. 47 → 93
3. The vendor must report to the VPA when a shipment request is not in compliance with these shipping requirements, and must withhold shipment until instruction from VPA is received.
c) The vendor must report to the VPA when a shipment request is not in compliance with these shipping requirements and must withhold shipment until instruction from VPA is received.
Modified p. 47 → 93
c) Reconcile all counts with amount to be shipped prior to packaging.
c) Reconcile all counts with amount to be shipped prior to packaging. Observe an example (live or recorded previous count if live not available) to verify that all counts of card products to be shipped prior to packaging are reconciled.
Modified p. 47 → 94
e) Immediately investigate and resolve discrepancies.
e) Immediately investigate and resolve discrepancies. Examine policies and procedures to verify that all discrepancies in the preparation process are immediately investigated and resolved before packaging.
Modified p. 47 → 94
d) Use containers that are uniquely numbered and labeled.
d) Use containers that are uniquely numbered and labeled. Observe an example to verify the containers are uniquely numbered and labeled.
Modified p. 47 → 94
e) Record the number of containers and cards on a packing list.
e) Record the number of containers and cards on a packing list. Observe an example to verify that the number of containers and cards on a packing list are recorded.
Modified p. 47 → 95
b) Packages that are opened or damaged must not be shipped until the contents are recounted and repackaged.
Packages that are opened or damaged must not be shipped until the contents are recounted and repackaged.
Removed p. 48
a) Personalized cards must be placed in envelopes that are nondescript (e.g., envelopes must not contain any brand or other identifying marks) and the same size and color as other envelopes with which they may be presorted or delivered to the postal service.
Removed p. 48
e) The loading and transfer process must use the shipping and delivery areas as defined in Section
Modified p. 48 → 96
Electronic distribution of PINs may occur on the same day in accordance with the Logical Security Requirements Section 10.
d) Electronic distribution of PINs may occur on the same day in accordance with the Logical Security Requirements Section 9.
Modified p. 48 → 98
c) A receipt of delivery must be signed by a representative of the receiving organization, and a signed copy of the receipt must be retained by the vendor.
f) A receipt of delivery must be signed by a representative of the receiving organization, and a signed copy of the receipt must be retained by the vendor.
Modified p. 48 → 98
a) Mail must be in tamper-evident packaging, and/or strapped to prevent the removal of envelopes, or placed in locked carts.
a) Mail must be in tamper-evident packaging and/or strapped to prevent the removal of envelopes or placed in locked carts.
Modified p. 48 → 98
c) Package labeling must not indicate the name of the vendor or issuer.
d) Labels on packages sent to the issuer must not indicate the name of the vendor.
Modified p. 48 → 98
d) If postal service mailbags are used in place of trays or locked carts, the bags must be sealed until transferred to the postal service.
e) If postal service mailbags are used in place of trays or locked carts, the bags must be sealed until transferred to the postal service.
Removed p. 49
There are four types of secure transport, as noted below:
Modified p. 49 → 99
c) The vendor must ensure packages sent by courier service contain a manifest prepared by the vendor that describes the package contents and enables content-verification upon receipt. The manifest prepared by the vendor must include but is not limited to:
o The type of each card
o The quantity per card type
o The job number(s)
o The date of shipment
o The date of receipt
o Name of receiving organization
o Name and signature of person receiving the cards
c) The vendor must ensure packages sent by courier service contain a manifest prepared by the vendor that describes the package contents and enables content-verification upon receipt. The manifest prepared by the vendor must include but is not limited to:
Modified p. 49 → 100
e) Shipping of packages must not take place on the last working day of the week or the day before a public holiday and that of the recipient facilitate the delivery in the same manner as all other working days (i.e., they are both open for business).
e) Shipping of packages must not take place on the last working day of the week or the day before a public holiday unless the courier’s operations and that of the recipient facilitate the delivery in the same manner as all other working days (i.e., they are both open for business).
Modified p. 49 → 101
c) If intermediate stops are made during transport, the carrier must ensure the integrity of the shipment remains intact. The cargo must never be left unattended unless the cargo area is armored.
c) If intermediate stops are made during transport, the carrier must ensure the integrity of the shipment remains intact:
Modified p. 49 → 101
d) If the cargo area is unarmored, the vehicle transporting the cards must be under dual control at all times (a driver accompanied by a guard) and never left unattended during the trip.
ii. If the cargo area is unarmored, the vehicle transporting the cards must be under dual control at all times (e.g., a driver accompanied by a guard) and never left unattended during the trip.
Removed p. 50
b) The vehicle transporting the cards must be under dual control at all times (a driver accompanied by a guard) and never left unattended during the trip. The vehicle must be equipped with a telephone or have two-way radio contact with the security controller.

b) A nonstop transport between the vendor location and the destination location is required whenever possible.

b) A nonstop transport between the vendor location and the destination location is required whenever possible.

c) A destination capable of handling secure cargo must be used.

f) Goods registered as consolidated cargo are not permitted.

f) Goods registered as consolidated cargo are not permitted.

g) The hand-carrying of goods is strictly prohibited.

c) The vendor must use container shipment.

d) The vendor must arrange delivery to and pick-up from dockside immediately.

e) Sea-freight service must be bonded.

g) The hand-carry of goods is strictly prohibited.
Modified p. 50 → 101
a) An accompanying vehicle must be used. This vehicle must not also be used as a card transport vehicle.
b) An accompanying escort vehicle must be used in conjunction with the unarmored transport vehicle. This vehicle must not also be used as a card transport vehicle.
Modified p. 50 → 102
d) Deliveries must be direct (point to point), i.e., non-emergency stops are not permitted.
f) The transport between the vendor location and the destination location must be non-stop whenever possible, i.e., non-emergency stops are not permitted.
Modified p. 50 → 102
d) If intermediate stops are made during air transport, the vendor must ensure the integrity of the shipment remains intact.
h) If intermediate stops are made during air transport, the vendor must ensure the integrity of the shipment remains intact.
Modified p. 50 → 103
e) If any ground storage is required before, during, or after the flight, the location must be secured and inaccessible to unauthorized personnel.
j) If any ground storage is required before, during, or after the flight, the location must be secured and inaccessible to unauthorized personnel.
Modified p. 50 → 107
b) The vendor must:
o Have access to the names and signatures of individuals who are authorized to collect and deliver shipments.
o Verify the identity of personnel arriving to collect or deliver shipments.
o Confirm the identity with the signature list.
a) Have access to the names and signatures of individuals who are authorized to collect and deliver shipments.
Modified p. 51 → 108
d) If there is evidence that a container has been tampered with, is missing, or is not received as scheduled at its final destination, the requirements for loss or theft of card products (Section 4.11) must be followed, and there must be no further movement of the shipment without notification to the issuer and VPA.
d) If there is evidence that a container has been tampered with, is missing, or is not received as scheduled at its final destination, the requirements for loss or theft of card products (Section 3.11) must be followed, and there must be no further movement of the shipment without notification to the issuer and VPA.
Modified p. 51 → 108
e) Obtain positive confirmation of receipt of shipment.
e) Obtain positive confirmation of receipt of shipment. Examine shipping activity logs to verify that positive confirmation of receipt of shipment is obtained by the vendor.
Modified p. 51 → 108
b) The consignment must be received under dual control.
b) The consignment must be received under dual control. Examine shipping activity logs to verify that the consignments of returned card components are received under dual control.
Modified p. 51 → 108
c) Whilst under dual control, the consignment must be inventoried and handled as defined in (Section 4.7).
c) Whilst under dual control, the consignment must be inventoried and handled as defined in “Audit Controls” (Section 3.7).
Modified p. 51 → 109
d) Documentation of the shipment must be maintained for 24 months and must include:
o Item description
o Sequential identification numbers (if applicable)
o Reel numbers
o Total quantity returned
o Recipient name and signatures
o Destination or origination address
o Shipping or receipt date and time
d) Documentation of the shipment must be maintained for 24 months and must include:
Modified p. 51 → 109
i) At shipment, the vendor must verify the authorized signatures prior to transfer.
f) At shipment, the vendor must verify the authorized signatures prior to transfer.
Removed p. 52
10. If the clear-text PIN is available outside the printer at any time (e.g., in the memory of the controlling system or PC), the entire PIN printing system (including the HSM) must:

a) Be in a dedicated PIN printing room as defined in the Section 3.3.5.4 of this document,
Modified p. 52 → 110
The PIN printing system may be a single, integrated device with multiple components (e.g., control system, HSM, and printer) or a system of separate components with dedicated functionality, connected via cables.
The PIN-printing system may be a single, integrated device with multiple components (e.g., control system, HSM, and printer) or a system of separate components with dedicated functionality, connected via cables.
Modified p. 52 → 110
a) Cards will not be activated or loaded with a stored value until they have reached their destination, and
Cards will not be activated or loaded with a stored value until they have reached their destination, and
Modified p. 52 → 110
b) The issuer accepts all risk inherent in shipping or mailing cards and PINs together.
The issuer accepts all risk inherent in shipping or mailing cards and PINs together.
Modified p. 52 → 111
5. Clear-text PINs must never be available on any system on the personalization network.
Examine documentation to verify that clear-text PINs are never to be available on any system on the personalization network.
Modified p. 52 → 112
b) Only be made operational after physical review of the cabling has been performed and it is confirmed that there is no evidence of tampering.
Only be made operational after physical review of the cabling has been performed and it is confirmed that there is no evidence of tampering.
Removed p. 53
a) The personalization HSA

b) A dedicated PIN printing room within the personalization HSA

c) A separate HSA that meets the physical and logical requirements for a personalization HSA
Modified p. 53 → 112
d) Additionally, all of the following requirements must be fulfilled:
Additionally, all of the following requirements must be fulfilled: Examine policies/procedures to verify that each of the following is required:
Modified p. 53 → 112
e) The printer must be locked under dual control before the print job starts and any PINs are decrypted.
The printer must be locked under dual control before the print job starts and any PINs are decrypted.
Modified p. 53 → 112
f) The HSM in the printer must be under dual control at all times.
The HSM in the printer must be under dual control at all times. Observe that the HSM is handled under dual control at all times.
Modified p. 53 → 113
g) The print job must only be started after a physical review of the chassis and cabling has been performed and it is confirmed that there is no evidence of tampering.
Observe the PIN process to verify that a physical review of the chassis and cabling has been performed, and there is no evidence of tampering.
Modified p. 53 → 113
h) The clear-text PIN must only be available inside a securely locked and covered area of the machine for the minimum time required for printing and must not be stored.
The clear-text PIN must only be available inside a securely locked and covered area of the machine for the minimum time required for printing and must not be stored.
Modified p. 53 → 113
i) The printed PIN must not be visible from outside the machine at any time, i.e., the machine must be covered to prevent observation and the covers must be locked in place with dual control locks.
The printed PIN must not be visible from outside the machine at any time, i.e., the machine must be covered to prevent observation and the covers must be locked in place with dual-control locks.
Modified p. 53 → 113
j) The PIN must be concealed in tamper-evident packaging immediately after printing and before leaving the secured confines of the printer.
The PIN must be concealed in tamper-evident packaging immediately after printing and before leaving the secured confines of the printer.
Modified p. 54 → 114
Section 2 - Personnel All X X X All requirements applicable
Section 1 - Personnel All X X X All requirements applicable
Modified p. 54 → 114
Section 3 Premises All X X X All requirements applicable
Section 2 Facilities All X X X All requirements applicable
Modified p. 54 → 114
Section 4 Production Procedures and Audit Trails 4.1 X X X Only 4.1c applies for mobile provisioning
Section 3 Production Procedures and Audit Trails 3.1 X X X Only 3.1c applies for mobile provisioning
Modified p. 54 → 114
Section 5 Packaging and Delivery Requirements All X All requirements applicable
Section 4 Packaging and Delivery Requirements All X All requirements applicable
Modified p. 54 → 114
Section 6 PIN Printing and Packaging of Non-personalized Prepaid Cards All X All requirements applicable
Section 5 PIN Printing and Packaging of Non-personalized Prepaid Cards All X All requirements applicable
Removed p. 55
All systems commonly impacted by malicious software and similar vulnerabilities, such as personal computers and servers, must meet these criteria. Additionally, all user management, including password controls, must be implemented except where the platform does not support that degree of granularity. Regardless, controls must be implemented to the degree possible.

B.1 User Management The vendor must:
Modified p. 55 → 115
a) Ensure that procedures are documented and followed by security personnel responsible for granting access to the CCTV and access control systems
a) Ensure that procedures are documented and followed by security personnel responsible for granting access to the CCTV and access-control systems.
Modified p. 55 → 116
g) Ensure security guards do not have administrative access.
g) Ensure security guards do not have administrative access. Examine names of people with administrative access and cross reference with names of security guards to verify the guard names do not have administrative access.
Modified p. 55 → 116
h) Prevent remote administrative access from outside the facility
h) Prevent remote administrative access from outside the facility, except as used in conjunction with an approved SOC.
Modified p. 55 → 116
k) Ensure that when generic administrative accounts are used, the password is managed under dual control where no individual has access to the full password. Each component of the password must comply with the password control requirements in the next section.
k) Ensure that when generic administrative accounts are used, the password is managed under dual control where no individual has access to the full password. Each component of the password must comply with the password control requirements in the next section except for password length where an exception condition exists.
Modified p. 55 → 116
l) Validate all system access at least quarterly.
l) Validate all system access at least quarterly. Examine documentation to verify that (at least quarterly) all system access is reviewed.
Modified p. 55 → 116
m) Revalidate employee access to any systems upon a change of duties.
m) Revalidate card production staff to any systems upon a change of duties.
Modified p. 55 → 116
n) Ensure that access controls enforce segregation of duties.
n) Ensure that access controls enforce segregation of duties. Examine documentation to verify that access controls enforce segregation of duties.
Modified p. 55 → 116
o) Strictly limit privileged or administrative access and ensure such access is approved by both
o) Strictly limit privileged or administrative access and ensure such access is approved by both the user’s manager and the physical security manager.
Removed p. 56
i. Upper-case letters

ii. Lower-case letters

iv. Special characters

k) ity is verified prior to resetting a user password.
Modified p. 56 → 117
B.2 Password Control B.2.1 General The vendor must:
B.2 Password Control Requirement Test Procedure B.2.1 General The vendor must:
Modified p. 56 → 117
b) Implement procedures for handling lost, forgotten and compromised passwords.
b) Implement procedures for handling lost, forgotten, and compromised passwords.
Modified p. 56 → 117
c) Distribute password procedures and policies to all users who have access to cardholder information or any system used as part of the personalization process.
c) Distribute password procedures and policies to all users who have access to cardholder data, or any system used as part of the personalization process.
Modified p. 56 → 117
d) Ensure that only users with administrative privileges can adm passwords.
d) Ensure that only users with administrative privileges can administer other users’ passwords.
Modified p. 56 → 118
b) Newly issued passwords are changed on first use. c)
b) Newly issued passwords are changed on first use. Examine system configuration settings to verify that newly issued passwords are changed on first use.
Modified p. 56 → 118
d) Systems enforce password lengths of at least eight characters.
d) Systems enforce password lengths of at least 12 characters or an equivalent strength.
Modified p. 56 → 118
g) Passwords are not displayed during entry.
g) Passwords are not displayed during entry. Observe a sample of user logons to validate that passwords are not displayed in clear text during entry.
Removed p. 57
l) Authentication credentials to the tokenization process are secured to prevent unauthorized disclosure and use.

B.5 Anti-virus software or programs The vendor must:

a) Define, document, and follow procedures to demonstrate:
o Identification of security alerts e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT)
o Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components
o Inventory of current systems in the environment including information about installed software components and about running services
Modified p. 57 → 119
B.3 Session Locking The vendor must enforce the locking of an inactive session within a maximum of 15 minutes. If the system does not permit session locking, the user must be logged off after the period of inactivity.
B.3 Session Locking Requirement Test Procedure The vendor must enforce the locking of an inactive session within a maximum of 15 minutes. If the system does not permit session locking, the user must be logged off after the period of inactivity.
Modified p. 57 → 120
c) Locked accounts must only be unlocked by the security administrator. Alternatively, user accounts may be unlocked via automated password reset mechanisms. Challenge questions with answers that only the individual user would know must be used. These questions must be designed such that the answers are not information that is available elsewhere in the organization, such as in the Human Resources Department. d) until it is removed. e) being compromised.
c) Locked accounts must only be unlocked by the security administrator. Alternatively, user accounts may be unlocked via automated password reset mechanisms. Challenge questions with answers that only the individual user would know must be used. These questions must be designed such that the answers are not information that is available elsewhere in the organization, such as in the Human Resources Department.
Modified p. 57 → 121
b) Deploy anti-virus software on all systems potentially affected by malicious software e.g., personal computers and servers.
b) Deploy anti-virus software on all systems potentially affected by malicious software, e.g., personal computers and servers.
Modified p. 57 → 122
e) Check for anti-virus updates at least daily, and install updates in a manner consistent with Patch Management. Documentation must exist for why any updates were not installed.
e) Check for anti-virus updates at least daily and install updates in a manner consistent with patch management. Documentation must exist for why any updates were not installed.
Removed p. 58
B.7 Audit Logs The vendor must:
Modified p. 58 → 123
e) Ensure that the configuration of all system components associated with data transmission, storage, and personalization are validated against the authorized configuration monthly.
e) Ensure that the configuration of the ACS and CCTV systems is validated against the authorized configuration monthly.
Modified p. 58 → 124
i) Implement critical patches to all Internet-facing system components within 7 business days of release. When this is not possible the CISO, security manager, and IT director must clearly record that they understand that a critical patch is required and authorize its implementation within a maximum of 30 business days.
i) Implement critical patches to all Internet-facing system components within seven business days of release. When this is not possible the CISO, IT security manager, and IT director must clearly record that they understand that a critical patch is required and authorize its implementation within a maximum of 30 business days.
Modified p. 58 → 125
a) Ensure that audit logs exist for the CCTV and access control systems. This includes operating system logs, security software logs or product logs and application logs containing security events.
a) Ensure that audit logs exist for the CCTV and access-control systems. This includes operating system logs, security software logs or product logs and application logs containing security events.
Modified p. 58 → 125
i. User identification
User identification
Modified p. 58 → 125
iii. Valid date and time stamp
Valid date and time stamp
Modified p. 58 → 125
iv. Success or failure indication
Success or failure indication
Modified p. 58 → 125
v. Origination of the event
Origination of the event
Modified p. 58 → 125
vi. Identity or name of the affected data, system component, or resources
Identity or name of the affected data, system component, or resources
Modified p. 58 → 125
vii. Access to audit logs
Access to audit logs
Modified p. 58 → 125
viii. Changes in access privileges
Changes in access privileges
Modified p. 60 → 184
Authorized Personnel Employees who have been authorized by the security manager or other executive to undertake specific roles or functions
Card Components This includes sensitive materials such as, but not limited to
Authorized Personnel Card production staff who have been authorized by the physical security manager or other executive to undertake specific roles or functions
Card Components This includes sensitive materials such as, but not limited to
Modified p. 60 → 185
f) Hologram and signature panel hot stamping
Card Products Cards and the components required to manufacture a credit or debit card, such as plastic sheets, chips, contact plates, etc.
Card Products Cards and the components required to manufacture a credit or debit card, such as plastic sheets, chips, contact plates, etc.
Modified p. 61 → 185
Chip Personalization Any process that writes issuer- or cardholder-specific data to the integrated circuit on the card. Generally includes:
Chip Personalization Any process that writes issuer-or cardholder-specific data to the integrated circuit on the card. Generally, includes:
Modified p. 61 → 185
Cloud-Based Provisioning Preparation and delivery of Host Card Emulation data to a device
COTS Commercial off-the-shelf (consumer-grade) devices such as mobile phones and tablets.
Cloud-Based Provisioning Preparation and delivery of Host Card Emulation data to a device.
Modified p. 61 → 186
Dual Presence Two or more individuals are in the HSA as a whole. This does not supplant or replace any requirements for dual control. For example if three people are in the HSA, and two go into a room that requires dual control, the requirement for dual presence in the HSA as a whole is still met.
Dual Presence Two or more individuals are in the HSA as a whole. This does not supplant or replace any requirements for dual control. For example, if three people are in the HSA, and two go into a room that requires dual control, the requirement for dual presence in the HSA as a whole is still met.
Modified p. 61 → 187
e) Payment brand security characters
Goods-Tools Trap Controlled area for transfer of materials between two areas.
Goods-Tools Trap Controlled area for transfer of materials between two areas.
Modified p. 62 → 187
HSA Rooms HSA rooms are enclosed spaces with controlled access in production facilities where card products, components, or data are stored or processed, and are where card-production activities occur.
Hostile Vehicle Mitigation (HVM) Methods to mitigate and reduce the risk of vehicles penetrating concerned areas
HSA Rooms HSA rooms are enclosed spaces with controlled access in production facilities where card products, components, or data are stored or processed, and are where card-production activities occur.
Removed p. 63
Security Manager Manager designated with the overall responsibility for physical security for the card production and provisioning facility. The Security Manager must not report to the production manager or director. There must also be a nominated Deputy Security Manager to cover when the Security manager is not on site.
Modified p. 63 → 190
Security Components Security features that protect the card and may vary from payment brand to payment brand e.g., holographic materials, signature panels, indent-printing modules when not installed.
Security Components Security features that protect the card and may vary from payment brand to payment brand – e.g., holographic materials, signature panels, indent-printing modules when not installed.
Modified p. 63 → 190
Vendor The legal entity and its associated premises that undertakes card production or provisioning.
Vendor The legal entity and its associated facilities that undertakes card production or provisioning.