Document Comparison

PCI_Card_Production_SR_FAQs_v3_July_2025.pdf PCI_Card_Production_SR_FAQs_v3_October_2025.pdf
98% similar
42 → 43 Pages
16447 → 16680 Words
73 Content Changes

Content Changes

73 content changes. 32 administrative changes (dates, page numbers) hidden.

Added p. 17
• An approved key-generation function of a PCI approved HSM

• An approved key-generation function of a FIPS 140-2 or 140-3 Level 3 (or higher) for physical security HSM

• An approved random number generator that has been certified by an independent qualified laboratory according to NIST SP 800-22.

Q 22 October 2025 - In light of NIST clarifying that the purpose and use of the statistical test suite in NIST SP 800-22 (A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic) is not suitable for use in assessing cryptographic random number generators, what is the impact for protection of confidential data? A The vendor must generate keys and key components using a random or pseudo-random process in one of the following:

• An approved key-generation function of a PCI approved HSM

• Or if …
Added p. 31
• The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical, e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access. The access mechanism requires that access occurs under dual control and does not allow entry by a single individual, i.e., it is not feasible for a single individual to use credentials belonging to someone else to simulate dual access.
Added p. 36
• Good sheets

• Rejected sheets

• Set-up sheets

• Quality control sheets

• Unused core sheets
Modified p. 3
PaymentProductsCertification@aexp.com
PaymentProductsCertification@aexp.com

• Discover:
Modified p. 3
DN_CARD_REQUEST@discover.com riskmanagement@info.jcb.co.jp
DN_CARD_REQUEST@discover.com riskmanagement@info.jcb.co.jp

• Mastercard:
Modified p. 6
• PAN, expiry, service code, cardholder name, Track 2, or Track 2 equivalent

• Vendor evidence preserving data

• Authentication credentials for requesting tokens

• Mobile Station International Subscriber Directory Number (number used to identify a mobile phone number)
• PAN, expiry, service code, cardholder name, Track 2, or Track 2 equivalent

• TLS keys

• Vendor evidence preserving data

• Authentication credentials for requesting tokens

• Mobile Station International Subscriber Directory Number (number used to identify a mobile phone number)
Modified p. 7
Requirement 3.6. Are hard drives in desktops, servers, and storage area networks (SANs) considered removable media? A No. Internal hard drives are not considered removable media. Removable electronic media is media that stores digitized data, and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives, and external/portable hard drives.
Q 12 November 2015

• Removable media is subject to a number of restrictions as defined in
Requirement 3.6. Are hard drives in desktops, servers, and storage area networks (SANs) considered removable media? A No. Internal hard drives are not considered removable media. Removable electronic media is media that stores digitized data, and which can be easily removed and/or transported from one computer system to another. Examples of removable electronic media include CD-ROM, DVD-ROM, USB flash drives, and external/portable hard drives.
Modified p. 9
a) Maintain a current network topology diagram that includes all system components on the network.
a) Maintain a current network topology diagram that includes all system components on the network. The diagram must clearly define the boundaries of all networks.
Modified p. 11
Quarterly with review after every firewall configuration change.
• Monthly, or

• Quarterly with review after every firewall configuration change.
Modified p. 13
• Consideration of the Common Vulnerability Scoring System (CVSS) base score,
• Consideration of the Common Vulnerability Scoring System (CVSS) base score, and/or
Modified p. 17
It cannot adversely affect the security features of the product that are relevant to the PCI HSM certification.
It cannot adversely affect the security features of the product that are relevant to the PCI HSM certification.
Modified p. 17
It cannot modify any of the cryptographic functionality of the HSM or introduce new primitive cryptographic functionality.
It cannot modify any of the cryptographic functionality of the HSM or introduce new primitive cryptographic functionality.
Modified p. 17
The application is strongly authenticated to the HSM by digital signature.
The application is strongly authenticated to the HSM by digital signature.
Modified p. 17
The application does not have access to sensitive keys.
The application does not have access to sensitive keys.
Modified p. 17
Section 8 - Key Management: Confidential Data No FAQ in this section - Reserved for future use.
Section 8 - Key Management: Confidential Data 8.1 General Principles 8.1.g The vendor must generate keys and key components using a random or pseudo-random process using one of the following:
Removed p. 18
• Gathered as part of the hiring process and periodically thereafter:
Modified p. 18 → 19
Gathered as part of the hiring process:
Gathered as part of the hiring process:
Modified p. 18 → 19
- Fingerprints and results of search against national and regional criminal records
- Fingerprints and results of search against national and regional criminal records

• Gathered as part of the hiring process and periodically thereafter:
Removed p. 19
• Physical master keys that provide access to card production or provisioning areas
Modified p. 19 → 20
Any restricted areas where the vendor processes, stores, or delivers card products and card components.
• Employee records

• Physical master keys that provide access to card production or provisioning areas

• Audit logs

• Any restricted areas where the vendor processes, stores, or delivers card products and card components.
Modified p. 20 → 21
The visitor must be instructed on its proper use.
The visitor must be instructed on its proper use.
Modified p. 20 → 21
The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
The vendor must program the visitor access badge or card to enable the tracking of movement of all visitors. It should be activated only for areas that the visitor is authorized to enter.
Modified p. 20 → 21
Visitors must use their access card in the card readers to the room into which they enter.
Visitors must use their access card in the card readers to the room into which they enter.
Modified p. 20 → 21
Badging to track access must be used.
Badging to track access must be used.
Removed p. 21
• Agent’s role or responsibility
Modified p. 21 → 22
Agent’s name, address, and telephone numbers
Agent’s name, address, and telephone numbers

• Agent’s role or responsibility
Removed p. 23
• 16-gauge metal studs are used with 12inch (305mm) on center

• 0.75inch #9 steel mesh or 3/4inch #9 or 19mm #9

• Thickness 0.120 inches (3mm) 0.01-inch tolerance (0.5mm)
Modified p. 23 → 24
Expanded metal mesh is anchored to the stud with vendor supplied mesh anchors every 12 inches (305mm) and installed per the manufacturer’s requirements.
• 16-gauge metal studs are used with 12inch (305mm) on center

• 0.75inch #9 steel mesh or 3/4inch #9 or 19mm #9

• Thickness 0.120 inches (3mm) 0.01-inch tolerance (0.5mm)

• Expanded metal mesh is anchored to the stud with vendor supplied mesh anchors every 12 inches (305mm) and installed per the manufacturer’s requirements.
Modified p. 23 → 24
2.3.2.2.q The vendor must have mechanisms in place to prevent observation of security equipment, e.g., CCTV monitors, inside the security control room. One example would be covering all security control room windows with a one-way mirror film or other material preventing viewing from outside.
e.g., CCTV monitors, inside the security control room. One example would be covering all security control room windows with a one-way mirror film or other material preventing viewing from outside.
Modified p. 24 → 25
Q 13 May 2017 - Under what circumstances, if any, can DVRs be located in the HSA? Be protected from access by unauthorized personnel. For example, they are installed in:
Q 13 May 2017 - Under what circumstances, if any, can DVRs be located in the HSA? Be protected from access by unauthorized personnel. For example, they are installed in:
Modified p. 24 → 25
Either not have network capability or, if present, policies and procedures must exist to prevent the enablement or usage of the network capability.
Either not have network capability or, if present, policies and procedures must exist to prevent the enablement or usage of the network capability.
Modified p. 24 → 25
Does this preclude the existence of test and non-production servers and HSMs from existing in the HSA? A Equipment that is purely associated with test activities is not allowed in the HSA. Test (non-production) keys and test (non-production) data cannot be used with production equipment. Cards for testing that use production keys and/or data must be produced using production equipment.
Q 14 January 2015 - Only card production related activities shall take place within the HSA. Does this preclude the existence of test and non-production servers and HSMs from existing in the HSA? A Equipment that is purely associated with test activities is not allowed in the HSA. Test (non-production) keys and test (non-production) data cannot be used with production equipment. Cards for testing that use production keys and/or data must be produced using production equipment.
Removed p. 25
• Card Product and Component Destruction Room(s)

• PIN Mailer Production Room
Modified p. 25 → 26
Q 19 July 2013 - Requirement 2.3.4 specifies controls that must be applied to all rooms within the High Security Area (HSA) and Requirement 2.3.5 specifies the following as rooms that may exist within the HSA:

• Work in Progress (WIP) Storage Room
Q 19 July 2013 - Requirement 2.3.4 specifies controls that must be applied to all rooms within the High Security Area (HSA) and Requirement 2.3.5 specifies the following as rooms that may exist within the HSA:
Modified p. 25 → 26
Server Room & Key Management Room Do the controls specified apply to other rooms within the HSA? A Yes. They apply to all rooms in the HSA. Non-compliant rooms must be either closed off or reconfigured to no longer be separate rooms.
• Pre-Press Room

• Work in Progress (WIP) Storage Room

• Card Product and Component Destruction Room(s)

• PIN Mailer Production Room

• Server Room & Key Management Room

Do the controls specified apply to other rooms within the HSA? A Yes. They apply to all rooms in the HSA. Non-compliant rooms must be either closed off or reconfigured to no longer be separate rooms.
Removed p. 26
Q 22 December 2013 - For purposes of 2.3.5, do elevators, stairwells, closets, and glass-enclosed rooms (e.g., conference rooms or other room types) constitute a room? A If an elevator has a door, access to it must be controlled. Stairwells are not a room if they do not have doors. Closets would not be considered a room if a person could not physically enter. However, a storage room with a door is considered a room. Glass-enclosed rooms are also considered rooms for purposes of this requirement.
Modified p. 26 → 27
Q 21 December 2013 - Separate rooms within the HSA must meet all the requirements in
Q 21 December 2013 - Separate rooms within the HSA must meet all the requirements in Section 2.3.4, with the exception of person-by-person access. If a room cannot or will not be made to meet these requirements, what options exist? A The card vendor has three options:
Modified p. 26 → 27
Close off the room from accessibility to anyone with HSA access.
Close off the room from accessibility to anyone with HSA access.
Modified p. 26 → 27
Reconfigure smaller rooms into a larger room meeting the requirements.
Reconfigure smaller rooms into a larger room meeting the requirements.
Modified p. 26 → 27
Convert non-compliant rooms into spaces within an HSA that are no longer fully enclosed, e.g., by removing doors.
Convert non-compliant rooms into spaces within an HSA that are no longer fully enclosed, e.g., by removing doors.
Removed p. 27
• Clear plastic flaps hanging from the door
Modified p. 27 → 28
Q 25 October 2014 − Are any of these options acceptable to implement in lieu of implementing the controls for separate rooms under this section: • Glass doors without locks and a fully lit room
Q 25 October 2014 − Are any of these options acceptable to implement in lieu of implementing the controls for separate rooms under this section:
Modified p. 27 → 28
Swinging or sliding glass doors that do not have any type of closure mechanism? A Glass doors without locks and swinging or sliding doors are not acceptable. Clear plastic flaps hanging from the door or no door at all are the only viable options.
• Glass doors without locks and a fully lit room

• Clear plastic flaps hanging from the door

• Swinging or sliding glass doors that do not have any type of closure mechanism? A Glass doors without locks and swinging or sliding doors are not acceptable. Clear plastic flaps hanging from the door or no door at all are the only viable options.
Modified p. 27 → 28
Q 27 March 2015 - Can the following processes be performed in the rooms outside the high security areas:

• Design development (external graphical view) of a plastic card,
Q 27 March 2015 - Can the following processes be performed in the rooms outside the high security areas:
Modified p. 27 → 28
Printing the plastic cards designs/rough copies with your company logo on a printer, Preparation of a file containing the plastic card design for output to CTP devices (not an output itself, but only the preparation)? A Work that is purely design work does not need to occur in the HSA. But where the machinery is present that enables the production of the design, e.g., the plates or the printing of high-resolution images and any pre-production samples, it must be …
• Design development (external graphical view) of a plastic card,

• Printing the plastic cards designs/rough copies with your company logo on a printer, Preparation of a file containing the plastic card design for output to CTP devices (not an output itself, but only the preparation)? A Work that is purely design work does not need to occur in the HSA. But where the machinery is present that enables the production of the design, e.g., the plates or the printing …
Removed p. 28
• A separate rack in a server room, or
Modified p. 28 → 29
In a provisioning-only entity, housed in a separate room or cage in a data center.
• A separate rack in a server room, or

• In a provisioning-only entity, housed in a separate room or cage in a data center.
Modified p. 29 → 30
Cards awaiting personalization Security components Materials awaiting destruction Samples and test cards prior to distribution and after return Any card that is personalized with production data If the facility is closed, personalized cards that will not be shipped within the same working day Products awaiting return to the supplier
Cards awaiting personalization Security components Materials awaiting destruction Samples and test cards prior to distribution and after return Any card that is personalized with production data If the facility is closed, personalized cards that will not be shipped within the same working day Products awaiting return to the supplier
Removed p. 30
• The vault must be fitted with a main steel-reinforced door with a dual-locking mechanism (mechanical and/or logical, e.g., mechanical combination and biometrics) that requires physical and simultaneous dual-control access. The access mechanism requires that access occurs under dual control and does not allow entry by a single individual, i.e., it is not feasible for a single individual to use credentials belonging to someone else to simulate dual access.
Modified p. 30 → 31
An outside wall of the building must not be used as a wall of the vault.
An outside wall of the building must not be used as a wall of the vault.
Modified p. 30 → 31
If the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., via motion sensors.
If the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., via motion sensors.
Modified p. 30 → 31
No windows are permitted.
No windows are permitted.
Modified p. 30 → 31
There must be no access to the vault except through the vault doors and gate configurations meeting these requirements. The vault must be protected with a sufficient number of intruder-detection devices that provide an early attack indication, e.g., seismic, vibration/shock, microphonic wire, microphone, etc.
There must be no access to the vault except through the vault doors and gate configurations meeting these requirements. The vault must be protected with a sufficient number of intruder-detection devices that provide an early attack indication, e.g., seismic, vibration/shock, microphonic wire, microphone, etc.
Modified p. 31 → 32
Vaults existing prior to the March 2015 publication date that do not meet the requirement must comply with the following:
Vaults existing prior to the March 2015 publication date that do not meet the requirement must comply with the following:
Modified p. 31 → 32
Q 40 August 2020 - Vaults must be constructed of reinforced concrete (minimum 15 centimeters or 6 inches) or at least meet the Underwriters Laboratories Class 1 Burglary Certification Standard (e.g., UL 608), which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces, i.e., vault doors, walls, floors and ceilings. Can materials certified to the European Standard EN 1143-1 Secure storage units - Requirements, classification and methods of test for resistance to burglary - …
Vaults must be constructed of reinforced concrete (minimum 15 centimeters or 6 inches) or at least meet the Underwriters Laboratories Class 1 Burglary Certification Standard (e.g., UL 608), which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces, i.e., vault doors, walls, floors and ceilings. Can materials certified to the European Standard EN 1143-1 Secure storage units - Requirements, classification and methods of test for resistance to burglary - Part 1: Safes, …
Removed p. 35
• Quality control sheets
Modified p. 35 → 36
Q 48 September 2016 - Accountability forms must be used to account for information regarding core sheets used for each order. Specifically:

• Quality control sheets
Q 48 September 2016 - Accountability forms must be used to account for information regarding core sheets used for each order. Specifically:
Modified p. 35 → 36
Unused core sheets Does this apply to “make ready” sheets? A The audit or accountability forms only apply to make ready sheets if they are of the same quality as production sheets. Make ready sheets are normally lower quality sheets not suitable for production, e.g., make ready sheets are typically uniquely colored and are made from a sub-grade material and are used to get the press running and stabilize the flow of ink within the machine. The material cannot be …
• Good sheets

• Rejected sheets

• Set-up sheets

• Quality control sheets

• Unused core sheets

Does this apply to “make ready” sheets? A The audit or accountability forms only apply to make ready sheets if they are of the same quality as production sheets. Make ready sheets are normally lower quality sheets not suitable for production, e.g., make ready sheets are typically uniquely colored and are made from a sub-grade material and are used to get the press running …
Modified p. 36 → 37
Description of the component or card product(s) being transferred Name and signature of the individual releasing the component or card product(s) Name and signature of the individual receiving the component or card product(s) Number of components or card products transferred Number of components used Number returned to vault or WIP storage Number rejected or damaged Number to be destroyed Date and time of transfer Name and signature of supervisor
Description of the component or card product(s) being transferred Name and signature of the individual releasing the component or card product(s) Name and signature of the individual receiving the component or card product(s) Number of components or card products transferred Number of components used Number returned to vault or WIP storage Number rejected or damaged Number to be destroyed Date and time of transfer Name and signature of supervisor
Removed p. 37
• Under dual control, and
Modified p. 37 → 38
Number of mailers to be printed Number of mailers actually printed Wasted mailers that have been printed Number of mailers transferred to the mailing area/room Operator name and signature Name and signature of an individual other than the operator who is responsible for verifying the count.
Number of mailers to be printed Number of mailers actually printed Wasted mailers that have been printed Number of mailers transferred to the mailing area/room Operator name and signature Name and signature of an individual other than the operator who is responsible for verifying the count.
Modified p. 37 → 38
The destruction can occur as frequently as the vendor deems necessary but, in all cases, weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA
• In-house,

• Under dual control, and

• The destruction can occur as frequently as the vendor deems necessary but, in all cases, weekly at a minimum. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA
Removed p. 38
• Spoiled or waste card products

• Holographic materials

• Sample and test cards
Modified p. 38 → 39
Any other sensitive card component material or courier material related to any phase of the card production and personalization process.
• Spoiled or waste card products

• Holographic materials

• Signature panels

• Sample and test cards

• Any other sensitive card component material or courier material related to any phase of the card production and personalization process.
Modified p. 39 → 40
The shredder or granulator meets the DIN66399-P5 standard for shredded material.
The shredder or granulator meets the DIN66399-P5 standard for shredded material.
Modified p. 39 → 40
The evacuation system tubing is permanently fixed to the HSA wall.
The evacuation system tubing is permanently fixed to the HSA wall.
Modified p. 39 → 40
The aperture of the security mesh protecting the opening through the HSA wall must prevent the pass-through of material larger than material shredded to DIN66399-P5. The mesh holes must not exceed 3cm on the square, which will not allow larger particles of cards through, but will not disrupt the flow of compliant shredded material, to prevent the blockage of the tube.
The aperture of the security mesh protecting the opening through the HSA wall must prevent the pass-through of material larger than material shredded to DIN66399-P5. The mesh holes must not exceed 3cm on the square, which will not allow larger particles of cards through, but will not disrupt the flow of compliant shredded material, to prevent the blockage of the tube.
Modified p. 39 → 40
The vendor must review the output at least weekly to verify that the output is completely shredded to at least a P5 level and document that review. This must be validated by the assessor as part of their review.
The vendor must review the output at least weekly to verify that the output is completely shredded to at least a P5 level and document that review. This must be validated by the assessor as part of their review.
Modified p. 42 → 43
Housed within a facility certified to the PCI Card Production and Provisioning Standard.
Housed within a facility certified to the PCI Card Production and Provisioning Standard.
Modified p. 42 → 43
Housed within a location that meets the requirements defined for a Security Control Room within the PCI Card Production and Provisioning Physical Security Requirements.
Housed within a location that meets the requirements defined for a Security Control Room within the PCI Card Production and Provisioning Physical Security Requirements.
Modified p. 42 → 43
Housed within the SOC.
Housed within the SOC.
Modified p. 42 → 43
Housed in a separated room under access control.
Housed in a separated room under access control.
Modified p. 42 → 43
Monitored by CCTV surveillance.
Monitored by CCTV surveillance.