Document Comparison
Card_Prod_Security_Rqrmts_FAQs_v1_July_2015.pdf
→
Card_Prod_Security_Rqrmts_FAQS_v1_1_March_2016.pdf
72% similar
Pages: 24 → 28
Words: 9126 → 9376
Content Changes
76 content changes. 30 administrative changes (dates, page numbers) hidden.
Added
p. 4
Section 2
• Roles and Responsibilities This section defines requirements that apply for the various roles and responsibilities relating to the management of the vendor’s security policies and procedures. These requirements relate to:
• Information security personnel
• Assignment of security duties
2.1 Information Security Personnel
a) The vendor must designate, in writing, a senior manager with adequate security knowledge to be responsible for the vendor’s Information Security Management. These requirements refer to this person as the “Chief Information Security Officer” (“CISO”).
b) The CISO must be an employee of the vendor.
c) The CISO must, on a monthly basis, report to executive management the current status of security compliance and issues that pose potential risks to the organization.
Added
p. 4
i. Be responsible for compliance to these requirements.
ii. Have sufficient authority to enforce the requirements of this document.
iii. Not perform activities that they have the responsibility for approving.
iv. Designate a back-up person who is qualified and empowered to act upon critical security events in the event the CISO is not available.
b) When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed.
c) Where managers have security compliance responsibilities, the activities for which the manager has responsibility must be clearly defined.
d) Staff responsible for day-to-day production activities must not be assigned security compliance assessment responsibility for the production activities that they perform.
Q 2 November 2015 - The CISO must be an employee of the company. In the event the CISO is not available, there must be a designated back-up person …
Added
p. 6
a) All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification.
b) All removable media must be securely stored, controlled, and tracked.
c) All removable media within the HSA must be in the custody of an authorized individual.
d) A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain:
iii. Name and signature of current custodian
iv. Name and signature of recipient custodian
v. Reason for transfer
e) Transfers of custody between two individuals must be authorized and logged.
f) Transfer of removable media to and from the HSA must be authorized and logged.
g) Physically destroy any media holding secret or confidential data when it is not possible to delete the data so that it is no longer recoverable.
Q 5 November 2015 - Removable media is subject …
Added
p. 9
a) Ensure all documents relating to firewall configurations are stored securely.
b) Deploy an external firewall outside the HSA to protect the HSA’s DMZ (see figures 2 and 3 above for acceptable configurations).
c) Install a firewall between the data-preparation network and the personalization network unless both are located within the same high security area or network.
d) Utilize physically separate firewalls for the aforementioned.
e) Implement appropriate operating-system controls on firewalls.
f) Review firewall rule sets and validate supporting business justification at least monthly.
g) Restrict physical access to firewalls to only those designated personnel who are authorized to perform firewall administration activities.
h) Ensure the firewall rule set is such that any server only requiring inbound connections (for example, web servers) is prohibited from making outbound connections.
i) Ensure that only authorized individuals can perform firewall administration.
j) Run firewalls on dedicated hardware. All non-firewall-related software such as compilers, editors, and communication software must be deleted or …
Added
p. 11
i. The internal penetration test must not be performed remotely.
ii. Penetration tests must be performed on the network layer and include all personalization network components as well as operating systems.
iii. Penetration tests must be performed on the application layer and must include:
• Injection flaws (e.g., SQL injection)
• Buffer overflow
• Insecure cryptographic storage
• Improper error handling
• All other discovered network vulnerabilities
Q 12 March 2016 - How must the internal penetration test be conducted? A The internal penetration test must be performed using the criteria defined in this requirement. Additionally, testing must occur in accordance with DSS requirement 11 with the exception that the coverage must be all HSA systems and the personalization network. The internal penetration test must not require any rule changes to conduct and must originate from systems within the HSA.
i. Inspect and ensure that no one has tampered with the shipping package. If there are any signs of tampering, …
Added
p. 18
a) All exterior walls must be pre-cast or masonry block or material of equivalent strength and penetration resistance.
b) Windows, doors, and other openings must be protected against intrusion by mechanisms such as intruder-resistant (e.g., “burglar-resistant”) glass, bars, glass-break detectors, or motion or magnetic contact detectors.
Q 7 December 2015: If a card vendor is using a hosted or other type of shared facility, there may be a combination of real external concrete walls of the building and walls inside the facility that would be considered ‘external’ to the card vendor, or only interior perimeter walls. For interior walls that form the ‘exterior’ for the card vendor, it may not be feasible to use pre-cast or masonry block material for the construction due to legal, safety or other considerations. For purposes of this requirement, what would be considered material of equivalent strength and penetration resistance? A Interior walls may be considered equivalent …
Added
p. 20
Q 12 March 2016 - Is it OK for a company to provide water stations with disposable cups or disposable bottles inside the HSA for hydration and/or medication purposes as long as the disposable cups or disposable bottles are discarded in the trash before exiting the HSA? A Yes if company provided. These must be brought in/out through the goods/tools trap.
3.3.4.1i If the access-control server is not located in the security control room it must be located in a room of equivalent security. The access-control server cannot be located in the HSA.
Q 25 March 2016 - Employees involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards. Does this mean that operators who only work in the Vault, Warehouse, Dispatch, or any other role located outside the HSA, can perform PIN printing / …
Added
p. 24
An outside wall of the building must not be used as a wall of the vault.
If the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., via motion sensors.
No windows are permitted.
There must be no access to the vault except through the vault doors and gate configurations meeting these requirements. The vault must be protected with sufficient number of shock detectors to provide full coverage of the walls, ceiling, and floor.
4.7.1.i During the processing of card products (encoding, embossing, and personalizing), only the minimum number of boxes or sleeves required may be opened at one time. The contents of partially used boxes or sleeves must be verified against the inventory control documents. Before additional boxes or sleeves are opened, any partially used boxes or sleeves must be fully used. The number …
Modified
p. 1
Payment Card Industry (PCI) Card Production Security Requirements Technical FAQs for use with Version 1.0
Payment Card Industry (PCI) Card Production Security Requirements Technical FAQs for use with Version 1.1
Removed
p. 3
Section 2
• Roles and Responsibilities No FAQ in this section
• Reserved for future use.
Modified
p. 3 → 5
Section 4
• Data Security 4.1.2 Confidential Data 4.1.2.a Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data. These are confidential data and must be managed in accordance with Section 9 of this document, “Key Management: Confidential Data.”
• Data Security 4.1.2 Confidential Data
Section 4
• Data Security 4.1.2 Confidential Data Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data. These are confidential data and must be managed in accordance with Section 9 of this document, “Key Management: Confidential Data.”
Modified
p. 3 → 5
Q 2 December 2013
• Confidential data is defined to include PAN, expiry date, service code, and cardholder name. Does this apply to all these data elements individually or in any combination? A The PAN must always be considered confidential, and the other three data elements are considered confidential if stored or otherwise available in conjunction with the PAN.
Q 3 December 2013
• Confidential data is defined to include PAN, expiry date, service code, and cardholder name. Does this apply to all these data elements individually or in any combination? A The PAN must always be considered confidential, and the other three data elements are considered confidential if stored or otherwise available in conjunction with the PAN.
Removed
p. 4
a) Ensure personalization signals cannot be detected beyond the HSA.
b) Conduct a scan of area surrounding the HSA whenever the personalization environment is changed to confirm personalization data sent by wireless communication does not reach beyond the HSA.
c) Ensure that when personalization signals are encrypted, they comply with the encryption standards defined in Normative Annex A.
d) Perform a manual or automated inspection of the secure personalization area at least twice each month in order to detect any rogue radio-frequency (RF) devices.
e) Ensure that personalized cards (including rejects) are stored and handled as batches of two or more cards or enclosed within protective packaging that restricts reading card emissions until the cards are packaged for final distribution or destruction.
Modified
p. 4 → 5
Q 3 October 2014 - Does transmission include the file movement between the systems on the data-preparation or personalization or does it apply only to data that is transmitted between organizational entities over a public network? A If the data is going from one system or server to another then it is being transmitted and must be encrypted. It does not matter if the networks are not internet or public facing. The intention is that data is in clear only …
Q 4 October 2014 - Does transmission include the file movement between the systems on the data-preparation or personalization or does it apply only to data that is transmitted between organizational entities over a public network? A If the data is going from one system or server to another then it is being transmitted and must be encrypted. It does not matter if the networks are not internet or public facing. The intention is that data is in clear only …
Modified
p. 5 → 7
Q 5 October 2014 - Access from within the high security area to anything other than the personalization network must be read-only. If the data preparation network is also in the high security area, can the personalization network write to the data preparation network? A Yes, if they are separate networks then generally the data preparation network will deposit files for production on the personalization network or the personalization network will read them from the data preparation network. It’s not …
Q 6 October 2014 - Access from within the high security area to anything other than the personalization network must be read-only. If the data preparation network is also in the high security area, can the personalization network write to the data preparation network? A Yes, if they are separate networks then generally the data preparation network will deposit files for production on the personalization network or the personalization network will read them from the data preparation network. It’s not …
Modified
p. 5 → 8
Q 6 October 2014 - Controls must be in place to restrict write permission to any system external to the personalization network to only pre-approved functions that have been authorized by the VPA and these write functions must not transmit cardholder data. If the data preparation and personalization networks are separate, can the data preparation network have write permissions to a corporate network? A No, the data preparation network must meet the same requirements as the personalization network, data preparation …
Q 7 October 2014 - Controls must be in place to restrict write permission to any system external to the personalization network to only pre-approved functions that have been authorized by the VPA and these write functions must not transmit cardholder data. If the data preparation and personalization networks are separate, can the data preparation network have write permissions to a corporate network? A No, the data preparation network must meet the same requirements as the personalization network, data preparation …
Modified
p. 6 → 8
Q 7 October 2014 - Inventory and order systems may reside in the HSA on the data preparation and personalization networks. Corporate users may require access to the inventory and order detail updates performed on those systems. However, logical access from outside the HSA to these networks is not allowed, and access from within the HSA to anything other than the personalization network must be read-only. How can the corporate users obtain access to this information? A The information needs …
Q 8 October 2014 - Inventory and order systems may reside in the HSA on the data preparation and personalization networks. Corporate users may require access to the inventory and order detail updates performed on those systems. However, logical access from outside the HSA to these networks is not allowed, and access from within the HSA to anything other than the personalization network must be read-only. How can the corporate users obtain access to this information? A The information needs …
Modified
p. 6 → 10
Q 8 July 2013
• Remote access is permitted only for administration of the network or system components and is not permitted to any system where clear-text cardholder data is being processed. If system administration is handled remotely by the card vendor or outsourced to a third party, are they still subject to the criteria defined within the Remote Access Section? A Yes, administration of the network and system components is a critical activity that requires a secure environment that complies …
Q 11 July 2013
• Remote access is permitted only for administration of the network or system components and is not permitted to any system where clear-text cardholder data is being processed. If system administration is handled remotely by the card vendor or outsourced to a third party, are they still subject to the criteria defined within the Remote Access Section? A Yes, administration of the network and system components is a critical activity that requires a secure environment that complies …
Modified
p. 6 → 10
Q 9 December 2013
• Section 5.6.2 stipulates criteria that VPNs must meet. Under what circumstances does this criteria apply, and is there differentiation between mobile VPNs and site-to-site VPNs? A The VPN requirements are part of the Remote Access requirements in Section 5.6.
Q 10 December 2013
• Section 5.6.2 stipulates criteria that VPNs must meet. Under what circumstances does this criteria apply, and is there differentiation between mobile VPNs and site-to-site VPNs? A The VPN requirements are part of the Remote Access requirements in Section 5.6. Therefore, they apply to the remote administration of networks and system components that comprise the HSA and do not apply to VPNs that are used for other purposes. For example, the VPN requirements apply to administration of …
Removed
p. 7
a) Implement a policy regarding wireless communications and clearly communicate this policy to all employees.
b) Not use wireless communications for the transfer of any personalization data.
c) Identify, analyze, and document all connections. Analysis must include purpose, risk assessment, and action to be taken.
d) Use a scanning device that detects hidden networks, as well as wireless intrusion detection systems (WIDS), fixed and/or mobile, that will detect hidden and spoofed networks.
e) Use a WIDS to conduct random monthly wireless scans within the HSA to detect rogue and hidden wireless networks.
Q 10 October 2014 - Requirement 5.7.1.d requires that a scanning device is used to detect hidden networks, and the use of a wireless intrusion detection network to detect hidden and spoofed networks. If a vendor does not have a wireless network, do they still need to comply? A This requirement is under revision. Yes, the vendor must still use a scanning device that is …
Removed
p. 7
a) Perform quarterly external vulnerability scans using an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
c) Ensure all findings from vulnerability scans are prioritized and tracked. Corrective action for high-priority vulnerabilities must be started within two working days.
d) Retain evidence of successful remediation and make this evidence available during site compliance evaluations upon request.
Q 11 October 2014 - Is an internal vulnerability scan only required when there has been a change and no longer each quarter? A This requirement is under revision. Because of evolving threat vectors, both external and internal network vulnerability scans must occur at least quarterly, as well as after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Scans after changes may be performed by internal staff.
Modified
p. 7 → 11
a) Perform internal and external penetration tests at least once a year and after any significant infrastructure changes.
Removed
p. 8
Q 13 December 2013
• Is there any dispensation from this requirement? A This requirement is under revision. Meanwhile, the need to patch within seven business days applies to all Internet-facing system components. Otherwise the maximum is thirty days, and still requires the proper sign-offs.
Removed
p. 8
Q 15 December 2013
• Are other mechanisms available to meet this requirement? A This requirement is under revision. Meanwhile, user accounts can also be unlocked via automated password reset mechanisms. Challenge questions with answers that only the individual user would know must be used. These questions must be designed such that the answers are not information that is available elsewhere in the organization, such as in the Human Resources Department.
Modified
p. 8 → 11
Q 12 December 2013
• For purposes of this requirement, how are network domains defined for what is allowed or not allowed? A In a virtualized environment, activities involving data preparation and personalization can use the same equipment. However, you cannot use the same equipment for systems in the DMZ and data-preparation or personalization area. This is because data preparation and personalization must occur within the HSA, whereas other activities must occur outside the HSA.
Q 13 December 2013
• For purposes of this requirement, how are network domains defined for what is allowed or not allowed? A In a virtualized environment, activities involving data preparation and personalization can use the same equipment. However, you cannot use the same equipment for systems in the DMZ and data-preparation or personalization area. This is because data preparation and personalization must occur within the HSA, whereas other activities must occur outside the HSA.
Removed
p. 9
i. All key custodians have been trained with regard to their responsibilities, and this forms part of their annual security training.
ii. Each custodian signs a statement, or is legally bonded, acknowledging that they understand their responsibilities.
Key custodians who form the necessary threshold to create a key must not report directly to the same manager.
Q 17 July 2014 - If the key manager is also a key custodian, can other key custodians report to the key manager? A Other key custodians must not report to the key manager if in conjunction with the key manager that would form a threshold to create a key.
Modified
p. 9 → 12
Section 8
• Key Management: Secret Data 8.4.1 General Requirements 8.4.1.a) The vendor must define procedures for the transfer of key-management roles between individuals.
Section 8
• Key Management: Secret Data 8.4.1 General Requirements 8.4.1.a The vendor must define procedures for the transfer of key-management roles between individuals.
Modified
p. 9 → 12
Q 16 July 2015: The vendor must define procedures for the transfer of key-management roles between individuals. Does "roles" mean custodian A holder versus a custodian B holder? A No. This is not intended for transfer of roles between existing custodians if it results in a custodian collectively having access to sufficient key components or shares of a secret or private key to reconstruct a cryptographic key. For example, in an m-of-n scheme (which must use a recognized secret-sharing scheme …
Q 15 July 2015: The vendor must define procedures for the transfer of key-management roles between individuals. Does "roles" mean custodian A holder versus a custodian B holder? A No. This is not intended for transfer of roles between existing custodians if it results in a custodian collectively having access to sufficient key components or shares of a secret or private key to reconstruct a cryptographic key. For example, in an m-of-n scheme (which must use a recognized secret-sharing scheme …
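Both of the key-custodian answers above (Q 17 on custodians who report to the same manager, and Q 15/16 on transferring roles between existing custodians) reduce to one check: after any change, no single person, and no single manager's direct reports, may hold enough shares to reconstruct the key. The following is an added example, not text or code from the PCI FAQ or the Council; it assumes a prime-field Shamir scheme as the "recognized secret-sharing scheme", and the custodian names, share assignments and reporting lines are constructed for illustration.

```python
"""Shamir m-of-n key splitting plus the custodian-assignment checks the FAQ describes.

Added example, not part of the PCI Card Production FAQ. Assumes a prime-field
Shamir scheme; the custodians, shares and reporting lines below are constructed.
"""
import secrets

# Field large enough for a 128-bit key component; 2**127 - 1 is a Mersenne prime.
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key, m, n):
    """Split `key` into n shares (x, y); any m distinct shares reconstruct it."""
    if not (1 <= m <= n) or not (0 <= key < P):
        raise ValueError("bad parameters")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x=0. With fewer than m shares this returns a field
    element unrelated to the key rather than raising; that is the threshold property."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def holders_at_threshold(assignment, m):
    """Custodians who individually hold >= m shares (what a role transfer must never
    create). assignment: custodian -> set of share x-coordinates."""
    return sorted(c for c, xs in assignment.items() if len(xs) >= m)


def managers_controlling_threshold(assignment, reports_to, m):
    """Managers whose direct reports, plus the manager's own shares if the manager is
    also a custodian (the key-manager case in Q 17), collectively hold >= m shares.
    reports_to: custodian -> manager."""
    groups = {}
    for custodian, mgr in reports_to.items():
        groups.setdefault(mgr, set()).update(assignment.get(custodian, set()))
    for mgr in list(groups):
        groups[mgr].update(assignment.get(mgr, set()))
    return sorted(mgr for mgr, xs in groups.items() if len(xs) >= m)


def check_transfer(assignment, reports_to, m, share_x, from_c, to_c):
    """Simulate moving one share between custodians; return the violations the
    transfer would introduce (an empty list means it is acceptable)."""
    if share_x not in assignment.get(from_c, set()):
        raise ValueError("share not held by source custodian")
    proposed = {c: set(xs) for c, xs in assignment.items()}
    proposed[from_c].discard(share_x)
    proposed.setdefault(to_c, set()).add(share_x)
    problems = [f"{c} would hold a reconstructing set"
                for c in holders_at_threshold(proposed, m)]
    problems += [f"reports of {mgr} would collectively form a threshold"
                 for mgr in managers_controlling_threshold(proposed, reports_to, m)]
    return problems


# Constructed illustration: a 3-of-5 split, one share per custodian (hypothetical names).
M, N = 3, 5
CUSTODIANS = ["alice", "bob", "carol", "dave", "erin"]
ASSIGNMENT = {c: {x} for c, x in zip(CUSTODIANS, range(1, N + 1))}
REPORTS_TO = {"alice": "mgr_x", "bob": "mgr_x",
              "carol": "mgr_y", "dave": "mgr_y", "erin": "mgr_z"}

if __name__ == "__main__":
    shares = split_key(secrets.randbelow(P), M, N)
    print("3 shares reconstruct:", reconstruct(shares[:M]) == reconstruct(shares[2:]))
    print("erin -> alice:", check_transfer(ASSIGNMENT, REPORTS_TO, M, 5, "erin", "alice"))
    print("carol -> erin:", check_transfer(ASSIGNMENT, REPORTS_TO, M, 3, "carol", "erin"))
```

The two organisational checks are deliberately evaluated on the proposed state, not the current one: moving share 5 from erin to alice leaves every individual below the threshold, yet it is still rejected because alice and bob both report to mgr_x, who would then control three of the five shares.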
Modified
p. 9 → 13
Q 18 December 2013
• Are there any alternatives to meet this requirement for when the authorized custodian is unavailable? A Yes, if the primary custodian is unavailable, a pre-designated and authorized backup custodian can receive the package. Alternatively, drop boxes can be used for the courier to leave the package in a locked container that is only accessible by the primary and backup custodians.
Q 16 December 2013
• Are there any alternatives to meet this requirement for when the authorized custodian is unavailable? A Yes, if the primary custodian is unavailable, a pre-designated and authorized backup custodian can receive the package. Alternatively, drop boxes can be used for the courier to leave the package in a locked container that is only accessible by the primary and backup custodians.
Modified
p. 10 → 13
Q 19 October 2014 - What specifically is the requirement regarding the signature of a custodian being placed on the access logs? Does it require the full name (first and last) or can the signature be first initial and last name or only be the initials of the custodians? A Signatures must be sufficient to identify each custodian. Full names or initials or any combination are acceptable as long as it can be positively affirmed who provided the signature.
Q 17 October 2014 - What specifically is the requirement regarding the signature of a custodian being placed on the access logs? Does it require the full name (first and last) or can the signature be first initial and last name or only be the initials of the custodians? A Signatures must be sufficient to identify each custodian. Full names or initials or any combination are acceptable as long as it can be positively affirmed who provided the signature.
Modified
p. 10 → 14
Q 20 July 2014
• Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes? A Copies of keys at another site (e.g. Issuer keys or personalization keys) may exist if there is a contract with that site e.g., if they are subcontracting the personalization activity to that site. This subcontracting needs the written permission of the issuer(s) impacted. For disaster recovery purposes, the same conditions apply. There must be a …
Q 18 July 2014
• Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes? A Copies of keys at another site (e.g. Issuer keys or personalization keys) may exist if there is a contract with that site e.g., if they are subcontracting the personalization activity to that site. This subcontracting needs the written permission of the issuer(s) impacted. For disaster recovery purposes, the same conditions apply. There must be a …
Modified
p. 10 → 14
Q 21 July 2013
• Can the same transport keys be used between the card vendor and separate locations of another organization? A No, each location would constitute a separate key zone and therefore different transport keys must be used. The same is true for a card vendor with multiple locations communicating to one or more locations of another organizational entity.
Q 19 July 2013
• Can the same transport keys be used between the card vendor and separate locations of another organization? A No, each location would constitute a separate key zone and therefore different transport keys must be used. The same is true for a card vendor with multiple locations communicating to one or more locations of another organizational entity.
Modified
p. 11 → 14
Q 22 December 2013
• Does 8.9.g apply to all IC keys? A No, it does not apply to manufacturer or founder keys. It does apply to other keys such as those used for pre-personalization.
Q 20 December 2013
• Does 8.9.g apply to all IC keys? A No, it does not apply to manufacturer or founder keys. It does apply to other keys such as those used for pre-personalization.
Modified
p. 11 → 15
Q 23 July 2014
• Does the HSM FIPS/PCI certification include customization of native HSM firmware if the FIPS/PCI mode is notimpacted. A If firmware is modified it impacts the approval. However, HSMs may allow customers or integrators to install additional applications where the vendor can show that by permitting this:
Q 21 July 2014
• Does the HSM FIPS/PCI certification include customization of native HSM firmware if the FIPS/PCI mode is not impacted? A If firmware is modified it impacts the approval. However, HSMs may allow customers or integrators to install additional applications where the vendor can show that by permitting this:
Modified
p. 13 → 17
Q 3 July 2015: Does the card vendor have to use fingerprints to conduct a search against criminal records as part of the background check process? A A criminal background search must be conducted. That search may use fingerprints or any other method or means of identification.
Q 3 August 2015: Does the card vendor have to use fingerprints to conduct a search against criminal records as part of the background check process? A A criminal background search must be conducted. That search may use fingerprints or any other method or means of identification. If fingerprints are not used (e.g., it is not legally permissible) for this purpose, they do not need to be collected or retained.
Modified
p. 14 → 18
Section 3
• Premises 3.1 External Structure 3.1.1 External Construction 3.1.1.a The vendor must prevent unauthorized access to buildings, building areas, or structures containing technical machinery or equipment such as the heating system generator, auxiliary power supply, and air conditioning.
Modified
p. 14 → 19
Q 7 December 2013: Are any methods of covering security control room windows allowed, other than those described in 3.3.2.2.q? A Yes. Other mechanisms may be used as long as they achieve the same result of preventing observation to inside the security control room to view the security equipment•e.g., CCTV images.
Q 8 December 2013: Are any methods of covering security control room windows allowed, other than those described in 3.3.2.2.q? A Yes. Other mechanisms may be used as long as they achieve the same result of preventing observation to inside the security control room to view the security equipment•e.g., CCTV images.
Modified
p. 14 → 19
Q 8 January 2015: Only card production-related activities shall take place within the HSA. Does this preclude the existence of test and non-production servers and HSMs from existing in the HSA? A Equipment that is purely associated with test activities is not allowed in the HSA. Test (non- production) keys and test (non-production) data cannot be used with production equipment. Cards used for testing that use production keys and/or data must be produced using production equipment.
Q 9 January 2015: Only card production-related activities shall take place within the HSA. Does this preclude the existence of test and non-production servers and HSMs from existing in the HSA? A Equipment that is purely associated with test activities is not allowed in the HSA. Test (non- production) keys and test (non-production) data cannot be used with production equipment. Cards used for testing that use production keys and/or data must be produced using production equipment.
Modified
p. 14 → 19
Q 9 December 2013
• Areas in production facilities where card products, components, or data are stored or processed are called high security areas. Section 3.3.3 states that these HSAs must be contiguous if they are within the same building. In some building designs these areas are non-contiguous and retrofitting is prohibitively expensive. Are there any other options? A Yes. HSAs in the same building that are not contiguous may exist provided they are treated physically and logically as separate facilities•i.e., …
Q 10 December 2013
• Areas in production facilities where card products, components, or data are stored or processed are called high security areas. Section 3.3.3 states that these HSAs must be contiguous if they are within the same building. In some building designs these areas are non-contiguous and retrofitting is prohibitively expensive. Are there any other options? A Yes. HSAs in the same building that are not contiguous may exist provided they are treated physically and logically as separate facilities•i.e., …
Modified
p. 15 → 19
Q 10 December 2013
• Does this requirement apply to chemical storage areas, cleaner cupboards, and other maintenance/supplies storage? A A space within the HSA may be defined as a cupboard or similar which does not require motion detection if it is not possible for an individual to walk into the space and no longer be visible.
Q 11 December 2013
• Does this requirement apply to chemical storage areas, cleaner cupboards, and other maintenance/supplies storage? A A space within the HSA may be defined as a cupboard or similar which does not require motion detection if it is not possible for an individual to walk into the space and no longer be visible.
Modified
p. 15 → 20
Q 11 January (update) 2015 - Is the Access Control Server located in the Security Control Room or in the Server Room? A The activities in the HSA are restricted to card production activities and therefore the access control server cannot be located in the HSA where the Server Room is required to be because for networked systems, only servers directly related to data preparation and personalization are allowed within the HSA.
Q 13 January (update) 2015 - Is the Access Control Server located in the Security Control Room or in the Server Room? A The activities in the HSA are restricted to card production activities and therefore the access control server cannot be located in the HSA where the Server Room is required to be because for networked systems, only servers directly related to data preparation and personalization are allowed within the HSA.
Modified
p. 15 → 20
Q 12 July 2013
• Requirement 3.3.4 specifies controls that must be applied to all rooms within the High Security Area (HSA), and Requirement 3.3.5 specifies the following as rooms that may exist within the HSA as:
Q 14 July 2013
• Requirement 3.3.4 specifies controls that must be applied to all rooms within the High Security Area (HSA), and Requirement 3.3.5 specifies the following as rooms that may exist within the HSA as:
Modified
p. 15 → 20
Q 13 December 2013: Local regulations or other safety considerations may require the presence of fire doors in the HSA. Are there any special considerations? A Yes. If the HSA contains fire doors and these doors are normally closed or can be manually closed, these doors are subject to the same access controls as any other door that provides access to a room.
Q 15 December 2013: Local regulations or other safety considerations may require the presence of fire doors in the HSA. Are there any special considerations? A Yes. If the HSA contains fire doors and these doors are normally closed or can be manually closed, these doors are subject to the same access controls as any other door that provides access to a room.
Modified
p. 16 → 21
Q 14 December 2013
• Separate rooms within the HSA must meet all of the requirements in
Q 16 December 2013
• Separate rooms within the HSA must meet all of the requirements in
Modified
p. 16 → 21
Q 15 December 2013
• For purposes of 3.3.4, do elevators, stairwells, closets and glass- enclosed rooms (e.g., conference rooms or other room types) constitute a room? A If an elevator has a door, access to it must be controlled. Stairwells are not a room if they do not have doors. Closets would not be considered a room if a person could not physically enter. However, a storage room with a door is considered a room. Glass-enclosed rooms are also considered …
Q 17 December 2013
• For purposes of 3.3.5, do elevators, stairwells, closets and glass- enclosed rooms (e.g., conference rooms or other room types) constitute a room? A If an elevator has a door, access to it must be controlled. Stairwells are not a room if they do not have doors. Closets would not be considered a room if a person could not physically enter. However, a storage room with a door is considered a room. Glass-enclosed rooms are also considered …
Modified
p. 16 → 21
Q 16 October 2014 - If curtains or similar are used to segment the HSA in subareas, do those subareas constitute rooms for purposes of these requirements. A If visibility into the segmented area is not impaired from the general HSA area (for example: use of clear curtains), then the sub area does not constitute a room and therefore, any requirements pertaining to rooms do not apply for these subareas. When visibility is obstructed (for example: use of opaque curtains) …
Q 18 October 2014 - If curtains or similar are used to segment the HSA in subareas, do those subareas constitute rooms for purposes of these requirements. A If visibility into the segmented area is not impaired from the general HSA area (for example: use of clear curtains), then the sub area does not constitute a room and therefore, any requirements pertaining to rooms do not apply for these subareas. When visibility is obstructed (for example: use of opaque curtains) …
Modified
p. 16 → 21
Q 17 October 2014 - If the walls and/or door (s) of the room are glass such that the view is not restricted, does that constitute a room? A Yes it is a room. While glass allows visibility it still restricts access.
Q 19 October 2014 - If the walls and/or door (s) of the room are glass such that the view is not restricted, does that constitute a room? A Yes it is a room. While glass allows visibility it still restricts access.
Modified
p. 16 → 21
Q 18 October 2014 - Are any of these options acceptable to implement in lieu of implementing the controls for separate rooms under this section, such as: glass doors without locks and a fully lit room; clear plastic flaps hanging from the door; swinging or sliding glass doors that do not have any type of closure mechanism? A Glass doors without locks and swinging or sliding doors are not acceptable. Clear plastic flaps hanging from the door …
Q 20 October 2014 - Are any of these options acceptable to implement in lieu of implementing the controls for separate rooms under this section, such as: glass doors without locks and a fully lit room; clear plastic flaps hanging from the door; swinging or sliding glass doors that do not have any type of closure mechanism? A Glass doors without locks and swinging or sliding doors are not acceptable. Clear plastic flaps hanging from the door …
Modified
p. 16 → 21
Q 19 December (update) 2013
• What is the rationale for Requirement 3.3.5.b? A The intent is to prevent any single individual being unobserved while within any room within the HSA. This is not a new requirement and was in place under the prior individual payment brand requirements so there should be limited impact on card vendors previously held to payment brand criteria. Toilet rooms that are not fully enclosed and are accessible without opening the door (i.e., sufficient space exists above …
Q 21 December (update) 2013
• What is the rationale for Requirement 3.3.5.b? A The intent is to prevent any single individual being unobserved while within any room within the HSA. This is not a new requirement and was in place under the prior individual payment brand requirements so there should be limited impact on card vendors previously held to payment brand criteria. Toilet rooms that are not fully enclosed and are accessible without opening the door (i.e., sufficient space exists above …
Removed
p. 17
a) Server processing and key management must be performed in a separate room within the personalization HSA.
Modified
p. 17 → 22
Q 20 October 2014 - In the Card Production Physical Security Requirements it states that card destruction must occur in a separate room within the HSA. Would the Vault be considered a separate room or does it need to be in a secured room within the Vault? A A dedicated room must be used for destruction. This room must be in the HSA and may optionally be a secured room within the vault. This room must meet all room requirements. …
Q 22 October 2014 - In the Card Production Physical Security Requirements it states that card destruction must occur in a separate room within the HSA. Would the Vault be considered a separate room or does it need to be in a secured room within the Vault? A A dedicated room must be used for destruction. This room must be in the HSA and may optionally be a secured room within the vault. This room must meet all room requirements. …
Modified
p. 17 → 22
Q 21 October 2014 - Sheet and card destruction must take place in a separate room within the HSA that is dedicated for destruction. Does this apply to other materials such as used tipping foil, holographic materials and signature panels?
3.3.5.4 PIN Mailer Production Room
3.3.5.4 b) Employees involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards.
Q 23 October 2014 - Sheet and card destruction must take place in a separate room within the HSA that is dedicated for destruction. Does this apply to other materials such as used tipping foil, holographic materials and signature panels? A Yes.
3.3.5.4 PIN Mailer Production Room
3.3.5.4 b Employees involved in personal identification number (PIN) printing and mailing processes must not monitor or be involved in the personalization, encoding, and embossing of the related cards.
Modified
p. 17 → 22
Q 22 July 2014 - If PIN printing and mailing, and personalization, encoding and embossing take place in an open area, how can this requirement be met? A PIN printing must occur in a separate room except as delineated in PIN Printing and Packaging of Non-personalized Prepaid Cards. Documented procedures must exist that restrict personnel involved in PIN printing and mailing from being involved in the personalization, encoding and embossing of the related cards.
Q 24 July 2014 - If PIN printing and mailing, and personalization, encoding and embossing take place in an open area, how can this requirement be met? A PIN printing must occur in a separate room except as delineated in PIN Printing and Packaging of Non-personalized Prepaid Cards. Documented procedures must exist that restrict personnel involved in PIN printing and mailing from being involved in the personalization, encoding and embossing of the related cards.
Modified
p. 17 → 23
3.3.5.5.b An internal CCTV camera must be installed to cover the access to this room and provide an overview of the room whenever there is activity within it. The camera must not have zoom or scanning functionality and must not be positioned in such a manner as to allow observation of keystroke entry or the monitoring of the screen.
Modified
p. 17 → 23
Q 23 October 2014 - Server processing and key management must be performed in a separate room within the personalization HSA. What is considered 'server processing'? A This applies to servers used for data preparation and personalization. It does not apply to DMZ based components.
Q 26 October 2014 - Server processing and key management must be performed in a separate room within the personalization HSA. What is considered 'server processing'? A This applies to servers used for data preparation and personalization. It does not apply to DMZ based components.
Removed
p. 18
Q 24 January (update) 2015 - Vaults are required to be constructed out of reinforced concrete with a minimum thickness of 6 inches, or materials that provide equivalent strength and durability. Does the use of Class 1 Certification Standards for the construction meet the equivalence factor, even though only 5 inch slabs may be used? A This requirement is under revision. Yes, the use of Underwriters Laboratories Class 1 Burglary Certification Standard which provides for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces i.e., vault doors, walls, floors and ceilings for the construction is acceptable.
Modified
p. 18 → 24
Q 25 January 2015 - Is it permissible to have more than one entry/exit to the vault from the HSA if each door meets the strength requirement for a vault door and is alarmed and meets all other required controls for a vault door, including anti-passback, etc. A Yes.
Q 27 January 2015 - Is it permissible to have more than one entry/exit to the vault from the HSA if each door meets the strength requirement for a vault door and is alarmed and meets all other required controls for a vault door, including anti-passback, etc. A Yes.
Modified
p. 18 → 24
Q 26 January 2015 - Is it permissible to have an emergency exit from the vault to the HSA if the emergency door meets the strength requirement for a vault door, is alarmed and was not openable from outside?
Q 28 January 2015 - Is it permissible to have an emergency exit from the vault to the HSA if the emergency door meets the strength requirement for a vault door, is alarmed and was not openable from outside? A Yes.
Modified
p. 18 → 24
Q 27 July 2015: Can security mesh be used for vault construction in lieu of reinforced concrete as equivalent to the Underwriters Laboratories (UL) Class 1 Burglary Certification Standard, which provides for at least 30 minutes of penetration resistance? A A) Security mesh is unacceptable unless direct evidence can be provided that it meets the UL 608 Standard for Burglary Resistant Vault Doors and Modular Panels Class 1 criteria. Other UL certifications, such as for fire resistance, are not acceptable …
Q 29 July 2015: Can security mesh be used for vault construction in lieu of reinforced concrete as equivalent to the Underwriters Laboratories (UL) Class 1 Burglary Certification Standard, which provides for at least 30 minutes of penetration resistance? A A) Security mesh is unacceptable unless direct evidence can be provided that it meets the UL 608 Standard for Burglary Resistant Vault Doors and Modular Panels Class 1 criteria. Other UL certifications, such as for fire resistance, are not acceptable …
Removed
p. 19
The vault door or inner grille must remain closed and locked at all times, except when staff require access to the vault for example to store or remove items. The inner grille must be fitted with a dual-control locking mechanism or access reader.
Q 28 July 2014 - Where a vault door is required to remain open during production hours, an inner grille must be used. The inner grille must remain closed and locked at all times, except when staff require access to the vault. In this case the inner grille must be fitted with a dual-control locking mechanism or an access reader. However, access by use of physical keys means the access control system does not know who is in the vault and it is not possible to enforce anti-pass back or to enforce automatic activation of the motion detector as required for all other rooms in the HSA. Are …
Modified
p. 19 → 24
Q 29 July 2014 - Can a company have a badge access system that services multiple buildings on a single premises and/or multiple buildings throughout the world as long as the system is on its own segregated/dedicated network and all system changes are made on-site within a PCI compliant/secure room? A For multiple buildings within the same facility, a single central location can administer all buildings. However, a central facility cannot administer multiple separate facilities. The badge access system must …
Q 30 July 2014 - Can a company have a badge access system that services multiple buildings on a single premises and/or multiple buildings throughout the world as long as the system is on its own segregated/dedicated network and all system changes are made on-site within a PCI compliant/secure room? A For multiple buildings within the same facility, a single central location can administer all buildings. However, a central facility cannot administer multiple separate facilities. The badge access system must …
Removed
p. 20
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.
c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.
d) CCTV cameras must be connected at all times to:
o Monitors located in the control room
o An alarm system that will generate an alarm if the CCTV is disrupted
o An active image-recording device
Q 30 March (update) 2015 - For purposes …
Modified
p. 20 → 25
Q 31 July 2014
• Backups must be kept for at least 90 days and must occur daily. Does each daily back up need to occur for at least 90 days and does the 90 days only pertain tobackups. A Standard back-up policies using full/incremental - daily/weekly/monthly
• can be used. Both primary and back-up copies must be kept for a minimum of the most recent 90 days.
Q 31 July 2014
• Backups must be kept for at least 90 days and must occur daily. Does each daily back up need to occur for at least 90 days and does the 90 days only pertain to backups? A Standard back-up policies using full/incremental - daily/weekly/monthly
• can be used. Both primary and back-up copies must be kept for a minimum of the most recent 90 days.
Modified
p. 20 → 25
3.4.5.4.b The backup recording must be stored in a separate, secure location within the facility and must ensure segregation of duties between the users and administrators of the system.
3.4.5.4.b The backup recording must be stored in a separate, secure location within the facility and must ensure segregation of duties between the users and administrators of the system. Backups may also be stored in other facilities via techniques such as disk mirroring, provided the storage is secure in accordance with these requirements.
Modified
p. 20 → 25
Q 33 December 2013
• Does the use of RAID technology meet the criteria for separate backup recordings? A No. RAID technology is a storage technique that divides and replicates data among multiple physical drives in order to provide reliability, availability, performance and capacity. It is not a mechanism for backing up data.
Q 32 December 2013
• Does the use of RAID technology meet the criteria for separate backup recordings? A No. RAID technology is a storage technique that divides and replicates data among multiple physical drives in order to provide reliability, availability, performance and capacity. It is not a mechanism for backing up data.
Modified
p. 21 → 25
Q 34 December 2013
• Does this requirement apply to core sheets used at the facility? It applies only to production quality core sheets printed with the payment system brand or issuer design and not to blank sheets.
Q 33 December 2013
• Does this requirement apply to core sheets used at the facility? A It applies only to production quality core sheets printed with the payment system brand or issuer design and not to blank sheets.
Modified
p. 21 → 26
Q 35 December 2013
• Audit controls for manufacturing include tracking the number returned to the vault or WIP storage. Does this require that finished products that are already packed in containers or cartons prior to shipment be recounted before storage in the vault or WIP storage? A Finished products that have been previously counted in a controlled manner and sealed in tamper-evident packaging do not require recounting; however, they must still be part of the audit trail log.
Q 34 December 2013
• Audit controls for manufacturing include tracking the number returned to the vault or WIP storage. Does this require that finished products that are already packed in containers or cartons prior to shipment be recounted before storage in the vault or WIP storage? A Finished products that have been previously counted in a controlled manner and sealed in tamper-evident packaging do not require recounting; however, they must still be part of the audit trail log.
Removed
p. 22
a) If modifications are to be made to the audit log, a single line must be made through the original figure.
b) The updated figure and the initials of the employee making the changes must be placed adjacent to the incorrect figure.
Removed
p. 22
Q 36 October 2014 - Section 4.7 is marked as valid only for Manufacturing, but 4.7.3 specifically refers to Personalization Audit Controls. Does 4.7.1.1 & 4.7.1.2 (logs) refer to only manufacturing logs and not to Personalization logs? Or are we to understand that only 4.7.1 (and not its sections 4.7.1.1 and 4.7.1.2) applies exclusively to Manufacturing while the rest apply to both Manufacturing and Personalization? A This requirement is mislabeled. It should say production rather than manufacturing as it applies to both e.g. 4.7.1.1 does contain references to personalization 4.7.3 Personalization Audit Controls 4.7.3.d For accounts /envelopes, must include:
o Number of accounts
o Number of card carriers printed
o Number of carriers wasted
o Number of envelopes
o Number of envelopes wasted
o Operator name and signature
o Supervisor or auditor name and signature
Q 37 January (update) 2015
• Section 4.7.3.d requires various counts for envelopes. Does this apply for all …
Removed
p. 23
Q 40 December 2013
• Considering Requirement 4.8.2.a, there may be circumstances where there is minimal material created that requires destruction. Can the destruction occur less frequently? A The requirement is under revision. Meanwhile, the destruction can occur as frequently as the vendor deems necessary, but in all cases, no less frequently than weekly. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA.
Modified
p. 23 → 27
Q 38 December 2013
• What happens if a supervisor or auditor is not available to sign off on the various required counts? A For purposes of this requirement, the terms “operator,” “supervisor,” and “auditor” do not mean a formal job title, but rather define a function. Specifically supervisor/auditor refers to the function of the individual who verifies the count, while operator refers to the individual who conducts the count.
Q 36 December 2013
• What happens if a supervisor or auditor is not available to sign off on the various required counts? A For purposes of this requirement, the terms “operator,” “supervisor,” and “auditor” do not mean a formal job title, but rather define a function. Specifically supervisor/auditor refers to the function of the individual who verifies the count, while operator refers to the individual who conducts the count.
Modified
p. 23 → 27
Q 39 October (update) 2014
• Many facilities use portable/mobile shredding equipment managed by third-party service providers. How is this accommodated to meet 4.8.2.a? A The HSA includes the loading bay. The used foil can be destroyed there using portable/mobile equipment provided any access points (e.g., doors) from outside the HSA are closed and properly secured. This can also be applied to other secure materials that require destruction, such as scrap cards, return mail cards, and vault destroy requests.
Q 37 October (update) 2014
• Many facilities use portable/mobile shredding equipment managed by third-party service providers. How is this accommodated to meet 4.8.2.a? A The HSA includes the loading bay. The used foil can be destroyed there using portable/mobile equipment provided any access points (e.g., doors) from outside the HSA are closed and properly secured. This can also be applied to other secure materials that require destruction, such as scrap cards, return mail cards, and vault destroy requests.
Modified
p. 23 → 27
Q 41 January 2015 - What materials are required to be destroyed in the destruction room? A Remnants/residues of holograms from a post splitting process, signature panels and any materials required to be stored in the vault 4.8.3 Indent Printing Module 4.8.3.a The vendor must use indent-printing modules only for payment system cards.
Q 38 January 2015 - What materials are required to be destroyed in the destruction room? A Remnants/residues of holograms from a post splitting process, signature panels and any materials required to be stored in the vault.
Modified
p. 23 → 27
Q 42 July (update) 2014
• How is this requirement applied? A Payment system proprietary typefaces within Indent-printing modules cannot be used for other purposes than payment cards. Proprietary indent printing characters are destroyed at the end of usage.
Q 39 July (update) 2014
• How is this requirement applied? A Payment system proprietary typefaces within Indent-printing modules cannot be used for other purposes than payment cards. Proprietary indent printing characters are destroyed at the end of usage.
Modified
p. 24 → 28
Q 43 July 2014 - 4.10 requires that materials must be destroyed on a batch basis. Does this mean materials must be destroyed at the conclusion of each job? A No, multiple jobs can be grouped together to form a batch.
Q 40 July 2014 - 4.10 requires that materials must be destroyed on a batch basis. Does this mean materials must be destroyed at the conclusion of each job? A No, multiple jobs can be grouped together to form a batch.
Modified
p. 24 → 28
Q 44 October 2014 - The acceptable methods of shipping personalized cards are:
Q 41 October 2014 - The acceptable methods of shipping personalized cards are: