Document Comparison
PCI_CP_ROC_v3.0_Reporting_Template_Physical_Form.pdf
→
PCI_Card_Production_Physical_AOC_v3_-_SOC_2024.pdf
0% similar
Pages: 203 → 9
Words: 59281 → 1590
Content changes: 108

Content Changes
108 content changes. 36 administrative changes (dates, page numbers) hidden.
Added
p. 2
Section 1: Assessment Information Instructions for Submission This Attestation of Compliance must be completed as a declaration of the results of the card vendor’s assessment with the Payment Card Industry Card Production and Provisioning Physical Security Requirements (PCI CPPPSR)
• Appendix C: Security Operations Center. Complete all sections: The card vendor is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.
Part 1. Card Vendor and Card Production Security Assessor
• Security Operations Center Controls (CPSA-S) Information Part 1a. Card Production and Provisioning Organization Information Company Name:
DBA (doing business as):
Business Address: City:
Business Address: City:
Added
p. 2
Part 1b. Card Production Security Assessor Company Information (if applicable) Company Name:
Lead Assessor Contact Name:
Added
p. 5
• The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as “Not Applicable” in the ROC.
• One or more sub-requirements of that requirement were marked as “Not Applicable” in the ROC.
• All sub-requirements of that requirement were marked as “Not Applicable” in the ROC.
Note: Payment brand waivers do not constitute full compliance.
For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach” column, including:
• Details of specific sub-requirements that were marked as “Not Applicable” in the ROC
• Reason why sub-requirement(s) were not applicable.
Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.
PCI Card Production and Provisioning − Security Operations Details of Requirements Assessed Full Partial None Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not applicable …
Added
p. 8
Part 3c. Security Assessor Acknowledgement (if applicable) If a Security Assessor was involved or assisted with this assessment, describe the role performed:
Signature of Assessor Date:
Assessor Name: Assessor Company:
Added
p. 9
Check with the applicable payment brand(s) before completing Part 4.
Security Operations Center Section Description of Requirement Compliant to PCI Card Vendor Security Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) C.1 General Requirements C.2 Physical Construction C.3 Security Management System C.4 SOC Personnel C.5 Data Security C.6 Software Design and Development C.7 User Management and System Access Control C.8 Continuity of Service
Removed
p. 2
July 2015 1.0 Initial version
December 2015 1.0a Minor errata
June 2016 1.0b Expanded sections 2.2, 3.2 and 3.3
April 2017 2.0 Updated for changes incorporated into v2 of the Security Requirements, including Mobile Provisioning.
December 2017 2.1 Updated with addition of Test Procedures
June 2022 3.0 Updated for release of new Requirements
Removed
p. 4
The ROC Reporting Template serves two purposes:
• It serves as a declaration of the results of the card vendor’s assessment of compliance with the PCI Card Production and Provisioning Physical Security Requirements v3.0.1.
• It provides reporting instructions and the template for assessors to use. This can help provide reasonable assurance that a consistent level of reporting is present among assessors.
Use of this reporting template is subject to payment brand stipulations for all Card Production and Provisioning v3.0.1 submissions.
Tables have been included in this template to facilitate the reporting process for certain lists and other information as appropriate. Additional appendices may be added if the assessor feels there is relevant information to be included that is not addressed in the current format. However, the assessor must not remove any details from the tables provided in this document.
Do not delete any content from any place in this document, including this section and …
Removed
p. 5
1. Section 1: Contact Information and Report Date
2. Section 2: Summary of Non-Compliance Findings
3. Section 3: Inspection Overview
4. Section 4: Findings and Observations
Note: Sections 1 through 4 must be thoroughly and accurately completed, in order for the assessment findings in Section 5 to have the proper context. The reporting template includes tables with reporting instructions built-in to help assessors provide all required information throughout the document. Responses should be specific but efficient. Information provided should focus on concise quality of detail, rather than lengthy, repeated verbiage. Parroting the testing procedure within a description is discouraged, as it does not add any level of assurance to the narrative. Use of template language for summaries and descriptions is discouraged and details should be specifically relevant to the assessed entity.
ROC Vendor Self-Evaluation The card vendor is asked to complete the card vendor self-evaluation in Section 5: Findings and Observations, for all requirements.
• Only …
Removed
p. 6
The following table is a helpful representation when considering which selection to make and when to add comments. Remember, only one “Result” response may be selected at the sub-requirement level, and reporting of that should be consistent with other required documents.
Response When to use this response:
Yes Indicates the vendor is in compliance with this requirement New Indicates that this is a new non-compliance finding identified by the assessor for the first time.
Indicates that this item was previously reported as a non-compliance finding and action (if any) taken by the vendor does not resolve the original condition. The "Non-Compliance Description" column must explicitly state when this finding was first reported, the non-compliance condition observed, and the action (or lack thereof) taken by the vendor to resolve the finding. Findings for which the vendor has taken corrective action that resolved the original finding but introduced new non-compliance condition are reported as new …
Removed
p. 7
Do’s and Don’ts: Reporting Expectations DO: DON’T:
• Use this Reporting Template when assessing against v3.0.1 of the Card Production and Provisioning Security Requirements.
• Complete all sections in the order specified.
• Read and understand the intent of each requirement and testing procedure.
• Provide a response for every security requirement.
• Provide sufficient detail and information to support the designated finding, but be concise.
• Describe how a Requirement was verified per the Reporting Instruction, not just that it was verified.
• Ensure all parts of the Reporting Instructions are addressed.
• Ensure the response covers all applicable system components.
• Perform an internal quality assurance review of the ROC for clarity, accuracy, and quality.
• Provide useful, meaningful diagrams, as directed.
• Don’t simply repeat or echo the security requirement in the response.
• Don’t copy responses from one requirement to another.
• Don’t copy responses from previous assessments.
• Don’t include information irrelevant to the assessment.
Removed
p. 8
• Company name: Payment Brand Identification Code:
Removed
p. 9
• Card Manufacturing Select
• Chip Embedding Select
• Data Preparation Select
• Card Personalization Select
• Pre-Personalization Select
• Chip Personalization Select
• PIN Printing and Mailing (personalized, credit or debit) Select
• PIN Printing (non-personalized prepaid cards) Select
• Electronic PIN Distribution Select
Modified
p. 9 → 4
• Timeframe of assessment (start date to completion date): Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
• Timeframe of assessment (start date to completion date):
Modified
p. 9 → 4
• If remotely, state the rationale:
• If remote, state the rational:
Modified
p. 9 → 4
• If applicable, identify date(s) spent onsite at the entity: Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
• If applicable, identify date(s) spent onsite at the entity:
Removed
p. 10
• Secure Element Provisioning Services Select
• Cloud-based (HCE) Provisioning Services Secure Element Provisioning Services
Removed
p. 10
5. Select Product/Solution Description Cloud-based (HCE) Provisioning Services
Removed
p. 11
• A Security Operations Center subject to PCI Card Production and Provisioning Physical Security Requirements, Appendix C, “Security Operations Center” requirements, is located on the premises of this facility.
• This facility has been monitored for any part of the audit cycle by a SOC subject to PCI Card Production and Provisioning Physical Security Requirements, Appendix C, “Security Operations Center.”
• This facility operates a Security Control Room (SCR) and was also monitored by a remote SOC (Subject to Appendix C) for part of the audit cycle.
• This facility operates a Security Control Room (SCR) and was not monitored by a remote SOC (Subject to Appendix C) for any part of the audit cycle.
• Security Operations Center This facility operates a SOC (Subject to Appendix C)
• Remote SOC This facility is monitored by a SOC (Subject to Appendix C) Select If yes, indicate the Country, City and Payment Brand Identification Code in …
Modified
p. 11 → 4
Completion date (yyyy/mm/dd):
Removed
p. 12
2. Summary of Non-Compliance Findings Please use the table on the following page to report, covering all sections under each heading. Write up findings and list non-compliances
• including the section reference number the non-compliance relates to
• within the findings text as each non-compliance occurs. List all non-compliances in order, including the relevant section reference number the non-compliance
• for example:
Removed
p. 12
3.7.1.r Card components are not returned to the vault during non-production hours.
5.1, 5.2 The vendor could not produce written authorization for packaging, shipping, or mailing the card and PIN together from its customer (issuer name).
Notes for Consideration
• Please ensure non-compliances are written exactly as the examples above and be as specific as possible down to the exact bullet that covers the non-compliance.
• Also list items that are not non-compliances but are items that either the assessor is unsure of, or the vendor has discussed with the assessor and questions arising from this discussion can only be answered by the applicable payment brands(s). This section is optional, so if not required, please delete it from the report.
Removed
p. 15
3. Inspection Overview 3.1 Facility Description The auditor must provide a general description of the vendor facility and Card Production and Provisioning environment. For example, “The facility consists of multiple buildings, and card production activities are performed in one building consisting of a High Security Area for Card Production and Provisioning. Administration functions are performed external to the HSA. The vendor being audited is the only occupant of this building.” The introduction must also include any unusual conditions that may impact the audit scope or compliance assessment process. For example, “First audit after relocation, significant expansion / reconfiguration of the HSA, significant changes to key personnel, introduction of new technologies,” and any other unusual conditions.
• Vendor Facility and Card Production and Provisioning Environment
• Conditions that may Impact Audit Scope
Removed
p. 16
Document Name (including version, if applicable) Brief description of document purpose Document date (latest version)
Removed
p. 18
Employee Name Role/Job Title Organization Summary of Topics Covered / Areas or Systems of Expertise (high-level summary only)
Removed
p. 20
4. Validating the Requirements The validation methods identified for each requirement describe the expected activities to be performed by the assessor to validate whether the entity has met the requirement. The intent behind each validation method is described as follows:
• Examine: The assessor critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
• Observe: The assessor watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, system configurations/settings, environmental conditions, and physical controls.
• Interview: The assessor converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
The validation methods are intended to allow the assessed entity to demonstrate how it has met a …
Removed
p. 21
a) Senior management and corporate officers Select Interview personnel to verify that roles a) through d) are filled by vendor employees.
Examine the relevant appointment information for these positions.
b) Physical security manager Select Select
c) Acting physical security manager is any qualified individual acting as the physical security manager during any operational period of a facility, i.e., there must be such a designated individual accessible on-site during any operational period of the facility.
d) Card production supervisor is any card production staff that fulfills a supervisory role of other staff.
Select Select 1.1.2 Pre-employment Documentation and Background Checks The vendor must undertake a pre-employment documentation and background check using the same pre-employment procedures, employment application documents, and background checks for:
a) Full-time employees Select Examine the pre-employment documentation for a sample of each
b) Part-time employees Select Select
Modified
p. 21 → 5
Section 1: Roles and Responsibilities
Section C.2: Physical Construction Facilities
Removed
p. 22
c) Temporary employees, consultants, and contractors Select category to verify it includes application documentation and a background check. Select
d) Guards (internal or external) Select Select 1.1.3 Applicant/Employee Background Information Retention
a) The vendor must retain all personnel’s background information on file for at least 18 months after termination of the contract of employment.
Select Examine policies and procedures to verify that all applicant and personnel background information is retained for at least 18 months after termination of the contract of employment.
b) This information must be available for the inspector during site security reviews.
Select Examine a sample of documentation from personnel whose contract of employment has been terminated within the last 18 months.
Removed
p. 22
a) The vendor must use employment application forms that include the following detail relating to the applicant’s past:
• Details of any “alias” or any other names.
• List of their previous addresses or residences for the last seven years
• Previous employers for the last seven years
• Applicants must satisfactorily explain gaps in employment.
Select Examine a sample of employment applications to verify that they have the minimum information required.
b) The vendor must maintain a personnel file for each individual listed in Section 1.1.2 that includes but is not limited to the following information:
i. Gathered as part of the hiring − Background check results − Verification of aliases (when applicable) − List of previous employers and referral follow-up results − Education history − Social security number or appropriate national identification number − Signed document confirming that the individual has read and understands the vendor’s security policies and procedures − Fingerprints and results of …
Removed
p. 25
a) If termination of employment is a planned event, the physical security manager must be notified in writing prior to termination.
Select Examine policies and procedures to verify that the physical security manager is notified in writing of any expected termination of personnel prior to it taking effect.
Examine a sample of written notifications to the physical security manager of any termination of personnel to verify that such notifications were made prior to the termination’s taking effect.
b) If termination of employment is an unscheduled event (e.g., termination or extended medical leave), the physical security manager must be notified in writing as soon as the decision is made.
Select Examine policies and procedures to verify that the physical security manager is notified in writing for unscheduled terminations as soon as the decision is made.
c) Upon termination effective date of any personnel the physical security manager or designated representative must:
• Deactivate all access rights.
• Deactivate all access …
Removed
p. 26
a) Disable or remove the individual’s computer user IDs and passwords from all applicable systems.
Select Examine documentation for a sample of terminated individuals evidencing that such individuals’ computer user IDs and passwords have been disabled or removed.
b) Retrieve all software programs and documentation distributed to the individual.
Select Examine documentation for a sample of terminated individuals evidencing that all software programs and documentation distributed to such individuals have been retrieved.
c) Disable the individual’s access to computer data and applications.
Select Examine documentation for a sample of terminated individuals evidencing that all such individuals’ access to computer data and applications have been disabled.
d) Retrieve all company keys, badges, and company photo identification distributed to the individual.
Select Examine documentation for a sample of terminated individuals evidencing that all company keys, badges, and company photo identification distributed to such individuals have been retrieved.
e) Change all applicable vault combinations and other applicable access codes known to …
Removed
p. 27
a) Designating an individual (e.g., the CISO) responsible for all security matters and concerns, reporting to a senior company executive.
Select Interview the appropriate personnel designated with responsibility for all security matters and concerns to confirm that they understand their responsibility, including reporting to a senior company executive.
b) Ensuring that individuals performing or managing tasks requiring access to card components or data, or supporting the cloud-based provisioning processes and/or environment, have a signed employment agreement with the vendor. The agreement includes a stipulation that the card production staff complies with company policies and rules.
Select Examine a sample of employment agreements to verify that all individuals performing or managing tasks requiring access to card components or data or support for cloud-based provisioning processes and/or environment:
• Have a signed employment agreement; and
• The agreement stipulates that the card production staff complies with company policies and rules.
c) Providing a copy of vendor’s internal security manual to …
Removed
p. 31
a) Guards are not permitted to perform any of the functions normally associated with the production of card products or card components.
Select Examine policies and procedures to verify that guards are not permitted to perform any of the functions normally associated with the production of card products or card components.
b) Guards must not have access to:
• Physical master keys that provide access to card production or provisioning areas
• Audit logs
Select Examine policies and procedures to verify that guards are not permitted access to the restricted areas and assets identified.
Examine the access rights granted to a sample of guards on the access control system. Verify the guards do not have physical access to the HSA or to any restricted areas where the vendor processes, stores, or delivers card products and card components.
c) Guards must be prevented from modifying or altering the internal configuration settings on access system controls, intrusion alarm …
Removed
p. 32
a) If an unauthorized access attempt is detected internally or reported by law enforcement agents, the guard must ensure emergency procedures are followed. The vendor must make an assessment of any unauthorized access attempt. Access attempts that are not accidental or testing must be reported to the VPA.
Select Interview guards to confirm that they follow appropriate emergency procedures and give prompt attention to reports of unauthorized access to the facility received from law enforcement agents, and where necessary the VPA.
b) It maintains a clear segregation of duties and independence between the production staff and the guards.
Select Interview guards and production staff to confirm that there is a clear segregation of duties and independence between the guards and the production staff.
c) Any time activities are performed in the HSA, the security control room is always occupied by at least one guard.
Select Interview guards to confirm that at least one guard occupies the security control …
Removed
p. 33
a) Guard’s responsibilities, procedures, and activities by position
b) Vendor’s security policies
c) Interaction between production process management, contracted guard or monitoring services, the police, and other emergency services
d) Access control at all entry and exit points of the facility, by date and time of activation
e) External resource response activities
f) CCTV monitoring and video or digital recordings
g) Administration of access credentials and photo ID badges
h) Access-control system …
Select Examine the internal security procedures manual to verify that it contains the following minimum information:
• Guard’s responsibilities, procedures, and activities by position
• Vendor’s security policies
• Interaction between production process management, contracted guard or monitoring services, the police, and other emergency services
• Access control at all entry and exit points of the facility, by date and time of activation
• External resource response activities
• CCTV monitoring and video or digital recordings
• Administration of access credentials and photo ID badges
Removed
p. 35
a) Procedures must be reviewed, validated and if necessary, updated annually.
Select Examine documentation to verify updates occur annually as necessary.
Section 1 table columns: Requirement | Card Vendor Self-Evaluation (Comply, Comments) | Test Procedure | Assessor Compliance Evaluation (Result, Comment/Non-Compliance Assessment)
1.2.4 Security Training
a) Guards must be trained and aware of all of their assigned tasks defined within the vendor's internal security procedures manual. Training must occur at least every 12 months and prior to the assignment of any new responsibilities. A record of the training session must be maintained.
Select Interview guards to confirm that they have been trained and are aware of all of their assigned tasks as defined within the internal security procedures manual, and that their training occurs at least every 12 months and prior to the assignment of any new responsibilities.
Examine records evidencing the guards received the training at least annually.
b) Exceptional situations not specified within these manuals must be reported immediately …
Removed
p. 40
a) Each visitor entering the facility must be issued with and must wear visibly on their person a security pass or ID badge that identifies them as a non-employee.
Select Observe live visitor processes to verify that visitors entering the facility are issued and wear visibly on their person a security pass or ID badge that identifies them as a non-employee.
b) If the security pass or ID badge is disposable, the visitor’s name and date of entry to the facility and, if multi-day, the validity period must be clearly indicated on the front of the badge.
Select Examine the visitor process and the disposable visitor security passes or ID badges handed out to the auditor to verify that the visitor's name, date of entry to the facility, and (if multi-day) the validity period are clearly indicated on the front of the badge.
c) If the security pass or ID badge is the …
Removed
p. 42
a) Procedures that define how third parties are managed at the vendor facility are documented and followed.
Select Examine the security manual to verify that procedures are documented for how third parties are managed at the vendor facility.
Interview personnel to verify that the procedures are followed.
b) The requirements of Section 1.1.2, “Card Production Staff,” of this document have been met by the employer of all suppliers, repair and maintenance staff, and any other external service provider.
Select Examine documentation to verify that the employers of all suppliers, repair and maintenance staff, and any other external service providers comply with the requirements of Section 1.1.2.
c) A pre-approved list of third parties is made available to the receptionist or to the guard on a daily or weekly basis for the preparation of ID badges. Only those persons with pre-approved ID badges may be granted facility access. The physical security manager or senior management …
Removed
p. 44
a) Prior to conducting any business with an agent or third party regarding card-related activities, the vendor must register the agent with the VPA and obtain the following information:
• Agent’s name, address, and telephone numbers
• Agent’s role or responsibility
Select Examine the security procedures manual to verify that a process is in place to register with the VPA any agent or third party to conduct any business regarding card-related activities, prior to conducting such business.
Examine a sample of registration documentation to verify it contains the following information:
• Agent’s name, address, and telephone numbers
• Agent’s role or responsibility
b) The vendor must inform the VPA whenever the agent relationship is changed or terminated.
Select Examine the security procedures manual to verify that a process is in place to inform the VPA whenever the agent relationship is changed or terminated.
c) Agents of the vendor are not permitted to be in the possession of …
Modified
p. 45 → 5
Section 2: Facilities
Section C.5: Data Security
Removed
p. 46
b) The vendor must prevent unauthorized access to buildings, building areas, or structures containing technical machinery or equipment such as the heating system generator, auxiliary power supply, and air conditioning.
Select Examine documentation to verify a process is in place to prevent unauthorized access to buildings, building areas, or structures containing technical machinery or equipment such as the heating system generator, auxiliary power supply, and air conditioning.
Observe access and security-control mechanisms to verify they prevent unauthorized access to buildings, building areas, or structures containing technical machinery or equipment such as the heating system generator, auxiliary power supply, and air conditioning.
c) The vendor must protect doors that provide access to these by use of electrical or magnetic contacts that are permanently alarmed and that are connected to the security control-room panels.
Select Examine settings of door contacts (electrical or magnetic) to verify they are permanently alarmed and are connected to the security control-room panels.
Observe that …
Removed
p. 48
a) The vendor must not place any device (e.g., carriers, waste containers, and tools) against the external wall protecting the outer perimeter of the vendor’s facility.
Select Observe vendor facility to verify any devices (e.g., carriers, waste containers, and tools) are not against the facility’s external wall.
Removed
p. 48
a) The vendor facility must be located in an area serviced by public law enforcement and fire protection services in a timely manner.
Select Interview personnel to determine the vendor facility is located in an area that is serviced on a timely basis by public law enforcement and fire protection services.
b) The facility must be secured with an intrusion alarm system as defined in Section 2.4.1, “Alarm Systems.”
Select Examine the policy and procedures (or appropriate documentation) to determine the facility is secured with an intrusion alarm system as defined in Section 2.4.1, “Alarm Systems.”
c) The alarm system must be equipped with an auxiliary power or battery backup system with capabilities for ensuring operation for a minimum of 48 hours in the event of a power failure.
Select Examine documentation to verify alarm system is equipped with an auxiliary power or battery backup system with capabilities for ensuring operation for a minimum …
Removed
p. 51
a) Exterior lights must illuminate the exterior of the facility as well as all entrances and shipping and delivery areas, such that persons within these areas can be identified.
Select Observe CCTV footage to verify that exterior lights illuminate the exterior of the facility as well as all entrances and shipping and delivery areas, such that persons within these areas can be identified.
b) The vendor must check all exterior lights monthly and must maintain a record for 24 months.
Select Examine a sample of vendor logs to determine that all exterior lights are checked monthly and a record is maintained for 24 months.
a) Trees, telegraph poles, fences, etc. located adjacent to the property line that might facilitate roof access must be removed, relocated, or otherwise secured against unauthorized access.
Select Observe the facility to verify trees, telegraph poles, fences, etc. located adjacent to the property line that might facilitate roof access have been …
Removed
p. 52
a) The main entrance to the building must lead visitors into a reception area that restricts any physical contact between visitor(s) and the receptionist/guard.
Select Observe to verify that the main entrance to the building leads visitors into a reception area that restricts any physical contact between visitor(s) and the receptionist/guard.
b) The reception area must be within a mantrap.
A mantrap is the secured space between doors operating on an electronic interlocking basis that may be accessed by a card-reader access system or a remote-control device, provided that all movement and activity is monitored.
Select Observe that the reception area for visitors is contained within a mantrap.
c) The receptionist or guard responsible for the entrance and departure of visitors must have an unobstructed view of the reception area at all times.
Select Observe the receptionist(s) or guard(s) responsible for the entrance and departure of visitors to verify their view of the reception area is …
Removed
p. 57
a) Staff the room at all times while activity occurs in the HSA.
Select Examine policy and procedures to verify that the room is staffed at all times while activity occurs in the HSA.
Interview personnel to verify that the room is staffed at all times while activity occurs in the HSA.
Observe random CCTV recordings of the security control room when activity occurs in the HSA.
Examine access-control logs to verify the SCR was not left unoccupied.
b) Locate the security control room outside of the HSA and cloud-based provisioning environment to achieve the segregation of duties and independence between the guards and the HSA staff.
Select Observe the location of the security control room to verify that it is located outside of the HSA and cloud-based provisioning environment.
c) Build the security control room of concrete block or other material offering similar resistance, if not part of the facility.
Select Observe the build of the security …
Removed
p. 63
a) At a minimum, the following activities must take place only in an HSA:
• Shipping or delivery
• HCE and SE mobile provisioning
Select Examine documentation to verify that the activities listed below only occur within the HSA. Observe to verify that the activities listed below, at a minimum, take place within the HSA and only within the HSA. Interview personnel to verify the activities listed below only occur within the HSA.
• Shipping or delivery
• HCE and SE mobile provisioning
b) Card production staff may only bring items related to card production and provisioning activity into the HSA.
Select Examine documentation to verify that card production staff are only allowed to bring in items related to card production and provisioning activity into the HSA.
Observe that card production staff are only allowed to bring items related to card production and provisioning activity into the HSA.
Interview personnel to verify that card production staff are only …
Removed
p. 66
Select Examine access-control systems documentation to verify that they:
• Are always connected to the computer that monitors and logs all staff and visitor movements.
Observe access-control systems to verify that they:
• Are always connected to the computer that monitors and logs all staff and visitor movements.
c) The vendor must program the software access-control system, whereby access is on a person-by-person basis and restricted to authorized personnel.
Select Examine access settings to verify that the vendor has programmed the software access-control system access to a person-by-person basis and is restricted to authorized personnel.
d) The access-control system must activate the alarm system each time the last person leaves the HSA.
Select Examine access-control system settings to verify the access-control system will activate an alarm system each time the last person leaves the HSA.
Examine a sample of logs to verify that the access-control system activated the alarm system each time the last person left the …
Removed
p. 69
a) Access must be enforced by the use of an air lock, single sluice, or security turnstile, which must be controlled by logical means, ensuring strict compliance with the person-by-person mandate.
Select Observe to verify that access is enforced by the use of an air lock, single sluice, or security turnstile. Examine security settings to verify that access controls are activated by logical means, ensuring strict compliance with the person-by-person mandate. Observe via demonstration the person-by-person access control, by attempting for two personnel to cross the control point together.
b) Activation of the access device must be controlled by a card reader that enforces an anti-pass-back function.
Select Examine settings to verify activation of the access device is controlled by a card reader that enforces an anti-pass-back function. Observe via demonstration that activation of the access device is controlled by a card reader that enforces an anti-pass-back function.
c) The card readers must be …
Removed
p. 70
a) All physical materials required for production must be transferred to the HSA through either a goods-tools trap or the shipping and delivery area.
Select Examine documentation to verify that all physical materials required for production are transferred to the HSA through either a goods-tools trap or the shipping and delivery area.
Observe to verify that all physical materials required for production are transferred to the HSA through either a goods-tools trap or the shipping and delivery area.
b) A goods-tools trap or a shipping and delivery area must be used to transfer physical materials between different HSAs within the same facility.
Select Observe that a goods-tools trap or similar mechanism is used to transfer physical materials between different HSAs.
Removed
p. 70
a) Bullet-resistant (e.g., UL 752) glass or iron bars must protect all windows in HSAs that are on an exterior wall or door of the building.
Examine documentation to verify bullet-resistant (e.g., UL 752) glass or iron bars protect all windows in HSAs. Observe that bullet-resistant glass or iron bars are used to protect all windows in HSAs.
b) It must not be possible to view activities in the HSA from the exterior of the building, e.g., by use of opaque or non-transparent glass.
Observe to validate that activities in the HSA cannot be viewed from the exterior of the building, e.g., by use of opaque or non-transparent glass.
Note: See Annex A for further clarification.
c) Walls and ceilings must be constructed around the HSA consistent with the enforcement of dual presence, e.g., prevention of access via false ceilings or raised floors.
Examine documentation to verify that the walls and ceilings are constructed around the HSA …
Removed
p. 73
a) Whenever any room within the HSA is occupied, it must contain a minimum of two authorized card production staff. This must be enforced by the access-control system.
Observe via demonstration the access-control system by requesting that one authorized person authenticates to the access reader:
• If the door opens, does a “single occupancy” alarm sound within a 60-second period?
• If the door does not open, verify that it opens after two authorized authentications have been presented.
a) Separate rooms within the HSA must meet all of the HSA requirements with the exception of person-by-person access.
Examine HSA documentation to verify separate rooms within the HSA meet all of the HSA requirements with the exception of person-by-person access.
Observe that separate rooms within the HSA meet the HSA requirements with the exception of person-by-person access.
b) Toilet rooms are prohibited except where required by local law. Where used, the entry/exit way must …
Removed
p. 74
a) The pre-press process must be performed in a separate room within the HSA.
Observe to verify that the pre-press process is performed in a separate room within the HSA.
b) The pre-press room is where the vendor produces or stores film, plates, or electronic media.
Observe to verify that the pre-press room is the location where the vendor stores film, plates, or electronic media.
Removed
p. 74
a) This room must be segregated from production and protected at a minimum by wire mesh.
Observe the WIP storage room to verify it is segregated from production and is protected at a minimum by wire mesh.
b) If wire mesh is used in the construction of such areas, it must extend from the floor to enclose the entire room on all surfaces, including a top (if below the ceiling).
Observe to verify that if wire mesh was used in the construction of such areas, it extends from the floor to enclose the entire room on all surfaces, including a top (if below the ceiling).
c) Doors to these areas must be contact monitored and fitted with an audible alarm that sounds when the door remains open for more than 60 seconds.
Observe to verify that the doors to these areas are contact monitored and fitted with an audible alarm that …
Removed
p. 75
a) Destruction of card product and component waste must take place in a separate room(s) within the HSA that is dedicated for destruction.
Observe to verify that destruction of card product and component waste takes place in a separate room(s) within the HSA that is dedicated for destruction.
b) Destruction by a third party may take place in the loading bay using portable/mobile equipment. All requirements for a destruction room must be met for this temporary usage.
Examine documentation to verify that destruction by a third party takes place in the loading bay using portable/mobile equipment. Examine a sample of video logs to verify all requirements for a destruction room are met for this temporary usage. Interview personnel to verify destruction by a third party that takes place in the loading bay using portable/mobile equipment meets all requirements for a destruction room for this temporary usage.
Removed
p. 88
a) To facilitate the shipment and delivery of card components, the loading/unloading area must be composed of at least two consecutive enclosed rooms and three doors (external, intermediate, and inner), which minimizes physical contact between the individuals collecting or delivering materials and the shipment/delivery card production staff.
Note: If existing facilities have used wired enclosures for the outer room, they may continue. All new facilities requiring initial validation against these requirements must comply with the requirement as written, i.e., a room that is part of the building structure.
Observe to verify the shipping and delivery areas (loading/unloading) of card components to have at a minimum:
• At least two consecutive enclosed rooms and three doors (external, intermediate, and inner), and
• Minimization of physical contact between the individuals collecting or delivering materials and the shipment/delivery card production staff.
b) All shipping and delivery doors must operate on an electronic and interlocking basis so that when …
Removed
p. 96
a) Procedures must be documented and followed for managing identification (ID) badges.
Examine badging administration documentation to verify procedures are defined for managing ID badges.
Examine a sample of logs to verify procedures are followed in managing ID badges.
b) The vendor must issue a photo identification (ID) badge to each card production staff member and consultant. A temporary badge valid ONLY for the work shift does not need to contain a picture.
Examine documented procedures to verify the vendor issues a photo identification badge to each card production staff member and consultant.
Examine a sample of logs to verify badge issuance to card production staff and consultants.
c) ID badges and lanyards must not be imprinted with the company name or logo and are not allowed to be imprinted with any information that may identify the vendor’s name or location.
Observe to verify that ID badges and lanyards do not contain the corporate …
Removed
p. 97
a) The access-control system must grant physical access to card production staff or consultants only during authorized working hours, and only to those areas required by the card production staff or consultants’ job functions.
Examine access-control system settings to verify physical access to card production staff or consultants is only during authorized working hours, and only to those areas required by the card production staff or consultants’ job functions.
Examine a sample of logs to verify that the physical access is only granted during authorized working hours and only to the areas required by the individual’s job functions.
Observe a demonstration of one or more individuals attempting to access areas they are not authorized for to verify the access-control system prevents that access.
b) Personnel must display their ID badges at all times while in the facility.
Observe that personnel display their ID badges at all times while in the facility.
c) Card production …
Removed
p. 98
a) Maintain an inventory of unassigned ID badges.
Examine the unassigned badge inventory log to verify completeness.
b) Ensure dual control exists for badge access and distribution to individuals.
Examine procedures to validate a process is in place to have dual control for badge access and distribution to individuals.
Examine a sample of logs to verify dual control for badge access and assignments.
c) Ensure ID badges are retrieved from terminated individuals prior to their departure from the facility.
Examine procedures to validate a process is in place to retrieve ID badges from terminated individuals prior to their departure from the facility.
Examine a sample of terminated personnel documentation to verify ID badges were retrieved from each terminated individual prior to their departure from the facility.
d) Ensure all access rights are immediately deactivated.
Examine procedures to validate a process is in place to deactivate all access rights immediately on a departure of an individual.
Examine …
Removed
p. 99
a) The vendor must document, follow, and maintain procedures for access-control system administration.
Examine policy and procedures to verify access-control system administration is documented and maintained.
Interview personnel to verify personnel follow the procedures for access-control system administration.
b) Access-control systems that allow entry into restricted areas must have a backup electrical power source capable of maintaining the system for 48 hours.
Examine documentation to verify the access-control systems into restricted areas are protected by a backup electrical power source with capabilities for ensuring operation for a minimum of 48 hours in the event of a power failure.
Observe the presence of a backup electrical power source with capabilities for ensuring operation of the access-control system for a minimum of 48 hours in the event of a power failure.
c) Contingency plans must exist for securing card components in the event of an outage greater than 48 hours.
Examine contingency plans …
Removed
p. 102
a) Each access-control system administrator uses his or her own user ID and password.
Examine access-control system documentation to validate each access-control system administrator uses his or her own user ID and password.
Interview personnel to verify that each access-control system administrator uses his or her own user ID and password.
b) Passwords are changed at least every 90 days.
Examine documentation to verify procedures are in place that passwords are changed at least every 90 days.
Examine a sample of system configurations to verify passwords are required to be changed at least every 90 days.
Interview personnel to verify that passwords are changed at least every 90 days.
c) User IDs and passwords are assigned to the physical security manager and authorized personnel, who must be employees.
Examine documentation to verify that user IDs and passwords are assigned to the physical security manager and authorized personnel. Interview personnel to verify that access-control system administrators …
Removed
p. 104
a) Offsite access to the access-control system is not permitted.
Examine documentation to verify that the remote-access requirements listed below are met where system administration is performed remotely.
Examine a sample of reports to verify system administrators follow requirements for remote access as stipulated below.
Examine documentation to verify vendor facilities not subject to logical security audits have a written statement that requirements are being met.
Interview personnel to verify that the following remote-access requirements are met where system administration is performed remotely:
• Offsite access to the access-control system is not permitted.
• Access-control system data must be backed up on a weekly basis.
• Access-control systems administration must be performed from within the security control room.
• For generic administrative accounts that cannot be disabled, the password must be used only for emergency. The password must be changed from the default value and managed under dual control.
In addition, the access-control system must meet the …
Removed
p. 108
a) The key logbook must have consecutive, pre-numbered, bound pages and must contain at least the following information:
• Key identification number
• Date and time the key is issued (transfer of responsibility)
• Name and signature of the card production staff member issuing the key
• Name and signature of the authorized recipient
• Date and time the key is returned (transfer of responsibility)
• Name and signature of the authorized individual returning the key
• Name and signature of the card production staff member receiving the key
Examine documentation to verify procedures require the key logbook to contain the information listed above at a minimum.
Examine a sample of the key logbook to …
Removed
p. 109
• The locks each key operates
Examine documentation to verify that a process exists for the physical security manager to review the following for keys issued that allow access to sensitive materials:
• The locks each key operates
Examine evidence that for keys that allow access to sensitive materials, the physical security manager performed a quarterly review of:
• The locks each key operates
d) The physical security manager must sign and date each of the key-control documents, attesting that the review process was completed.
Examine documentation to verify a process is in place for the physical security manager to, at a minimum:
• Sign and date each of the key-control documents; and
• Attest that the review process was completed.
Examine a sample of records to verify the physical security manager performed the key-control process as noted above.
a) The physical security manager and executive managers are the only employees authorized to possess master …
Removed
p. 110
a) Combinations for any combination locks where a combination holder had access must be changed when a combination holder is removed from the list of authorized combination holders.
Examine documentation to verify that combinations for any combination locks where a combination holder had access must be changed when a combination holder is removed from the list of authorized combination holders.
Examine a sample of logs to verify that combinations for any combination locks where a combination holder had access was changed when a combination holder was removed from the list of authorized combination holders.
2.4.6 Closed Circuit Television (CCTV)
2.4.6.1 CCTV Cameras
a) Procedures for managing the facility’s CCTV must be documented and followed.
Examine documentation to verify CCTV procedures are documented.
Interview personnel to verify they are aware of and follow the CCTV procedures.
Examine a sample …
Removed
p. 114
a) CCTV images must be kept for at least 90 days and must be backed up daily. Both primary and backup copies must exist for a minimum of 90 days.
Examine documentation and a sample of archived video to verify CCTV images are:
• Kept for at least 90 days;
• Backed up daily; and that
• Both primary and backup copies exist for a minimum of 90 days.
b) The backup recording or mirror image must be stored in a separate, secure location within the facility and must ensure segregation of duties between the users and administrators of the system. Backups may also be stored in other approved facilities of the card vendor via techniques such as disk mirroring, provided the storage is secure in accordance with these requirements. An approved facility is one evaluated as compliant to these requirements and is participating in the applicable card brand program.
Examine documentation to verify …
Removed
p. 115
a) The CCTV system must meet the logical security requirements in Appendix B.
See Appendix B.
2.4.7 Security Device Inspections
2.4.7.1 Semi-Annual Inspections
a) A semi-annual inspection and testing must be conducted on all security devices and hardware including but not limited to:
• Access-control system
• Window and door contacts
• Glass-break detectors
• Emergency door alarms
• Passive infrared detectors
• CCTV image recorders
Examine documentation to verify inspections on all security devices and hardware were performed at least semi-annually and include but were not limited to the devices listed above.
b) Inspections must be carried out by an external organization qualified to perform such functions.
Examine sample documents to verify security inspections are performed by a qualified external organization.
c) A copy of the inspection reports …
Removed
p. 117
a) The vendor must have a written contingency plan to guarantee that security for card components, products, and data is maintained in case of critical business interruption.
Examine documentation to verify the vendor has a written contingency plan to guarantee that security for card components, products, and data is maintained in case of critical business interruption.
Interview personnel to validate they understand the process of the contingency plans to guarantee that security for card components, products, and data is maintained in case of critical business interruption.
Removed
p. 117
a) The vendor must document its policies and procedures by which assets associated with card production and provisioning activities are secured in the event production activities are terminated.
Examine the vendor’s policy and procedures to verify they include that assets associated with card production and provisioning activities are secured in the event production activities are terminated.
b) The procedures must identify all data storage, card design materials, cards, card components, physical keys, cryptographic keys, and hardware utilized for production activities that must be secured.
Examine procedures to verify the process identifies and secures all of the following but not limited to:
• Card design materials
• Hardware utilized for production activities
c) The disposition expectations for each identified item must be defined. For example, items may be returned to the owner, transported to an authorized user, or destroyed.
Examine the vendor’s policy and procedures to verify they include the disposition expectations for each identified …
Removed
p. 120
a) The vendor must follow submission procedures mandated by the appropriate payment brand to receive approval for the card design in order to confirm the design’s compliance to the applicable payment brand standards.
Examine the various card-design approval processes to verify that payment brand reviews are appropriately understood and documented by the design team.
Examine documentation with vendor to verify that all mandated approvals have been received and are on file to be reviewed upon request.
Removed
p. 120
a) The vendor must proceed with card manufacturing only after the submission has been approved.
Interview production management to verify what controls are in place to verify the vendor only starts a manufacturing run after approvals have been received.
Examine a sample of artwork approval timeframes compared with production runs to verify approval has occurred prior to production.
Removed
p. 120
a) All records of approval for the job from the applicable payment brand
Examine a sample of order documentation to verify all payment brand job-approval records have been retained.
b) A sample of the partially processed product or component
Examine a sample of production run retentions to verify they include partially processed products or components.
c) A portion of a printed sheet
Examine a sample of production run retentions to verify they each include a portion of a printed sheet.
d) Documentation indicating the source, quantities, and the distribution of each product received from an external company
Examine a sample of production run retentions to verify they include documentation of each product received from an external company.
e) All samples visually voided and functionally inoperable
Examine a sample of production run retentions to verify their inoperability and void markings.
Removed
p. 121
a) When requested by the payment brand, the vendor must send samples of the finished cards or components from each production run before shipping the finished card products. These samples must be functionally inoperative, and it must be visibly apparent that they are not live cards.
Examine policies/procedures to verify that when requested by the payment brand, the vendor sends samples of the finished cards or components from each production run before shipping the finished card products.
Examine a sample of payment brand requests for samples to verify the samples are functionally inoperative and it is visibly apparent that they are not live cards.
Section 3: 3.4 Origination Materials and Printing Plates
Access and Inventory
a) The vendor must restrict access to the department or to the dark room where film, plates, or electronic media are produced or stored …
Removed
p. 123
d) The vendor must inventory the films, printing plates, and duplicates including a record of plates issued from and returned to the printing department.
Interview printing department staff to verify how often, by whom, and what documentation is in place regarding the inventory of films, printing plates, and duplicates issued and returned to the printing department.
e) The vendor must audit this inventory quarterly.
Examine documentation to verify the vendor conducts audits on a quarterly basis.
f) The vendor must keep films and printing plates locked under dual control when not in use.
Observe security controls in place for films and printing plates and verify there are dual-control storage requirements when films and printing plates are not in use.
g) Materials maintained must be limited to the final approved version of the last production run of a particular card type.
Examine what materials are in place within the production area.
Observe production staff and …
Removed
p. 124
a) Access to unbundled core sheets must be restricted at all times.
Observe to verify unbundled core sheets are under restricted access at all times.
b) Core sheets must be allocated for production use under a materials/production regimen.
Observe the material/production regimen for allocation of core sheets for production runs to verify existence.
Section 3: 3.5.1.2 Partially or Fully Printed Sheets
a) When partially or fully printed sheets are stored outside the vault for more than one week, they must be stored in a work-in-progress (WIP) storage room.
Examine documentation to verify that the WIP storage room is utilized for storage longer than one week.
Observe storage controls in place by vendor for both partially and fully printed sheets.
b) Audit or accountability forms for core sheets must provide the following information for every order processed:
• Quality control sheets
• Quality …
Removed
p. 126
a) When partially finished cards (e.g., pre-personalized) are temporarily stored outside the vault, they must be stored in a secure, locked container in the HSA under dual control. Cards shall not be stored outside of the vault except as WIP while the facility is in operation.
Observe to verify cards stored outside the vault are stored in secure, locked containers in the HSA under dual controls.
Examine procedures for use of the WIP area to verify that partially finished cards are stored properly in the HSA.
Section 3: 3.6 Ordering Proprietary Components
a) The vendor must obtain proprietary components (e.g., signature panels, holographic materials, special dies) only from authorized suppliers.
Examine documentation to determine what supplier the vendor is receiving proprietary components from, and whether they are authorized suppliers.
b) The vendor must provide the supplier with both the street and mailing addresses …
Removed
p. 127
a) The vendor must apply audit controls to each job/batch received, whereby an effective audit trail is established for each production step.
Examine policies/procedures to verify audit controls and an audit trail are in place for each job/batch and production step.
Examine a complete job run to verify procedures are followed.
b) All card products and components (both good and rejected, including samples) must be counted and reconciled prior to any transfer of responsibility.
Observe a sample production job/run and validate that all card products and components (both good and rejected, including samples) are counted and reconciled prior to any transfer of responsibility.
c) An effective audit trail is comprised of a series of audit logs that must contain but are not limited to the following information:
• Description of the component or card product(s) being transferred
• Name and signature of the individual releasing the component or card …
Removed
p. 132
a) If modifications are to be made to the audit log, a single line must be made through the original figure.
Examine a sample of audit logs to verify that all modifications to the audit logs are being made in the authorized and designated manner.
b) The updated figure and the initials of the card production staff member making the changes must be placed adjacent to the incorrect figure.
Examine a sample of logs to verify that all modifications to the audit log are being made in the authorized and designated manner.
Section 3: 3.7.1.2 Log Review
a) All logs must be reviewed and validated for completeness at least weekly by an individual who is not involved in the direct operation of the equipment.
Examine a sample of logs to verify that they are being reviewed and validated for …
Removed
p. 134
• Number of cards originally placed in inventory
• Reason for transaction (e.g., job number)
• Number of cards removed from inventory
• Number of cards returned to inventory
• Balance remaining in the vault
• Date and time of activity
• Names and signatures of the card production staff who handled the transaction
Examine the vault log to verify that at a minimum it contains the items listed above.
Observe items being logged in and out of the vault to verify that proper documentation is accurately completed.
b) Two card production staff must create a written, physical inventory of card and card components monthly.
Examine a sample of monthly inventory to verify that an …
Removed
p. 135
a) During personalization, cards and cardholder data must be handled in a secure manner to ensure accountability.
Observe personalization process and validate controls are in place that ensure a secure method of handling and accountability.
b) An audit control log must be maintained for each job/sub-job (batch) designating:
• Card type
Examine a sample of audit control logs to verify they include job number, issuer name, and card type.
c) For each personalization batch, include:
• Initial card procurement (beginning balance)
• Cards returned to inventory
• Machine/operation identification
• Date and time of reconciliation
Removed
p. 136
• Name and signature of an individual other than the operator, who is responsible for verifying the count
d) For accounts/envelopes, include:
• Number of card carriers printed
• Number of carriers wasted
• Number of envelopes that contain cards
e) For PIN mailers, include:
• Number of mailers to be printed
• Number of mailers actually printed
• Wasted mailers that have been printed
• Number of mailers transferred to the mailing area/room
• Name and signature of an individual other than the operator, who is responsible for verifying the count
3.8 Production Equipment and Card Components; 3.8.1 Personalization Equipment
a) The vendor …
Removed
p. 142
a) Maintain a log of all returned cards and PIN mailers.
Examine policies/procedures to verify that a log is required for all returned cards and PIN mailers.
Examine a sample of logs to verify procedures are followed to maintain a log of all returned cards and PIN mailers.
b) Store all returned cards in a secure container under dual control.
Observe that a secure container is utilized to store all returned cards under dual control.
c) Either send returned cards to the issuer or destroy them as defined in Section 3.10, “Destruction and Audit Procedures.”
Examine policies/procedures to verify returned cards are either sent to the issuer or destroyed according to “Destruction and Audit Procedures.”
Interview personnel to verify procedures are known and followed.
d) Destroy returned PIN mailers as defined in Section 3.10 below.
Observe the method of destruction of PIN mailers to verify it is in accordance with “Destruction and Audit …
Removed
p. 150
a) Count all card products under dual control.
Observe an example (live or recorded previous count if live not available) of a count to verify that counts of all card products are performed under dual control.
Modified
p. 150 → 5
Section 4: Packaging and Delivery Requirements
Section C.1: General Requirements
Removed
p. 151
b) Complete audit-control documentation before the cards are packaged.
Observe an example (live or recorded previous count if live not available) to verify that audit-control documentation is completed before the cards are packaged.
c) Reconcile all counts with amount to be shipped prior to packaging.
Observe an example (live or recorded previous count if live not available) to verify that all counts of card products to be shipped prior to packaging are reconciled.
d) Immediately seal containers for final packaging.
Observe an example (live or recorded previous count if live not available) to verify that the containers for the card products to be shipped are immediately sealed for final packaging.
e) Immediately investigate and resolve discrepancies.
Examine policies and procedures to verify that all discrepancies in the preparation process are immediately investigated and resolved before packaging.
Removed
p. 151
a) Use materials for the packaging of cards and components with sufficient strength to minimize breakage during shipment.
Observe an example to verify the use of packaging materials of sufficient strength to minimize breakage during shipment.
b) Use packaging that does not indicate or imply the nature of the contents.
Observe an example to verify the packaging does not indicate or imply the nature of the contents.
c) Use reinforced, tamper-evident, color-coded tape that is not in common use to band the containers.
Observe an example to verify the tape used for sealing the packaging is reinforced, tamper-evident, unique, and color-coded.
d) Use containers that are uniquely numbered and labeled.
Observe an example to verify the containers are uniquely numbered and labeled.
e) Record the number of containers and cards on a packing list.
Observe an example to verify that the number of containers and cards on a packing list are recorded.
f) Package …
Removed
p. 157
iii. The contents are secured with tamper-evident straps and checked upon delivery.
Examine vendor policies and procedures to verify the contents are secured with tamper-evident straps and checked upon delivery.
iv. The vehicle is loaded using dual control and locked during transport.
Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the card transport vehicle is loaded using dual control and locked during transport.
v. Vehicle drivers do not have a key or access to contents.
Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify the card transport vehicle drivers do not have a key or access to contents.
vi. Two persons are in the vehicle equipped with a device to communicate with the security control room.
Examine vendor policies and procedures, if done in-house (i.e., using internal staff), or service provider agreement language to verify that two persons …
Removed
p. 159
a) Mail must be in tamper-evident packaging and/or strapped to prevent the removal of envelopes or placed in locked carts.
Examine a sample of mail awaiting delivery to verify that it is in tamper-evident packaging and/or strapped to prevent the removal of envelopes or placed in locked carts.
b) The packaging must be the same as that used by the local mail service.
Examine a sample of mail trays to verify that their packaging is the same as that used by the local mail service.
c) Labels on packages sent to the postal service or presort facility must not indicate the name of the vendor or issuer.
Examine a sample of packages intended for the postal service or a presort facility to verify that their package labeling does not indicate the name of the vendor or issuer.
d) Labels on packages sent to the issuer must not indicate the name of the …
Removed
p. 160
a) The vendor must secure packages under dual control with access limited to authorized personnel.
Observe that the packages are secured under dual control with access limited to authorized personnel prior to transfer to courier service.
b) The vendor must only utilize a courier service that assigns a unique tracking number for each package. A tracking system in conjunction with the tracking number must enable the vendor to identify the successful completion of delivery milestones and exception conditions during the delivery process commencing with initial pick-up and ending with delivery.
Examine policies and procedures to verify that:
• Only a courier service that assigns a unique tracking number for each package is used,
• A tracking system is in place to enable the identification of:
− Successful completion of delivery milestones during the delivery process from initial pick-up to final delivery.
− Exception conditions during the delivery process commencing with initial pick-up and ending with …
Removed
p. 163
a) The vendor must confirm with the VPA whether specific requirements apply to its geographic locations.
Examine evidence of VPA guidance for whether specific requirements apply to its geographic locations.
b) Secure transport originates at the vendor or issuer and must terminate at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.
Examine policies and procedures to verify secure transport originates at the vendor or issuer and terminates at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.
Observe a sample of shipping logs to verify that secure transport originates at the vendor or issuer and terminates at a vendor, issuer, mail facility, pre-sort facility, or courier facility shipping area unless otherwise approved by the VPA.
c) Secure transport must occur in one of the following manners: armored vehicle, unarmored vehicle, air freight, sea freight, …
Removed
p. 164
a) This service must be carried out under dual control.
Examine the agreement(s) with the armored transport service to verify it contains language that ensures that armored services used employ dual control during card transport.
b) The card transport vehicle must not carry any signs or logos indicating it belongs to a card vendor.
Examine the agreement(s) with the armored transport service to verify it contains language that ensures that card transport vehicles do not carry any signs or logos indicating they belong to a card vendor.
c) If intermediate stops are made during transport, the carrier must ensure the integrity of the shipment remains intact:
i. The cargo must never be left unattended unless the cargo area is armored.
Examine the agreement(s) with the armored transport service to verify it contains language that ensures the card transport vehicle’s cargo must never be left unattended unless the cargo area is armored.
ii. If the …
Removed
p. 165
a) The card transport vehicle must not carry any signs or logos indicating it belongs to a card vendor.
Examine vendor policies and procedures, if done in-house (i.e., using internal staff) or service provider agreement language if outsourced, to verify that any unarmored vehicle used for deliveries does not carry any signs or logos indicating it belongs to a card vendor.
b) An accompanying escort vehicle must be used in conjunction with the unarmored transport vehicle. This vehicle must not also be used as a card transport vehicle.
Examine vendor policies and procedures, if done in-house (i.e., using internal staff) or service provider agreement if outsourced, to verify that any unarmored vehicle used for deliveries is accompanied by another vehicle that is not used for card transport.
c) The card transport vehicle used between the vendor facility and the destination must be under dual control at all times (a driver accompanied by a guard) and never …
Removed
p. 166
Examine vendor policies and procedures, if done in-house (i.e., using internal staff) or service provider agreement language to verify that shipments made via air freight are secured in locked or sealed containers.
Removed
p. 166
Examine vendor policies and procedures, if done in-house (i.e., using internal staff) or service provider agreement language to verify that goods registered as consolidated cargo are not permitted.
Examine vendor policies and procedures, if done in-house (i.e., using internal staff) or service provider agreement language to verify that all transports between the vendor location and the destination location are required to be nonstop whenever possible.
c) The card transport vehicle must not carry any signs or logos indicating it belongs to a card vendor.
Examine vendor policies and procedures, if done in-house (i.e., using internal staff) or service provider agreement language if outsourced, to verify that any vehicle used for transfer to the air freight terminal does not carry any signs or logos indicating it belongs to a card vendor.
d) An accompanying escort vehicle must be used in conjunction with the card transport vehicle. This vehicle must not also be used as a card transport vehicle.
…
Removed
p. 176
a) Have access to the names and signatures of individuals who are authorized to collect and deliver shipments.
Examine policies and procedures to verify that the vendor has the names and signatures of individuals who are authorized to collect and deliver shipments.
b) Verify the identity of personnel arriving to collect or deliver shipments.
Examine policies and procedures to verify that the vendor confirms the identity of personnel arriving to collect or deliver shipments.
c) Confirm the identity with the signature list.
Examine policies and procedures to verify that the vendor confirms the identity of individuals with the signature list.
d) Place the cartons on a pallet in such a manner that the sides of the carton showing the batch code are visible.
Examine policies and procedures to verify that the vendor places the cartons on a pallet in such a manner that the sides of the carton showing the batch code are …
Removed
p. 177
a) Before release of the consignment, a pre-arranged method of identification between the vendor and destination party must be established to verify the authority and identity of the carrier to receive shipment.
Examine shipping activity logs to verify establishment of a pre-arranged method of identification between the vendor and destination party to verify the authority and identity of the carrier to receive the shipment before release of the consignment.
b) At each point where custody and possession of the consignment changes from one entity or agent to another, the consignment must be inspected to confirm the integrity of all locks and seals.
Examine shipping activity logs to verify that the consignment is inspected to confirm the integrity of all locks and seals at each point where custody and possession of the consignment changes from one entity to another.
c) A written receipt must be completed under dual control at each point of …
Removed
p. 178
a) All card components must be delivered and returned by secure transport.
Examine policies and procedures to verify that all card components subject to return are delivered by secure transport.
b) The consignment must be received under dual control.
Examine shipping activity logs to verify that the consignments of returned card components are received under dual control.
c) Whilst under dual control, the consignment must be inventoried and handled as defined in “Audit Controls” (Section 3.7).
Examine shipping activity logs to verify that the consignment of returned card components is inventoried and handled under dual control as defined in “Audit Controls” (Section 3.7).
d) Documentation of the shipment must be maintained for 24 months and must include:
• Sequential identification numbers (if applicable)
• Reel numbers (if applicable)
• Total quantity returned
• Recipient name and signatures
• Destination or origination address
• …
Removed
p. 179
a) The transfer of shipment responsibility occurs at the point at which the vendor has delivered cards according to the contract between the issuer and the approved vendor.
Examine a sample of agreements with issuers to verify that they contain language indicating that the transfer of shipment responsibility occurs at the point at which the vendor has delivered cards.
Section 5: PIN Printing and Packaging of Non-personalized Prepaid Cards
Section 5 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
The following requirements apply only for non-personalized, prepaid cards. All other preceding requirements apply unless explicitly superseded in this section.
The PIN-printing system may be a single, integrated device with multiple components (e.g., control system, HSM, and printer) or a system of separate components with dedicated functionality, connected via cables.
Prepaid cards may be packaged, shipped, and mailed together with their PINs, provided the following requirements are fulfilled:
5.1. The …
Removed
p. 181
• must be performed in the personalization HSA or in a separate HSA that meets the physical and logical requirements for a personalization HSA.
Observe that all activity surrounding the matching of the card with a pre-printed PIN mailer is being handled either in the personalization HSA, or in a separate HSA that meets the physical and logical requirements for a personalization HSA.
5.5 Clear-text PINs must never be available on any system on the personalization network.
Examine documentation to verify that clear-text PINs are never to be available on any system on the personalization network.
Interview the network administrator to have them validate that clear-text PINs must never be available on any system on the personalization network.
Observe DB tables containing PIN data retrieved by the network administrator to verify PINs are not in clear text.
Removed
p. 182
Examine network diagrams to verify that PIN-printing systems are either on:
• A network physically separate from the personalization network, or
• A logically separated subnet dedicated for PIN printing, which is protected by a dedicated firewall.
Examine firewall rules to verify the aforementioned.
Removed
p. 182
Addressed in review conducted under the PCI Card Production and Provisioning Logical Security Requirements.
5.8 PINs must be deleted from the PIN-printing system immediately after printing using a secure erasure tool that prevents recovery of the PIN using forensic techniques or off-the-shelf recovery software.
Examine documentation to identify the controls in place to verify that PINs are deleted from the PIN-printing system immediately after use via:
• A secure erasure tool that prevents recovery of the PIN using forensic techniques, or
• Off-the-shelf recovery software.
Interview the PIN production manager to verify secure erasure of PINs after printing.
Observe PIN-printing process and verify that PINs are securely erased immediately after printing.
Removed
p. 183
Examine documentation to verify that clear-text PINs are not stored.
Observe PIN-printing process and verify that clear-text PINs are only available for the minimum time required for printing and are not stored in clear text.
Removed
p. 183
a) Be in a dedicated PIN-printing room as defined in Section 2.3.5.4 of this document, “PIN Mailer Production Room”; and
Examine architecture documentation to verify that the PIN-printing room is in a dedicated room as defined in Section 2.3.5.4.
Interview the owner of the PIN-printing process to verify whether clear-text PINs are available outside of the printer and to identify locations.
b) Only be made operational after physical review of the cabling has been performed and it is confirmed that there is no evidence of tampering.
Observe cabling to confirm no evidence of tampering.
Observe how it is secured above ceiling or below flooring and the procedure for gaining access to cabling.
c) Additionally, the PIN must be concealed in tamper-evident packaging immediately after printing.
Observe the process for how the PIN is concealed in tamper-evident packaging immediately after printing.
Removed
p. 184
i.e., the HSM, controller, printer, and all cabling that carries the PIN are secured inside a single, integrated device. PIN printing may take place in any of the following places:
a) The personalization HSA
Examine documentation to verify that clear-text PINs only exist within a single integrated device.
Observe that this occurs within the personalization HSA; or
b) A dedicated PIN printing room within the personalization HSA
Observe that the activity occurs in a room dedicated to only PIN printing; or
c) A separate HSA that meets the physical and logical requirements for a personalization HSA
Observe the separate HSA to verify set-up of the separate HSA meets the physical and logical requirements for a personalization HSA.
d) Additionally, all of the following requirements must be fulfilled:
Examine policies/procedures to verify that each of the following is required:
e) The printer must be locked under dual control before the print job …
Removed
p. 186
a) Ensure that procedures are documented and followed by security personnel responsible for granting access to the CCTV and access-control systems.
Examine procedures for granting access to the CCTV system and access-control systems to verify existence.
Interview security personnel responsible for the adding or removing of authorized users on the CCTV system and access-control systems to verify adherence to procedures.
b) Restrict approval and level of access to staff with a documented business need before access is granted. At a minimum, documented approvals must be retained while the account is active.
Examine a sample of access grants and compare the positions of those granted access to the CCTV and access-control systems to verify access is appropriately restricted.
c) Restrict systems access by unique user ID to only those individuals who have a business need.
Examine documentation to verify there is a list of roles that need system access together with a legitimate business …
Removed
p. 187
d) Only grant individuals the minimum level of access sufficient to perform their duties.
Examine documentation and verify that the access is restricted based on least privileges necessary to perform job responsibilities.
Interview administrator to verify that individual access is based on the minimum level of access sufficient to perform their duties.
e) Make certain that systems authentication requires at least the use of a unique ID and password.
Examine documentation to make certain that ID and password for system authentication is unique.
Observe logon to system to verify that, at a minimum, authentication requires the use of an ID and password.
f) Restrict administrative access to the minimum number of individuals required for management of the system.
Interview administrator to determine names of people with administrative access.
Interview management of systems to determine if the number of people with administrative access is the minimum number of individuals required for management of the system.
g) Ensure security guards do …
Removed
p. 195
a) Define, document, and follow procedures to demonstrate:
• Identification of security alerts, e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT)
• Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components
• Inventory of current systems in the environment including information about installed software components and about running services
Examine anti-virus policies/procedures to verify that the following are defined and that corresponding procedures exist for each:
• Identification of security alerts, e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT)
• Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components
• Inventory of current systems in the environment including information about installed software components and about running services
b) Deploy anti-virus software on all systems potentially affected by malicious software (e.g., personal computers and servers).
Examine …
Removed
p. 198
• Identifying and evaluating newly discovered security vulnerabilities, and
• Identifying and evaluating security patches from software vendors.
Interview the system administrator to verify that procedures are implemented to identify and evaluate newly discovered security vulnerabilities and security patches from software vendors.
c) Ensure that secure configuration standards are established for all system components.
Examine documentation to verify that secure configuration standards are established for all system components.
Interview the system administrator to verify that a secure configuration standard exists and that there is a documented configuration standard for all system components.
d) Ensure that the configuration standards include system hardening by removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Examine the organization’s system configuration standards for all types of system components and verify that the standard addresses:
• The removal of all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
e) Ensure …
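The requirements removed above ask a card vendor to keep an inventory of installed software and running services, to identify security alerts and vendor patches that affect those components, to run anti-virus on every system that could be affected, and to hold each system to a hardening standard that strips unnecessary functionality. The following Python check is an added illustration of what evidence for those four points can look like when the inventory is compared mechanically against the standard and the alert list; it is not part of either PCI document and not an official tool. The host names, roles, package versions, service names and alert data are constructed sample data.

```python
"""Added example, not from the PCI CPP documents: compare a constructed
system inventory against a constructed hardening standard and alert list."""
from typing import Dict, List, Set, Tuple

# Constructed hardening standard (requirement d): services permitted per role.
CONFIG_STANDARD: Dict[str, Set[str]] = {
    "personalisation-server": {"sshd", "perso-engine", "rsyslog", "av-agent"},
    "workstation": {"sshd", "rsyslog", "av-agent"},
}

# Constructed security alerts (requirement a): package -> first fixed version.
SECURITY_ALERTS: Dict[str, str] = {
    "openssl": "3.0.14",
    "perso-engine": "2.4.1",
}

# Constructed inventory (requirement a): installed packages and running services.
INVENTORY: Dict[str, dict] = {
    "perso01": {
        "role": "personalisation-server",
        "packages": {"openssl": "3.0.13", "perso-engine": "2.4.1", "rsyslog": "8.2.4"},
        "services": {"sshd", "perso-engine", "rsyslog", "av-agent", "cupsd"},
    },
    "ws07": {
        "role": "workstation",
        "packages": {"openssl": "3.0.14", "rsyslog": "8.2.4"},
        "services": {"sshd", "rsyslog"},
    },
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.0.14' into (3, 0, 14); non-numeric parts sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def unnecessary_services(host: dict, standard: Dict[str, Set[str]]) -> Set[str]:
    """Running services that the standard for this host's role does not allow."""
    return host["services"] - standard[host["role"]]


def vulnerable_components(host: dict, alerts: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Installed packages older than the fixed version named in a security alert."""
    hits = []
    for pkg, installed in sorted(host["packages"].items()):
        fixed = alerts.get(pkg)
        if fixed and parse_version(installed) < parse_version(fixed):
            hits.append((pkg, installed, fixed))
    return hits


def missing_antivirus(host: dict, av_service: str = "av-agent") -> bool:
    """Requirement b: the (assumed) anti-virus agent must be running on every system."""
    return av_service not in host["services"]


def assess(inventory: Dict[str, dict], standard: Dict[str, Set[str]],
           alerts: Dict[str, str]) -> Dict[str, List[str]]:
    """One list of findings per host; an empty list means the host passed all checks."""
    findings: Dict[str, List[str]] = {}
    for name, host in sorted(inventory.items()):
        items = []
        for svc in sorted(unnecessary_services(host, standard)):
            items.append(f"service '{svc}' not permitted by standard for role {host['role']}")
        for pkg, installed, fixed in vulnerable_components(host, alerts):
            items.append(f"package {pkg} {installed} below fixed version {fixed}")
        if missing_antivirus(host):
            items.append("anti-virus agent not running")
        findings[name] = items
    return findings


if __name__ == "__main__":
    for host, items in assess(INVENTORY, CONFIG_STANDARD, SECURITY_ALERTS).items():
        print(host, "OK" if not items else "")
        for item in items:
            print("  -", item)
```

Run as-is, the script reports the print service on perso01 as outside the standard, its OpenSSL build as below the fixed version from the alert feed, and the workstation as lacking the anti-virus agent; in a real assessment the inventory would come from an endpoint or configuration management tool and the alert list from the vendor feeds the procedures in a) subscribe to.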