According to the PCI CPSA Qualification Requirements, Technical FAQs are documents that provide guidance on specific technical topics related to the PCI Card Production Security Standards. Technical FAQs are not mandatory, but they are recommended to be used by CPSA Companies and CPSA Employees during the card production assessment process. Technical FAQs are intended to help clarify the intent and applicability of the PCI Card Production Security Requirements, and to provide examples and best practices for achieving compliance. Technical FAQs are published by the PCI SSC on its website, and are updated periodically based on feedback from the card production industry and the payment brands. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 4.2, Page 81

The best way to check that you are using the most current version of the Card Production requirements is to download it from PCI SSC’s Document Library. The PCI SSC’s Document Library is a repository of all the PCI standards, guidelines, and supporting documents that are developed and maintained by the PCI SSC. The Document Library is accessible to the public and provides the latest versions of the documents, as well as the summary of changes and the effective dates. The Document Library also allows you to search, filter, and sort the documents by category, type, date, and keyword. Therefore, by downloading the Card Production requirements from the Document Library, you can ensure that you have the most up-to-date and authoritative version of the requirements. The other options are not the best ways to check the version of the Card Production requirements, as they may not be reliable, efficient, or available. Having the CPSA Company’s point of contact request the document may not be feasible, as the point of contact may not have the authority, the access, or the time to do so. Emailing a request for the document to PCI SSC may not be effective, as the PCI SSC may not respond promptly or provide the document in the format that you need. Viewing the document directly via PCI SSC Assessor Portal may not be possible, as the Assessor Portal may not have the latest version of the document or may require a login credential that you do not have. References:

• PCI SSC Document Library1
• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52

According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61

According to the PCI Card Production Logical Security Requirements, vendors must have a list of pre-approved third parties that are authorized to access the facility and the systems involved in card production. However, other third parties may be granted access under exceptional circumstances, such as emergency repairs or maintenance, provided that they are approved by the physical security manager or senior management. The vendor must also ensure that the third parties comply with the security policies and procedures, and that their access is logged and monitored. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 13

According to the PCI Card Production Physical Security Requirements, the vendor must ensure that a clear segregation of duties is maintained between guard and reception related job functions. This is to prevent any conflict of interest or collusion that could compromise the security of the card production and provisioning processes or the cardholder data. The vendor must also ensure that the guards are adequately trained, supervised, and evaluated, and that they follow the security policies and procedures established by the vendor. The vendor must also have a documented policy and procedure for the selection, hiring, and termination of guards, and must maintain a log of all guard activities. References:

• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 24, requirement 6.1.1
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 25, requirement 6.1.2
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 26, requirement 6.1.3
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 27, requirement 6.1.4

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have an alarm system that monitors and detects unauthorized access to the card production and provisioning facilities, and that alerts the security control room or a central monitoring service. The alarm system must also be able to identify the location and cause of the alarm, and allow authorized personnel to reset it. The alarm system must be operational 24/7, and must be tested at least annually. The vendor must also have procedures to respond to alarms and incidents, and to report them to the relevant parties. If the alarm system does not send alerts to the security control room, or a central monitoring service, during working hours, the vendor may not be able to comply with these requirements, and may not be able to prevent, detect, or respond to unauthorized access or security breaches. This may cause a problem for their assessment, as they may not meet the PCI Card Production and Provisioning Physical Security Requirements. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101

According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security. References: PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16

According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee’s termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities. References:

• PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1
• PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1

According to the CPSA Program Guide1, PCI SSC does not list compliant card vendors on its website. The PCI SSC only lists the qualified CPSA Companies and CPSA Employees who are authorized to perform PCI Card Production Security Assessments. The PCI SSC also does not receive or review the full ROCs or AOCs from the card vendors or the CPSA Companies. The ROCs and AOCs are submitted by the CPSA Companies to the applicable payment brands that have contracted with the card vendors for card production and provisioning services. The payment brands are responsible for verifying the compliance status of the card vendors and determining whether to list them on their own websites or databases. Therefore, the CPSA Company should inform the vendor that they must request a listing via the payment brand(s) that received their ROC, and that the listing process may vary depending on the payment brand’s policies and procedures. The CPSA Company should also advise the vendor to maintain their compliance with the PCI Card Production Standards and to undergo annual assessments by a qualified CPSA Company.

According to the PCI CPSA Program Guide, a CPSA Company must maintain workpapers and technical information obtained during an assessment for a minimum of three years from the date of the assessment. The workpapers and technical information must be stored securely and made available to PCI SSC upon request. The workpapers and technical information must include, but are not limited to, the following:

• The Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC)
• The Card Production Entity’s policies and procedures
• The Card Production Entity’s network diagrams and data flow diagrams
• The results of any testing performed by the CPSA Company or the Card Production Entity
• The evidence of any remediation actions taken by the Card Production Entity
• The correspondence between the CPSA Company and the Card Production Entity
• The correspondence between the CPSA Company and the payment brands
• The feedback form completed by the Card Production Entity References:
• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 111

The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to ensure that they comply with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The AQM audits are conducted by PCI SSC staff or authorized third parties, and may include onsite visits, remote reviews, or both. The AQM audits aim to verify the quality and consistency of the CPSA companies’ assessment processes, reports, and documentation, as well as their adherence to the PCI SSC Code of Professional Responsibility. The AQM audits may result in corrective actions, sanctions, or revocation of the CPSA company status, depending on the severity and frequency of the non-compliance issues identified. References:

• PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1
• PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2

Data preparation is the process of creating cardholder data and keys for each card, and formatting them for the hardware that will put them on a card. Data preparation involves the use of an HSM to generate keys and encrypt data, and the creation of an encrypted file that contains the cardholder data and keys. Data preparation is one of the steps in the card production lifecycle, and it precedes the manufacture and personalization of the cards. References:

• Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 10
• PCI Card Production Logical Security Requirements, v2.0, April 2019, page 9
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 9