According to the PCI Card Production and Provisioning – Logical Security Requirements, there must be a clear segregation of duties between the staff involved in different card production and provisioning activities, such as card personalization, PIN generation and printing, and card fulfillment. This is to prevent any unauthorized access, modification, or disclosure of sensitive cardholder data and to ensure the integrity and confidentiality of the card production process. Therefore, if John is involved in card personalization, which is the process of transferring cardholder information to a payment card, then he must never be involved in PIN printing, which is the process of printing the personal identification number associated with the cardholder account on a mailer. This way, John cannot link the cardholder data on the card with the PIN on the mailer, and cannot compromise the security of the cardholder authentication. The other statements are not true, as there is no requirement that prohibits John from being involved in the card shipment process, as long as he does not have access to both the card and the PIN mailer at the same time.  References:

Payment Card Industry (PCI) Card Production and Provisioning – Logical Security Requirements , Section 2.1.1 and 2.1.2

Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms , Definitions of Card Personalization and PIN Printing

 According to the PCI Card Production Logical Security Requirements, the vendor must have a formal employee termination process that includes notifying the security manager in writing prior to the termination of any employee who has access to cardholder data or sensitive authentication data. This is to ensure that the security manager can take appropriate actions to revoke the employee’s access rights, credentials, and keys, and to prevent any unauthorized use or disclosure of cardholder data or sensitive authentication data by the terminated employee. The vendor must also have a documented policy and procedure for the employee termination process, and must maintain a log of all termination activities.  References :

PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.2

PCI Card Production Logical Security Requirements, v2.0, April 2019, page 20, requirement 6.1.3

According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security.  References:   PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16

 Card personalization is the process of transferring cardholder information, such as account number, name, expiration date, and other data, to a payment card. This can be done by various methods, such as magnetic stripe encoding, embossing, laser engraving, or chip programming. Chip programming is the method of personalizing a card that has an embedded microchip that can store and process data. Chip cards can support contact or contactless transactions, depending on the chip type and the terminal capabilities. Contact transactions require the card to be inserted into a reader, while contactless transactions use radio frequency (RF) communication between the card and the reader. The vendor in the question is performing card personalization by programming the chip and verifying the data on the card.  References:

Payment Card Industry (PCI) Card Production and Provisioning – Logical Security Requirements , Section 1.1.1

Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements , Section 1.1.1

Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms , Definitions of Card Personalization, Chip Card, Contact Card, and Contactless Card

According to the PCI Card Production and Provisioning Template for Report on Compliance, for each requirement listed in a ROC, all types of findings must have a full narrative response. A finding is the result of the assessor’s evaluation of the entity’s compliance status for each requirement. The types of findings are:

Compliant: The entity meets the requirement as stated in the PCI Card Production Standards.

Non-Compliant: The entity does not meet the requirement as stated in the PCI Card Production Standards.

Not Applicable: The requirement does not apply to the entity’s environment or operations.

Not Tested: The requirement was not tested by the assessor for a valid reason.

New: The entity has implemented a new process, system, or control that affects the requirement since the last assessment.

Closed: The entity has remediated a previous non-compliant finding and has provided sufficient evidence to the assessor.

A full narrative response is a detailed explanation of the finding, including the following elements:

The scope of testing performed by the assessor to evaluate the requirement

The testing procedures and tools used by the assessor

The sampling methodology and rationale used by the assessor

The evidence collected and reviewed by the assessor

The observations and conclusions made by the assessor

The recommendations and remediation actions (if any) suggested by the assessor

A full narrative response is required for all types of findings to provide a clear and comprehensive documentation of the entity’s compliance status and to support the assessor’s professional judgment and opinion. A full narrative response also helps the payment brands, the PCI SSC, and the entity itself to understand the entity’s environment, risks, and controls, and to verify the accuracy and validity of the assessment.  References :

PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 4

PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 5

PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 6

According to the PCI Card Production Logical Security Requirements, a vendor’s HSA access must be enforced by a security turnstile that has a logical access-control system that ensures anti pass-back. This means that the system must prevent a person from using the same badge to enter or exit the HSA more than once without completing the access cycle. The access cycle is the process of entering or exiting the HSA through the turnstile, which may involve biometric verification, PIN entry, or other authentication methods. The status of the access must change upon initial presentation of an authorised badge, prior to completion of the access cycle, to prevent another person from using the same badge to enter or exit the HSA. For example, if a person presents an authorised badge to enter the HSA, the system must register that the badge is inside the HSA and deny access to anyone else who tries to use the same badge until the person exits the HSA with the same badge.  References:   PCI Card Production Logical Security Requirements, v2.0, April 2019, page 12

 According to the PCI Card Production and Provisioning Physical Security Requirements, emergency exit doors must be equipped with devices that prevent unauthorized entry from the outside, such as panic bars, crash bars, or push pads. These devices allow the door to be opened from the inside without a key or a code, but prevent the door from being opened from the outside by unauthorized persons. Therefore, the most concerning aspect of the situation is that the exit door can be opened from the outside with a key, which creates a security risk for the facility. The other options are not as concerning, as they do not directly affect the security of the exit door. The exit door can lead into the facility as long as it provides a safe and unobstructed path to the exit discharge. The guard’s memory lapse is not a major issue, as long as they follow the proper procedures and protocols for opening the door. The guard’s permission from their manager is not relevant, as long as they have the authority and the responsibility to open the door for inspection purposes.  References :

PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 17 1

PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 18 1