
Payment Card Industry (PCI)

Card Production Security Requirements

Summary of Changes from PCI Card Production Version 1.0 to 1.1

March 2015
Table of Contents

Introduction (page 1)
Section 1: Change Types (page 1)
Section 2: Summary of Changes (page 2)
    Changes to Physical Security Requirements (page 2)
    Changes to Logical Security Requirements (page 8)

Summary of Changes from PCI Card Production Version 1.0 to 1.1 March 2015
Copyright 2015 PCI Security Standards Council LLC Page i
Introduction
This document provides a summary of changes from PCI Card Production Physical Security
Requirements and PCI Card Production Logical Security Requirements Version 1.0 to Version 1.1.
Section 1 below provides an overview of the types of changes included in Version 1.1. Section 2 on the
following pages provides a summary of material changes to be found in both the Physical and Logical
Security Requirements documents.

Section 1: Change Types

Change Type: Definition

Additional Guidance: Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.

Requirement Change: To reflect the addition, modification or deletion of requirements.

Note: The changes above do not include those that are corrections of grammar or typographical errors or other rephrasing of existing statements.

Section 2: Summary of Changes
Changes to Physical Security Requirements

Each entry gives the reference (section number and title), the change type in parentheses, and the change.

Requirement 2 Personnel

2.1.3.3 Identification badges (Additional Guidance)
    Clarified that access credentials are not restricted to cards.

Requirement 3 Premises

3.2.1 Emergency Exits (Requirement Change)
    Added criteria that emergency exits must not be capable of being opened from outside nor lead to a higher security area.

3.3.2.2 Location and Security Protection (Additional Guidance)
    Clarified that person-by-person access may be fulfilled through a procedural control.
    Clarified that one-way mirror film or other material is not the only acceptable method to prevent observation of security equipment inside the security control room.

3.3.3 High Security Areas (HSAs) (Additional Guidance)
    Clarified that equipment that is purely associated with test activities is not allowed in the HSA.

3.3.4 HSA Security Protection and Access Procedures (Additional Guidance)
    Rephrased motion-detection activation criteria.
    Clarified that medical items such as medications and tissues are allowed if in clear containers that can be examined, and that no food or beverages are allowed.

3.3.4 HSA Security Protection and Access Procedures (Requirement Change)
    Modified to state that for motion detection, in addition to a local sound alarm, a notification (silent alarm) within the security control room must exist.
    Modified to state that if the access-control server is not located in the security control room, it must be located in a room of equivalent security. The access-control server cannot be located in the HSA.

3.3.5 Rooms (Requirement Change)
    Added requirements that if the HSA contains fire doors and these doors are normally closed or can be manually closed, those doors are subject to the same access controls as any other door that provides access to a room; and if the HSA contains fire doors and these doors are locked open and only closed automatically when a fire alarm is activated, the access controls that normally apply for accessing a room do not apply.

3.3.5.3 Card Product and Component Destruction Room(s) (Additional Guidance)
    Renamed section.
    Clarified that a dedicated room must be used for the destruction of card product and component waste.

3.3.5.5 Server Room & Key Management Room (Additional Guidance)
    Clarified that data preparation must occur here and that server processing and key management may occur in the same room or each in a separate room.

3.3.5.6 Vault (Requirement Change)
    Added, as an option to the use of reinforced concrete, the use of materials that at least meet the Underwriters Laboratories Class I Burglary Certification Standards, which provide for at least 30 minutes of penetration resistance to tool and torch for all perimeter surfaces.
    Defined that if the construction of the vault leaves a small (dead) space between the vault and the outside wall, this space must be constantly monitored for intrusion, e.g., by motion sensors.
    Removed the exception for emergency exits and stated that there must be no access to the vault except through vault doors and gate configurations meeting these requirements.
    Stated that the inner grille must meet the same access control criteria as other rooms within the HSA.
    Added that emergency exit doors from the vault to the HSA must meet the strength requirements for a vault door, be alarmed, not be able to be opened from outside, and conform to the requirements for emergency exits.

3.3.5.6 Vault (Additional Guidance)
    Clarified that if the vault is also used to store non-payment products, they must be physically segregated (e.g., stored on dedicated aisles or shelves) to create a physical separation between payment products and other card types.
    Clarified that all boxes with payment cards must be sealed, and that a visible label describing the product type, a unique product identifier number, the quantity of cards contained in the box, and the date of control must be attached to the boxes.

3.4.4.2 Locks and Keys: Audits and Accountability (Additional Guidance)
    Clarified that the security manager's quarterly review applies to keys that allow access to sensitive materials.

3.4.5.2 Closed Circuit Television: Monitor, Camera, and Digital Recorder Requirements (Requirement Change)
    Added the option that motion-activated CCTV may be used, provided that the recording captures any motion at least 10 seconds before and after the detected motion.

3.4.5.4 Retention of Video Recordings (Additional Guidance)
    Clarified that both primary and backup copies must exist for a minimum of 90 days and that backups may also be stored in other facilities via techniques such as disk mirroring, provided the storage is secure in accordance with these requirements.

3.4.6.1 Security Device Inspections: Semi-Annual Inspections (Requirement Change)
    Removed silent duress buttons, as they are addressed separately elsewhere (3.4.3).

Requirement 4 Production Procedures and Audit Trails

4.5.1.2 Core Sheets and Partially Finished Cards: Partially or Fully Printed Sheets (Additional Guidance)
    Clarified that sheets printed with the payment system brand or issuer design must not be used as set-up sheets unless clearly marked void over the payment system brand/issuer design.

4.5.2 Partially Finished Cards (Requirement Change)
    Added that cards shall not be stored outside of the vault except as WIP involving the same batch while the facility is in operation.

4.7 Production Audit Controls (Additional Guidance)
    Changed the title from "Manufacturing" to "Production" for further clarity.
    Clarified that references to components refer to card components.

4.7.3 Personalization Audit Controls (Additional Guidance)
    Clarified that the envelope count is for envelopes that contain cards.

4.8.2 Production Equipment and Card Components: Tipping Foil (Requirement Change)
    Changed the destruction frequency from 24 hours after removal from the embossing machine to as frequently as the vendor deems necessary, but in all cases no less frequently than weekly. The vendor must maintain proper controls over these materials at all times prior to destruction, and the destruction must occur within the HSA.
    Stated that used tipping foil must be removed from the machine during non-production hours.
    Stated that when destroyed, the results must be non-readable and non-recoverable.

4.8.2 Tipping Foil (Additional Guidance)
    Clarified that prior to destruction (e.g., shredding) the foil must be stored within the HSA under dual access control.
    Clarified that the destruction log applies whether reels are partial or full.

4.8.3 Indent Printing Module (Additional Guidance)
    Clarified that the requirement applies to payment system proprietary typefaces.

4.10 Destruction and Audit Procedures (Additional Guidance)
    Clarified that destruction must be carried out in a separate room as defined in 3.3.5.3.

Requirement 5 Packaging and Delivery Requirements

5 Packaging and Delivery Requirements (Additional Guidance)
    Added the following clarifications:
    For transfer to the mail facility, personalized cards can be transported using a company vehicle with the following security controls:
    - A GPS tracking device is used and monitored during transport from within the security control room.
    - The contents are secured with tamper-evident straps and checked upon delivery.
    - The vehicle is loaded using dual control and locked during transport.
    - Vehicle drivers do not have a key or access to contents.
    - Two persons are in the vehicle, equipped with a device to communicate with the security control room.
    Issuer consent must be a letter signed by a corporate officer indicating the destination of the card shipment and acceptance of complete and total liability for any loss, theft, or misplacement of the cards.
    "Personalized bulk cards" includes cards that have been personalized with a cardholder name, a generic identifier, or no cardholder identifier.

5.4 Delivery (Requirement Change)
    Defined that PIN mailers and cards must be dispatched separately, a minimum of two days apart, for all card delivery methods (including mailing, courier delivery, and secure transport), except for the distribution of non-personalized prepaid cards and electronic distribution of PINs, which may occur on the same day in accordance with the Logical Security Requirements.

5.4 Delivery (Additional Guidance)
    Clarified that for mailing, personalized cards must be placed in envelopes that do not contain any brand marks.

5.4.2 Courier Service (Requirement Change)
    Defined that the vendor must only utilize a courier service that assigns a unique tracking number for each package, enabling the vendor to identify the successful completion of delivery milestones and exception conditions during the delivery process, commencing with initial pick-up and ending with delivery.
    Clarified that the vendor is responsible for a manifest for packages sent by courier service that describes the package contents and enables contents verification upon receipt.

Glossary

Glossary (Additional Guidance)
    Added glossary definitions for: Area, Armored Vehicle, Chip Initialization, Dual Presence, HSA Rooms, Non-Personalized Cards, Personalized Cards, Security Components, Unpersonalized Cards.

Changes to Logical Security Requirements

Each entry gives the reference (section number and title), the change type in parentheses, and the change.

Requirement 4 Data Security

4.8 Data Used for Testing (Requirement Change)
    New section to address data and cryptographic keys used for testing vs. production.

Requirement 5 Network Security

5.1 Typical Vendor Network (Requirement Change)
    Defined and illustrated acceptable vendor network designs.

5.1.3 Card Production DMZ (Requirement Change)
    Defined the following:
    - This criterion applies to the card production network, and it must be segregated from other parts of an organization's network.
    - Effective 1 January 2016, the DMZ must be located in the server room of the HSA.
    - DMZ infrastructure equipment within the HSA server room must be in a dedicated rack with access restricted to the minimum number of authorized individuals.
    - All switches and cabling associated with the DMZ equipment must be stored within the same rack, with only the minimum required number of cable connections entering/exiting the rack in order to provide connectivity to firewalls.

5.2 General Requirements (Additional Guidance)
    Clarified that the controls in place to restrict write permission to any system external to the personalization network to only pre-approved functions that have been authorized by the VPA do not apply to systems in the dedicated DMZ. Furthermore, these write functions must not transmit cardholder data if this involves a direct write from the system containing the information.

5.4 Firewalls (Requirement Change)
    Redefined the firewall deployment scheme to protect the HSA's DMZ, with reference to illustrations of acceptable deployments.

5.5 Anti-virus software or programs (Requirement Change)
    Defined that anti-virus updates must be checked for at least daily and that updates must occur whenever updates are available.

5.7 Wireless Networks (Requirement Change)
    Redefined the requirements to:
    - The vendor must use a wireless intrusion detection system (WIDS) capable of detecting hidden and spoofed networks for all authorized wireless networks.
    - When a vendor uses a wireless network, the WIDS must be used to conduct random scans within the HSA at least monthly to detect rogue and hidden wireless networks.
    - When a vendor does not use a wireless network, the vendor must still use a scanning device that is capable of detecting rogue and hidden wireless networks. Random scans of the HSA must be conducted at least monthly.

5.7.3 Additional Requirements for Wi-Fi Standard (Additional Guidance)
    Clarified that the term MAC previously used in this context means media access control.

5.8 Security Testing and Monitoring (Requirement Change)
    Defined that both internal and external network vulnerability scans must occur at least quarterly and after any significant change in the network.

Requirement 6 System Security

6.3 Configuration and Patch Management (Requirement Change)
    Changed the implementation window for critical patches to seven days, applying to all Internet-facing system components; where this is not possible, senior management must sign off and the patches must be implemented within a maximum of 30 business days.

6.5.3 Software Design and Development: Development (Additional Guidance)
    Clarified that the restriction of source code access to authorized personnel applies to applications used on the personalization network.
    Clarified that in-house developed personalization software must implement software logs for any restart (and details associated with that restart event) and that the software enforces authorization at restart.

Requirement 7 User Management and System Access Control

7.2.2 Password Control: Characteristics and Usage (Additional Guidance)
    Clarified that the 90-day maximum for passwords can be less and that the one-day minimum can be longer.

7.4 Account Locking (Requirement Change)
    Modified the requirement to allow for the unlocking of user accounts via automated password reset mechanisms.

Requirement 8 Key Management: Secret Data

8.1 General Principles (Requirement Change)
    Provided that the vendor must have a written description of the vendor's cryptographic architecture that details all the keys used by each HSM. The key description must describe the key usage.

8.1 General Principles (Additional Guidance)
    Clarified that the principles of split knowledge and dual control apply to activities involving key components, and that the only exceptions to these principles involve those keys that are managed as cryptograms or stored within an SCD.

8.3 Asymmetric Keys (Additional Guidance)
    Changed the reference to ISO 16609.

8.4.2 Key-Management Security Administration: Key Manager (Additional Guidance)
    Clarified that if the key manager is also a key custodian, other key custodians must not report to the key manager if, in conjunction with the key manager, they would form a threshold to create a key.

8.4.3 Key Custodians (Additional Guidance)
    Clarified that the roles and responsibilities of key custodians must be fully documented at a level sufficient to allow performance of required activities on a step-by-step basis.

8.5 Key Generation (Additional Guidance)
    Clarified that key components, if printed, must be created in such a way that the key component cannot be observed during the process by anyone other than the authorized key custodian.

8.5 Key Generation (Requirement Change)
    Defined that key components or shares must be placed in pre-serialized, tamper-evident envelopes when not in use by the authorized key custodian.

8.5.1 Asymmetric Keys Used for Payment Transactions (Additional Guidance)
    Clarified that the section applies to issuer keys used for payment transactions.

8.8 Key Storage (Additional Guidance)
    Clarified to apply to envelopes rather than using the term "key storage container".
    Clarified that a PIN is only an example of an allowed access control mechanism.
    Clarified that access logs must include custodian signatures, and that envelope serial numbers must be logged for both placement into storage and removal.

8.9 Key Usage (Requirement Change)
    Redefined the requirements to:
    - Private keys shall be used only to create digital signatures OR to perform decryption operations.
    - Private keys shall never be used to encrypt other keys.
    - RSA signature (private) keys must be prohibited from being used for the encryption of either data or another key, and similarly RSA encryption (public) keys must be prohibited from being used to generate signatures.
    - Public keys shall be used only to verify digital signatures OR to perform encryption operations.
    - Key-encrypting keys must never be used as working keys (session keys), and vice versa.
    Defined that issuer keys must not be used for longer than the issuer-specified expiry date.
    Stated that an inventory of keys under the vendor's management must be maintained to determine when a key is no longer required.
    Defined that all derivation keys must be unique per issuer.

8.9 Key Usage (Additional Guidance)
    Clarified that prototyping is using cards for proof of concept or process where production keys are not used, and that such cards are not used in production.

8.11 Key Destruction (Additional Guidance)
    Clarified the decommissioning process for secure cryptographic devices.
    Clarified where destruction requirements apply to key components rather than keys.

8.11 Key Destruction (Requirement Change)
    Defined that all key destruction must be logged and the log retained for verification.
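The redefined 8.9 rules describe a key-separation policy that a key-management application or HSM front end has to enforce: every key has exactly one role, a private key either signs or decrypts and never wraps other keys, KEKs and working keys never swap roles, issuer keys stop being usable at the issuer-specified expiry, and the inventory must show which keys are no longer required. The Python below is an added example, not code from this document or from the PCI SSC: it models a vendor's key inventory with a declared class per key, refuses any operation outside that class, refuses use past expiry, lists expired keys as candidates for destruction, and rejects a derivation key whose material is registered for a second issuer. Key ids, issuer names, fingerprints and dates are constructed sample values.

```python
"""Key-usage policy checker modelled on the 8.9 key-usage rules (constructed example)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple


class KeyClass(Enum):
    RSA_SIGNATURE_PRIVATE = "rsa-signature-private"
    RSA_DECRYPTION_PRIVATE = "rsa-decryption-private"
    RSA_VERIFICATION_PUBLIC = "rsa-verification-public"
    RSA_ENCRYPTION_PUBLIC = "rsa-encryption-public"
    KEY_ENCRYPTING_KEY = "key-encrypting-key"
    WORKING_KEY = "working-key"
    DERIVATION_KEY = "derivation-key"


class Op(Enum):
    SIGN = "sign"
    VERIFY = "verify"
    ENCRYPT_DATA = "encrypt-data"
    DECRYPT_DATA = "decrypt-data"
    WRAP_KEY = "wrap-key"      # encrypting another key
    UNWRAP_KEY = "unwrap-key"  # decrypting another key
    DERIVE = "derive"


# One role per key class: a private key either signs or decrypts (never both,
# never wraps keys), a public key either verifies or encrypts, and KEKs and
# working keys never swap roles.
ALLOWED_OPS: Dict[KeyClass, set] = {
    KeyClass.RSA_SIGNATURE_PRIVATE: {Op.SIGN},
    KeyClass.RSA_DECRYPTION_PRIVATE: {Op.DECRYPT_DATA},
    KeyClass.RSA_VERIFICATION_PUBLIC: {Op.VERIFY},
    KeyClass.RSA_ENCRYPTION_PUBLIC: {Op.ENCRYPT_DATA},
    KeyClass.KEY_ENCRYPTING_KEY: {Op.WRAP_KEY, Op.UNWRAP_KEY},
    KeyClass.WORKING_KEY: {Op.ENCRYPT_DATA, Op.DECRYPT_DATA},
    KeyClass.DERIVATION_KEY: {Op.DERIVE},
}


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    key_class: KeyClass
    issuer: str              # "VENDOR" marks vendor-owned keys (constructed label)
    fingerprint: str         # check value of the key material (constructed samples below)
    expires: Optional[date]  # issuer-specified expiry date, if any


class KeyInventory:
    """Inventory of keys under the vendor's management, with usage decisions."""

    def __init__(self) -> None:
        self._keys: Dict[str, KeyRecord] = {}

    def register(self, rec: KeyRecord) -> None:
        if rec.key_id in self._keys:
            raise ValueError(f"duplicate key id {rec.key_id}")
        # Derivation keys must be unique per issuer: the same material may not
        # be registered as a derivation key for a second issuer.
        if rec.key_class is KeyClass.DERIVATION_KEY:
            for other in self._keys.values():
                if (other.key_class is KeyClass.DERIVATION_KEY
                        and other.fingerprint == rec.fingerprint
                        and other.issuer != rec.issuer):
                    raise ValueError(f"{rec.key_id} reuses derivation material of "
                                     f"{other.key_id} ({other.issuer})")
        self._keys[rec.key_id] = rec

    def authorize(self, key_id: str, op: Op, today: date) -> Tuple[bool, str]:
        """Decide whether `op` with `key_id` is permitted on `today`, with a reason."""
        rec = self._keys.get(key_id)
        if rec is None:
            return False, f"{key_id}: not in inventory"
        if rec.expires is not None and today > rec.expires:
            return False, f"{key_id}: past issuer-specified expiry {rec.expires.isoformat()}"
        if op not in ALLOWED_OPS[rec.key_class]:
            return False, f"{key_id}: {op.value} not permitted for {rec.key_class.value}"
        return True, f"{key_id}: {op.value} permitted"

    def no_longer_required(self, today: date) -> List[str]:
        """Keys past their expiry, i.e. candidates for logged destruction."""
        return sorted(k for k, r in self._keys.items()
                      if r.expires is not None and today > r.expires)


SAMPLE_TODAY = date(2016, 1, 15)        # constructed reference date
LAST_DAY_OF_B = date(2015, 12, 31)      # constructed expiry of ISSUER-B's key


def build_sample_inventory() -> KeyInventory:
    """Constructed sample keys; ids, issuers, fingerprints and dates are made up."""
    inv = KeyInventory()
    inv.register(KeyRecord("ISS-A-SIG-01", KeyClass.RSA_SIGNATURE_PRIVATE, "ISSUER-A", "3f9a1c", date(2017, 12, 31)))
    inv.register(KeyRecord("ISS-A-ENC-PUB-01", KeyClass.RSA_ENCRYPTION_PUBLIC, "ISSUER-A", "77be02", date(2017, 12, 31)))
    inv.register(KeyRecord("ISS-B-SIG-01", KeyClass.RSA_SIGNATURE_PRIVATE, "ISSUER-B", "a04d5e", LAST_DAY_OF_B))
    inv.register(KeyRecord("KEK-01", KeyClass.KEY_ENCRYPTING_KEY, "VENDOR", "c1c1c1", None))
    inv.register(KeyRecord("WK-01", KeyClass.WORKING_KEY, "VENDOR", "d2d2d2", None))
    inv.register(KeyRecord("MDK-A-01", KeyClass.DERIVATION_KEY, "ISSUER-A", "e3e3e3", date(2018, 6, 30)))
    return inv


def derivation_key_reuse_rejected(inv: KeyInventory) -> bool:
    """True if registering ISSUER-A's derivation material for ISSUER-B is refused."""
    try:
        inv.register(KeyRecord("MDK-B-01", KeyClass.DERIVATION_KEY, "ISSUER-B", "e3e3e3", None))
    except ValueError:
        return True
    return False
```

Every decision returns a reason string as well as the verdict, so the same function can feed both an HSM-side policy check and the audit trail that 8.11 and 8.13 expect; the expiry check uses the issuer-specified date only, matching the rule that issuer keys stop being used at that date regardless of vendor convenience.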

8.13 Key Compromise (Additional Guidance)
    Clarified that unless otherwise stated, the requirements apply to vendor-owned keys.
    Clarified that the vendor must remove all compromised keys from operational use within a predefined time frame and provide a means of migrating to new key(s), and that where keys are issuer-owned, the issuer must be notified immediately for further instruction.

Requirement 9 Key Management: Confidential Data

9.1 General Principles (Requirement Change)
    Defined that issuer keys must not be used for longer than the issuer-specified expiry date.

Glossary of Acronyms and Terms

Glossary of Acronyms and Terms (Additional Guidance)
    Defined POTS, Application Keys, Authentication Value, Hardware Security Module, Key-Management Device, Local Master Key, Master Derivation Key, Master File Key, Personalization, Personalization Keys, Session Key, Variant of a Key, Working Key.
