PCI SSC is in the process of launching a new program to train and qualify security professionals to perform assessments using the Card Production Security Standards. Gill Woodcock, Senior Director of Certification Programs, provides an update on this effort and how it will improve the security of payments.
The PCI Security Standards Council is launching a new program to qualify security professionals to perform assessments using the Card Production Security Standards. Can you tell me a little bit more about that?
Gill Woodcock: PCI SSC is announcing the launch of a new program to train and certify card production companies and assessors. The Card Production Security Assessor (CPSA) Program will qualify companies and train security professionals to perform assessments using the Card Production and Provisioning Logical Security Requirements and the Card Production and Provisioning Physical Security Requirements (together known as the Card Production Security Standards).
In late April 2019, PCI SSC will begin accepting applications from existing card production assessors to receive training on the new program in June. This computer-based training is only open to those professionals who are currently card production assessors through an existing program.
Those who are not currently card production assessors, but meet the requirements to become a CPSA, will be able to apply when the program opens to new applicants in Q1 of 2020. PCI SSC will provide more details about the program for new applicants in Q3 of 2019.
Why is PCI SSC creating the Card Production Security Assessor Program?
Gill Woodcock: PCI SSC’s primary mission is to protect payment card data and to do so in a manner that draws upon cross-industry expertise and drives collaboration within the industry. By converging the different card production assessor programs into a single industry card production assessor program, the PCI CPSA program will create consistency across assessments and ensure that guidance and training are aligned with the current threat landscape.
Can you tell me a little bit about what a card production assessor does and how they help protect payment card data?
Gill Woodcock: Card production entities represent a large, high-risk cache of payment card data, demanding a specialized security program to mitigate that risk. There are two aspects to a card production security assessment: logical and physical. All systems and business processes associated with the logical security activities in card production and provisioning, such as data preparation, pre-personalization, card personalization, PIN generation, PIN mailers, and card carriers and distribution, are assessed using the Card Production and Provisioning Logical Security Requirements. Assessment against the Card Production and Provisioning Physical Security Requirements addresses the physical security requirements and procedures that entities must follow before, during, and after card manufacturing, chip embedding, personalization, storage, packaging, mailing, shipping and delivery of payment cards. To reflect these two different types of assessment, there are two types of Card Production Security Assessor: Logical and Physical.
What does this mean for companies and individuals currently performing card production assessments?
Gill Woodcock: Existing card production assessors from legacy programs may be grandfathered into the new PCI Card Production Security Assessor Program for two years. They will be required to take computer-based training and pass the exam at no charge.
Who will determine when a CPSA is required?
Gill Woodcock: The Participating Payment Brands will continue to determine the compliance requirements associated with their card production security programs, including the use of CPSAs, which entities must undergo an assessment, the frequency of assessment, and the reporting process for the reports produced as part of each assessment.
Will PCI SSC have a website listing for entities which have been successfully validated against the Card Production Security Standards?
Gill Woodcock: No, PCI SSC will not be listing entities which have been validated against the Card Production Security Standards. This remains within the remit of the payment brand compliance programs.
Is it a pre-requisite to be a Qualified Security Assessor (QSA) before becoming a Card Production Security Assessor?
Gill Woodcock: No. While QSA Companies and QSAs are welcome to apply to the CPSA program (provided they meet the qualification requirements), it is not necessary for a company or an assessor to first be certified as a QSA before applying for certification as a CPSA.
Can those who have not performed card production assessments previously apply to become a CPSA? What are some of the requirements to become a CPSA?
Gill Woodcock: Yes. Security professionals interested in becoming a CPSA must meet the requirements set out in the CPSA Qualification Requirements (CPSA QR), which will be published in late April 2019. New assessors will apply to become CPSA-L (Logical Assessors), CPSA-P (Physical Assessors) or both. Some requirements outlined in the CPSA QR include (but are not limited to):
Logical Assessors:
- Two industry certifications (Information Security and Audit)
- Advanced experience in cryptography and key management, network security, system security and IT auditing or security assessments
- Employee of CPSA Company
Physical Assessors:
- Advanced experience in physical security and physical security audits
- Experience in system security. System security refers to the logical security of systems that provide or enforce physical security (e.g. CCTV and access control systems)
- Employee of CPSA Company
When will training be available for CPSAs?
The program will open to applications for new assessors in Q1 of 2020. PCI SSC will provide more details about the program for new applicants in Q3 of 2019. Subscribe to our blog to stay informed of the latest updates from the PCI SSC.