What happens next with the PCI Card Production and Provisioning Standards? PCI SSC Chief Technology Officer Troy Leach provides an update ahead of the Europe Community Meeting in London.
First, can you provide a quick overview of the PCI Card Production and Provisioning Standards and who they are designed for?
Troy Leach: The PCI Card Production and Provisioning Logical and Physical Security Requirements are for vendors involved in securely manufacturing cards and provisioning customer payment information onto cards and mobile devices. Card production includes card manufacturing; magnetic-stripe card encoding and embossing; card personalization; chip initializing, embedding, and personalization; card storing; packaging, shipping and mailing. Card provisioning is the process of adding cardholder account information to a device via an over-the-air or over-the-internet communication channel.
What are some of the risks to card data that these standards help address?
Troy Leach: Cardholder trust begins when they receive their personalized card, or their credentials are loaded onto their mobile device. The security of card production has always been a critical part of protecting data and, as such, a high-value target for criminals.
As we adopt new payment technologies, criminals are working to exploit weaknesses in the processes supporting them. It is critical that we continue to provide the same or better security for emerging payment forms such as mobile wallets and contactless that consumers and financial stakeholders have come to expect from traditional card payments.
This was the key driver for the update to the card production and provisioning standard published in 2017. Version 2.0 strengthens the physical and logical access to payment material to protect against future fraudulent use, regardless of what instrument is used for payments.
What’s next for PCI Card Production and Provisioning?
Troy Leach: PCI SSC intends to launch a Card Production Assessor program during 2019. Work is underway on a program to qualify Card Production Assessor companies and their assessor employees.
There will be separate tracks for Card Production Logical Assessors and Card Production Physical Assessors. Eligible companies and employees may choose to join either or both tracks. More details should be available early in 2019.
How will industry stakeholders benefit from this new program?
Troy Leach: Aligning industry activity within a PCI SSC program will ensure assessment criteria and guidance are aligned and bring greater consistency across assessments in a similar manner as other PCI SSC assessment programs, such as those for PCI Data Security Standard (PCI DSS) and Point-to-Point Encryption (P2PE). PCI SSC will introduce new training and assessor quality management processes for Card Production Assessors.
Do Card Production Assessors also have to be Qualified Security Assessors (QSAs)?
Troy Leach: No, Assessors do not need to be QSAs before joining the Card Production Assessor program. Qualification and training for the Card Production Assessors will be separate to that for QSAs. The rationale here is that knowledge of PCI DSS is not a prerequisite for performing assessments using the PCI Card Production standards; these standards apply to different types of entities in the payment ecosystem.