Document Comparison

PCI_CP_v1_1_ROC_Reporting_Template_Logical_June_2016b.pdf PCI_CP_ROC_v3.0_Reporting_Template_Logical.pdf
43% similar
84 → 170 Pages
18237 → 46095 Words
468 Content Changes

From Revision History

  • July 2015 1.0 Initial version

Content Changes

468 content changes. 40 administrative changes (dates, page numbers) hidden.

Added p. 2
April 2017 2.0 Updated for changes incorporated into v2 of the Security Requirements, including Mobile Provisioning.

December 2017 2.1 Updated with addition of Test Procedures

June 2022 3.0 Updated for new requirements release
Added p. 4
• Cryptographic Key Life Cycles
Added p. 5
• It serves as a declaration of the results of the card vendor’s assessment of compliance with the PCI Card Production and Provisioning Logical Security Requirements v3.0.1

• Select the appropriate response for “Compliant to PCI CP Requirement” for each requirement.

• If non-compliance, a description of the reason for non-compliance.

Do’s and Don’ts: Reporting Expectations (two columns: DO / DON’T)

• Provide useful, meaningful diagrams, as directed.

• Don’t simply repeat or echo the security requirement in the response.

• Don’t copy responses from one requirement to another.

• Don’t copy responses from previous assessments.

• Don’t include information irrelevant to the assessment.

• Company name: Payment Brand Identification Code:
Added p. 10
• Address of facility where assessment was performed:

• Was the review done onsite or remotely: Select

• If remote, state the rationale:

• Card Manufacturing Select

• Chip Embedding Select

• Data Preparation Select

• Card Personalization Select

• Pre-Personalization Select

• Chip Personalization Select

• PIN Printing and Mailing (personalized, credit or debit) Select

• PIN Printing (non-personalized prepaid cards) Select

• Electronic PIN Distribution Select
Added p. 11
• Secure Element Provisioning Services Select

• Cloud-based (HCE) Provisioning Services Secure Element Provisioning Services
Added p. 11
5. Select Product/Solution Description Cloud-based (HCE) Provisioning Services

• including the section reference number each non-compliance relates to

• within the findings text as each non-compliance occurs. List all non-compliances in order, including the relevant section reference number the non-compliance

• for example:

3.5.b Cardholder data is not deleted within 30 days of the date the card file is personalized.

4.1.1.a The DMZ is not dedicated to card production/provisioning activities.
Added p. 15
• Vendor Facility and Card Production and Provisioning Environment
Added p. 23
• Examine: The assessor critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.

• Observe: The assessor watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, system configurations/settings, environmental conditions, and physical controls.

• Interview: The assessor converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.

− The validation methods are intended to allow the assessed entity to demonstrate how it has met a requirement. They also provide the assessed entity and the assessor with a common understanding of the assessment activities to be performed. The specific items to be examined or observed and personnel to be interviewed should be appropriate for …
Added p. 26
Select Examine logs or similar documentation to confirm the backup CISO does not perform activities related to the approval process for the vendor’s Information Security Management and security of the cloud-based provisioning platform for which they have approval responsibility.

Select Examine documentation to authenticate the manager’s security roles and responsibilities are clearly defined.

Select Interview security personnel or examine documentation (e.g., reviewing accounts on personalization machines and in the production workflow) to determine independence exists between day-to-day production operations and personnel performing security compliance assessments for those same production activities.

Select Examine the information security policy and verify that the policy is published.

Interview a sample of relevant personnel to verify they are aware of the policy and that they have access to it.

Select Examine evidence (e.g., formal sign-off) that the information security policy has been reviewed and endorsed by senior management within the most recent 12-month period.

Select Examine the ISP to verify that:

• The …
Added p. 28
Select Examine procedural documents to ensure procedures have been defined for each function described in the ISP (e.g., password policy, remote access policy).

b) Procedures must be documented and followed to support compliance with these Security Requirements. The security procedures must be reviewed, validated, and where necessary updated annually.

Select Interview a sample of staff to determine that procedures are followed to support compliance with these Security Requirements.

Select Examine policies to verify that they clearly define information security responsibilities for all personnel.

Interview a sample of responsible personnel to verify they understand the security policies.

Section 2 (table columns: Requirement | Card Vendor Self-Evaluation: Comply, Comments | Test Procedure | Assessor Compliance Evaluation: Result, Comment/Non-Compliance Assessment)

2.3 Incident Response Plans and Forensics. The vendor must:

Select Examine the incident response plan and related procedures to verify the entity has a documented IRP addressing known or suspected compromise of any classified data.

Interview personnel to determine that the IRP is communicated to relevant …
Added p. 32
a) Documented security requirements must exist that define the protection controls commensurate to the classification scheme.

Select Examine documentation to verify that data-protection controls are documented, and that the data-classification scheme differentiates between secret, confidential, and public data.

b) All payment data must have an identifiable owner who is responsible for classification for ensuring protection controls are implemented and working.

Select Examine documentation to verify that data ownership identification is included in the data-protection controls.

Examine a sample of stored data to verify that the data owner and security classification are identifiable.

Select Examine key-management policies and procedures to verify that cryptographic keys used for secret and confidential data use algorithms and keys sizes that are in accordance with Annex A.

Examine evidence for a sample of keys to verify that the key algorithms (select at least one asymmetric and one symmetric) and key sizes used for secret and confidential data conform to the values defined …
Added p. 46
a) The vendor must maintain an electronic log for both when cards are successfully and unsuccessfully provisioned. The log must be maintained for a minimum of 45 days.

Select Examine a sample of electronic logs to verify that successful and unsuccessful provisioning activity is logged.

Examine evidence that provisioning activity logs are retained for at least 45 days.
Added p. 46
a) The vendor must document its policies and procedures by which assets associated with card production and provisioning activities are secured in the event production activities are terminated.

Select Examine policies and procedures to verify that there is a decommissioning plan by which assets associated with card production and provisioning activities are secured in the event production activities are discontinued.

b) The procedures must identify all data storage, card design materials, cards, card components, physical keys, cryptographic keys, and hardware utilized for production activities that must be secured.

Select Examine the decommissioning plan to verify it includes the process by which the following items, at a minimum, are secured:

• Card design materials

• Production hardware

c) The disposition expectations for each identified item must be defined. For example, items may be returned to the owner, transported to an authorized user, or destroyed.

Select Examine the decommissioning plan to verify that the disposition expectation is defined for …
Added p. 62
Select Examine evidence to verify that the baseline security configuration was validated either:

Examine a sample of baseline configuration checks to verify that they occurred either:
Added p. 62
a) Define, document, and follow procedures to demonstrate:

• Identification of security alerts e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT)

• Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components

• Identification of system component updates that affect the supportability and stability of operating systems, software drivers, and firmware components

• Inventory of current systems in the environment including information about installed software components and about running services

Select Examine policies and procedures documentation to verify coverage of:

• Identification of security alerts, e.g., subscribing to security alerts such as Microsoft and the Computer Emergency Response Team (CERT)

• Inventory of current systems in the environment including information about installed software components and about running services

Interview personnel to ensure procedures are known and followed.

Select Examine a sample of system components potentially affected by malicious software to verify that …
Added p. 63
Select Examine policies and procedures to verify that remote access is permitted only for the administration of the network or system components.

Examine a sample of users with remote access to verify such access is permitted only for the administration of the network or system components.

b) Access from outside the facility to the physical access-control system is not permitted except as used in conjunction with an approved SOC.

Select Examine a sample of system configurations to verify that remote access is not permitted from outside the facility to the physical access-control system except as used in connection with an approved SOC.

Select Examine a sample of remote access system configurations and access logs to verify access is accepted only from pre-determined and authorized locations using vendor-approved systems.

Select Examine policies and procedures to verify that remote access using a personally owned device is prohibited.

Examine a sample of remote access system configurations and access logs …
Added p. 77
Select Examine policies and procedures to verify that internal and external penetration tests are performed at least once a year and after any significant infrastructure changes.

Examine the most recent internal and external penetration tests to verify that the following requirements, at a minimum, were met:

Select

• The internal penetration test was not performed remotely.

Select

• Penetration tests were performed on the network layer and included all personalization network components as well as operating systems.

− Injection flaws, e.g., SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.

− Buffer overflow

− Insecure cryptographic

− Improper error handling

− Insecure communications

− All other discovered “high-risk” network vulnerabilities with criteria for ranking vulnerabilities, including:

• Consideration of the Common Vulnerability Scoring System (CVSS) base score, and/or

• The classification by the vendor, and/or

− Type of systems affected.

Select

• Penetration tests were performed on the application layer and included …
Added p. 89
a) Ensure that audit logs exist for all networks and network devices in the vendor environment and for systems and applications connected to the cloud-based provisioning network. This includes operating system logs, security software logs, product logs, and application logs containing security events.

Select Examine all networks and network devices in the vendor environment (including systems and applications connected to the cloud-based provisioning network) to ensure that audit logs are enabled and function correctly.

Interview personnel to ensure that audit trails are enabled and active for identified items, including operating system logs, security software logs, product logs, and application logs containing security events.

• Changes in access privileges

Select Examine the audit logs to ensure they contain the required components.

c) Ensure that procedures are documented and followed for audit log review and reporting of unusual activity. Log reviews may be automated or manual and must include authentication, authorization, and directory servers. At a minimum, log …
Added p. 92
a) The backup and recovery procedures for mobile provisioning must be documented.

Select Examine documentation to verify existence of procedures supporting the backup and recovery of the mobile provisioning network.

b) The procedures must include the backup and recovery of hardware and software that support the provisioning activity.

Select Examine documented procedures to verify they include requirements for the backup and recovery of hardware and software that support the provisioning activity.

c) The procedures must differentiate between and address short-term and long-term service outages.

Select Examine documented procedures to verify they include requirements for both short-term and long-term service outages.

d) The vendor must protect backup copies from intentional or unintentional modifications or destruction.

Select Examine applicable access-control lists to ensure the ability to modify or delete audit backups is prohibited.

e) Backups, whether stored within or outside of the HSA, must be encrypted and protected equivalent to the primary data as delineated in Section 3.1, …
Added p. 96
a) Mutual authentication is required. It must be implemented using either client and server X.509 certificates issued and signed by a trusted Certificate Authority (CA) or a VPN constructed in accordance with Section 4.6.2, “Virtual Private Network.”

Select Examine documentation for web services for issuer interfaces to identify mutual authentication is used.

Examine system configurations and settings to ensure X.509 certificates, signed by a trusted Certificate Authority (CA) or VPN, are used.

If VPN is used, examine the VPN configuration and settings to ensure they adhere to requirements in Section 4.6.2.

b) The most current approved version of TLS is used to secure the connection and requires the following minimum cryptography standards. Refer to the Normative Annex A section of this document for acceptable algorithms and key strengths.

• The strongest encryption reasonable must be implemented for the application, if both client and server support higher than these minimum standards.

• Implementations must disallow cipher …
Added p. 105
Select Examine policy and detailed procedures to identify processes for generation, use, renewal, and distribution of passwords.

Select Examine policy and detailed procedures to identify processes for handling lost, forgotten, and compromised passwords.

Interview system administrators to validate adherence to procedures.

Select Examine procedures for disseminating password procedures and policies to users with access to cardholder data or any system used as part of the personalization process.

Interview a sample of user population to verify password procedures and policies were distributed.

Select Examine procedures for managing user IDs and verify that only users with administrative privileges can administer user passwords.

Observe a sample of user password resets and verify only users with administrative privileges can perform a reset.

Select Examine system documentation and configuration settings to verify that passwords are not stored in clear text.

Examine a sample of system components and their password files to verify that passwords are unreadable during storage.

Select Examine a sample of system …
Added p. 126
Select Interview personnel to verify that any generation of keys is not observable or otherwise accessible in clear text to any other person during the generation process.

Observe a key-generation process (live or demonstration if necessary) to verify procedures are followed.

Select Interview personnel to verify that key components or shares are placed in pre-serialized, tamper-evident envelopes when not in use by the authorized key custodian.

Examine locations of key components or shares not in use by the authorized key custodian to verify they are contained in pre-serialized, tamper-evident envelopes.

Select Examine payment system requirements for public-key algorithms regarding the length of issuer key pairs and the vendor’s key-management documentation for consistency.

Select Examine key-management documentation and interview personnel to verify:

• The generation of asymmetric key pairs ensures the secrecy of the private key and the integrity of the public key; and

• Their creation and management are in compliance with the payment system …
Added p. 137
Select Examine documentation to identify controls that ensure private keys are used only to create digital signatures or perform decryption; that private keys shall not be used to encrypt other keys; and RSA encryption (public) keys must be prohibited from being used to generate signatures.

Select Examine documentation to identify controls that ensure public keys can only be used to verify digital signatures OR perform encryption operations.

Select Examine policies/procedures to identify controls that KEKs are not used as working keys and vice versa.

Examine evidence that verifies controls are in place and functioning.

Select Examine documentation to verify it requires that transport keys are:

• Unique per established key zone

• Only shared between the two communicating entities

Interview key custodians and key-management supervisory personnel to verify the implementation of the aforementioned.

Select Examine key-management documentation to verify that cryptographic keys are only used for the one, specific purpose for which they were defined.

Observe HSM …
Added p. 139
Select Examine key-management documentation to verify that keys used for prototyping are not used in production.

Select Examine documented procedures to verify procedures require that the life of key-encrypting keys (KEKs) is shorter than the time required to conduct an exhaustive search of the key space.

Examine documented procedures to verify procedures require that only the algorithms and key lengths stipulated in Normative Annex A of this document be used.

Select Examine documented procedures to verify that private and secret keys exist in the minimum number of locations consistent with effective system operation.

Select Examine documented procedures for generating all types of keys and verify the procedures ensure that only unique keys, or sets of keys, are used, and any key variants exist only within the device with the original key.

Select Examine documented procedures to verify that private keys are only used to decipher or to create a digital signature; and public keys …
Added p. 147
Select Examine documented procedures for destroying keys to verify that dual control is implemented and key-destruction affidavits are signed by the applicable key custodian for all key-component destruction processes.

Observe a demonstration of processes for removing keys from service to verify that dual control is implemented.

Examine a sample of key-destruction logs and verify that the key custodian signs an affidavit as a witness to the key destruction process.

Section 7

7.12 Key-Management Audit Trail

• Pre-serialized key envelope number, if applicable

Select Examine key-management logs to verify the following is recorded for each activity:

• The date and time the activity took place

• The action taken, e.g., key generation, key distribution, key destruction

• Name and signature of the person performing the action (may be more than one name and signature if split responsibility is involved)

• Countersignature of the Key Manager or …
Added p. 150
Select Examine documented procedures for key compromise to verify they include the actions to be taken to protect and/or recover system software and/or hardware, symmetric and asymmetric keys, previously generated signatures, and encrypted data.

Select Examine documented procedures for key compromise to verify they include requiring an investigation into the cause of the compromise, including a documented analysis of how and why the event occurred and the damages suffered.

Select Examine documented procedures for key compromise to verify they include that the vendor will remove from operational use all compromised keys within a predefined time frame and provide a means of migrating to new key(s).

Select Examine documented procedures for key compromise to verify they include that where keys are issuer-owned, the issuer must be notified immediately for further instruction.

Select Examine documented procedures to ensure replacement keys are not created from a variant of the compromised key.

Select Examine documented procedures to verify that …
Added p. 152
Select Examine documented procedures to verify that all keys encrypted with a key that has been revoked are also revoked.

Select Examine documented procedures to verify that if a KEK is compromised, the KEK and all keys encrypted with that KEK are replaced.

Select Examine documented procedures to verify that if a MDK is compromised, the MDK and all keys derived from that MDK are replaced.

Select Examine documented procedures to verify steps include notification of the VPA within 24 hours of a known or suspected compromise.

Select Examine documented procedures to verify data items that have been signed with a key that has been revoked are withdrawn as soon as possible and replaced.

Select Examine policies/procedures to verify all key-management activity uses an HSM.

Select Examine documented procedures to verify that when the HSM is in its normal operational state, all of the HSM’s tamper-resistant mechanisms must be activated.

Observe HSMs in normal operational state …
Added p. 168
Inside HSM Affina PSG 1 Key Custodian Head of CPC Not planned Not planned MDK 2TDES 112 Issuer Master Application Keys, derivatives of which are for Authentication, Secure Messaging Integrity and Secure Messaging Confidentiality.

Inside HSM Affina PSG 1 Key Custodian Head of CPC Not planned Not planned dCVV 2TDES 112 Master Key, derivatives of which are used in contactless application to create a dynamic CVV.

Inside HSM Affina PSG 1 Key Custodian Head of CPC Not planned Not planned KMC 2TDES 112 Locks chips between card manufacturer and vendor.

Chip vendor Encrypted under ZMK Bank.

Vendor Not distributed, coded on chip card.

Generated on SafeNet PSG HSM.

Generated on SafeNet PSG HSM or by third party.

Generated on SafeNet PSG HSM by key custodian.

Deletion from the memory of the HSM Physical destruction in cross cut shredder Not Confirmed

Generated by the chip producer and distributed as a cryptogram.
Removed p. 5
The Report on Compliance (ROC) is originated by the card vendor and further refined by the payment brand-designated assessor during the onsite card production vendor assessment as part of validation process. The ROC provides details about the vendor environment and assessment methodology, and documents the vendor Card Production Security Requirement. A
Modified p. 5
It serves as a de PCI Card Production Logical Security Requirements v1.1 It provides reporting instructions and the template for assessors to use. This can help provide reasonable assurance that a consistent level of reporting is present among assessors.
It provides reporting instructions and the template for assessors to use. This can help provide reasonable assurance that a consistent level of reporting is present among assessors.
Modified p. 5
Use of this reporting template is subject to payment brand stipulations for all Card Production v1.1 submissions.
Use of this reporting template is subject to payment brand stipulations for all Card Production and Provisioning v3.0.1 submissions.
Modified p. 5
PCI Card Production Security compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The ROC is effectively a summary of evidence performed the validation activities and how the resultant findings were reached. At a high level, …
The Report on Compliance (ROC) is originated by the card vendor and further refined by the payment brand-designated assessor during the onsite card production vendor assessment as part of the card vendor’s validation process. The ROC provides details about the vendor’s environment and assessment methodology, and documents the vendor’s compliance status for each Card Production and Provisioning Security Requirement. A PCI Card Production and Provisioning Security compliance assessment involves thorough testing and assessment activities, from which the assessor will generate …
Modified p. 6
Section 1: Summary of Findings
Section 1: Summary of Findings
Modified p. 6
Section 2: Contact Information and Report Date
Section 2: Contact Information and Report Date
Modified p. 6
Section 3: Summary Overview
Section 3: Summary Overview
Modified p. 6
Section 4: Cryptographic Key Life Cycle
Section 4: Cryptographic Key Life Cycle
Modified p. 6
Section 5: Findings and Observations
Section 5: Findings and Observations
Modified p. 6
Note: Sections 1 through 4 must be thoroughly and accurately completed, in order for the assessment findings in Section 5 to have the proper context. The reporting template includes tables with reporting instructions built-in to help assessors provide all required information throughout the document. Responses should be specific but efficient. Information provided should focus on concise quality of detail, rather than lengthy, repeated verbiage. Parroting the testing procedure within a description is discouraged, as it does not add any level …
Note: Sections 1 through 4 must be thoroughly and accurately completed in order for the assessment findings in Section 5 to have the proper context. The reporting template includes tables with reporting instructions built-in to help assessors provide all required information throughout the document. Responses should be specific but efficient. Information provided should focus on concise quality of detail, rather than lengthy, repeated verbiage. Parroting the testing procedure within a description is discouraged, as it does not add any level …
Modified p. 6
Only one response should be selected at the sub-requirement level, and reporting of that should be consistent with other required documents. r may enter an explanation regarding its compliance that provides the payment brand assessor with additional information to be considered for the compliance assessment.
Only one response should be selected at the sub-requirement level, and reporting of that should be consistent with other required documents.
Modified p. 6
Compliance column, the vendor must state the planned remediation action and the date for the remediation. In the event "Not Applicable" is entered in the Compliance column, the vendor must explain why they believe the requirement does not apply for their situation.
• In the “Comments/Remediation Date and Actions” section, the vendor may enter an explanation regarding its compliance that provides the payment brand assessor with additional information to be considered for the compliance assessment. In the event “No” is entered in the Compliance column, the vendor must state the planned remediation action and the date for the remediation. In the event "Not Applicable" is entered in the Compliance column, the vendor must explain why they believe the requirement does not apply …
Modified p. 7
The following table is a helpful representation when considering which selection to make and when to add comments. Remember, only one response may be selected at the sub-requirement level, and reporting of that should be consistent with other required documents.
The following table is a helpful representation when considering which selection to make and when to add comments. Remember, only one “Result” response may be selected at the sub-requirement level, and reporting of that should be consistent with other required documents.
Modified p. 7
Indicates that this item was previously reported as a non-compliance finding and action (if any) taken by the vendor does not resolve the original condition. The "Non-Compliance Description" column must explicitly state when this finding was first reported, the non-compliance condition observed, and the action (or lack thereof) taken by the vendor to resolve the finding. Findings for which the vendor has taken corrective action that resolved the original finding but introduced new non-compliance condition are reported as new findings …
Indicates that this item was previously reported as a non-compliance finding, and action (if any) taken by the vendor does not resolve the original condition. The "Non-Compliance Description" column must explicitly state when this finding was first reported, the non-compliance condition observed, and the action (or lack thereof) taken by the vendor to resolve the finding. Findings for which the vendor has taken corrective action that resolved the original finding but introduced new non-compliance condition are reported as new findings …
Modified p. 7
Closed Indicates that this item was previously reported as a non-compliance finding and vendor corrective action has resolved the finding. The "Non-Compliance Description" column must describe the action the vendor has taken to resolve the finding.
Indicates that this item was previously reported as a non-compliance finding, and vendor corrective action has resolved the finding. The "Non-Compliance Description" column must describe the action the vendor has taken to resolve the finding.
Modified p. 7
Not Applicable Indicates that the assessment confirms that the requirement does not apply to for the vendor. Not Applicable responses are only expected it the requirement applies to an activity that the vendor does not perform.
Not Applicable Indicates that the assessor’s assessment confirms that the requirement does not apply to for the vendor. Not Applicable responses are only expected it the requirement applies to an activity that the vendor does not perform.
Modified p. 7
Non-Compliance Assessment Use this column to indicate:
Comment/ Non-Compliance Assessment Use this column to indicate:
Modified p. 7
Clarification describing the conditions observed in support of conclusion of compliance, or If non-compliance, a description of the reason for non-compliance.
Clarification describing the conditions observed in support of the assessor’s conclusion of compliance, or
Removed p. 8
Provide useful, meaningful diagrams, as directed. security requirement in the response. requirement to another. responses from previous assessments. information irrelevant to the assessment.
Modified p. 8
Reporting Expectations Use this Reporting Template when assessing against v1.1 of the Card Production Security Requirements.
Use this Reporting Template when assessing against v3.0.1 of the Card Production and Provisioning Security Requirements.
Modified p. 8
Complete all sections in the order specified.
Complete all sections in the order specified.
Modified p. 8
Read and understand the intent of each requirement and testing procedure.
Read and understand the intent of each requirement and testing procedure.
Modified p. 8
Provide a response for every security requirement.
Provide a response for every security requirement.
Modified p. 8
Provide sufficient detail and information to support the designated finding, but be concise.
Provide sufficient detail and information to support the designated finding, but be concise.
Modified p. 8
Describe how a Requirement was verified per the Reporting Instruction, not just that it was verified.
Describe how a Requirement was verified per the Reporting Instruction, not just that it was verified.
Modified p. 8
Ensure all parts of the Reporting Instructions are addressed.
Ensure all parts of the Reporting Instructions are addressed.
Modified p. 8
Ensure the response covers all applicable system components.
Ensure the response covers all applicable system components.
Modified p. 8
Perform an internal quality assurance review of the ROC for clarity, accuracy, and quality.
Perform an internal quality assurance review of the ROC for clarity, accuracy, and quality.
Removed p. 9
Company contact: Name:

Assessor Company Company name:

Primary Assessor: Name:
Modified p. 9
1. Contact Information and Assessment Specifics 1.1 Contact Information Company name:
1. Contact Information and Assessment Specifics 1.1 Contact Information
Removed p. 10
• Card Manufacturing Select
• Chip Embedding Select
• Data Preparation Select
• Card Personalization Select
• Pre-Personalization Select
• Chip Personalization Select
• Fulfillment Select
• Mailing Select
• Packaging Select
• Shipping Select
• Storage Select
• PIN Printing and Mailing (personalized, credit or debit) Select
• Other
• PIN Printing (non-personalized prepaid cards) Select
• Electronic PIN Distribution Select
Modified p. 10
Date of Report (yyyy/dd/mm):
Date of Report (yyyy/mm/dd):
Modified p. 10
Timeframe of assessment (start date to completion date): Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
Timeframe of assessment (start date to completion date): Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
Modified p. 10
Identify date(s) spent onsite at the entity: Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
• If applicable, identify date(s) spent onsite at the entity: Start date (yyyy/mm/dd): Completion date (yyyy/mm/dd):
Removed p. 11
6.1, 6.2 The vendor could not produce written authorization for packaging, shipping, or mailing the card and PIN together from its customer (issuer name).
Modified p. 11 → 12
2. Summary of Non-Compliance Findings Please use the table on the following page to report, covering all sections under each heading. Write up findings and list non-compliances including the section reference number the non-compliance relates to within the findings text as each non-compliance occurs. List all non- compliances in order, including the relevant section reference number the non-compliance for example:
2. Summary of Non-Compliance Findings Please use the table on the following page to report, covering all sections under each heading. Write up findings and list non-compliances
Modified p. 11 → 12
Notes for Consideration Please ensure non-compliances are written exactly as the examples above and be as specific as possible down to the exact bullet that covers the non-compliance.
Please ensure non-compliances are written exactly as the examples above and be as specific as possible down to the exact bullet that covers the non-compliance.
Modified p. 11 → 12
Also list items that are not non-compliances but are items that either the assessor is unsure of, or the vendor has discussed with the assessor and questions arising from this discussion can only be answered by the applicable payment brand(s). This section is optional, so if not required, please delete it from the report.
Also list items that are not non-compliances but are items that either the assessor is unsure of, or the vendor has discussed with the assessor and questions arising from this discussion can only be answered by the applicable payment brand(s). This section is optional, so if not required, please delete it from the report.
Modified p. 14 → 15
3. Inspection Overview 3.1 Facility Description lity consists of multiple buildings, and card production activities are performed in one building consisting of a High Security Area for card production.
3. Inspection Overview 3.1 Facility Description The auditor must provide a general description of the vendor facility and card production environment. For example, “The facility consists of multiple buildings, and card production activities are performed in one building consisting of a High Security Area for card production. Administration functions are performed external to the HSA. The vendor being audited is the only occupant of this building.” The introduction must also include any unusual conditions that may impact the audit scope …
Modified p. 14 → 15
The introduction must also include any unusual conditions that may impact the audit scope or compliance assessment process. For example, oduction of new Vendor Facility and Card Production Environment Conditions that may Impact Audit Scope 3.2 High-level Network Diagram(s) Provide a high-level overall architecture of the environment being assessed. This high-level diagram should demonstrate the data life-cycle using arrows and numbers similar to the example below. If more than one data path exists, this should be accounted for in the …
Conditions that may Impact Audit Scope 3.2 High-level Network Diagram(s) Provide a high-level network diagram (either obtained from the entity or created by assessor) of the entity’s networking topography, showing the overall architecture of the environment being assessed. This high-level diagram should demonstrate the data life-cycle using arrows and numbers similar to the example below. If more than one data path exists, this should be accounted for in the diagram and each should be clearly distinguishable.
Modified p. 17 → 18
Number Document Name (including version, if applicable) Brief description of document purpose Document date (latest version date)
Document Name (including version, if applicable) Brief description of document purpose Document date (latest version)
Modified p. 18 → 20
Number Employee Name Role/Job Title Organization Summary of Topics Covered / Areas or Systems of (high-level summary only)
Number Employee Name Role/Job Title Organization Summary of Topics Covered / Areas or Systems of Expertise (high-level summary only)
Modified p. 19 → 22
4. Cryptographic Key Life Cycles (See Annex A for Examples) Name * Algorithm Key (HEX) Purpose of Use Generation Distribution Storage HSMs Loading Destruction Update
4. Cryptographic Key Life Cycles (See Annex A for Examples) Key Name * Algorithm Key Length (HEX) Purpose of Use Generation Distribution Storage HSMs Loading Destruction Update
Modified p. 20 → 24
Section 2: Roles and Responsibilities
Section 1: Roles and Responsibilities
Modified p. 20 → 24
Section 2 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1 Information Security Personnel
Section 1 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 1.1 Information Security Personnel
Modified p. 20 → 24
a) The vendor must designate, in writing, a senior manager with adequate security Information Security Management. These Select Select
a) The vendor must designate, in writing, a senior manager with adequate security knowledge to be responsible for the vendor’s Information Security Management and security of the cloud-based provisioning platform. These requirements refer to this person as the “Chief Information Security Officer” (“CISO”).
Modified p. 20 → 24
b) The CISO must be an employee of the vendor. Select Select
b) The CISO must be an employee of the vendor.
Modified p. 20 → 24
i. Be responsible for compliance to these requirements. Select Select
i. Be responsible for compliance to these requirements.
Modified p. 20 → 25
ii. Have sufficient authority to enforce the requirements of this document. Select Select
ii. Have sufficient authority to enforce the requirements of this document.
Modified p. 20 → 25
iii. Not perform activities that they have the responsibility for approving. Select Select
iii. Not perform activities that he or she has the responsibility for approving.
Modified p. 20 → 25
iv. Designate a back-up person who is qualified and empowered to act upon critical security events in the event the CISO is not available.
iv. Designate a backup person who is empowered to act upon critical security events in the event the CISO is not available.
Modified p. 21 → 26
b) When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed.
b) When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities that they previously performed.
Modified p. 21 → 26
d) Staff responsible for day-to-day production activities must not be assigned security compliance assessment responsibility for the production activities that they perform.
d) Staff responsible for day-to-day production activities must not be assigned security compliance assessment responsibility for the production activities that they perform.
Modified p. 21 → 26
Section 3: Security Policy and Procedures
Section 2: Security Policy and Procedures
Modified p. 21 → 27
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.1 Information Security Policy
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 2.1 Information Security Policy
Modified p. 21 → 27
a) The vendor must define and document an information security policy (ISP) for the facility. Select Select
a) The vendor must define and document an information security policy (ISP) for the facility and disseminate to all relevant personnel (including vendors, sub-contractors, and business partners).
Modified p. 21 → 27
c) The ISP must include a named individual responsible for management and enforcement of that policy.
c) The ISP must include a named individual assigned as the “policy owner” and be responsible for management and enforcement of that policy.
Modified p. 21 → 28
d) The vendor must maintain audit trails to demonstrate that the ISP and all updates are communicated and received by relevant staff.
d) The vendor must maintain audit trails to demonstrate that the ISP and all updates are communicated and received by relevant staff. Evidence of staff review and acceptance of ISP must be maintained.
Removed p. 22
Select Select 3.3 Incident Response Plans and Forensics The vendor must:
Modified p. 22 → 28
Section 3 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.2 Security Procedures
Section 2 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Modified p. 22 → 28
b) The security procedures must be reviewed, validated, and where necessary updated annually.
Examine evidence that the procedures are reviewed, validated, and where necessary, updated annually.
Modified p. 22 → 29
a) Have a documented incident response plan (IRP) for known or suspected compromise of any classified data.
a) Have a documented incident response plan (IRP) for known or suspected compromise of any classified data. The IRP must be communicated to relevant parties.
Modified p. 23 → 29
c) Within 24 hours, report in writing any known or suspected compromise of confidential or secret data to the Vendor Program Administrator (VPA) and the impacted issuers.
c) Within 24 hours, report in writing any known or suspected compromise of confidential or secret data to the Vendor Program Administrator (VPA) and the impacted issuers. Confirmed incidences must be reported to appropriate law enforcement agencies upon confirmation.
Modified p. 23 → 30
iii. Name and address of the vendor
Name and address of the
Modified p. 23 → 30
iv. Identification of the source of the data
Identification of the source of
Modified p. 23 → 30
v. Description of the incident including:
Description of the incident including:
Modified p. 23 → 30
- Date and time of incident - Details of companies and persons - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) Select Select
- Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident)
Modified p. 23 → 30
d) Investigate the incident and provide at least weekly updates about investigation progress. Select Select
d) Investigate the incident and provide at least weekly updates about investigation progress.
Modified p. 23 → 30
e) Supply a final incident report providing the investigation results and any remediation. Select Select
e) Supply a final incident report providing the investigation results and any remediation.
Removed p. 24
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
4.1 Classification
4.1.1 Secret Data Secret data is data that, if known to any individual, would result in risks of widespread compromise of financial assets All symmetric (e.g., Triple DES, AES) and private asymmetric keys (e.g., RSA) except keys used only for encryption of cardholder data are secret data and must be managed in Chip personalization keys PIN keys and keys used to generate CVVs or CVCs
4.1.2 Confidential Data Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data. These are confidential data and must be PAN, expiry, service code, cardholder name Vendor evidence preserving data
4.1.3 Unrestricted / Public Data Unrestricted / public data includes any data not defined in the above terms. Controls are out of scope of these requirements and may be …
Modified p. 24 → 31
f) Identify and preserve specific logs, documents, equipment, and other relevant items that provide evidence for forensic Select Select
f) Identify and preserve specific logs, documents, equipment, and other relevant items that provide evidence for forensic analysis.
Modified p. 24 → 31
Section 4: Data Security The data security requirements in this and embedded sections apply to confidential and secret data. The vendor must maintain detailed procedures relating to each activity in this section.
Section 3: Data Security The data security requirements in this and embedded sections apply to confidential and secret data. The vendor must maintain detailed procedures relating to each activity in this section.
Modified p. 25 → 33
Section 4 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.2 Encryption All secret and confidential data must be:
Section 3 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 3.2 Encryption All secret and confidential data must be:
Modified p. 25 → 33
a) Encrypted using algorithms and key sizes as stated in Normative Annex A. Select Select
a) Encrypted using algorithms and key sizes as stated in Normative Annex A.
Modified p. 25 → 33
b) Encrypted at all times during transmission and storage. Select Select
b) Encrypted at all times during transmission and storage.
Modified p. 25 → 33
c) Decrypted for the minimum time required for data preparation and personalization. Select Select
c) Decrypted for the minimum time required for data preparation and personalization.
Modified p. 25 → 34
d) The vendor must only decrypt or translate cardholder data on the data-preparation or personalization network and not while it is on an Internet or public facing network.
d) The vendor must only decrypt or translate cardholder data on the data-preparation or personalization or cloud-based provisioning network and not while it is on an Internet- or public facing network.
Modified p. 25 → 34
a) Prevent physical and logical access from outside the high security area (HSA) to the data-preparation or personalization networks.
c) Prevent logical access from outside the high security area (HSA) to the data-preparation or personalization networks.
Modified p. 25 → 35
b) Ensure that access is on a need-to-know basis and that an individual is granted no more than sufficient access to perform his or her job.
d) Ensure that access is on a need-to-know basis and that an individual is granted no more than sufficient access to perform his or her job.
Modified p. 25 → 35
c) Establish proper user authentication prior to access. Select Select
e) Establish proper user authentication prior to access.
Modified p. 25 → 35
d) Make certain that access audit trails are produced that provide sufficient details to identify the cardholder data accessed and the individual user accessing the data.
f) Make certain that access audit trails are produced that provide sufficient details to identify the cardholder data accessed and the individual user accessing the data.
Modified p. 25 → 35
e) Ensure that PANs are masked when displayed or printed unless there is a written issuer authorization. When PANs are masked, only a maximum of the first six and last four digits of the PAN can be visible.
g) Ensure that PANs are masked when displayed or printed unless there is a written issuer authorization. When PANs are masked, only a maximum of the first six and last four digits of the PAN can be visible. Business requirements must be documented and approved by the issuer.
Removed p. 26
ii. Access to cardholder data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed.

ii. Identification of the data source Select Select
Modified p. 26 → 36
f) Apply appropriate measures to ensure that any third-party access meets the following requirements:
h) Apply appropriate measures to ensure that any third-party access meets the following requirements:
Modified p. 26 → 36
i. Third-party access must be based on a formal contract referencing applicable security policies and standards.
Third-party access to cardholder or cloud-based provisioning data must be based on a formal contract referencing applicable security policies and standards.
Modified p. 26 → 37
a) Data transmission procedures must incorporate the maintenance of a transmission audit log that includes, at a minimum:
a) Cardholder data transmission procedures must incorporate the maintenance of a transmission audit log that includes, at a minimum:
Modified p. 26 → 37
i. Date and time of transmission
Date and time of transmission
Modified p. 26 → 38
b) The vendor must establish mechanisms that ensure the authenticity and validate the integrity of data transmitted and received.
c) The vendor must establish mechanisms that ensure the authenticity and validate the integrity of cardholder data transmitted and received.
Modified p. 26 → 38
c) The vendor must protect the integrity of cardholder data against modification and deletion at all times.
d) The vendor must protect the integrity of cardholder data against modification and deletion at all times.
Modified p. 26 → 38
d) The vendor must accept data only from pre-authorized sources. Select Select
e) The vendor must accept cardholder data only from pre-authorized sources that are defined and documented.
Modified p. 26 → 39
e) The vendor must log and inform the card brands of all issuers sending the vendor cardholder data in clear text.
f) The vendor must log and inform the card brands of all issuers sending the vendor cardholder data in clear text.
Modified p. 27 → 39
f) If the file is not successfully transmitted, or only part of the data is received, the recipient must contact the sender to resolve. The vendor must inform the issuer or authorized processor as soon as possible that the file was not successfully received. Any incomplete data transmission received must be deleted under dual control and logged accordingly.
g) If the file is not successfully transmitted, or only part of the cardholder data is received, the recipient must contact the sender to resolve. The vendor must inform the issuer or authorized processor upon discovery that the file was not successfully received. Any incomplete cardholder data transmission received must be deleted under dual control and logged accordingly.
Modified p. 27 → 40
a) Delete cardholder data within 30 days of the date the card is personalized unless the issuer has authorized longer retention in writing.
b) Delete cardholder data within 30 days of the date the card file is personalized unless the issuer has authorized longer retention in writing.
Modified p. 27 → 40
i. Ensure that the authorized retention period does not exceed six months from the date the card is personalized.
Ensure that the authorized retention period does not exceed six months from the date the card is personalized.
Modified p. 27 → 40
ii. Ensure each issuer authorization to retain data is valid for no longer than two years.
Ensure each issuer authorization to retain cardholder data is valid for no longer than two years.
Modified p. 27 → 40
b) Delete data on the personalization machine as soon as the job is completed. Select Select
c) Delete data on the personalization machine as soon as the job is completed.
Modified p. 27 → 40
c) Confirm the deletion of manually deleted data including sign-off by a second authorized person.
d) Confirm the deletion of manually deleted cardholder data including sign-off by a second authorized person.
Modified p. 27 → 41
d) Conduct quarterly audits to ensure that all data beyond the data retention period has been deleted.
e) Conduct quarterly audits to ensure that all cardholder data beyond the data retention period has been deleted.
Modified p. 27 → 41
e) Ensure that all secret or confidential data has been irrecoverably removed before the media is used for any other purpose.
f) Ensure that all cardholder data has been irrecoverably removed before the media is used for any other purpose.
Removed p. 28
Select Select 4.6 Media Handling
Modified p. 28 → 41
f) Ensure media destruction is performed according to industry standards (see ISO 9564-1: Personal Identification Number Management and Security) under dual control and that a log is maintained and signed confirming the destruction process.
g) Ensure media destruction is performed under CCTV surveillance according to industry standards (see ISO 9564-1: Personal Identification Number Management and Security) under dual control, and that a log is maintained and signed confirming the destruction process.
Modified p. 28 → 41
g) Ensure data is always stored within the high security area (HSA). Select Select
h) Ensure cardholder data is always stored within the high security area (HSA).
Modified p. 28 → 42
h) Ensure that data retained for longer than 30 days after personalization complies with the following additional requirements. This data
i) Ensure that cardholder data retained for longer than 30 days after personalization complies with the following additional requirements. This data must:
Modified p. 28 → 42
i. Be removed from the active production environment.
Be removed from the active production environment.
Modified p. 28 → 42
ii. Be stored on a separate server or media
Be stored on a separate server or media
Modified p. 28 → 42
iii. Be accessible only under dual control.
Be accessible only under dual control.
Modified p. 28 → 42
a) All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification.
within the HSA must be clearly labeled with a unique identifier and the data classification.
Modified p. 28 → 42
b) All removable media must be securely stored, controlled, and tracked. Select Select
c) All removable media must be securely stored, controlled, and tracked.
Modified p. 28 → 44
c) All removable media within the HSA must be in the custody of an authorized individual. Select Select
g) Transfer of removable media to and from the HSA must be authorized and logged.
Removed p. 29
f) Transfer of removable media to and from the HSA must be authorized and logged. Select Select
Modified p. 29 → 43
d) A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain:
e) A log must be maintained when media is removed from or returned to its storage location or transferred to the custody of another individual. The log must contain:
Modified p. 29 → 43
iii. Name and signature of current custodian
Name and signature of current custodian
Modified p. 29 → 43
iv. Name and signature of recipient custodian
Name and signature of custodian
Modified p. 29 → 43
v. Reason for transfer Select Select
Reason for transfer
Modified p. 29 → 43
e) Transfers of custody between two individuals must be authorized and logged. Select Select
f) Transfers of custody between two individuals must be authorized and logged.
Modified p. 29 → 44
g) Physically destroy any media holding secret or confidential data when it is not possible to delete the data so that it is no longer recoverable.
h) Physically destroy any media holding secret or confidential data when it is not possible to delete the data so that it is no longer recoverable.
Modified p. 29 → 44
a) Ensure personalization signals cannot be detected beyond the HSA. Select Select
a) Ensure personalization signals cannot be detected beyond the HSA.
Removed p. 30
Select Select 4.8 Data Used for Testing
Modified p. 30 → 45
d) Perform a manual or automated inspection of the secure personalization area at least twice each month in order to detect any rogue radio-frequency (RF) devices.
d) Perform a manual or automated inspection of the secure personalization area at least twice each month in order to detect any rogue radio-frequency (RF) devices.
Modified p. 30 → 45
a) Test (non-production) keys and test (non-production) data cannot be used with production equipment.
a) Test (non-production) keys and test (non-production) data cannot be used with production equipment.
Modified p. 30 → 46
b) Cards used for final system validation or user acceptance that use production keys and/or data may be produced using production equipment.
b) Cards used for final system validation or user acceptance that use production keys and/or data must be produced using production equipment.
Modified p. 31 → 47
Section 5: Network Security
Section 4: Network Security
Modified p. 31 → 47
Section 5 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 5.1 Typical Vendor Network The requirements in this section do not apply to vendors that only perform key management or pre-personalization activities on a stand-alone wired system and do not perform data preparation or personalization within their facilities.
Section 4 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 4.1 Typical Vendor Network The requirements in this section do not apply to vendors that only perform key management or pre-personalization activities on a stand-alone wired system (not connected to any network) and do not perform data preparation or personalization within their facilities.
Modified p. 31 → 48
a) The card production network must be segregated from other parts of an organization's network.
b) The card production and provisioning network must be segregated from other parts of an organization's network.
Modified p. 31 → 48
b) Effective 1 January 2016, the DMZ must be located in the Server Room of the HSA. Select Select
d) The DMZ must be located in the server room of the HSA.
Modified p. 31 → 48
c) DMZ infrastructure equipment located within the HSA Server Room must be in a dedicated rack with access restricted to the minimum number of authorized individuals.
e) DMZ infrastructure equipment located within the HSA server room must be in a dedicated rack with access restricted to the minimum number of authorized individuals.
Modified p. 31 → 48
d) All switches and cabling associated with the DMZ equipment must be stored within the same rack with only the minimum required number of cable connections entering/exiting the rack in order to provide connectivity to firewalls.
f) All switches and cabling associated with the DMZ equipment must be stored within the same rack with only the minimum required number of cable connections entering/exiting the rack in order to provide connectivity to firewalls.
Modified p. 31 → 49
a) Maintain a current network topology diagram that includes all system components on the network.
a) Maintain a current network topology diagram that includes all system components on the network. The diagram must clearly define the boundaries of all networks.
Removed p. 32
e) Put controls in place to restrict, prevent, and detect unauthorized access to this network.

Access from within the high security area to anything other than the personalization network Select Select
Modified p. 32 → 50
d) Ensure that the personalization and data-preparation systems are on dedicated network(s) independent of the back office (e.g., accounting, human resources, etc.) and Internet-connected networks. A virtual LAN (VLAN) is not considered a separate network.
e) Ensure that the personalization and data-preparation systems are on dedicated network(s) independent of the back office
Modified p. 32 → 51
f) Be able to immediately assess the impact if any of their critical nodes are compromised. Select Select
g) permission to any system external to the personalization network to only pre-approved functions that have been authorized by the VPA, except for systems in the dedicated DMZ.
• “Write” permissions to any system external to the personalization network and not in the dedicated DMZ are restricted to only pre-approved functions that have been authorized by the VPA; and
Modified p. 32 → 51
These write functions must not transmit cardholder data if this involves direct write from the system containing the information.
• “Write” functions do not allow the transmission of cardholder data involving direct writes from the system(s) containing the information.
Modified p. 32 → 52
h) Control at all times the physical connection points leading into the personalization network.
j) Control at all times the physical connection points leading into the personalization network and cloud-based provisioning network.
Modified p. 32 → 52
i) Prevent data from being tampered with or monitored by protecting the network cabling associated with personalization-data movement.
k) Prevent data from being tampered with or monitored by protecting the network cabling associated with personalization-data movement.
Modified p. 32 → 52
j) Transfer required issuer data and keys into the personalization network via a defined and documented process.
l) Transfer required issuer data and keys into the personalization network or the cloud-based provisioning network via a defined and documented process.
Removed p. 33
k) Ensure a process is in place for updates and patches and identification of their criticality, as detailed in Section 6.3.

Section 6.3, Configuration and Patch Management.
Modified p. 33 → 53
5.3 Network Devices The requirements in this section apply to all hardware (e.g., routers, controllers, firewalls, storage devices) that comprises the data-preparation and personalization networks.
[Table columns: Requirement | Card Vendor Self-Evaluation (Comply, Comments) | Test Procedure | Assessor Compliance Evaluation (Result, Comment/Non-Compliance Assessment)] Section 4, 4.3 Network Devices The requirements in this section apply to all hardware (e.g., routers, controllers, firewalls, storage devices) that comprises the data-preparation and personalization networks.
Modified p. 33 → 53
a) Document the process to authorize all changes to network devices and protocols.
a) Document the process to authorize all changes to network devices and protocols.
Modified p. 33 → 53
b) Document the current network device configuration settings, rules set and justification for each device.
b) Document the current network device configuration settings, rulesets, and justification for each device.
Modified p. 33 → 53
c) Ensure all available services are approved by an authorized security manager.
c) Ensure all available services are approved by an authorized security manager.
Modified p. 33 → 54
e) Implement mechanisms to effectively monitor the activity on network devices.
e) Implement mechanisms to effectively monitor the activity on network devices.
Modified p. 33 → 54
g) Maintain an audit trail of all changes and the associated approval.
g) Maintain an audit trail of all changes and the associated approval.
Modified p. 33 → 54
h) Implement unique IDs for each administrator.
h) Implement unique IDs for each administrator.
Modified p. 33 → 54
i) Implement network device backups (e.g., system software, configuration data, and database files) prior to any change and securely store and manage all media.
i) Implement network device backups (e.g., system software, configuration data, and database files) prior to any change, and securely store and manage all media.
Removed p. 34
d) Utilize physically separate firewalls for the aforementioned.
Modified p. 34 → 55
5.4 Firewalls The requirements in this section apply to firewalls protecting the data-preparation and personalization networks.
Section 4, 4.4 Firewalls The requirements in this section apply to firewalls protecting the data-preparation and personalization networks.
Modified p. 34 → 55
a) Ensure all documents relating to firewall configurations are stored securely.
a) Ensure all documents relating to firewall configurations are stored securely.
Modified p. 34 → 55
b) Deploy an external firewall outside the HSA above for acceptable configurations).
b) Deploy an external firewall outside the HSA to protect the HSA’s DMZ.
Modified p. 34 → 55
c) Install a firewall between the data-preparation network and the personalization network unless both are located within the same high security area or network.
c) Install a firewall between the data-preparation network and the personalization network unless both are located within the same high security area or network.
Modified p. 34 → 56
e) Implement appropriate operating-system controls on firewalls.
f) Implement appropriate operating-system controls on firewalls.
Modified p. 34 → 56
f) Review firewall rule sets and validate supporting business justification at least monthly.
g) Review firewall rule sets and validate supporting business justification either:
Modified p. 34 → 57
g) Restrict physical access to firewalls to only those designated personnel who are authorized to perform firewall administration activities.
h) Restrict physical and logical access to firewalls to only those designated personnel who are authorized to perform firewall or router administration activities.
Modified p. 34 → 57
h) Ensure the firewall rule set is such that any server only requiring inbound connections (for example, web servers) is prohibited from making outbound connections.
i) Ensure the firewall rule set is such that any server only requiring inbound connections (for example, web servers) is prohibited from making outbound connections, and vice versa.
Removed p. 35
5.4.2 Configuration The firewalls must:

d) Implement IP masquerading or Network Address Translation (NAT).

e) If managed remotely, be managed according to the remote access section.
Modified p. 35 → 57
i) Ensure that only authorized individuals can perform firewall administration.
j) Ensure that only authorized individuals can perform firewall administration.
Modified p. 35 → 57
j) Run firewalls on dedicated hardware. All non-firewall-related software such as compilers, editors, and communication software must be deleted or disabled.
k) Run firewalls and routers on dedicated hardware. All non-firewall-related software such as compilers, editors, and communication software must be deleted or disabled.
Modified p. 35 → 58
k) Implement daily, automated analysis reports to monitor firewall activity.
l) Implement daily, automated analysis reports to monitor firewall activity.
Modified p. 35 → 58
l) Use unique administrator passwords for firewalls used by the personalization system and those passwords used for other network devices in the facility.
m) Use unique administrator passwords for firewalls used by the personalization system as well as those passwords used for other network devices in the facility.
Modified p. 35 → 58
m) Implement mechanisms to protect firewall system logs from tampering, and procedures to check the system integrity monthly.
n) Implement both mechanisms to protect firewall and router system logs from tampering, and procedures to check the integrity of the logs monthly.
Modified p. 35 → 59
a) Be configured to permit network access to required services only.
a) Be configured to permit network access to required services only.
Removed p. 36
b) Ensure that all anti-virus programs detect, remove, and protect against all known types of malicious software.

b) Offsite access to the badge access system is not permitted.
Modified p. 36 → 60
f) Be configured to deny all services not expressly permitted.
f) Be configured to deny all services not expressly permitted.
Modified p. 36 → 60
g) Disable all unnecessary services, protocols, and ports.
g) Disable all unnecessary services, protocols, and ports. Authorized services must be documented with a business justification and be approved by the IT Security Manager.
Modified p. 36 → 60
h) Disable source routing on the firewall.
h) Disable source routing on the firewall.
Modified p. 36 → 61
i) Notify the administrator in real time of any items requiring immediate attention.
5.5 Anti-virus Software or Programs The vendor must:
i) Notify the administrator in real time of any items requiring immediate attention.
Modified p. 36 → 63
a) Deploy anti-virus software on all systems potentially affected by malicious software (e.g., personal computers and servers).
b) Deploy anti-virus software on all systems potentially affected by malicious software (e.g., personal computers and servers).
Modified p. 36 → 63
d) Check for anti-virus updates at least daily, and install updates whenever updates are available.
d) Check for anti-virus updates at least daily and install updates in a manner consistent with Patch Management. Documentation must exist for why any updates were not installed.
Modified p. 37 → 64
c) Remote access (i.e., from outside the HSA) for administrative-activities is permitted only from pre-determined and authorized locations using vendor-approved systems.
c) Remote access (i.e., from outside the HSA) for administrative activities is permitted only from pre-determined and authorized locations using vendor-approved systems.
Modified p. 37 → 64
d) Access using personally owned hardware is prohibited.
d) Access using personally owned hardware is prohibited.
Modified p. 37 → 64
e) Remote access is not permitted where qualified employees are temporarily off-site and remote access is a convenience.
e) Remote access is not permitted where qualified personnel are temporarily off-site and remote access is a convenience.
Modified p. 37 → 64
i. System components for which remote access is permitted
i. System components for which remote access is permitted • System components for which remote access is permitted
Modified p. 37 → 64
ii. The location from which remote access is permitted
ii. The location from which remote access is permitted • The location from which remote access is permitted
Modified p. 37 → 64
iii. The conditions under which remote access is acceptable
iii. The conditions under which remote access is acceptable • The conditions under which remote access is acceptable
Modified p. 37 → 65
iv. Users with remote access permission
iv. Users with remote access permission • Users with remote access permission
Modified p. 37 → 65
v. The access privileges applicable to each authorized user
v. The access privileges applicable to each authorized user • The access privileges applicable to each authorized user
Modified p. 37 → 65
g) All access privileges must be validated on a quarterly basis by an authorized individual.
g) All access privileges must be validated on a quarterly basis by an authorized individual.
Modified p. 37 → 65
i) Remote access is prohibited to clear-text cardholder data, clear-text cryptographic keys, or clear-text key components/shares.
i) Remote access is prohibited to clear-text cardholder data, clear-text cryptographic keys, or clear-text key components/shares.
Removed p. 38
5.6.2 Virtual Private Network (VPN)
Modified p. 38 → 65
ii. Ensure remote administration is predefined and preauthorized by the vendor.
ii. Ensure remote administration is predefined and preauthorized by the vendor.
Modified p. 38 → 65
iii. Ensure remote changes comply with change-management requirements as outlined in Section 6.2, Change Management.
iii. Ensure remote changes comply with change-management requirements as outlined in Section 5.2, “Change Management.”
• Remote changes comply with change-management requirements as outlined in Section 5.2, “Change Management.”
Modified p. 38 → 66
iv. Ensure that all remote access locations are included in the facility’s compliance assessment and meet these requirements.
iv. Ensure that all remote access locations are included in the facility’s compliance assessment and meet these requirements.
Modified p. 38 → 66
v. Be able to provide evidence of compliance validation for any remote access location.
v. Be able to provide evidence of compliance validation for any remote access location.
Modified p. 38 → 66
vi. Ensure that non-vendor staff performing remote administration maintain liability insurance to cover potential losses.
Interview a sample of non-vendor staff performing remote administration and verify that they maintain liability insurance to cover potential losses.
Modified p. 38 → 66
k) All personnel performing remote administration must meet the same pre-screening qualification requirements as employees working in high security areas.
Examine policies and procedures to verify that personnel performing remote administration must meet the same pre-screening qualification requirements as employees working in high security areas.
Modified p. 38 → 67
a) Traffic on the VPN must be encrypted using Triple DES with at least double-length keys or Advanced Encryption Standard (AES).
d) Traffic on the VPN must be encrypted using Triple DES with at least double-length keys or Advanced Encryption Standard (AES).
Modified p. 39 → 67
b) Modifications to the VPN must be in compliance with the change-management requirements as outlined in Section 6.2, Change Management.
e) Modifications to the VPN must be in compliance with the change-management requirements as outlined in Section 5.2, “Change Management.” Examine a sample of modifications made to VPN configurations and verify that changes are in compliance with the change-management requirements as outlined in Section 5.2, “Change Management.”
Modified p. 39 → 68
c) Mechanisms (e.g., digital signatures, checksums) must exist to detect unauthorized changes to VPN configuration and change-control settings.
f) Mechanisms (e.g., digital signatures, checksums) must exist to detect unauthorized changes to VPN configuration and change-control settings.
Modified p. 39 → 68
d) Two-factor authentication must be used for all VPN connections.
g) Multi-factor authentication must be used for all VPN connections.
Modified p. 39 → 68
e) Access must be declined after three consecutive unsuccessful access attempts.
h) Access must be declined after three consecutive unsuccessful access attempts.
Modified p. 39 → 68
f) Access counters must only be reset by an authorized individual after user validation by another authorized individual.
i) Access counters must only be reset by an authorized individual after user validation by another authorized individual.
Modified p. 39 → 68
g) The connection must time out within five minutes if the session is inactive.
j) The connection must time out within five minutes if the session is inactive.
Modified p. 39 → 68
h) Remote access must be logged, and the log must be reviewed weekly for suspicious activity.
k) Remote access must be logged, and the log must be reviewed weekly for suspicious activity. Evidence of log review must be maintained.
Modified p. 39 → 69
i) VPN traffic using Internet Protocol Security (IPsec) must meet the following additional requirements:
l) VPN traffic using Internet Protocol Security (IPsec) must meet the following additional requirements:
Modified p. 39 → 69
i. Tunnel mode must be used except where communication is host-to-host.
i. Tunnel mode must be used except where communication is host-to-host.
Modified p. 39 → 69
ii. Aggressive mode must not be used for tunnel establishment.
ii. Aggressive mode must not be used for tunnel establishment.
Removed p. 40
f) When a vendor does not use a wireless network, the vendor must still use a scanning device that is capable of detecting rogue and hidden wireless networks. Random scans of the HSA must be conducted at least monthly.
Modified p. 40 → 69
a) Implement a policy regarding wireless communications and clearly communicate this policy to all employees.
a) Implement a documented policy regarding wireless communications and clearly communicate this policy to all card production staff.
Modified p. 40 → 70
b) Not use wireless communications for the transfer of any personalization data.
b) Not use wireless communications for the transfer of any personalization data and/or cloud-based provisioning data.
Modified p. 40 → 70
d) Use a wireless intrusion detection system (WIDS) capable of detecting hidden and spoofed networks for all authorized wireless networks.
d) Use a wireless intrusion-detection system (WIDS) capable of detecting hidden and spoofed.
Modified p. 40 → 70
e) When a vendor uses a wireless network, the WIDS must be used to conduct random scans within the HSA at least monthly to detect rogue and hidden wireless networks.
e) When using a wireless network, use the WIDS to conduct random scans within the HSA at least monthly to detect rogue and hidden wireless networks.
Modified p. 41 → 71
b) Wireless networks must only be used for the transmission of non-cardholder data (e.g., production control, inventory tracking) and be properly secured.
b) Wireless networks must only be used for the transmission of non-cardholder data (e.g., production control, inventory tracking) and be properly secured.
Modified p. 41 → 72
d) All wireless gateways must be protected with firewalls.
d) All wireless gateways must be protected with firewalls.
Modified p. 41 → 72
WEP encryption must not be used and must be disabled.
WEP encryption must be disabled.
Modified p. 41 → 72
g) The service set identifier (SSID) must not be broadcast.
g) The service set identifier (SSID) must not be broadcast.
Modified p. 42 → 73
j) The vendor must disable the SNMP at all wireless access points.
j) The vendor must disable the SNMP at all wireless access points.
Modified p. 42 → 74
k) Static passwords used to join wireless networks must be compliant with the requirements in the password section, but may be shared with other individuals in the organization on a need-to-know basis.
k) Static passwords used to join wireless networks must be compliant with the requirements in Section 6.2, “Password Control,” but may be shared with other individuals in the organization on a need-to-know basis.
Modified p. 42 → 74
a) Default SSID must be changed upon installation and must be at least 8 characters.
a) Default SSIDs must be changed upon installation and new passwords must be at least 8 characters.
Modified p. 42 → 74
b) A log of media access-control addresses and associated devices (including make, model, owner, and reason for access) must be maintained, and a check of authorized media access control addresses on the access point (AP) must be conducted at least quarterly.
b) A log of media access-control addresses and associated devices (including but not limited to make, model, owner, and reason for access) must be maintained, and a check of authorized media access-control addresses on the access point (AP) must be conducted at least quarterly.
Modified p. 42 → 75
d) Wi-Fi Protected Access (WPA) must be enabled if the wireless system is WPA-capable.
d) Wi-Fi Protected Access (WPA) must be enabled if the wireless system is WPA-capable.
Removed p. 43
5.8 Security Testing and Monitoring 5.8.1 Vulnerability The vendor must:
Modified p. 43 → 75
e) Default passwords on the AP must be changed.
e) Default passwords on the AP must be changed.
Removed p. 44
[Table columns (previous template): Requirement | Card Vendor Self-Evaluation (Comply, Comments) | Assessor Compliance Evaluation (Result, Comment/Non-Compliance Assessment)] Section 5, 5.8.2 Penetration The vendor must:

5.8.3 Intrusion Detection Systems The vendor must:

a) Use an intrusion detection system (IDS) to monitor all data-preparation and personalization network traffic.
Modified p. 44 → 77
i. The internal penetration test must not be performed remotely.
i. The internal penetration test must not be performed remotely.
Modified p. 44 → 78
iii. Penetration tests must be performed on the application layer and must include:
iii. Penetration tests must be performed on the application layer and must include at least the following:
Modified p. 44 → 78
• Injection flaws (e.g., SQL injection)
• Buffer overflow
• Insecure cryptographic storage
• Improper error handling
• All other discovered network vulnerabilities
• Injection flaws (e.g., SQL injection)
• Buffer overflow
• Insecure cryptographic storage
• Improper error handling
• Insecure communications
• All other discovered high-risk network vulnerabilities
Modified p. 44 → 79
b) Ensure all findings from penetration tests are prioritized and tracked. Corrective action for high-priority vulnerabilities must be started within two working days.
b) Ensure all findings from penetration tests are prioritized and tracked. Corrective action for high-priority vulnerabilities must be started within two working days.
Removed p. 45
Section 6: System Security 6.1 General Requirements The vendor must:
Modified p. 45 → 80
b) Ensure the IDS alerts personnel to suspicious activity in real time.
b) Ensure the IDS alerts personnel to suspicious activity in real time.
Modified p. 45 → 81
c) Ensure the IDS monitors all traffic at the personalization network perimeter as well as at critical points inside the personalization network.
c) Ensure the IDS monitors all traffic at the personalization network perimeter as well as at critical points inside the personalization network, such as but not limited to firewalls and public-facing interfaces or servers where cardholder data is decrypted.
Modified p. 45 → 81
Section 6: System Security
Section 5: System Security
Modified p. 45 → 81
a) Ensure that any system used in the personalization process is only used to perform and control personalization activities.
b) Ensure that any system used in the personalization process or in the cloud-based provisioning process is only used to perform its intended function (i.e., control personalization or cloud-based provisioning process activities).
Modified p. 45 → 82
b) Change supplier provided default parameters prior to installation in the production environment.
c) Change supplier-provided default parameters prior to or during installation in the production environment.
Modified p. 45 → 82
c) Encrypt non-console administrative access when it takes place from within the personalization network.
d) Encrypt non-console administrative access when it takes place from within the personalization network.
Modified p. 45 → 82
d) Synchronize clocks on all systems associated with personalization with an external time source.
e) Synchronize clocks on all systems associated with personalization or cloud-based provisioning networks with an external time source based on International Atomic Time or Universal Time Coordinated (UTC).
Modified p. 45 → 82
e) Restrict and secure access to system files at all times.
f) Restrict and secure access to system files at all times.
Modified p. 45 → 82
f) Ensure that virtual systems do not span different network domains.
g) Ensure that virtual systems do not span different network domains.
Removed p. 46
j) Ensure that the badge access is compliant
6.2 Change Management The vendor must:

a) Document the change-management process.
Modified p. 46 → 83
g) Ensure that all components of the personalization network physically reside within the HAS.
h) Ensure that all components of the personalization network physically reside within the HSA.
Modified p. 46 → 83
h) Ensure that PIN printing takes place on a dedicated network that is either separated from other networks by its own firewall or standalone.
i) Ensure that PIN printing takes place on a dedicated network that is either separated from other networks by its own firewall or standalone (i.e., the printer and HSM are integrated).
Modified p. 46 → 83
i) Ensure that the badge access-control system complies with the system security requirements in this document.
j) Ensure that the access-control system complies with the system security requirements in this document.
Modified p. 46 → 84
b) Ensure that network and system changes follow the change-management process.
b) Ensure that network and system changes follow a documented change-management process, and that the process is validated at least every 12 months.
Modified p. 46 → 85
d) Ensure that the change-management process includes procedures for emergency changes.
d) Ensure that the change-management process includes procedures for emergency changes.
Modified p. 46 → 85
e) Implement version identification and control for all software and documentation.
e) Implement version identification and control for all software and documentation.
Removed p. 47
6.3 Configuration and Patch Management The vendor must:
Modified p. 47 → 85
h) Ensure that both development and production staff must sign off the transfer of a system from test to live, and from live to test.
h) Ensure that both development and production staff must sign off on the transfer of a system from test to live, and from live to test. This sign-off must be witnessed under dual control.
Modified p. 47 → 85
This sign-off must be witnessed under dual control.
This sign-off must be witnessed under dual control.
Modified p. 47 → 86
c) Ensure that secure configuration standards are established for all system components.
c) Ensure that secure configuration standards are established for all system components.
Modified p. 47 → 87
f) Ensure all systems used in support of personalization are actively supported in the form of regular updates.
f) Ensure all systems used in support of both personalization or cloud-based provisioning networks are actively supported in the form of regular updates.
Modified p. 48 → 87
g) Evaluate and install the latest security-relevant patches for all system components within 30 days of their release (if they pass validation tests).
g) Evaluate and install the latest security-relevant patches for all system components within 30 days of their release (if they pass validation tests).
Modified p. 48 → 87
h) Verify the integrity and quality of the patches before application.
h) Verify the integrity and quality of the patches before application, including source authenticity.
Modified p. 48 → 87
i) Make a backup of the system being changed before applying any patches.
i) Make a backup of the system being changed before applying any patches. The backup must be securely stored.
Modified p. 48 → 88
j) Implement critical patches to all Internet-facing system components within seven business days of release. When this is not possible the CISO, security manager, and IT director must clearly record that they understand that a critical patch is required and authorize its implementation within a maximum of 30 business days.
j) Implement critical patches to all Internet-facing system components within 7 business days of release. When this is not possible the CISO, IT Security Manager, and IT director must clearly record that they understand that a critical patch is required and authorize its implementation within a maximum of 30 business days.
Modified p. 48 → 89
l) Ensure that emergency hardware and software implementations follow the configuration and patch management requirements in this section.
Examine a sample of emergency hardware and software implementations to verify that all configuration and patch management procedures are followed.
Removed p. 49
viii. Changes in access privileges

b) Review all access-control and change logs (for example, logs from firewalls, routers, wireless access points, and authentication servers) to check for any unauthorized activity at least weekly.
Modified p. 49 → 90
a) Ensure that audit logs include at least the following components:
b) Ensure that audit logs include at least the following components:
Modified p. 49 → 90
i. User identification
User identification
Modified p. 49 → 90
iii. Valid date and time stamp
Valid date and time stamp
Modified p. 49 → 90
iv. Success or failure indication
Success or failure indication
Modified p. 49 → 90
v. Origination of the event
Origination of the event
Modified p. 49 → 90
vi. Identity or name of the affected data, system component, or resources
Identity or name of the affected data, system component, or resources
Modified p. 49 → 90
vii. Access to audit logs
Access to audit logs
Modified p. 49 → 91
c) Verify at least once a month that all systems are meeting log requirements.
d) Verify at least once a month that all systems are meeting log requirements.
Modified p. 49 → 92
d) Ensure that logs for all critical systems are backed up daily, secured, and retained for at least one year. Logs must be accessible for at least three months online and one year offline.
e) Ensure that logs for all critical and cloud-based provisioning systems are backed up daily, secured, and retained for at least one year. Logs must be accessible for at least three months online and one year offline.
Modified p. 49 → 92
e) Protect and maintain the integrity of the audit logs from any form of modification.
f) Protect and maintain the integrity of the audit logs from any form of modification.
Modified p. 49 → 95
Section 6, 6.4 Audit Logs The vendor must:
Section 5, 5.6.3 Development The vendor must:
Removed p. 50
6.5.3 Development The vendor must:
Modified p. 50 → 94
Section 6, 6.5 Software Design and Development 6.5.1 General The vendor must:
Section 5, 5.6 Software Design and Development 5.6.1 General The vendor must:
Modified p. 50 → 94
a) Document the design, development, and maintenance processes.
a) Document the design, development, and maintenance processes.
Modified p. 50 → 94
b) Ensure these activities are based on industry standards and security must be an integral part of the software life cycle process.
b) Ensure these activities are based on industry standards and security is an integral part of the software life cycle process. Web applications must be developed based on secure coding guidelines such as: the OWASP Guide, SANS CWE Top 25, and CERT Secure Coding.
Modified p. 50 → 94
c) Document all software components for each system and describe the functionality provided.
c) Document all software components for each system and describe the functionality provided.
Modified p. 50 → 94
d) Protect any software backup copies from accidental destruction.
6.5.2 Design The vendor must document the flow of personalization data within the environment from the receipt/generation to end of lifecycle.
a) The vendor must document the flow of personalization data within the environment from the receipt/generation to end of lifecycle.
Modified p. 51 → 98
Section 6, 6.6 Software Implementation The vendor must:
Section 5, 5.8 Software Implementation The vendor must:
Modified p. 51 → 98
c) Ensure all software implementation complies with Section 6.2, Change Management.
c) Ensure all software implementation complies with Section 5.2, “Change Management.” Examine a sample of recent software updates to verify they comply with Section 5.2, “Change Management.”
Modified p. 51 → 98
d) Test software prior to implementation to ensure correct operation.
d) Test software prior to implementation to ensure correct operation.
Modified p. 51 → 99
e) Prevent debugging within production environment.
e) Prevent debugging within production environment.
Modified p. 51 → 99
f) Have a predefined PC device configuration for PC devices used within the HAS.
f) Have a predefined PC device configuration for PC devices used within the HSA.
Modified p. 51 → 99
g) Implement an approval process for all software beyond the standard PC device configuration for PC devices used within the HAS.
g) Implement an approval process for all software beyond the standard PC device configuration for PC devices used within the HSA.
Modified p. 51 → 99
h) Ensure no unauthorized software can be installed.
h) Ensure no unauthorized software can be installed.
Modified p. 51 → 99
i) Ensure all software is transferred from development to production in accordance with the change control process.
i) Ensure all software is transferred from development to production in accordance with the change-control process.
Removed p. 52
g) Ensure that when generic administrative accounts are used, the password is managed under dual control where no individual has access to the full password. Each component of the password must comply with the password control requirements in Section 7.2 below.
Modified p. 52 → 100
Section 7: User Management and System Access Control
Section 6: User Management and System Access Control
Modified p. 52 → 100
Section 7: 7.1 User Management The vendor must:
Section 6: 6.1 User Management The vendor must:
Modified p. 52 → 101
a) Restrict systems access by unique ID to only those individuals who have a business need.
d) Restrict systems access by unique user ID to only those individuals who have a business need.
Modified p. 52 → 101
b) Only grant individuals the minimum level of access sufficient to perform their duties.
g) Only grant individuals the minimum level of access sufficient to perform their duties.
Modified p. 52 → 102
c) Make certain that systems authentication requires at least the use of a unique ID and password.
h) Make certain that systems authentication requires at least the use of a unique ID and password.
Modified p. 52 → 102
d) Restrict administrative access to the minimum number of individuals required for management of the system.
i) Restrict administrative access to the minimum number of individuals required for management of the system.
Modified p. 52 → 102
e) Ensure that group, shared, and generic accounts and passwords are disabled wherever the system supports unique values.
j) Ensure that group, shared, and generic accounts and passwords are disabled wherever the system supports unique values.
Modified p. 52 → 103
f) Ensure that where generic administrative accounts cannot be disabled, these accounts are used only when unique administrator sign-on credentials are not possible.
k) Ensure that where generic administrative accounts cannot be disabled, these accounts are used only when unique administrator sign-on credentials are not possible and only in an emergency.
Modified p. 52 → 103
h) Validate all system access at least quarterly.
m) Validate all system access at least quarterly.
Modified p. 52 → 104
i) Revalidate employee access to any systems upon a change of duties.
n) Revalidate card production staff access to any systems upon a change of duties.
Removed p. 53
d) Systems enforce password lengths of at least seven characters.
Modified p. 53 → 99
Section 7: 7.2 Password Control 7.2.1 General The vendor must:
Section 5 (table header only)
Modified p. 53 → 105
b) Implement procedures for handling lost, forgotten and compromised passwords.
b) Implement procedures for handling lost, forgotten, and compromised passwords.
Modified p. 53 → 105
c) Distribute password procedures and policies to all users who have access to cardholder information or any system used as part of the personalization process.
c) Distribute password procedures and policies to all users who have access to cardholder data, or any system used as part of the personalization process.
Modified p. 53 → 106
d) Ensure that only users with administrative passwords.
d) Ensure that only users with administrative privileges can administer other users’ passwords.
Modified p. 53 → 106
e) Not store passwords in clear text.
e) Not store passwords in clear text.
Modified p. 53 → 106
f) Change all default passwords. 7.2.2 Characteristics and Usage The vendor must ensure that:
f) Change all default passwords.
Modified p. 53 → 107
b) Newly issued passwords are changed on first use. c) within 24 hours of distribution.
b) Newly issued passwords are changed on first use.
Removed p. 54
i. Upper-case letters

ii. Lower-case letters

iv. Special characters

j) resetting a user password. 7.3 Session Locking The vendor must:

7.4 Account Locking
Modified p. 54 → 107
e) Passwords consist of a combination of at least three of the following:
e) Passwords consist of using a combination of at least three of the following categories:
Modified p. 54 → 107
f) Passwords are not the same as the user ID.
f) Passwords are not the same as the user ID.
Modified p. 54 → 107
g) Passwords are not displayed during entry.
g) Passwords are not displayed during entry.
Modified p. 54 → 108
h) Passwords must have a maximum life not to exceed 90 days and a minimum life of at least one day.
i) Passwords have a maximum life not to exceed 90 days and a minimum life of at least one day.
Modified p. 54 → 108
i) When updating passwords, the system prevents users from using a password that is the same as one of their previous four passwords.
j) When updating passwords, the system prevents users from using a password that is the same as one of their previous four passwords.
Modified p. 54 → 109
a) Enforce the locking of an inactive session within a maximum of 15 minutes.
a) Enforce the locking of an inactive session within a maximum of 15 minutes. If the system does not permit session locking, the user must be logged off after the period of inactivity.
Removed p. 55
iii. Application
Modified p. 55 → 110
d) immediately upon that user leaving the e) suspected of being compromised.
e) A user’s account must be locked immediately if that user’s password is known or suspected of being compromised.
Modified p. 55 → 111
f) The user account logs including but not limited to the following must be reviewed at least twice each month for suspect lock-out
f) The user account logs including but not limited to the following must be reviewed at least twice each month for suspect lock-out activity:
Modified p. 56 → 111
Section 8: Key Management: Secret Data
Section 7: Key Management: Secret Data
Modified p. 56 → 111
Section 8: 8.1 General Principles a) cryptographic architecture must exist. In particular it must detail all the keys used by each HSM. The key description must describe the key usage.
a) A written description of the vendor’s cryptographic architecture must exist. In particular, it must detail all the keys used by each HSM. The key description must describe the key usage.
Modified p. 56 → 112
d) Where clear key components or shares pass through a PC or other equipment, the equipment must never be connected to any network and must be powered down when not in use.
d) Where clear key components or shares pass through a PC or other equipment, the equipment must never be connected to any network and must be powered down when not in use. These computers must be dedicated and be hardened and managed under dual control at all times.
Modified p. 56 → 112
e) Keys used for protection of keying material or other sensitive data must meet the minimums delineated in Appendix A.
e) Keys used for protection of keying material or other sensitive data must meet the minimums delineated in Annex A.
Removed p. 57
b) As a cryptogram
Modified p. 57 → 113
g) Cryptographic keys must not be hard-coded into software.
g) Cryptographic keys must not be hard-coded into software.
Modified p. 57 → 113
h) Audit trails must be maintained for all key-management activities.
h) Audit trails must be maintained for all key-management activities.
Modified p. 57 → 113
i) Key-management activities must be performed by vendor or issuer staff.
i) Key-management activities must be performed by vendor or issuer staff.
Modified p. 57 → 114
k) All key-management activities must be documented, and all activities involving clear key components must be logged. The log must
l) All key-management activities must be documented, and all activities involving clear key components must be logged. The log must include:
Modified p. 57 → 114
i. Unique identification of the individual that performed each function
Unique identification of the individual that performed each function
Modified p. 57 → 115
iv. Purpose 8.2 Symmetric Keys Ensure that symmetric keys only exist in the following forms:
a) Symmetric keys only exist in the following forms:
Modified p. 57 → 115
a) As plaintext inside the protected memory of a secure cryptographic device
As plaintext inside the protected memory of a secure cryptographic device
Modified p. 57 → 115
c) As two or more full-length components (where each component must be the same least 2.
As two or more full-length components (where each component must be the same length as the final key) or as part of an “m of n” sharing scheme where the value of “m” is at least 2.
Removed p. 58
i. The components or shares must be managed using the principles of dual control and split knowledge.

ii. As a cryptogram

iii. As two or more components or as part of managed using the principles of dual control and split

b) Public keys must have their authenticity and integrity ensured. In order to ensure authenticity and integrity, a public key must be encrypted, or if in plain-text form, must exist only in one of the following forms:

ii. Within a PKCS#10,

iii. Within a SCD, or
Modified p. 58 → 115
i. As plaintext inside the protected memory of a secure cryptographic device
As plaintext inside the protected memory of a secure cryptographic device
Modified p. 58 → 116
ii. No single person shall be able to access or use all components or a quorum of shares of a single secret or private cryptographic key.
c) No single person shall be able to access or use all components or a quorum of shares of a single private cryptographic key.
Modified p. 58 → 116
a) Private keys exist only in the following forms:
a) Private keys exist only in the following forms:
Modified p. 58 → 117
8.3 Asymmetric Keys Ensure that:
e) Asymmetric keys also adhere to:
Modified p. 58 → 117
i. Within a certificate,
Within a certificate,
Modified p. 58 → 117
iv. With a MAC (message authentication code) created using the algorithm defined in ISO 16609.
With a MAC (message authentication code) created using the algorithm defined in ISO 16609.
Removed p. 59
c) Asymmetric keys also adhere to:

ii. The payment system specification for asymmetric keys 8.4 Key-Management Security Administration The secure administration of all key-management activity plays an important role in terms of logical security. The following requirements relate to the procedures and activities for managing keys and key sets.

8.4.2 Key Manager
Modified p. 59 → 117
i. The payment system requirements for obtaining the issuer certificate
The payment system requirements for obtaining the issuer certificate
Modified p. 59 → 118
b) All physical equipment associated with key-management activity, such as physical keys, authentication codes, smart cards, and other device enablers as well as equipment such as personal computers must be managed following the principle of dual control.
b) All physical equipment associated with key-management activity, such as physical keys, authentication codes, smart cards, and other device enablers, as well as equipment such as personal computers, must be managed following the principle of dual control.
Modified p. 59 → 118
b) CISO must approve the Key Manager for the position within the vendor.
b) CISO must approve the Key Manager for the position within the vendor.
Modified p. 59 → 119
i. Have a nominated deputy.
i. Have a nominated deputy. Test procedure: Interview the Key Manager to verify that the Key Manager has a nominated deputy.
Modified p. 60 → 119
ii. Be responsible for ensuring that all key-management activity is fully documented.
ii. Own and be responsible for ensuring that all key-management activity is fully documented.
Modified p. 60 → 119
iii. Be responsible for ensuring that all key-management activity is carried out in accordance with the documented procedures.
iii. Be responsible for ensuring that all key-management activity is carried out in accordance with the documented procedures.
Modified p. 60 → 120
i. All key custodians have been trained with regard to their responsibilities, and this forms part of their annual security training.
i. All key custodians have been trained with regard to their responsibilities, including incremental changes, and this forms part of their annual security training.
Modified p. 61 → 121
Section 8: 8.4.3 Key Custodians
Section 7: 7.4.3 Key Custodians
Modified p. 61 → 121
c) The suitability of personnel must be reviewed on an annual basis.
c) The suitability of personnel must be reviewed on an annual basis.
Modified p. 61 → 121
d) They must be employees of the vendor and never temporary staff or consultants.
d) The key custodians must be employees of the vendor and never temporary staff or consultants.
Modified p. 61 → 122
f) Only fully trained key custodians and their backups may participate in key-management activities.
f) Only fully trained key custodians and their backups may participate in key-management activities.
Modified p. 61 → 122
a) If PINs or pass-phrases are stored, a copy of any PIN or pass-phrase, needed to access any device required for any key-management activity, must be stored securely (for recovery purposes).
a) If PINs or pass-phrases are stored, a copy of any PIN or pass-phrase, needed to access any device required for any key-management activity, must be stored securely (for recovery purposes).
Removed p. 62
8.5 Key Generation
Modified p. 62 → 123
b) Only those person(s) who need access to a device must have access to the PIN or pass-phrase for that device.
b) Only those individuals needing access to a device must have access to the PIN or pass-phrase for that device.
Modified p. 62 → 124
b) Key generation must take place in a hardware security module (HSM) that has achieved PCI approval or FIPS 140-2 Level 3 certification for physical security.
b) Key generation must take place in a hardware security module (HSM) that has achieved PCI approval or FIPS 140-2 or 140-3 Level 3 or higher certification for physical security.
Modified p. 62 → 124
During operation, the HSM must utilize a security algorithm that complies with payment system requirements as defined in Appendix A.
During operation, the HSM must utilize a security algorithm that complies with payment system requirements as defined in Annex A.
Modified p. 62 → 125
c) Cables must be inspected to ensure disclosure of a plaintext key or key component or share is not possible.
c) Cables must be inspected under dual control to ensure disclosure of a plaintext key or key component or share is not possible.
Modified p. 63 → 125
e) Key components, if printed, must be created in such a way that the key component cannot be observed during the process by other than the authorized key custodian. Additionally, the key components cannot be observed on final documents without evidence of tampering.
e) Key components, if printed, must be created in such a way that the key component cannot be tapped or observed during the process by other than the authorized key custodian. Additionally, the key components cannot be observed on final documents without evidence of tampering.
Modified p. 63 → 126
a) Adhere to the RSA algorithm and ensure that the length of issuer RSA key pairs used for payment-transaction processing is in accordance with payment-system requirements.
a) Adhere to the public-key algorithm and ensure that the length of issuer RSA key pairs used for payment-transaction processing is in accordance with payment-system requirements.
Modified p. 64 → 127
a) Keys must be distributed only in their allowable forms.
a) Keys must be distributed only in their allowable forms.
Modified p. 64 → 127
b) When transmitted electronically, keys and key components or shares must be encrypted prior to transmission following all key-management requirements documented in this section.
b) When transmitted electronically, keys and key components or shares must be encrypted prior to transmission following all key-management requirements documented in this section.
Modified p. 64 → 128
Section 8: 8.6 Key Distribution
Section 7 (table header only)
Modified p. 64 → 128
iv. Key components or shares must be placed in pre-serialized, tamper-evident envelopes for shipment.
iv. Key components or shares must be placed in pre-serialized, tamper-evident envelopes for shipment.
Modified p. 64 → 129
d) Key components or shares must only be received by the authorized custodian, who
d) Key components or shares must only be received by the authorized custodian, who must:
Modified p. 65 → 129
i. Inspect and ensure that no one has tampered with the shipping package. If there are any signs of tampering, the key must be regarded as compromised and the document must be followed.
i. Inspect and ensure that no one has tampered with the shipping package. If there are any signs of tampering, the key must be regarded as compromised and the vendor’s key-compromise procedures document must be followed.
Modified p. 65 → 129
ii. Verify the contents of the package with the attached two-part form.
ii. Verify the contents of the package with the attached two-part form.
Modified p. 65 → 129
iv. Securely store the component or share policy.
iv. Securely store the component or share according to the vendor’s key-storage policy.
Modified p. 65 → 130
a) Any hardware used in the key loading function must be dedicated, controlled, and maintained in a secure environment under dual control.
Observe any hardware used in the key-loading function to verify it is dedicated, controlled, and maintained in a secure environment and under dual control.
Modified p. 66 → 131
c) Tokens, PROMs, or other key component/share holding mechanisms used for loading keys (or key components/shares) must only be in the physical possession of the designated custodian (or their backup), and only for the minimum practical time.
c) Tokens, PROMs, or other key component/share mechanisms used for loading keys (or key components/shares) must only be in the physical possession of the designated custodian (or their backup), and only for the minimum practical time.
Modified p. 66 → 131
e) All key loading activities must be under the control of the Key Manager.
e) All key-loading activities must be under the control of the Key Manager.
Modified p. 66 → 132
f) Control and maintain any tokens, electronically erasable programmable read-only memory (EEPROM), physical keys, or other key component/share holding devices used in loading keys in a secure environment under dual control.
f) Control and maintain any tokens, electronically erasable programmable read-only memory (EEPROM), physical keys, or other key component/share-holding devices used in loading keys in a secure environment under dual control.
Modified p. 66 → 132
g) Make certain that the key-loading process does not disclose any portion of a key component/share to an unauthorized individual.
g) Make certain that the key-loading process does not disclose any portion of a key component/share to an unauthorized individual.
Modified p. 66 → 132
h) If the key component/share is in human-readable form, ensure that it is only visible at one point in time to the key custodian and only for the duration of time required to load the key.
h) If the key component/share is in human-readable form, ensure that it is only visible at one point in time to the key custodian and only for the duration of time required to load the key.
Modified p. 67 → 134
j) Once a key or its components/shares have been loaded and validated as operational,
j) Once a key or its components/shares have been loaded and validated as operational, either:
Modified p. 67 → 134
i. Securely destroy or delete it from the key-loading materials as defined in Section
Securely destroy or delete it from the key-loading materials as defined in Section 7.11, “Key Destruction”; or
Modified p. 67 → 134
ii. Securely store it according to these requirements if preserving the keys or components/shares for future loading.
Securely store it according to these requirements if preserving the keys or components/shares for future loading.
Modified p. 67 → 135
8.8 Key Storage The following requirements relate to the secure storage of secret keys, private keys, and their plaintext key components or shares.
Section 7: 7.8 Key Storage The following requirements relate to the secure storage of secret keys, private keys, and their plaintext key components or shares.
Modified p. 67 → 135
b) These envelopes must not be removable without detection.
b) These envelopes must not be removable without detection.
Removed p. 68
iii. Purpose of access

8.9 Key Usage
Modified p. 68 → 136
d) Where a secret or private key component/share is stored on a token (e.g., an integrated circuit card) and an access code (e.g., a personal identification number (PIN)) or similar access-control mechanism is used to access that token, only that designated backup) must be allowed possession of both the token and its corresponding access code.
d) Where a secret or private key component/share is stored on a token (e.g., an integrated circuit card) and an access code (e.g., a personal identification number (PIN)) or similar access-control mechanism is used to access that token, only that token’s owner (or designated backup) must be allowed possession of both the token and its corresponding access code.
Modified p. 68 → 136
e) Ensure that access logs include, at a minimum, the following:
e) Ensure that access logs, at a minimum, include the following:
Modified p. 68 → 136
i. Date and time (in/out)
Date and time (in/out)
Modified p. 68 → 136
ii. Names and signatures of the key custodians involved
Names and signatures of the key custodians involved
Modified p. 68 → 136
iv. Serial number of envelope (in/out)
Serial number of envelope (in/out)
Modified p. 68 → 137
a) Each key must be used for only one purpose and not shared between payment systems, issuers or cryptographic zones, for example:
a) Each key must be used for only one purpose and not shared between payment systems, issuers, or cryptographic zones, for example:
Modified p. 69 → 138
b) Transport keys used to encrypt other keys for conveyance (e.g., KEK, ZCMK) must be unique per established key zone and, optionally, unique per issuer within that zone.
b) Key-encipherment keys used to encrypt other keys for conveyance (e.g., KEK, ZCMK) must be unique per established key zone and, optionally, unique per issuer within that zone. These keys must only be shared between the two communicating entities and must not be shared with any third organization.
Modified p. 69 → 138
d) No key must be used for a period longer than the designated life span of that key. Issuer keys must not be used for longer than the issuer-specified expiry date.
d) All secret and private keys must have a predefined expiry date by which they must be retired from use. No key must be used for a period longer than the designated life span of that key. Issuer keys must not be used for longer than the issuer-specified expiry date.
Modified p. 70 → 139
ii. Prohibit keys used for pilots (i.e., limited production for example via time, capabilities or volume) from being used for full product rollout unless the keys were managed to the same level of security compliance as required for production.
ii. Prohibit keys used for pilots (i.e., limited production, for example via time, capabilities, or volume) from being used for full product rollout unless the keys were managed to the same level of security compliance as required for production.
Modified p. 70 → 140
iii. Ensure that any keys used for prototyping (i.e., using cards for proof of concept or process where production keys are not used) are not used in production.
iii. Ensure that any keys used for prototyping (i.e., using cards for proof of concept or process where production keys are not used) are not used in production.
Modified p. 70 → 141
vi. Not use key variants except within the device with the original key.
vi. Not use key variants except within the device with the original key.
Modified p. 70 → 141
vii. Only use RSA private keys to decipher or to create a digital signature; public keys must only be used to encipher or to verify a signature.
vii. Only use private keys to decipher or to create a digital signature; public keys must only be used to encipher or to verify a signature.
Modified p. 71 → 142
viii. Maintain an inventory of keys under its management to determine when a key is no longer required e.g., could include key label/name, effective date, expiration date, key purpose/type, key length, etc.
viii. Maintain an inventory of keys under its management to determine when a key is no longer required (e.g., could include key label/name, effective date, expiration date, key purpose/type, key length, etc.).
Modified p. 71 → 142
g) All derivation keys must be unique per issuer.
g) All derivation keys must be unique per issuer.
Modified p. 71 → 143
a) Ensure that key backup and recovery are part of the business recovery/resumption plans of the organization.
a) Ensure that key back-up and recovery are part of the business recovery/resumption plans of the organization.
Modified p. 71 → 143
b) Require a minimum of two authorized individuals to enable the recovery of keys.
b) Require a minimum of two authorized individuals to enable the recovery of keys.
Modified p. 71 → 143
c) All relevant policies and procedures that apply to production keys must also apply to back-up keys.
c) All relevant policies and procedures that apply to production keys must also apply to backup keys.
Modified p. 71 → 144
d) Vendor must prohibit the loading of back-up keys into a failed device until the reason for that failure has been ascertained and the problem has been corrected.
d) Vendor must prohibit the loading of backup keys into a failed device until the reason for that failure has been ascertained and the problem has been corrected.
Modified p. 71 → 144
e) The backup of keys must conform to Information Security Policy.
e) The back-up of keys must conform to Information Security Policy.
Modified p. 71 → 144
f) All access to back-up storage locations must be witnessed and logged under dual control.
f) All access to backup storage locations must be witnessed and logged under dual control.
Modified p. 72 → 145
Section 8: 8.11 Key Destruction The following requirements relating to the destruction of clear keys, components, and shares must be met:
Section 7: 7.11 Key Destruction The following requirements relating to the destruction of clear keys, components, and shares must be met.
Modified p. 72 → 145
b) When a cryptographic device (e.g., HSM) is decommissioned, any data stored and any resident cryptographic keys must be deleted or otherwise destroyed.
b) When a cryptographic device (e.g., HSM) is decommissioned, any data stored and any resident cryptographic keys must be deleted or otherwise destroyed.
Modified p. 72 → 145
c) Securely destroy all copies of keys that are no longer required for card production.
c) Securely destroy all copies of keys that are no longer required for card production or provisioning.
Modified p. 72 → 145
d) All key destruction must be logged and the log retained for verification.
d) All key destruction must be logged, and the log retained for verification.
Modified p. 72 → 147
i) Destroy all key components under dual control with appropriate key-destruction affidavits signed by the applicable key custodian.
i) Destroy all key components under dual presence with appropriate key-destruction affidavits signed by the applicable key custodian.
Removed p. 73
8.12 Key-Management Audit Trail
Modified p. 73 → 147
j) A person who is not a key custodian for any part of that key must witness the destruction and also sign the key-destruction affidavits, which are kept indefinitely.
j) A person who is not a key custodian for any part of that key must witness the destruction and also sign the key-destruction affidavits, which are kept indefinitely. (This person may also fulfill the dual-presence requirement above or be a third person to the activity.) Test procedure: Observe the key-destruction process and verify that it is witnessed by a person who is not a key custodian for any component of that key; or Examine a sample of key-destruction logs and …
Modified p. 73 → 148
i. The date and time of the activity took place
The date and time of the activity took place
Modified p. 73 → 148
ii. The action taken (e.g., whether key generation, key distribution, key destruction)
The action taken whether key generation, key distribution, key destruction
Modified p. 73 → 148
iii. Name and signature of the person performing the action (may be more than one name and signature if split responsibility is involved)
Name and signature of the person performing the action (may be more than one name and signature if split responsibility is involved)
Modified p. 73 → 148
iv. Countersignature of the Key Manager or Select Select
Countersignature of the Key Manager or CISO
Modified p. 73 → 148
c) The vendor must prohibit access to key- management logs by any personnel outside of the Key Manager or authorized individuals.
c) The vendor must prohibit access to key-management logs by any personnel outside of the Key Manager or authorized individuals.
Modified p. 73 → 149
d) Any facility to reset the sequence number generator in the HSM must be restricted. Select Select
d) Any facility to reset the sequence number generator or other mechanisms such as time and date stamps in the HSM must be restricted.
Modified p. 73 → 149
e) The CISO or an authorized individual must investigate all audit log validation failures. Select Select
e) The CISO or an authorized individual must investigate all audit log validation failures.
Modified p. 74 → 149
g) The vendor must ensure that the deletion of any audit trail is prevented. Select Select 8.13 Key Compromise The following requirements relate to the procedures for dealing with any known or suspected key compromise. Unless otherwise stated, the following applies to vendor-owned keys:
g) The vendor must ensure that the deletion of any audit trail is prevented.
Modified p. 74 → 150
Section 8 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment
Section 7 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 7.13 Key Compromise The following requirements relate to the procedures for dealing with any known or suspected key compromise. Unless otherwise stated, the following applies to vendor-owned keys.
Modified p. 74 → 150
i. Who is to be notified in the event of a key compromise? At a minimum, this must include the CISO, Key Manager, Security Manager, and the VPA Select Select
i. Who is to be notified in the event of a key compromise? At a minimum, this must include the CISO, Key Manager, IT Security Manager, and the VPA.
Modified p. 74 → 150
ii. The actions to be taken to protect and/or recover system software and/or hardware, symmetric and asymmetric keys, previously generated signatures, and encrypted data Select Select
ii. The actions to be taken to protect and/or recover system software and/or hardware, symmetric and asymmetric keys, previously generated signatures, and encrypted data.
Modified p. 74 → 151
v. Where keys are issuer-owned, the issuer must be notified immediately for further instruction.
v. Where keys are issuer- owned, the issuer must be notified immediately for further instruction.
Modified p. 74 → 151
b) Ensure that the replacement key is not a variant of the compromised key. Select Select
b) Ensure that the replacement key is not a variant of the compromised key.
Modified p. 75 → 151
c) Where a key compromise is suspected but not yet proven, the Key Manager must have the ability to activate emergency key replacement procedures.
c) Where a key compromise is suspected but not yet proven, the Key Manager must have the ability to activate emergency key- replacement procedures.
Modified p. 75 → 152
e) All keys that are encrypted with a key that has been revoked must also be revoked. Select Select
e) All keys that are encrypted with a key that has been revoked must also be revoked.
Modified p. 75 → 153
i) Data items that have been signed using a key that has been revoked (e.g., a public-key certificate) must be withdrawn as soon as practically possible and replaced once a new key is in place.
i) Data items that have been signed using a key that has been revoked (e.g., a public-key certificate) must be withdrawn as soon as practically possible and replaced once a new key is in place.
Modified p. 75 → 153
a) All key-management activity must be performed using a HSM. Select Select
a) All key-management activity must be performed using an HSM.
Modified p. 75 → 153
i. -resistant mechanisms must be activated. Select Select
i. All of the HSM’s tamper- resistant mechanisms must be activated.
Modified p. 76 → 153
ii. All physical keys must be removed. Select Select
ii. All physical keys must be removed.
Modified p. 76 → 154
c) HSMs used for key management or otherwise used for the protection of sensitive data must be approved by PCI or certified to FIPS 140-2 Level 3, or higher.
c) HSMs used for key management or otherwise used for the protection of sensitive data must be approved by PCI or certified to FIPS 140-2 or 140-3 Level 3 or higher certification for physical security.
Modified p. 76 → 155
f) When a HSM is removed from service permanently or for repair, all operational keys must be deleted from the device prior to its removal.
f) When an HSM is removed from service permanently or for repair, all operational keys must be deleted from the device prior to its removal.
Modified p. 76 → 156
h) The HSM must be under physical dual control at all times. Select Select
h) The HSM must be under physical dual control at all times.
Removed p. 77
k) No key must be used for a period longer than the designated life span of that key. Select Select
Modified p. 77 → 157
Section 9: Key Management: Confidential Data
Section 8: Key Management: Confidential Data
Modified p. 77 → 157
Section 9 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 9.1 General Principles
Section 8 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 8.1 General Principles
Modified p. 77 → 158
c) Cryptographic keys must not be hard-coded into software. Select Select
c) Cryptographic keys must not be hard-coded into software.
Modified p. 77 → 158
d) Audit trails must be maintained for all key-management activities. Select Select
d) Audit trails must be maintained for all key-management activities.
Modified p. 77 → 158
e) Key-management activities must be performed by vendor or issuer staff. Select Select
e) Key-management activities must be performed by vendor or issuer staff.
Modified p. 77 → 159
g) The vendor must generate keys and key components using a random or pseudo-random process.
g) The vendor must generate keys and key components using a random or pseudo-random process using one of the following:
Modified p. 77 → 160
h) Before the vendor accepts a key, they must ensure that they know its origin. Select Select
h) Before the vendor accepts a key, it must ensure that it knows its origin.
Modified p. 77 → 160
i) Keys must be stored in a manner that preserves their integrity. Select Select
i) Keys must be stored in a manner that preserves their integrity.
Modified p. 77 → 160
j) Keys must be used for only one purpose and not shared between cryptographic zones. Select Select
j) Keys must be used for only one purpose and not shared between cryptographic zones.
Modified p. 78 → 162
r) In the event of the compromise of a key, all instances of the key must be revoked. Select Select
r) In the event of the compromise of a key, all instances of the key must be revoked.
Modified p. 78 → 162
s) All keys that are encrypted with a key that has been revoked must also be revoked. Select Select
s) All keys that are encrypted with a key that has been revoked must also be revoked.
Modified p. 79 → 163
Section 10: PIN Distribution via Electronic Methods
Section 9: PIN Distribution via Electronic Methods
Modified p. 79 → 163
Section 10 Requirement Card Vendor Self-Evaluation Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 10.1 General Requirements The following requirements apply for the distribution of PINs via electronic methods:
Section 9 Requirement Card Vendor Self-Evaluation Test Procedure Assessor Compliance Evaluation Comply Comments Result Comment/Non-Compliance Assessment 9.1 General Requirements The following requirements apply for the distribution of PINs via electronic methods.
Modified p. 79 → 163
c) The PIN distribution system must perform no other function than PIN distribution, and any sessions established during the distribution (e.g., a telephone call, an e-mail or a SMS message) must be terminated once the PIN has been sent.
c) The PIN distribution system must perform no other function than PIN distribution, and any sessions established during the distribution (e.g., a telephone call, an e-mail, or a SMS message) must be terminated once the PIN has been sent.
Modified p. 79 → 164
f) The identification and authentication values must not disclose the account number. Select Select
f) The identification and authentication values must not disclose the account number.
Removed p. 80
j) The cardholder must be instructed to initiate a request for their PIN from the PIN distribution system (for example, by sending an e-mail or SMS or dialing the IVR PIN distribution system).
Modified p. 80 → 165
The PIN must only be distributed in response to a cardholder request.
j) The PIN must only be distributed in response to the receipt of valid identification and authentication values.
Modified p. 80 → 165
k) The PIN distribution system must be able to identify the cardholder from the identification value in the request, and the request must contain .
k) The PIN distribution system must be able to identify the cardholder from the identification value in the request, and the request must contain the cardholder’s authentication value.
Modified p. 80 → 165
l) The distribution system must not have any way of associating an identification value or authentication value with a specific number.
l) The distribution system must not have any way of associating an identification value or authentication value with a specific cardholder’s name, address, or account number.
Modified p. 80 → 166
n) The PIN must only be decrypted immediately before it is passed to the final distribution channel (e.g., the telephone or e- mail system).
n) The PIN must only be decrypted immediately before it is passed to the final distribution channel (e.g., the telephone or e-mail system).
Modified p. 80 → 166
o) The PIN distribution system must not contain any other cardholder data (e.g., PAN, cardholder name).
o) The PIN distribution system must not contain any other cardholder data (e.g., PAN, cardholder name).
Removed p. 82
Vendor ZMK sent in three paper based components Inside HSM Affina PSG 3 Key Custodians Head of CPC For ZMK Bank 3 bank personnel also shredded Not planned PEK 2TDES 112 Encrypts PIN Block between Issuer and Issuer Encrypted under ZMK Bank Inside HSM Affina PSG 1 Key Custodian Head of CPC Not planned Not planned MDK 2TDES 112 Issuer Master Application Keys, derivatives of which are for Authentication, Secure Messaging Integrity and Secure Confidentiality.

Issuer Encrypted under ZMK Bank Inside HSM Affina PSG 1 Key Custodian Head of CPC Not planned Not planned dCVV 2TDES 112 Master Key, derivatives of which are used in contactless application to create a dynamic Issuer Encrypted under ZMK Bank Inside HSM Affina PSG 1 Key Custodian Head of CPC Not planned Not planned KMC 2TDES 112 Locks chips between card manufacturer and Chip vendor Encrypted under ZMK Bank Inside HSM Affina PSG 1 Key …
Modified p. 82 → 168
ZMK vendor encrypts keys (KMC) used to lock the chip between pre-personaliser and personaliser party entity Bank brings ZMK components on site.
ZMK vendor encrypts keys (KMC) used to lock the chip between pre-personalizer and personalizer.
Modified p. 83 → 169
Inside HSM Affina PSG 1 Key Custodian Head of CPC procedures.
Inside HSM Affina PSG 1 Key Custodian Head of CPC As per procedures.
Modified p. 83 → 169
ICSK is personalised in chip.
ICSK is personalized in chip.
Modified p. 83 → 169
If separate PIN encipherment key required also generated.
If separate PIN encipherment key required, also generated.
Modified p. 83 → 169
Vendor Not distributed, coded on chip card Not stored Affina PSG Automated N/A N/A LMK 3DES 32 Local Master Key Used to encrypt keys in database. on SafeNet PSG HSM.
Not stored Affina PSG Automated N/A N/A LMK 3DES 32 Local Master Key Used to encrypt keys in database.
Modified p. 83 → 169
Not distributed. In memory of HSM and as 3 paper based components.
Not distributed. In memory of HSM and as 3 paper-based components.
Modified p. 83 → 169
SafeNet PSG Loaded by 3 Key Custodians. Deletion from the memory of destruction in Not Confirmed ZMK 3DES 32 Zone Master Key Shared between a third party and vendor. on SafeNet PSG HSM or party.
Deletion from the memory of the HSM Physical destruction in cross cut shredder Not Confirmed ZMK 3DES 32 Zone Master Key Shared between a third party and vendor.
Modified p. 83 → 169
SafeNet PSG Loaded by 3 Key Custodians. Deletion from the memory of destruction in KTK 3DES 32 Key Encryption Key / Key Transport Key Shared between internal cryptographic zones. on SafeNet PSG HSM by custodian.
Deletion from the memory of the HSM Physical destruction in cross cut shredder 3DES 32 Key-Encryption Key / Key-Transport Key Shared between internal cryptographic zones.
Modified p. 83 → 169
SafeNet PSG / Thales Loaded by 3 Key Custodians. Deletion from the memory of destruction in Not Confirmed
SafeNet PSG / Thales Loaded by 3 Key Custodians.
Modified p. 84 → 170
As cryptogram in protected SafeNet PSG Translated from under ZMK Deletion from the memory of destruction in Per batch of MDK 3DES 32 Master Derivation Used by the data preparation system to generate the UDKs by the issuer Ciphered with a ZMK As cryptogram in protected SafeNet PSG Translated from under ZMK Deletion from the memory of destruction in On request of
As cryptogram in protected memory of HSM. SafeNet PSG Translated from under ZMK Deletion from the memory of the HSM Physical destruction in cross cut shredder Per batch of chips MDK 3DES 32 Master Derivation Key Used by the data preparation system to generate the UDKs. Generated by the issuer. As cryptogram in protected memory of HSM. SafeNet PSG Translated from under ZMK Deletion from the memory of the HSM Physical destruction in cross cut shredder On request of issuer