PCI Card Production Security Requirements
Challenges for Card Manufacturing and Personalization
Larry Brown
ICMA 2015 EXPO
Good afternoon, ICMA 25th Anniversary EXPO attendees. I'm Larry Brown, and I've had the privilege of working in the card industry for about 30 years. As I'm sure many of you are aware, especially the Secured Card Processors, the Physical and Logical Security Requirements for Card Production have recently been consolidated under the PCI Security Standards Council. Implementation schedules vary by association; Visa and MasterCard are currently utilizing the new requirements for most manufacturing and personalization facilities.
Factors Potentially Affecting You
The immediate or near-term effect on your operation's requirements will initially depend upon which Association(s) you process under and on implementation timing. In some instances you may find that the requirements are somewhat more restrictive; in other instances a requirement may actually be more liberal. In either instance, however, the requirements will be more consistent and
Factors Potentially Affecting You
Since the PCI Security Standards Council was founded by the predominant card brands, who better to review and consolidate industry standards? Historically, Visa, MasterCard, American Express, Discover and JCB have had somewhat different requirements relating to Physical and Logical Security, although logic tended to drive similar solutions to common risks.
Physical Security Requirements are necessarily based upon how best to prevent unauthorized individuals from physically accessing product, components, or areas where sensitive cardholder information might be found. Logical Security Requirements are based upon how best to prevent unauthorized logical access to cardholder information and other system-based sensitive data elements such as CVV or PIN data, or to systems capable of generating secret data.
If you are trying to prevent an unauthorized individual from entering an area, then a secured door is usually a requirement. In the past, there was sometimes confusion based upon differing rules about how strong that door had to be, how long it could be open, how unauthorized individuals were restricted from opening the door, and so on. So a general requirement, common to almost anyone who attempted to enforce rules or reduce risk by use of an easily understood security measure, was sometimes difficult to accommodate sufficiently to achieve compliance, because the specifics were interpreted differently. This sometimes created a confusing environment for secured vendors, especially those who processed products for more than one brand.
Factors Potentially Affecting You
Most agree that consolidation is a good idea and will ultimately benefit the Vendor. The new requirements are a culmination of input from the Associations, with many of the changes a result of vendor input and of interpretations made in the past to clarify vendor issues. This provides a clear set of requirements that will simplify vendor security planning. It simplifies vendor preparation for logical and physical security reviews, especially for those who must prepare for multiple associations. It enhances security planning and risk remediation for the industry, since there is now, or soon will be, a consistent approach utilizing best practices from all stakeholders.
Do not confuse the new PCI Card Production Logical and Physical Security Requirements with the PCI Data Security Standard (PCI DSS). Implementation schedules are announced separately by the various Associations. After draft versions of the proposed PCI requirements had been available for some time, Versions 1.0 for both Physical and Logical Security were released in May 2013, with several Technical FAQs released subsequently to provide clarification for requirements where needed. For those shops already affiliated with one or more of the associations, you will quickly recognize some requirements listed almost verbatim and see others that are new or significantly modified.
Examples of Changes: Physical Security
Restrooms are prohibited within the High Security Area (HSA) except where required by law.
All enclosed rooms within the HSA are themselves considered HSAs and must individually conform to the dual occupancy and other HSA requirements (this includes miscellaneous areas such as conference rooms).
Dual occupancy for each HSA is enforced by the access control system by requiring a 2nd authorized occupant to access the area within 60 seconds.
Motion detection for each HSA is interfaced with the access control system such that alarms are activated if motion is detected when occupancy = 0, and/or if motion is not detected when occupancy > 0.
Information on the card back must identify the vendor that produced the card.
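The dual-occupancy and motion-interlock rules above, as an added example that is not part of the original presentation or of the PCI requirements documents themselves: a small Python monitor that replays a constructed badge and motion-sensor event log for one HSA and raises the alarms those two rules call for. The event format, the `idle` sensor report (meaning the sensor saw no motion during its sample window), the area name, and applying the 60-second single-occupant timer also when an exit leaves one person inside are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Tuple

# Stated in the requirements summary: a second authorized occupant must
# badge in within 60 seconds of the first.
DUAL_OCCUPANCY_WINDOW = 60


@dataclass
class HsaMonitor:
    """Occupancy tracker and alarm logic for one High Security Area."""
    area: str
    present: set = field(default_factory=set)          # badge IDs currently inside
    alone_since: Optional[int] = None                  # time occupancy last became 1
    alone_alarmed: bool = False                        # alarm already raised for this episode
    alarms: List[Tuple[int, str]] = field(default_factory=list)

    def _alarm(self, ts: int, msg: str) -> None:
        self.alarms.append((ts, f"{self.area}: {msg}"))

    def tick(self, ts: int) -> None:
        """Evaluate the dual-occupancy timer at time ts (seconds)."""
        if (self.alone_since is not None and not self.alone_alarmed
                and ts - self.alone_since > DUAL_OCCUPANCY_WINDOW):
            self._alarm(ts, "dual occupancy violated: single occupant for more than "
                            f"{DUAL_OCCUPANCY_WINDOW}s (alone since t={self.alone_since})")
            self.alone_alarmed = True

    def event(self, ts: int, kind: str, subject: Optional[str] = None) -> None:
        self.tick(ts)                       # timer is checked before each new event
        if kind == "badge_in":
            self.present.add(subject)
        elif kind == "badge_out":
            self.present.discard(subject)
        elif kind == "motion":              # sensor tripped
            if not self.present:
                self._alarm(ts, "motion detected with occupancy 0")
        elif kind == "idle":                # assumed: sensor saw no motion in its sample window
            if self.present:
                self._alarm(ts, f"no motion detected with occupancy {len(self.present)}")
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        # (Re)start the single-occupant timer whenever occupancy is exactly 1.
        # The page states the rule for entry; applying it after an exit that
        # leaves one person inside is an assumption of this example.
        if len(self.present) == 1:
            if self.alone_since is None:
                self.alone_since = ts
                self.alone_alarmed = False
        else:
            self.alone_since = None
            self.alone_alarmed = False


def run(events, area: str = "HSA-1", end_ts: Optional[int] = None) -> List[Tuple[int, str]]:
    """Replay (ts, kind, subject) events and return the alarms raised."""
    mon = HsaMonitor(area)
    for ts, kind, subject in events:
        mon.event(ts, kind, subject)
    mon.tick(end_ts if end_ts is not None else events[-1][0])
    return mon.alarms


# Constructed sample log for the example (not real site data).
SAMPLE_EVENTS = [
    (0,   "badge_in",  "emp-101"),   # first person enters alone
    (20,  "motion",    None),        # occupied and moving: no alarm
    (45,  "badge_in",  "emp-202"),   # second occupant within 60 s: compliant
    (300, "idle",      None),        # no motion while two are inside: alarm
    (400, "badge_out", "emp-202"),   # emp-101 is now alone; timer starts
    (500, "badge_out", "emp-101"),   # alone for 100 s: alarm raised at this tick
    (520, "motion",    None),        # motion with nobody badged in: alarm
]

if __name__ == "__main__":
    for ts, msg in run(SAMPLE_EVENTS):
        print(f"t={ts:4d}  {msg}")
```

The timer is only evaluated when an event arrives or `run()` finishes, so a deployed monitor would evaluate `tick()` on a clock as well; the structure is what matters here: the access-control occupancy count is the single source of truth that both the dual-occupancy timer and the motion sensor are reconciled against.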
Examples of Changes: Logical Security
PIN Distribution via Electronic Methods has been added as a separate chapter.
An Annex has been added clarifying minimum and equivalent key sizes and strengths for approved algorithms.
Network security and configuration requirements have been updated and better described, and in some instances strengthened.
Security testing and monitoring requirements have been clarified.
User access, emergency changes, remote access, etc. are all more clearly described.
What Can I Do to Prepare?
Go to www.pcisecuritystandards.org and review the new Card Production Logical and Physical Security Standards.
Compare your existing policies and procedures to determine any gaps.
Review your facility layout and controls to determine gaps, with particular attention to HSAs.
Review your network topology and system controls to determine compliance with the new requirements.
Assess costs and production impacts relative to any modifications necessary to bring the bureau into compliance.
What Can I Do to Prepare?
As in the past, work closely with your Card Association to determine timing: When is my next Association Site Review? What is my Association's implementation schedule?
Perform a local Risk Assessment: What are my areas of greatest risk exposure? Which modifications, if any are needed, can I make quickly and inexpensively? Remember that some changes may be as simple as adding verbiage to existing procedures and implementing the modified procedure.
What are the capital implications, and how can I plan for any modifications that may require more extensive preparation (construction, equipment acquisition, etc.)?
Overview
Requirements consolidation seems to be a good thing for the vendor.
A unified set of requirements for the Associations, rather than different rules that require substantially different preparation.
Clarified requirements based upon historic questions regarding interpretations and emerging threats.
FAQs and Interpretations from the different Associations/Vendors will provide a more unified approach to threats that are common to all.
Remember
We're all in this together.
The bad guys seem to be getting smarter.
New threats are emerging every day, and responses with new or modified controls are likely to be an ongoing part of our environment.
A unified, consolidated approach to our response to security threats would seem to make good sense.
Thank you