PCI Card Production

Physical and Logical Security Audits for Card Manufacturers

In May 2013, the PCI SSC published the PCI Card Production Security Requirements for Card Manufacturers and Personalization Bureaus. The task of maintaining and further developing the requirements was thus transferred to the PCI SSC.
However, the payment schemes (e.g. MasterCard) still decide independently how to interpret the standards, and the final decision on whether a manufacturer or personalization bureau is compliant with the security requirements continues to rest with them. The payment schemes maintain their own Compliance Programs for this purpose.

In addition to the physical (construction of the site) and organisational security requirements, the payments industry also expects card manufacturers and personalization bureaus to comply with security requirements concerning data processing and storage, i.e. logical security requirements. 

Card manufacturers and personalization bureaus undergo regular physical and/or logical security audits to prove their compliance with all requirements. For the logical requirements this means, for example, that a manufacturer or personalization bureau has an Information Security Management System in place that covers all relevant IT-related matters.