atsec China has been qualified by PCI SSC (Payment Card Industry Security Standards Council) as a Card Production Security Assessor (CPSA) Company to validate an entity’s adherence to the PCI Card Production and Provisioning Logical Security and Physical Security Requirements (two separate security standards). Currently atsec provides the PCI Card Production Logical Security and Physical Security Standards assessment services in the CEMEA, Canada, Europe, LAC, USA and Asia Pacific markets.
The development, manufacture, transport, and personalization of payment cards and their components have a strong impact on the security structures of the payment systems, issuers, and vendors involved in their issuance. Data security is the primary focus of the standards.
The PCI Card Production and Provisioning Logical Security Requirements (“PCI Card Production Logical Security Standard”) addresses the logical security controls associated with card production and provisioning such as:
- EMV data preparation
- Pre-personalization
- Card embossing
- IC and magnetic-stripe personalization
- PIN generation
- PIN mailers
- Card carriers
- Distribution
The PCI Card Production and Provisioning Physical Security Requirements (“PCI Card Production Physical Security Standard”) provide a comprehensive source of information for entities involved in card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment. The standard specifies the physical security requirements and procedures that entities must follow before, during, and after the following processes:
- Card Manufacturing
- Chip embedding
- Personalization
- Storage
- Packaging
- Mailing
- Shipping or delivery
- Fulfillment
In addition to the card production activities above, the two standards describe the logical and physical security requirements for entities that:
- Perform cloud-based or secure element (SE) provisioning services;
- Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data;
- Manage associated cryptographic keys.
atsec’s CPSA assessors can work with you to confirm the assessment scope, perform the assessment on-site, complete the PCI Card Production ROC (Report on Compliance) and AOC (Attestation of Compliance), submit them to applicable payment brands or cooperative entities, and perform re-validation where applicable.
In addition to the assessment service, atsec offers a full range of consulting services to support your organization in achieving compliance with the PCI Card Production Logical and/or Physical Security Standards. atsec consultants have experience in each of the requirement areas (e.g. data security, network security, system security hardening and management, user management, key management, PIN distribution, personal security management, premises security protection, production procedures security control, security audit, secure packaging and delivery), and can help you develop appropriate measures to achieve compliance.
The CPSA Assessors list can be found on the official website of PCI SSC, and atsec’s qualification is shown below:
In addition to being a CPSA assessor, atsec is an accredited PCI QSA, ASV, QPA, PA QSA, P2PE, 3DS assessor, SSF assessor and PFI, and offers a full range of services to support organizations in achieving PCI compliance.