(PCI) Card Production and Provisioning

Total pages: 16

File type: PDF, size: 1020 KB

Payment Card Industry (PCI) Card Production and Provisioning
Physical Security Requirements
Version 2.0
December 2016

© 2013-2016 PCI Security Standards Council, LLC

This document and its contents may not be used, copied, disclosed, or distributed for any purpose except in accordance with the terms and conditions of the Non-Disclosure Agreement executed between the PCI Security Standards Council LLC and your company. Please review the Non-Disclosure Agreement before reading this document.

PCI Card Production and Provisioning – Physical Security Requirements, v2.0, December 2016
Copyright 2013-2016 PCI Security Standards Council, LLC

Document Changes

Date            Version   Author   Description
December 2012   1.x       PCI      RFC version
May 2013        1.0       PCI      Initial Release
March 2015      1.1       PCI      Enhancements for clarification
July 2016       2.x       PCI      RFC version. Addition of Mobile Provisioning and other changes.
December 2016   2.0       PCI      See Summary of Changes from v1.1 to v2.

Table of Contents

Document Changes .... ii
1 Scope .... 1
  1.1 Laws and Regulations .... 2
  1.2 Loss Prevention .... 2
  1.3 Limitations .... 2
2 Personnel .... 3
  2.1 Employees .... 3
    2.1.1 Pre-employment Documentation and Background Checks .... 3
    2.1.2 Applicant/Employee Background Information Retention .... 3
    2.1.3 Screening and Documentation Usage .... 3
    2.1.4 Personnel Changes .... 4
    2.1.5 Security Communication and Training .... 5
    2.1.6 Notification .... 5
  2.2 Guards .... 6
    2.2.1 General Guidelines .... 6
    2.2.2 Role and Responsibilities .... 6
    2.2.3 Documentation .... 7
    2.2.4 Security Training .... 7
  2.3 Visitors .... 8
    2.3.1 Registration procedures .... 8
    2.3.2 Visitor Security Notification .... 9
    2.3.3 Visitor identification .... 9
  2.4 External Service Providers .... 9
    2.4.1 General Guidelines .... 9
  2.5 Vendor's Agents .... 10
    2.5.1 General Guidelines .... 10
3 Premises .... 11
  3.1 External Structure .... 11
    3.1.1 External Construction .... 11
    3.1.2 Exterior Entrances and Exits .... 11
    3.1.3 External Walls, Doors and Windows .... 11
    3.1.4 Building Peripheral Protection .... 12
  3.2 External Security .... 12
    3.2.1 Emergency Exits .... 12
    3.2.2 Exterior Lighting .... 12
    3.2.3 Roof Access .... 13
    3.2.4 Exterior CCTV .... 13
    3.2.5 Signage .... 13
  3.3 Internal Structure and Processes .... 13
    3.3.1 Reception .... 13
    3.3.2 Security Control Room .... 14
    3.3.3 High Security Areas (HSAs) .... 16
    3.3.4 HSA – Security Protection and Access Procedures .... 16
    3.3.5 Rooms .... 18
    3.3.6 Other Areas .... 21
  3.4 Internal Security .... 23
    3.4.1 Alarm Systems .... 23
    3.4.2 Badge Administration .... 23
    3.4.3 Badge Access System .... 24
    3.4.4 Duress Buttons .... 25
    3.4.5 Locks and Keys .... 26
    3.4.6 Closed Circuit Television (CCTV) .... 27
    3.4.7 Security Device Inspections .... 28
  3.5 Vendor Security Contingency Plan .... 29
  3.6 Decommissioning Plan .... 29
4 Production Procedures and Audit Trails .... 30
  4.1 Order Limitations .... 30
  4.2 Card Design Approvals .... 30
    4.2.1 Proof Submission .... 30
    4.2.2 Approval Response .... 30
  4.3 Samples .... 30
    4.3.1 Sample Retention .... 30
    4.3.2 Required Samples .... 30
  4.4 Origination Materials and Printing Plates – Access and Inventory .... 31
  4.5 Core Sheets and Partially Finished Cards .... 31
    4.5.1 Core Sheets ....
Recommended publications
  • Wiegand Converter Board Manual
    Wiegand Converter Configuration Utility User Manual 99009020 Rev B
    Thank You! Congratulations on the purchase of the Wiegand Converter. RF IDeas knows you will enjoy using the converter board as much as we enjoyed creating and developing it! Configuration is easy so you will be able to quickly take advantage of a more secure environment in your business, school, or organization. Please call our Sales department if you have any questions or are interested in our OEM and Independent Developer's programs. We look forward to your comments and suggestions for our product line! Please go to www.RFIDeas.com and follow the Support a Learning Center link for more details about our product line. We are always discovering new applications for our product line(s). There are several software developer's licensing our technology so the solution you are looking for may already be developed. Thank you, The RF IDeas Staff
    Need Assistance? Ph: 847.870.1723 Fx: 847.483.1129 E: [email protected] [email protected]
    Contents: 2 Thank You!; 4 Chapter 1: The Basics; 4 Wiegand Converter Overview; 5 Chapter 2: Installation; 5 Wiegand Converter Installation; 6 Wiegand Converter Board Layout; 8 RS-485/422 Connections; 9 Jumper Locations; 10 Connectors Locations; 11 Chapter 3: Lock Connection; 11 Push Button Magnetic Lock Connection; 12 Magnetic Lock Connection; 13 Chapter 4: Control Protocol; 13 Serial OEM ASCII Control Protocol; 15 Chapter 5: OEM-W2065 Connection Diagrams; 17 Chapter 6: Glossary; 18 Chapter 7: Support; 23 Index; 24 Other Products and Accessories
    3 The Basics
  • Designing Physical Security Monitoring for Water Quality Surveillance and Response Systems
    United States Environmental Protection Agency Designing Physical Security Monitoring For Water Quality Surveillance and Response Systems Office of Water (AWBERC, MS 140) EPA 817-B-17-001 September 2017 Disclaimer The Water Security Division of the Office of Ground Water and Drinking Water has reviewed and approved this document for publication. This document does not impose legally binding requirements on any party. The information in this document is intended solely to recommend or suggest and does not imply any requirements. Neither the U.S. Government nor any of its employees, contractors or their employees make any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party’s use of any information, product or process discussed in this document, or represents that its use by such party would not infringe on privately owned rights. Mention of trade names or commercial products does not constitute endorsement or recommendation for use. Version History: The 2019 version is the second release of the document, originally published in September 2017. This release includes updated component names (Enhanced Security Monitoring was changed to Physical Security Monitoring and Consequence Management was changed to Water Contamination Response), an updated version of Figure 1.1 that reflects the component name changes and includes the Advanced Metering Infrastructure component, an updated Glossary, updated target capabilities, and updated links to external resources. “Enhanced” was replaced with “Physical” in this document to avoid any implication of a baseline standard, and better describe the type of security. Questions concerning this document should be addressed to [email protected] or the following contacts: Nelson Mix U.S.
  • Standards for Building Materials, Equipment and Systems Used in Detention and Correctional Facilities
    Research Information Center, National Bureau of Standards, Gaithersburg, Maryland 20899. PUBLICATIONS. NBSIR 87-3687.
    Standards for Building Materials, Equipment and Systems Used in Detention and Correctional Facilities. Robert D. Dikkers, Belinda C. Reeder. U.S. DEPARTMENT OF COMMERCE, National Bureau of Standards, National Engineering Laboratory, Center for Building Technology, Building Environment Division, Gaithersburg, MD 20899. November 1987. Prepared for: U.S. Department of Justice, National Institute of Corrections, Washington, DC 20534. U.S. DEPARTMENT OF COMMERCE, C. William Verity, Secretary. NATIONAL BUREAU OF STANDARDS, Ernest Ambler, Director.
    TABLE OF CONTENTS (page): Preface, vi; Acknowledgements, vii; Executive Summary, ix; I. INTRODUCTION, 1; A. Background, 1; B. Objectives and Scope of NBS Study, 3; II. FACILITY DESIGN AND CONSTRUCTION, 6; A. Facility Development Process, 6; 1. Needs Assessment, 6; 2. Master Plan, 6; 3. Mission Statement, 6; 4. Architectural Program, 7; 5. Schematic Design and Design Development, 7; 6. Construction, 9; B. Security Levels, 10; C. ACA Standards, 13; III. MATERIALS, EQUIPMENT AND SYSTEMS, 14; A. Introduction, 14; B. Performance Problems, 15; C. Available Standards/Guide Specifications, 20; D. Perimeter Systems, 21; 1.
  • Physical Access Control Systems (PACS) Customer Ordering Guide
    Physical Access Control Systems (PACS) Customer Ordering Guide. Revised January 2017.
    Table of Contents (page): Purpose, 3; Background, 3; Recent Policy Announcements, 4; What is PACS?, 5; As an end-user agency, where do I start and what steps are involved?, 7; Where do I purchase PACS Solutions from GSA?, 10; How do I purchase a PACS Solution using GSA eBuy?, 11; Frequently Asked Questions (FAQs), 12; GSA Points of Contact for PACS, 15; Reference Documents, 16; Sample Statement of Work (SOW), 18.
    Purpose: The purpose of this document is to create a comprehensive ordering guide that assists ordering agencies, particularly contracting officers, to
  • HIPAA Security Standards: Physical Safeguards
    Security SERIES. HIPAA Security 3: Security Standards: Physical Safeguards.
    Topics: 1. Security 101 for Covered Entities; 2. Security Standards - Administrative Safeguards; 3. Security Standards - Physical Safeguards; 4. Security Standards - Technical Safeguards; 5. Security Standards - Organizational, Policies and
    Compliance Deadlines: No later than April 20, 2005 for all covered entities except small health plans, which have until no later than April 20, 2006.
    What is the Security Series? The security series of papers will provide guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled "Security Standards for the Protection of Electronic Protected Health Information," found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The series will contain seven papers, each focused on a specific topic related to the Security Rule. The papers, which cover the topics listed to the left, are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions. CMS recommends that covered entities read the first paper in this series, "Security 101 for Covered Entities" before reading the other papers. The first paper clarifies important Security Rule concepts that will help covered entities as they plan for implementation. This third paper in the series is devoted to the standards for Physical Safeguards and their implementation specifications and assumes the reader has a basic understanding of the Security Rule.
  • How to Manage Physical Security Risk
    How to Manage Physical Security Risk
    Table of Contents (page): Introduction, 3; What Is Physical Security Exactly?, 4; Components of Physical Security, 5; The Importance Of Physical Security, 5; How Physical Security Helps To Ensure Digital Safety, 7; The Most Common Physical Security Threats, 9; How To Mitigate Physical Security Threats, 10; Top Tips To Maintain Physical Security At Your Workplace, 12; Final Words, 14.
    Introduction: Digital security has become the watchword of the day. As we step into the new decade, the world is visibly dependent on IT infrastructure for carrying out everyday business operations. Be it monetary transactions or information exchange,
  • Cyber Security and Cloud Video Surveillance
    CYBER SECURITY WHITE PAPER, Page 1 of 14. Cyber Security and Cloud Video Surveillance. Eagle Eye Networks | 4611 Bee Caves Rd, #200 | Austin, TX 78746 | www.een.com | +1-512-473-0500 | [email protected]
    This paper explains why video surveillance system security can and should be more fully addressed within the industry, so that cyber security is not left as a problem for installers or customers to solve. Eagle Eye Networks is a leader in this respect, mitigating security concerns from the point of product research, development and deployment.
    Introduction. Figure 1. Timeline: escalating cyber attacks on security video cameras and DVRs. Today's networked video surveillance systems are vulnerable in many ways, and their cameras have been weaponized by hackers to create massive Distributed Denial of Service (DDoS) attacks on targeted systems. Figure 1 presents a timeline of recent cyber attacks and threats affecting Internet-connected security cameras and digital video recorders (DVRs). Securing today's networked video systems can be a complex and difficult technical challenge. However, especially for small and medium size businesses, it doesn't have to be that way. Video systems and equipment can be purpose-built to constitute a pre-hardened and more easily securable system, in contrast to the current installed base of networked video technology. In September of 2016, a large French web-hosting provider reported a record-breaking 1-terabit-per-second DDoS attack against their web servers, unleashed by a collection of more than 145 thousand hacked Internet-connected video cameras and digital video recorders.
  • Physical Security Models, Philosophies, and Context
    Journal of International Information Management, Volume 10, Issue 2, Article 9, 2001. Physical security models, philosophies, and context. Karen A. Forcht, James Madison University; S. E. Kruck, James Madison University. Follow this and additional works at: https://scholarworks.lib.csusb.edu/jiim. Part of the Management Information Systems Commons.
    Recommended Citation: Forcht, Karen A. and Kruck, S. E. (2001) "Physical security models, philosophies, and context," Journal of International Information Management: Vol. 10 : Iss. 2 , Article 9. Available at: https://scholarworks.lib.csusb.edu/jiim/vol10/iss2/9
    This Article is brought to you for free and open access by CSUSB ScholarWorks. It has been accepted for inclusion in Journal of International Information Management by an authorized editor of CSUSB ScholarWorks. For more information, please contact [email protected].
    ABSTRACT: This paper presents physical security of a computer facility within the context of a corporate environment. The context is established from several different perspectives. It first presents physical security philosophies and illustrates the philosophies via the Onion and Garlic Models. It defines a process for identifying and describing transition strategies between security levels. Once the models are defined, a Macro View of physical security is presented. This view discusses physical security goals and critical factors such as budget, monitoring and redundancy. With this context established, the Micro View is presented. Its focus is on information technology (IT) facilities that protect centralized or clustered IT resources.
  • Rfids and Secret Handshakes: Defending Against Ghost-And-Leech Attacks and Unauthorized Reads with Context-Aware Communications
    RFIDs and Secret Handshakes: Defending Against Ghost-and-Leech Attacks and Unauthorized Reads with Context-Aware Communications. Alexei Czeskis (University of Washington, [email protected]), Karl Koscher (University of Washington, [email protected]), Joshua R. Smith (Intel Research Seattle, [email protected]), Tadayoshi Kohno (University of Washington, [email protected]).
    ABSTRACT: We tackle the problem of defending against ghost-and-leech (a.k.a. proxying, relay, or man-in-the-middle) attacks against RFID tags and other contactless cards. The approach we take — which we dub secret handshakes — is to incorporate gesture recognition techniques directly on the RFID tags or contactless cards. These cards will only engage in wireless communications when they internally detect these secret handshakes. We demonstrate the effectiveness of this approach by implementing our secret handshake recognition system on a passive WISP RFID tag with a built-in accelerometer. Our secret handshakes approach is backward compatible with existing deployments of RFID tag and contactless card readers.
    1. INTRODUCTION: Radio frequency identification tags (RFIDs) and other contactless cards (like proximity cards and contactless smartcards) are increasing in ubiquity. For example, large corporations often use RFIDs or proximity cards to regulate building access. American Express, VISA, and MasterCard all produce credit cards with embedded RFID tags. Many car keys also have embedded RFID tags to help protect against hot-wiring. While the security community has invested significant resources in understanding and addressing the security deficiencies of such cards — including documented attacks against and defensive recommendations for each of the above examples [2, 11, 13] — there exists one class of
  • Strong Authentication
    WHITE PAPER: Strong Authentication. How to achieve the level of Identity Assurance you need, in a way that's both convenient and affordable.
    Executive Summary: It's a constant challenge to accommodate all the different access needs of all your users, while simultaneously locking down your resources to protect them from threats. To trust your users are who they say they are and effectively manage their access to your resources, you need a complete identity assurance solution, the foundation of which is strong authentication. The issuance and ongoing management, however, of user credentials, on all the various devices, from smart cards to mobile phones you need to support, for all the applications and resources your users may want to access can pose its own issues. As a result, you need a strong authentication solution that makes it easy for you to issue and manage credentials to provide differing levels of security for differing levels of access in a way that is convenient for the user – anything less negates the effectiveness of the overall solution.
    Table of Contents (page): 1. Executive summary; 3. The need for Strong Authentication in today's enterprise; 3. Defining Strong Authentication to address the challenges of traditional solutions; 4. Requirements for effective Strong Authentication – no compromises; 5. The approach for a Strong Authentication solution capable of delivering your users the secure access they need; 8. ActivID card management system; 8. Reaping the benefits of an effective Strong Authentication solution; 10. The ActivID difference – peace of mind for users and organisations.
    The need for Strong Authentication in today's Enterprise: Users are increasingly distributed, mobile and varied, requiring many enterprises to take a new look at how to establish trust in a user's identity and control their access accordingly.
  • P2000/P2000LE Security Management System
    P2000/P2000LE Security Management System, Web Access Option. Version 3.8 and higher, April, 2008. 09-9303-01 Revision A. Security Solutions, (805) 522-5555, www.johnsoncontrols.com. Copyright 2008 Johnson Controls, Inc. All Rights Reserved.
    No part of this document may be reproduced without the prior permission of Johnson Controls, Inc. Acknowledgment: Cardkey P2000, BadgeMaster, and Metasys are trademarks of Johnson Controls, Inc. All other company and product names are trademarks or registered trademarks of their respective owners. If this document is translated from the original English version by Johnson Controls, Inc., all reasonable endeavors will be used to ensure the accuracy of translation. Johnson Controls, Inc. shall not be liable for any translation errors contained herein or for incidental or consequential damages in connection with the furnishing or use of this translated material. Due to continuous development of our products, the information in this document is subject to change without notice. Johnson Controls, Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with furnishing or use of this material. Contents of this publication may be preliminary and/or may be changed at any time without any obligation to notify anyone of such revision or change, and shall not be regarded as a warranty.
    TABLE OF CONTENTS: Chapter 1: Introduction; Chapter Summaries
  • Pcprox® Plus, Pcprox® Enroll & Wiegand Converter
    pcProx® Plus, pcProx® Enroll & Wiegand Converter Configuration Utility User Manual 99009010 Rev A.5
    Thank You! Congratulations on the purchase of your pcProx® Enroll, pcProx® Plus, or Wiegand device(s). RF IDeas hopes you enjoy using the readers as much as we enjoyed creating and developing them. Configuration is easy, so you will be able to quickly take advantage of a more secure environment in your business, school, or organization. Please call our Sales department if you have any questions or are interested in our OEM and Independent Developer's programs. We look forward to your comments and suggestions for our product line! Please go to www.RFIDeas.com and follow the Support a Learning Center link for more details about our product line. We are always discovering new applications for our product line(s). There are several software developer's licensing our technology so the solution you are looking for may already be developed. Thank you, The RF IDeas Staff
    Need Assistance? Ph: 847.870.1723 Fx: 847.483.1129 E: Sales@RFIDeas.com TechSupport@RFIDeas.com
    Glossary Of Terms. ASCII: The American Standard Code for Information Interchange codes represent text in computers, communications equipment, and other devices that use text. Contactless: The high frequency 13.56 MHz smart card technology. FAC: Facility Access Code. OEM: The proximity card and badge reader available in self-contained electronic modules for easy system integration. pcProx Contactless: The registered RF IDeas brand name given to all 13.56 MHz contactless card reader products. pcProx Proximity: The registered RF IDeas brand name given to all 125 kHz proximity reader products.