Payment Card Industry (PCI)
Card Production and Provisioning
Physical Security Requirements

Version 2.0
December 2016

© 2013-2016 PCI Security Standards Council, LLC

This document and its contents may not be used, copied, disclosed, or distributed for any purpose except in accordance with the terms and conditions of the Non-Disclosure Agreement executed between the PCI Security Standards Council LLC and your company. Please review the Non-Disclosure Agreement before reading this document.

PCI Card Production and Provisioning – Physical Security Requirements, v2.0, December 2016
Copyright 2013-2016 PCI Security Standards Council, LLC. Page i

Document Changes

Date            Version   Author   Description
December 2012   1.x       PCI      RFC version
May 2013        1.0       PCI      Initial Release
March 2015      1.1       PCI      Enhancements for clarification
July 2016       2.x       PCI      RFC version. Addition of Mobile Provisioning and other changes.
December 2016   2.0       PCI      See Summary of Changes from v1.1 to v2.

Table of Contents

Document Changes ..... ii
1 Scope ..... 1
1.1 Laws and Regulations ..... 2
1.2 Loss Prevention ..... 2
1.3 Limitations ..... 2
2 Personnel ..... 3
2.1 Employees ..... 3
2.1.1 Pre-employment Documentation and Background Checks ..... 3
2.1.2 Applicant/Employee Background Information Retention ..... 3
2.1.3 Screening and Documentation Usage ..... 3
2.1.4 Personnel Changes ..... 4
2.1.5 Security Communication and Training ..... 5
2.1.6 Notification ..... 5
2.2 Guards ..... 6
2.2.1 General Guidelines ..... 6
2.2.2 Role and Responsibilities ..... 6
2.2.3 Documentation ..... 7
2.2.4 Security Training ..... 7
2.3 Visitors ..... 8
2.3.1 Registration Procedures ..... 8
2.3.2 Visitor Security Notification ..... 9
2.3.3 Visitor Identification ..... 9
2.4 External Service Providers ..... 9
2.4.1 General Guidelines ..... 9
2.5 Vendor’s Agents ..... 10
2.5.1 General Guidelines ..... 10
3 Premises ..... 11
3.1 External Structure ..... 11
3.1.1 External Construction ..... 11
3.1.2 Exterior Entrances and Exits ..... 11
3.1.3 External Walls, Doors and Windows ..... 11
3.1.4 Building Peripheral Protection ..... 12
3.2 External Security ..... 12
3.2.1 Emergency Exits ..... 12
3.2.2 Exterior Lighting ..... 12
3.2.3 Roof Access ..... 13
3.2.4 Exterior CCTV ..... 13
3.2.5 Signage ..... 13
3.3 Internal Structure and Processes ..... 13
3.3.1 Reception ..... 13
3.3.2 Security Control Room ..... 14
3.3.3 High Security Areas (HSAs) ..... 16
3.3.4 HSA – Security Protection and Access Procedures ..... 16
3.3.5 Rooms ..... 18
3.3.6 Other Areas ..... 21
3.4 Internal Security ..... 23
3.4.1 Alarm Systems ..... 23
3.4.2 Badge Administration ..... 23
3.4.3 Badge Access System ..... 24
3.4.4 Duress Buttons ..... 25
3.4.5 Locks and Keys ..... 26
3.4.6 Closed Circuit Television (CCTV) ..... 27
3.4.7 Security Device Inspections ..... 28
3.5 Vendor Security Contingency Plan ..... 29
3.6 Decommissioning Plan ..... 29
4 Production Procedures and Audit Trails ..... 30
4.1 Order Limitations ..... 30
4.2 Card Design Approvals ..... 30
4.2.1 Proof Submission ..... 30
4.2.2 Approval Response ..... 30
4.3 Samples ..... 30
4.3.1 Sample Retention ..... 30
4.3.2 Required Samples ..... 30
4.4 Origination Materials and Printing Plates – Access and Inventory ..... 31
4.5 Core Sheets and Partially Finished Cards ..... 31
4.5.1 Core Sheets .....