Last updated at Wed, 30 Aug 2017 00:18:17 GMT

PCI SSC is putting the finishing touches on two new standards (Physical and Logical Security Requirements) for card manufacturers and card personalization centers.

After having co-authored the first version of the PCI DSS and having designed and led the ASV certification program on behalf of PCIco, I was assigned another critical mission for a "secret" department at Mastercard, the Global Vendor Certification Program. My role was to write a set of logical security requirements to minimize the risks pertaining to the personalization of credit cards.

That was back in 2009. It's interesting to see that nowadays these specs are following the same destiny as the Data Security Standard (DSS) and the PIN Transaction Security (PTS) standard. The Payment Brands, mostly VISA and MasterCard, eventually decided to combine their sources under the umbrella of PCI SSC. The standards (Physical and Logical) are expected to be released in early 2013. Audit processes and compliance management will stay under the supervision of each Payment Brand.

The context

As you can imagine, your cards do not appear in your wallet by the manifestation of a Holy spirit (although that would be cool!!). There are organizations out there whose business and expertise is to manufacture and personalize magnetic-stripe and chip cards on behalf of Issuing banks.

Imagine hundreds or thousands of cards and associated details located on such sites and you will have a good sense of the associated risks. In terms of data, the standards focus on the protection of:

Secret data: All symmetric (e.g., Triple DES, AES) and private asymmetric keys (e.g., RSA)—except keys used only for encryption of cardholder data—are secret data and must be managed in accordance with the key management secret data (8.0) section of this document. Examples:

  • Chip personalization keys
  • PIN Key and the key used to generate CVVs, CVCs

Confidential data: Cardholder data and keys used to encrypt cardholder data are confidential data and must be managed in accordance with the Key management confidential data (9.0) section of this document. Examples:

  • PAN, expiry, service code, cardholder name
  • SSL keys
  • Vendor evidence preserving data

Such vendors are therefore subject to stringent physical and logical security rules, which are validated yearly. Non-compliance with these rules has a heavy impact on the business: removal from the list of approved card vendors used by the Issuers. I had several opportunities to audit such premises. Quite impressive in fact: the processes, the machines and the security.

The standards

Logical Standard

This standard describes the logical security requirements for vendors that personalize cards or manipulate card data during the preparation of payment system cards. All systems and business processes associated with card personalization must comply with these requirements. The logical standard is quite comprehensive (and more demanding than PCI DSS); the main difference lies in a heavy section on key management (sections 8 and 9). There are 9 sections, 46 subsections and about 420 requirements.

Below is an overview of the structure of this standard.

2. Roles and Responsibilities

2.1 Information Security Personnel

2.2 Assignment of Security Duties

3. Security Policy and Procedures

3.1 Information Security Policy

3.2 Security Procedures

3.3 Incident Response Plans and Forensics Data Security

4. Data Security

4.1 Classification

4.2 Encryption

4.3 Access to Cardholder Data

4.4 Transmission of Cardholder Data

4.5 Retention and Deletion of Cardholder Data

4.6 Media Handling

4.7 Contactless Personalization Network Security

5. Network Security

5.1 Personalization Network

5.2 General Requirements

5.3 Network Devices

5.4 Firewalls

5.5 Remote Access

5.6 Wireless Networks

5.7 Security Testing and Monitoring

6. System Security

6.1 General

6.2 Change Management

6.3 Configuration and Patch Management

6.4 Audit Logs

6.5 Software Design and Development

6.6 Software Implementation

7. User Management and System Access Control

7.1 User Management

7.2 Password Control

7.3 Session Locking

7.4 Account Locking

8. Key Management: Secret Data

8.1 General Principles

8.2 Symmetric Keys

8.3 Asymmetric Keys

8.4 Key Management Security Administration

8.4.1 General Requirements

8.4.2 Key Manager

8.4.3 Key Custodians

8.4.4 Key Management Device PINs

8.5 Key Generation

8.6 Key Distribution

8.7 Key Loading

8.8 Key Storage

8.9 Key Usage

8.10 Key Backup/Recovery

8.11 Key Destruction

8.12 Key Management Audit Trail

8.13 Key Compromise

8.14 Key Management Security Hardware

9. Key Management: Confidential Data

10. PIN Distribution via Electronic Methods

Physical Standard

The Physical Standard manual is a comprehensive source of information for approved card vendors (manufacturers, personalizers, pre-personalizers, chip embedders, data preparation vendors and fulfillment vendors). The contents of this manual specify the physical security requirements and procedures that vendors must follow before, during, and after the following processes:

  • Card manufacturing
  • Magnetic-stripe card encoding and embossing
  • Card personalization
  • Chip initializing or pre-personalization
  • Chip embedding
  • Chip personalization
  • Card storing
  • Shipping
  • Mailing

Do you dread the arrival of the new standards? How is it impacting your business?

Did you read our previous newsletter? PCI 30 second newsletter #24 - PCIco strengthens the scoping rules

Didier Godart