PCI Card Production Certification

We promote compliance to reduce fraud related to the manufacturing and personalization processes of payment cards as a PCI Card Production certifier in Europe, USA and LAC (Latin America and Caribbean)

PCI Card Production compliance allows:

What is PCI Card Production?

This regulation defines the physical and logical security criteria that must be implemented during the production processes and the supply of cards. The standard details aspects on:

A certification aimed at those suppliers involved in the secure manufacture of cards and the provisioning of customer payment information on cards and mobile devices.

Why get certified with us?

  • We have auditors with extensive international experience.
  • We certify PCI DSS, PCI 3DS, PCI PIN, and PCI Card Production.
  • Automated evidence tracking tool (TCT).
  • Team of consultants and auditors in both Spanish and English.

What are the consequences of not getting certified?

  • Penalties and fines.
  • Loss of trust and confidence with customers.
  • Significant economic losses that in some cases can even lead to the closure of a business.

Frequently Asked Questions

The PCI Card Production logic standard covers the technical aspects that IT systems within the card production environment such as servers, PCs/laptops, firewalls, routers and all systems within the perimeter of the HSA (High Security Area) must comply with.

Some specific requirements include:

  • Having a DMZ with physical firewalls protecting network segments.
  • Approved devices (HSM) to encrypt or decrypt card data.
  • Have data and process flow diagrams.
  • Change control processes.
  • Processes for patch management.
  • Hardening of equipmen.

The physical PCI Card Production standard covers the physical security aspects that must be covered to protect the card production environment.

Some requirements are:

  • Separate racks for servers, firewalls and HSM encryption devices that must be under CCTV surveillance and with access under dual access control.
  • Two people to be present at all times for the execution of processes.
  • Inventory of all systems.
  • In the HSA, have walls that meet precise industry standards.
  • Have an on-call room (SCR) that is monitoring physical security.

The whole process takes approximately 6 weeks:

  • Planning: 2 days
  • Auditing: 3 days
  • Documentation and delivery of certificates: 5 weeks
  • Total time: 6 weeks

Certification methodology

The evaluation method is carried out through the following steps:

1. Initial Training Course

During this phase, general concepts and key points for compliance are addressed and awareness is promoted within the organization.

2. Expert advice

Conduct interviews and review the necessary documentation to establish and record the active processes and suppliers involved that will determine the scope of PCI Card Production.

3. GAP Analysis

GAP analysis for new customers, by gathering information to analyze all existing security processes and determine the organization's level of compliance.

4. Accompaniment and advice

A consultant will provide ongoing advice throughout the implementation process.

5. On-site audit

We retrieve information to determine proper PCI Card Production compliance. The assessment is included in the final ROC (Report of Compliance) and AOC (Attestation of Compliance) report along with any other requested documentation.

6. Final review

Prepares documentation of PCI Card Production compliance status and subsequent ROC and AOC reporting.

Do you need to comply with PCI Card Production?

Send us an email to info@botech.info or fill out the following contact form.