Credit card factories given new secure manufacturing rules

Reinforce that safe, make fire doors one-way, and don't give your courier the keys

The world's payment card producers have released the latest guidelines to help interested businesses to protect payment data.

Version 1.1 of the PCI Card Production Security Requirements (pdf) modifies and introduces features for physical and logical security, advising on everything from printing PINs to guarding vaults.

The requirements, first introduced in 2013, are designed for card manufacturers but are general enough to be tweaked for the common rabble.

It unifies recommendations and requirements previously administered in silos by Mastercard, Visa, and friends.

Altered and new fields introduced by the Payment Card Industry Security Standard (PCI SSC) include access controls, alarms, and emergency exits and fire doors.

Should enterprises wish to protect their cards to the level of, say, card producer Placard, admins will need to separate <sensitive data type> from the rest of the network via a demilitarised zone, check anti-virus updates daily, and run quarterly internal and external vulnerability 'scans'.

Gone will be the days of leaving that POODLE patch in the corner for more than a week; critical patches must be promptly slapped on all internet-facing things unless senior management volunteer their necks for fixes to be stalled for a month.

Rogue networks must be detected; those on a budget can use WiFi Phisher, a free tool that spots nasty copycat access points, and floods them with traffic to boot.

Third party vendors will need to detail the nuts and bolts for any of their crypto used to protect <sensitive data type>, while private crypto keys should be treated like dirty hankies and not reused beyond the individual system, nor for longer than the expiry date.

Those not content with binary security will ensure fire doors open one-way only, install silent alarms for motion detection, and ensure <sensitive data type> is shipped in company vans with drivers who do not have the keys to access it.

PCI SSC Chief Technology Officer Troy Leach says the outfit will keep updating the requirements.

“We continue updating our standards to match the needs of today’s threat and business environments and to further increase security across the payment chain,” Leach says.

“These updated card production requirements will help card vendors secure the card production process from design all the way through delivery.” ®
