
You may have heard about PCI DSS, but if you’re familiar with PCI CP (Payment Card Industry Card Production and Provisioning), chances are you’re a credit card manufacturer (or somewhere in the supply chain). And you also likely understand the risks of insecure file transfers in the PCI CP process.
To level-set, we’ll review the basics of PCI CP requirements, and how GoAnywhere Managed File Transfer (MFT) by Fortra can help you meet them through secure file transfers.
What is PCI CP (Card Production and Provisioning) Compliance?
The PCI CP standard is similar in spirit to PCI DSS, but it sets security requirements for the companies that produce the cards themselves, rather than for the organizations that accept payments, which is the scope of PCI DSS. Instituted in 2013, PCI CP was updated in 2022 to PCI CP version 3.0, and is designed to accomplish the following:
Meet the security and business needs of card vendor environments
Ensure the strongest security measures are in place to protect customer payment information during the card creation process
Protect card manufacturers against evolving threats
Increase security across the payment chain
PCI CP requirements are designed to “help card vendors secure the card production process from design all the way through delivery,” as stated by PCI SSC SVP Standards Officer, Emma Sutcliffe.
Who Needs to Comply with PCI CP?
Because PCI CP establishes the security requirements for the safe production and provisioning of payment cards, it is important to know what falls under that process and by extension, who is responsible for PCI CP compliance.
According to the PCI website, card production includes:
Card manufacturing
Magnetic stripe encoding and embossing
Card personalization
Chip initializing, embedding, and personalization
Card storage
Card shipping and mailing
Card provisioning includes attaching sensitive cardholder information to a device using an over-the-air or over-the-internet communication channel.
These guidelines can have a substantial impact. Consider an attacker who wants to steal credit card details at the source: rather than stealing individual wallets or online payment codes one by one, they could compromise any point in the card production and provisioning supply chain. Therefore, every supply chain member responsible for some part of the card production and provisioning process outlined above is responsible for complying with PCI CP standards to prevent unauthorized physical or digital access to the cards.
The Role of Secure File Transfer in PCI CP Compliance
When a customer walks into a bank and signs up for a new account, or simply needs to replace a card, the card production and provisioning process is activated. The bank sends the customer’s card data to the card manufacturer, which is legally bound to follow the security mandates of PCI CP, including the requirement that segmented network environments be in place.
The different networks involved in the card production and provisioning process include:
External Network(s) (for financial institutions): These are the networks that house customers’ sensitive financial information, sending it out to be provisioned in payment cards.
DMZ (Demilitarized Zone) (for all card production/provisioning activities): All card production/provisioning activities must go through a dedicated DMZ on the vendor’s network.
High Security Production Network (for printing, chip encoding, PIN generation, etc.): These include the secure management network (administration), production network (card manufacturing), and Cardholder Data Environment (CDE) network (where sensitive cardholder and authentication data are processed).
A detailed depiction can be found below:
The customer’s sensitive personal and financial data must be securely transferred between these isolated networks and yet must be delivered smoothly and in a timely fashion to avoid any delays in workflow.
How GoAnywhere Helps Companies Achieve PCI CP Compliance
Secure Cardholder File Transfers
Under PCI CP, vendors are required to securely transfer data via defined and documented processes. To assist in the secure exchange of files and data between various card production networks, GoAnywhere MFT provides:
End-to-end encryption to protect cardholder data when transferred to an external source or on the cloud-based provisioning network
Controlled data movement between card production networks (firewalls, DMZ, internal secure zones), supporting network segmentation by enforcing IP allowlisting, firewall restrictions, and secure transmission channels
Access control of cardholder data by implementing role-based access control (RBAC) and multi-factor authentication (MFA) to restrict file access
Retention and deletion controls for cardholder data, automating secure deletion policies for stored files
Additionally, there are two main deployment models to comply with network security requirements that enable GoAnywhere to work best within your particular workflow:
Agent-based model: Deploy GoAnywhere MFT in the DMZ, with GoAnywhere Agents on the other networks; file transfers between the secured environments are managed from a single console with end-to-end visibility of the transfer flows.
Full MFT-based model: Deploy GoAnywhere MFT in each network for direct, secure file processing, handling external file transfers while preventing direct access to the internal networks.
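The zone descriptions above and the "controlled data movement" bullet both come down to one policy decision per transfer: is this source, on this address, allowed to send into that zone over an encrypted channel, and does every path into the high-security networks pass through the DMZ? The following is an added example of such a check, written for this page and not GoAnywhere's own code or the wording of the PCI CP standard; the zone names follow the page, while the flow matrix and the address ranges (RFC 5737 documentation ranges and private ranges) are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Zones as the page describes them for a card vendor's environment.
EXTERNAL, DMZ, MANAGEMENT, PRODUCTION, CDE = "external", "dmz", "management", "production", "cde"

# Constructed allowlists: which source ranges may originate a transfer from each zone.
# These are documentation/private ranges used as placeholders, not any real vendor's addresses.
ALLOWLISTS: Dict[str, List[ipaddress.IPv4Network]] = {
    EXTERNAL:   [ipaddress.ip_network("203.0.113.0/24")],  # partner bank's SFTP egress (TEST-NET-3)
    DMZ:        [ipaddress.ip_network("192.0.2.0/28")],    # MFT gateway hosts (TEST-NET-1)
    MANAGEMENT: [ipaddress.ip_network("10.10.0.0/24")],
    PRODUCTION: [ipaddress.ip_network("10.20.0.0/24")],
    CDE:        [ipaddress.ip_network("10.30.0.0/24")],
}

# Constructed flow matrix: every path into or out of the high-security networks
# goes through the DMZ, and the external network never reaches them directly.
ALLOWED_FLOWS = {
    (EXTERNAL, DMZ), (DMZ, EXTERNAL),
    (DMZ, MANAGEMENT), (DMZ, PRODUCTION), (DMZ, CDE),
    (MANAGEMENT, DMZ), (PRODUCTION, DMZ), (CDE, DMZ),
}

# Only encrypted transfer channels are acceptable for cardholder data.
ENCRYPTED_PROTOCOLS = {"sftp", "ftps", "https", "as2"}


def zone_of(ip: str) -> Optional[str]:
    """Map a source address to the zone whose allowlist contains it, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ALLOWLISTS.items():
        if any(addr in net for net in nets):
            return zone
    return None


def evaluate_transfer(src_ip: str, claimed_src_zone: str,
                      dst_zone: str, protocol: str) -> Tuple[bool, str]:
    """Decide whether a proposed transfer may proceed; returns (allowed, reason).

    The source zone is derived from the address, never trusted from the request,
    so a host cannot gain a DMZ-to-CDE path simply by claiming to be in the DMZ.
    """
    actual = zone_of(src_ip)
    if actual is None:
        return False, f"{src_ip} is not on any zone allowlist"
    if actual != claimed_src_zone:
        return False, f"{src_ip} belongs to zone '{actual}', not '{claimed_src_zone}'"
    if (actual, dst_zone) not in ALLOWED_FLOWS:
        return False, f"flow {actual} -> {dst_zone} is not permitted; route via the DMZ"
    if protocol.lower() not in ENCRYPTED_PROTOCOLS:
        return False, f"protocol '{protocol}' is not an encrypted transfer channel"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: one legitimate inbound drop, one attempt to skip the DMZ.
    for req in [("203.0.113.7", EXTERNAL, DMZ, "sftp"),
                ("203.0.113.7", EXTERNAL, CDE, "sftp"),
                ("192.0.2.3", DMZ, CDE, "ftp")]:
        print(req, "->", evaluate_transfer(*req))
```

The point of deriving the zone from the address rather than from a field in the request is that the allowlist and the flow matrix then enforce each other: an external host cannot be routed into the CDE by mislabelling itself, and an unencrypted channel is rejected even on an otherwise permitted path.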
Logging, Auditing, and Monitoring
To maintain PCI CP compliance, organizations must keep detailed logs of, and monitor, all activities related to cardholder data. To that end, GoAnywhere’s solution provides detailed logging and auditing for regulatory compliance, including:
Comprehensive audit logs for all file transfers, user actions, and system changes
Tamper-proof logging to prevent unauthorized modifications
Real-time alerts and SIEM integration for proactive security monitoring
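The "tamper-proof logging" and "real-time alerts" bullets describe a log that can prove it has not been edited and that can feed a monitoring rule. The following is an added example of one common way to build that, a keyed hash chain over audit entries plus a simple alert rule; it is written for this page and is not GoAnywhere's implementation. The HMAC key, the entry fields, and the sample events are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # "previous tag" value for the first entry in a fresh log


def _tag(key: bytes, entry: Dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the tag itself."""
    body = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log; each entry's tag covers its own fields and the previous entry's tag."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: List[Dict] = []

    def append(self, actor: str, action: str, resource: str, outcome: str,
               ts: Optional[str] = None) -> Dict:
        prev = self._entries[-1]["tag"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "resource": resource, "outcome": outcome,
            "prev": prev,
        }
        entry["tag"] = _tag(self._key, entry)
        self._entries.append(entry)
        return entry

    def export(self) -> List[Dict]:
        """Copy of the entries, e.g. for shipping to a SIEM or an auditor."""
        return [dict(e) for e in self._entries]


def verify_chain(key: bytes, entries: List[Dict]) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None if intact.

    Catches edited fields, reordered or removed entries, and a wrong key. It cannot
    catch deletion of the newest entries on its own; for that the latest tag must be
    anchored somewhere the log writer cannot reach, such as the SIEM it is forwarded to.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["tag"], _tag(key, e)):
            return i
        prev = e["tag"]
    return None


def denied_access_alerts(entries: List[Dict], threshold: int = 3) -> Dict[str, int]:
    """Actors with at least `threshold` denied outcomes: a minimal alert rule for the SIEM."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e["outcome"] == "denied":
            counts[e["actor"]] = counts.get(e["actor"], 0) + 1
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed events from a card-personalization file flow.
    log = AuditLog(b"constructed-demo-key")
    log.append("bank-sftp", "upload", "/dmz/in/batch-0421.pgp", "success")
    log.append("mft-agent", "move", "/cde/in/batch-0421.pgp", "success")
    for _ in range(3):
        log.append("contractor7", "download", "/cde/in/batch-0421.pgp", "denied")
    print("chain intact:", verify_chain(b"constructed-demo-key", log.export()) is None)
    print("alerts:", denied_access_alerts(log.export()))
```

The chain makes any edit to a stored entry visible on the next verification pass, which is what an auditor means by tamper-evident; keeping the HMAC key out of the hands of the log's own administrators, and forwarding the newest tag off-host as it is produced, is what turns that into a control against insiders as well.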
Automation and Workflow Management
Typically, card producers have tight timelines to produce the credit cards, so it's critical to ensure all file transfers are executed with no delays. To avoid tardiness and keep accuracy rates high, it is advisable to reduce manual intervention and increase automation and workflow management. To aid in this process, GoAnywhere provides:
Automated secure file transfer (SFT) workflows for moving and processing files
Event-driven triggers (e.g., move files, delete files after transfer)
Automated PGP encryption/decryption for secure data handling
By facilitating secure file transfers between segregated networks, enabling automated workflows, and keeping organizations audit-ready, GoAnywhere simplifies PCI CP compliance and promotes fast, streamlined, zero-trust file transfers for all parties involved in the CP process.
GoAnywhere MFT Helps Meet PCI CP Requirements
To keep learning about what GoAnywhere can do for your organization, read more about data security compliance or request a live demo today.