PCI Card Production Logical Security and Physical Security Standards Assessment Services

What atsec offers
atsec China is accredited as a Card Production Security Assessor (CPSA) Company by the Payment Card Industry (PCI) Security Standards Council (SSC) to validate an entity's adherence to the PCI Card Production and Provisioning Logical Security and Physical Security Requirements (two separate security standards). Currently atsec provides the PCI Card Production Logical Security and Physical Security Standards assessment services in the CEMEA, Canada, Europe, LAC, USA and Asia Pacific markets.

The PCI Card Production and Provisioning Logical Security Requirements ("PCI Card Production Logical Security Standard") address the logical security controls associated with card production and provisioning, such as:

  • EMV data preparation
  • Pre-personalization
  • Card embossing
  • IC and magnetic-stripe personalization
  • PIN generation
  • PIN mailers
  • Card carriers
  • Distribution

PCI Card Production and Provisioning Physical Security Requirements ("PCI Card Production Physical Security Standard") define a comprehensive source of information for entities involved in card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment. The standard specifies the physical security requirements and procedures that entities must follow before, during, and after the following processes:

  • Card Manufacturing
  • Chip embedding
  • Personalization
  • Storage
  • Packaging
  • Mailing
  • Shipping or delivery
  • Fulfillment

In addition to the card production activities above, the two standards describe the logical and physical security requirements for entities that:

  • Perform cloud-based or secure element (SE) provisioning services
  • Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data
  • Manage associated cryptographic keys

atsec's CPSA assessors can work with you to confirm the assessment scope, perform the assessment on-site, complete the PCI Card Production ROC (Report on Compliance) and AOC (Attestation of Compliance), submit them to applicable payment brands or cooperative entities, and perform re-validation where applicable.

In addition to the assessment service, atsec offers a full range of consulting services to support your organization in achieving compliance with the PCI Card Production Logical and/or Physical Security Standards. Our consultants have expert experience in each of the requirement areas and can help you develop appropriate measures to achieve compliance.

Why our services are important to you
The development, manufacture, transport, and personalization of payment cards and their components have a strong impact on the security structures of the payment systems, issuers, and vendors involved in their issuance. Data security is the primary focus of the standards.

atsec has plenty of experience with and knowledge of the following logical and physical security techniques:

  • Data security management
  • Network security design and management
  • System security hardening and management
  • User management and system access control
  • Key management
  • PIN distribution management
  • Personnel security management
  • Premises security protection
  • Production procedures security control
  • Production security audit
  • Security packaging and delivery

In addition to the PCI Card Production Logical Security and/or Physical Security Standards, atsec also has plenty of experience with other security standards, including but not limited to PCI DSS, PCI PA DSS, PCI SSF, PCI P2PE, PCI PIN Security, PCI 3DS, FIPS 140-2/140-3, Common Criteria (ISO/IEC 15408) and GSMA NESAS. atsec's consultants can help you achieve compliance with these security standards and improve the overall security of your production environment and business.

For more information
More information about atsec PCI services and our public resources can be found at and at the PCI SSC website at

For more information about this service, please contact us at