Credit card factories given new secure manufacturing rules

The world's payment card producers have released the latest guidelines to help interested businesses to protect payment data. Version 1.1 of the PCI Card Production Security Requirements (pdf) modifies and introduces features for physical and logical security advising on everything from printing PINs to guarding vaults. The …

  1. nematoad

    Oh?

    "admins will need to separate <sensitive data type> "

    "used to protect <sensitive data type>"

    "and ensu[r]ing <sensitive data type> "

    Is there something they are not telling us?

    1. Charles 9

      Re: Oh?

      Seems to me more like a CYA generalization. IOW, it's more an "Insert Sensitive Data Type Here". Name it, and apply it between the <>.

  2. Anonymous Coward

    hmmm... I wonder if there's a new rule

    ...that prohibits providing any data to the NSA, et al.

    1. Khaptain

      Re: hmmm... I wonder if there's a new rule

      No, quite the opposite, they will even supply you the key according to one of today's articles..

      NSA Front door key

  3. wyatt

    Let's all install updates on production before putting them through test... that won't go wrong, will it?

    1. Charles 9

      Better it go down due to a botched update rather than get pwned due to an overabundance of caution leading to the hax0rs getting through during the window of vulnerability. At least it can't be pwned while it's down.

  4. Peter Galbavy

    tl;dr

    Hang on. Card production facilities with WiFi networks? Erm, that's not a bad idea at all. No.

    1. Anonymous Coward

      Re: tl;dr

      There aren't many that would have one in the HSA; if they do, they can't use it for any perso data, and the WiFi network must not have the ability to access any perso data or connect to any of the data prep or perso networks.

      But I agree with your sentiment: WiFi networks are bad, hence in our locations it's not allowed inside or outside of the HSA.

    2. Tom 13

      Re: tl;dr

      El Reg says:

      Rogue networks must be detected,...

      Any WiFi in the area is obviously a Rogue Network and must be detected. Nothing there implies WiFi is allowed. They would however be the most likely source for Rogue Networks.

  5. Phil O'Sophical

    say again?

    fire doors open one-way only

    I'm still trying to figure out what this means. I know that normal fire exit doors only open outwards, for safety, but that doesn't seem relevant here.

    1. Charles 9

      Re: say again?

      But once it's open, people can normally slip in or out as long as the door is open. No, what they demand is that the only way the fire door can open is by closing the way behind you first, so that the ONLY direction one can go through the doorway is out. Normally this evokes images of airlocks, but you can also achieve this with the cylindrical doorways sometimes associated with darkrooms (to ensure no light enters as people pass through). Imagine a weight-based mechanical latch so that once engaged, the door can only be spun to the outside and stays in that position until the door is emptied, upon which it can be spun inside again from within the building.

      1. Danny 14

        Re: say again?

        Sellafield have turnstiles that only operate in one direction (large ones that can admit wheelchairs). Most of the operation inside is basically "one way".

  6. Anonymous Coward

    Some changes are for the sake of change

    One of the changes in 1.1 is moving the perso DMZ servers into the HSA. Last year we had an NC for having our DMZ servers in the HSA, which I could understand, but they were put in there as it was a very small location and they were planned to be moved out. But moving the DMZ servers into the HSA to physically secure them does not improve security: those servers should be considered exposed and likely to be compromised, no data should ever be decrypted on them, and having physical access shouldn't be able to compromise any data on them, as all data should be encrypted at all times until required in the HSA.

    Requiring the DMZ servers to be in the HSA in the way they state means no additional logical security. The firewall for that is in a lower security zone, as direct internet access isn't allowed in the HSA, but that means that a person with no HSA access can put internet access into the HSA by simply bypassing the firewall outside of the HSA. Because of this I can see a change in 1.2 stating that option 2 in the described firewall configs becomes the only way to do it: 2 firewalls, 1 inside and 1 outside for the DMZ, just like is required for the perso networks.

    Again, this change is for the sake of change; the DMZ should be considered insecure/low security. What you can obtain there is the same as you can obtain by rerouting all data going to those servers and logging it over the internet, so getting physical access does nothing for you. All data is pulled from or pushed to; data is encrypted and signed and validated before use in the HSA. You could get user credentials, but again this shouldn't, if following the rules, allow anything apart from access to the lower security zone, which the HSA isn't supposed to trust anyway.
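The trust model the commenter describes (a DMZ relay that holds no keys, data that stays encrypted and signed until it is inside the HSA, and the HSA validating before it decrypts) is worth seeing as working code. The following is an added example written for this page; it is not code from the commenter, from the PCI SSC, or from the article. It models the data-prep side sealing a perso record with encrypt-then-MAC, a DMZ relay that merely spools opaque envelopes, and an HSA-side opener that checks the tag in constant time before decrypting. Because the Python standard library ships no AEAD cipher, the encryption here is an illustrative HMAC-SHA256 counter-mode keystream standing in for a real AEAD such as AES-GCM; the keys, the `DmzRelay` class, the envelope layout and the sample record are all constructed for the demo, not taken from any standard or product.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16  # bytes; assumed envelope layout: nonce || ciphertext || tag
TAG_LEN = 32    # HMAC-SHA256 output length


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (PRF-CTR).
    Illustrative stand-in for a real AEAD such as AES-GCM, which the
    Python stdlib does not provide; the structure of the trust boundary
    is the point, not this particular cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Data-prep side (trusted zone): encrypt, then MAC nonce||ciphertext.
    Separate keys for encryption and authentication; nonce must be unique per key."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


class DmzRelay:
    """Hypothetical DMZ server: forwards and spools opaque envelopes.
    It holds no keys, so an attacker with root or physical access here
    sees ciphertext only and can at most modify or drop envelopes."""

    def __init__(self):
        self.spool = []

    def forward(self, envelope: bytes) -> bytes:
        self.spool.append(envelope)
        return envelope


def hsa_open(enc_key: bytes, mac_key: bytes, envelope: bytes):
    """HSA side: verify the tag in constant time BEFORE touching the ciphertext.
    Returns the plaintext, or None if the envelope is malformed or modified."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        return None
    nonce = envelope[:NONCE_LEN]
    ct = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def flip_bit(envelope: bytes, offset: int) -> bytes:
    """What a compromised DMZ host can do: alter bytes in transit."""
    b = bytearray(envelope)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    # Constructed demo keys. In a real deployment these come from an HSM /
    # key ceremony and never leave the HSA.
    enc_key = hashlib.sha256(b"demo-enc-key").digest()
    mac_key = hashlib.sha256(b"demo-mac-key").digest()
    # Constructed sample perso record using a well-known test PAN.
    record = b"PAN=4111111111111111;EXP=2712;NAME=A TEST CARDHOLDER"
    relay = DmzRelay()

    envelope = relay.forward(seal(enc_key, mac_key, record))
    return {
        "honest_roundtrip_ok": hsa_open(enc_key, mac_key, envelope) == record,
        # The spooled bytes on the DMZ box never contain the perso data.
        "plaintext_visible_in_dmz": b"4111111111111111" in relay.spool[0],
        # One flipped ciphertext bit is caught by the tag before decryption.
        "tampered_ct_rejected": hsa_open(enc_key, mac_key, flip_bit(envelope, NONCE_LEN + 4)) is None,
        # The nonce is covered by the tag too, so it cannot be swapped either.
        "tampered_nonce_rejected": hsa_open(enc_key, mac_key, flip_bit(envelope, 0)) is None,
        "truncated_rejected": hsa_open(enc_key, mac_key, envelope[:-1]) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The design choice that matters for the commenter's argument is that `DmzRelay` has no key material at all and `hsa_open` refuses to decrypt anything whose tag does not verify, so physically relocating that relay into the HSA changes nothing about what an attacker on it can learn or forge; the checks that actually protect the perso data live on the HSA side of the boundary.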
