Issues for Issuers that Issue

More and more institutions are now payment card issuers.  Ten years ago, in-house payment card production was almost always an outsourced function within community financial institutions (FIs), but that's no longer the case.  As currently observed,  more than 40% of our FI clients have now implemented in-house card printing and/or embossing (personalization) solutions for various reasons.  The most prevalent of those reasons are competitive in nature; to provide customers with quick access to their funds at account opening or following the lost, theft, or compromise of a payment card.

While a large majority of in-house issuance adopters have made strong risk management considerations surrounding their instant card production, some of the most common pitfalls are rhetorically highlighted below:

• Governance
  • Is there a policy and procedure set surrounding the instant issuance program? Is instant issuance reflected in the enterprise risk management program?
  • If you offer customers the ability to have custom images printed on payment cards, does that process include restrictions for trademarks and copyrights?
  • Is a running inventory log maintained for all locations where card stock is stored or used and updated for newly introduced inventory, used stock, spoiled productions, or any other movement of card stock?
  • Does each location that participates in the instant issuance program undergo an annual internal audit of controls and device/media inventory?
  • Are card production responsibilities included in job descriptions, and do those with production responsibilities undergo adequate background checks prior to hire?
  • Does your incident response program include procedures for lost or unaccounted devices, card stock, or printing foil/ribbon media?
• Physical Security
  • Is destruction of old or spoiled card stock and printing foil/ribbons performed in-house under dual control and documented?
  • Are card production operations performed in a room only accessible by those with production responsibilities?
  • Do surveillance cameras cover all entry and exit points to the room(s) where production takes place? Are card printing devices covered by a surveillance camera?  Is motion-detected video of these areas retained for ninety days or more?
  • Are physical device keys, card stock, and unused printing media stored under dual control and stored in a vault or other secure container after hours?
  • Are card printing devices affixed to a desk or countertop using a lock, bolt, or other method of permanence?
  • Have restrictive removable media (CD/DVD/thumb drives) controls been applied to the PC(s) where card production activities are performed?
• Resilience
  • Are provisions, either through a third-party vendor or internal capabilities, available for timely reissuance of regular expiration card batches or mass card compromise events?

If you answer"no" to any of the questions above, your instant issuance program may need some improvement.  There are several resources that can guide you in the right direction:

• The FFIEC's guidance on card and PIN issuance is in the Retail Payment Systems Booklet.
• Visa Global Instant Card Personalization Issuance Security Standards - To access, log into visaonline.com and search by the document name.
• MasterCard Security Guidelines for Instant Card Issuance and Instant Card Personalization - To access, log into MasterCardConnect.com and search within the Library Publications section.
• The PCI Card Production and Provisioning Logical and Physical Security Requirements are focused on third-party vendors that perform card production, not small FIs that do partial in-house issuance/personalization. The individual card brands' rules for in-house issuance are modeled after these.  They're far more rigid than the Visa and MasterCard documents cited above and can provide guidance on developing a card issuance risk management program that goes above and beyond your card brand's expectations.
• 10-D Security's default Independent IT Audit scope for financial institutions includes a limited review of your in-house instant issuance program. Contact your sales associate to discuss scheduling an Audit that includes a risk-based scope expansion in this important area.

By:  Kyle Stelly CISSP, PCIP

  Download Blog