What is the scope of the PCI CP & PLS requirements?
The PCI CP & PLS requirements apply to every logical security activity involved in card production and provisioning. This includes both traditional on-premises environments and modern cloud-based provisioning systems. Any organization that handles cryptographic keys or provisioning data falls within scope, even if it does not manufacture physical cards.
These activities typically include:
Data preparation and card personalization
Pre-personalization, PIN generation and PIN mailers
Card carriers and distribution workflows
Cloud provisioning and Secure Element (SE) provisioning
Over-the-Air (OTA) provisioning
Full lifecycle management of cryptographic keys
The standard focuses on ensuring that sensitive data is accessed, transmitted and stored securely at all times.
How are sensitive data classified and protected under PCI CP & PLS?
The standard defines two categories of sensitive data. Secret Data refers to assets whose disclosure would cause major operational or financial harm, including symmetric keys, private asymmetric keys (except those used only for cardholder-data encryption), PIN keys and PINs. Confidential Data concerns information whose compromise would create business or legal exposure, such as PAN, expiration date, service code and encryption keys used to protect cardholder data.
To protect both categories, PCI CP & PLS requires:
Encryption at all times during transmission and storage
Algorithms and key sizes aligned with Normative Annex A
Decryption only for the minimal operational time required
A strict prohibition on decrypting cardholder data on Internet-facing or public networks
What are the key network segregation requirements?
PCI CP & PLS mandates strict segmentation to prevent unauthorized lateral movement and exposure of sensitive systems. Personalization and data-preparation systems must run on dedicated networks that are completely isolated from back-office or Internet-connected networks. A VLAN alone does not provide adequate separation.
In practice, organizations must implement:
A dedicated Card Production and Provisioning DMZ
Mandatory routing of all traffic entering or leaving the personalization network through that DMZ
Physically separate firewalls between:
A fully separate, segmented environment for Host Card Emulation (HCE) provisioning
What principles govern the management of secret cryptographic keys?
PCI CP & PLS enforces two foundational security principles for all key lifecycle operations. Split knowledge ensures that no single key component reveals anything about the complete key. Dual control requires at least two individuals to act together for any sensitive operation, ensuring that no individual can access, reconstruct or use an entire key.
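As an added illustration of these two principles (example code written for this page, not taken from the standard or from any vendor's key-management product), the Python below splits a key into full-length XOR components, one per custodian, and refuses to reconstruct it from fewer than two; the XOR component scheme is one common realisation of split knowledge, and the custodian count is an assumed parameter.

```python
import secrets
from functools import reduce

MIN_CUSTODIANS = 2  # dual control: no single person may hold or use a whole key


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = MIN_CUSTODIANS) -> list[bytes]:
    """Split `key` into full-length XOR components, one per custodian.

    All components but the last are independent, uniformly random values of
    the key's full length; the last is the key XORed with all of them. Any
    set of components short of the full set is therefore itself uniformly
    random and carries no information about the key (split knowledge).
    """
    if custodians < MIN_CUSTODIANS:
        raise ValueError(f"need at least {MIN_CUSTODIANS} custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    components.append(reduce(_xor, components, key))
    return components


def combine_key(components: list[bytes]) -> bytes:
    """Reconstruct the key from the components entered by each custodian.

    Enforces dual control by refusing to operate on fewer than two
    components, and checks that every component is full key length so a
    short (weak) component cannot slip through a loading ceremony.
    """
    if len(components) < MIN_CUSTODIANS:
        raise ValueError("dual control violated: fewer than two components")
    if len({len(c) for c in components}) != 1:
        raise ValueError("every component must be the full key length")
    return reduce(_xor, components)


if __name__ == "__main__":
    demo_key = bytes(range(16))  # constructed 128-bit sample key
    parts = split_key(demo_key, 3)
    assert combine_key(parts) == demo_key
    print("reconstructed OK from", len(parts), "components")
```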
To guarantee secure key creation, the standard specifies that:
What controls are required for User Management, Access Control and Authentication?
Access must be limited to individuals with a legitimate business need and must follow the principle of least privilege. Each account must be tied to a unique user ID to ensure accountability and traceability.
Authentication controls include:
Mandatory multi-factor authentication for administrative access
Multi-factor authentication for any remote access
Password rules requiring:
At least 12 characters (or 8 characters where equivalent strength is achieved)
Maximum password lifetime of 90 days