
Recharge Voucher Controls

Date post: 07-Apr-2018
Upload: siddharth73
  • 8/3/2019 Recharge Voucher Controls


    TS3 SECURITY ACCREDITATION SCHEME - AUDIT STANDARD

    APRIL 2007

    Version 1.0

    The information contained in this document may be subject to change without prior notice. TS3 Alliance does not make any representation, warranty or undertaking (express or implied) with respect to, and does not accept any responsibility for (and hereby disclaims liability for), the accuracy or completeness of information contained in this document.


    TS3 SECURITY ACCREDITATION SCHEME STANDARD

    CONTENTS

    GENERAL
    OBJECTIVES OF THE STANDARD
    INTRODUCTION AND SCOPE
        INTRODUCTION
        SCOPE
    DEFINITIONS
    MANUFACTURING CYCLE
    THE THREATS
    ASSET CLASSIFICATION AND SECURITY REQUIREMENTS
    SECURITY REQUIREMENTS
        POLICY, STRATEGY AND DOCUMENTATION
            Policy
            Strategy
            Business Continuity Plan
            Internal Audit
        ORGANISATION AND RESPONSIBILITY
            Organisation
            Responsibility
            Contract and Liability
        INFORMATION
            Classification
            Data and Media Handling
        PERSONNEL
            Job Descriptions
            Personnel Vetting
            Acceptance of Security Rules
            Disciplinary / Staff Exit Procedures
        PHYSICAL SECURITY
            Environment of the Site
            Construction Standards
            Security Plan
            Physical Protection
            Access Control
            Security Staff
            Security Procedures
            Internal Audit
        IT SECURITY
            Policy
            Segregation of Duties
            Access Control
            Network Security
            Virus Control
            Data Backup
            Audit and Monitoring
            Insecure Terminal Access
            External Facilities Management
            Systems Development and Maintenance
            Security Weaknesses and Incidents
            Media Handling
            Internal Audit
        PRODUCTION DATA MANAGEMENT
            Data Transfer
            Access to Sensitive Data
            Data Generation
            Encryption Keys
            Auditability and Accountability
            Data Integrity
            Duplicate Production
            Internal Audit
        LOGISTICS AND PRODUCTION MANAGEMENT
            Personnel Issues
            Order Management and Purchasing
            Control of Raw Materials
            Control of Design Media
            Control of Production
            Destruction
            Storage
            Packaging and Delivery
            Internal Audit


    GENERAL

    Prepaid systems remain a key area of growth within the mobile services arena. The use of physical recharge tokens - scratchcards or vouchers - as a method of distributing pre-paid value to customers also remains commonplace. The manufacture of such recharge tokens carries significant risk for the operator; risk which is sometimes overlooked.

    Manufacturers themselves may introduce certain risks to operators and many are unaware of the inherent fraud risks surrounding prepaid scratchcards and the potential impact compromise of product could have on an operator.

    The purpose of this document is to provide operators and manufacturers with a set of minimum security requirements to ensure appropriate security measures are applied to the manufacturing cycle of prepaid scratchcards.

    OBJECTIVES OF THE STANDARD

    The objective of the standard is to:

    Manage to an acceptable level the risks operators expose themselves to by working with a manufacturer.

    Provide a set of auditable security requirements to allow scratchcard suppliers to provide assurance to their customers that potential risks are under control and that appropriate security measures are in place.

    INTRODUCTION AND SCOPE

    INTRODUCTION

    This standard has been developed using the same principal requirements outlined in the GSM Association's Security Accreditation Scheme (see http://www.gsmworld.com/using/sas).

    This standard recognises that, unlike early participants in the GSM SAS (Eurosmart members), many prepaid scratch card manufacturers have not had exposure to international security standards. Indeed, many manufacturers have migrated from production and printing of lower-risk products. To this end, time has been taken to explain in more detail the specific requirements for each element in the standard but care has also been taken to ensure that the standard is not overly prescriptive.

    The focus of this standard is on ensuring that the security risk is adequately addressed in an appropriate way, rather than using a specified approach.


    SCOPE

    The scope of this standard is restricted to security issues relating to the manufacture and supply of prepaid scratch cards only and includes:

    Manufacturing cycle and processes.

    Assets to be protected.

    Risk and threats.

    Security requirements.

    To further reduce the risks for operators it is acknowledged that the security objectives must continue to be met after the personalisation phases where the manufacturer is responsible for delivery.

    Note: This standard does not relate to the security features applied to the prepaid scratchcard itself or the physical make up of cards in either paper or plastic format. It is assumed that the operator will have conducted off site evaluations of the security strengths of the manufacturer's prepaid scratchcards and satisfied itself that these cannot be compromised.

    DEFINITIONS

    Manufacturer - The manufacturer of the recharge token (scratchcard). Although the manufacturer may carry out production at a number of sites, certification under the TS3 scheme will be focused on individual production sites.

    Operator - The organisation which has contracted the manufacturer to produce and supply the recharge tokens. Although this standard and the TS3 certification scheme has been conceived around the manufacture and supply of prepaid scratchcards for telecoms operators, it may also be applied to manufacture of similar assets for other purposes.

    Scratchcard - The recharge token itself - also known as a recharge voucher. This represents a plastic or paper based card with a scratch-off panel that protects a printed secret code.

    Recharge - The process of adding more credit to a prepaid account. This can be done by a variety of means including scratchcards, ATMs, electronic payment solutions or credit cards.

    Prepaid Fraud - Fraud committed on a prepaid mobile account. It comprises other types of fraud such as technical fraud, roaming fraud and so on, but also takes advantage of things that are specific to the prepaid market such as recharge methods.


    PIN - The Personal Identification Number associated with the recharge token. May also be referred to as a TUN (Top-Up Number) or Hidden Recharge Number (HRN). The PIN is entered by the customer using an interactive response system or on-line application and validated by a system within the operator's infrastructure. On successful validation the credit value associated with the recharge token is transferred to the customer's pre-paid account.

    Dual Control - An action that must be performed with two people present, also commonly referred to as the four eyes principle.

    Personalisation - The process by which the PIN number and associated information is applied to the scratchcard.

    Masking - The process by which a concealment mechanism is applied to the PIN during the manufacturing process. The Mask is intended to protect the PIN from unauthorised use until the recharge token is purchased for use by a customer.

    Mismatch - Occurs when the unique PIN does not correspond to the unique card serial number associated to the prepaid scratchcard.

    Card Serial Number - An identification number sometimes applied to prepaid recharge tokens, helping to support auditability and traceability.

    Duplicate - Two or more prepaid scratchcards personalised with the same PIN/TUN or serial number.

    Reject - Partly finished or finished product that may contain sensitive information that has been manually or automatically rejected from the manufacturing cycle.
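
    The Duplicate and Mismatch conditions defined above can be checked mechanically before a batch is released. The following is an added example, not part of the standard: the CSV layout, the field names and the keyed-fingerprint comparison are assumptions, and all serial numbers and PINs are constructed.

```python
"""Batch check for Duplicate and Mismatch conditions (added example).

Assumptions: a two-column CSV layout (serial, pin) and comparison on keyed
fingerprints so that the report never contains a PIN. The standard does not
prescribe a file format or a checking method.
"""
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample: the order file as generated (serial, PIN).
ORDER_FILE = """serial,pin
1000001,483920175566
1000002,920417738105
1000003,483920175566
1000004,771205930048
1000004,115093672284
1000005,650318829471
"""

# Constructed sample: what the personalisation line reports it applied.
PRODUCTION_LOG = """serial,pin
1000001,483920175566
1000002,920417738105
1000005,771205930048
"""


def fingerprint(pin: str, key: bytes) -> str:
    """Keyed digest of a PIN; equal PINs give equal fingerprints under one key."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()


def load(text: str, key: bytes):
    """Parse CSV text into [(serial, pin_fingerprint)]; PINs are not retained."""
    return [(row["serial"].strip(), fingerprint(row["pin"].strip(), key))
            for row in csv.DictReader(io.StringIO(text))]


def find_duplicates(records):
    """Return (groups of serials sharing one PIN, serials that appear twice)."""
    by_pin, by_serial = defaultdict(list), defaultdict(list)
    for serial, fp in records:
        by_pin[fp].append(serial)
        by_serial[serial].append(fp)
    dup_pins = sorted(sorted(serials) for serials in by_pin.values()
                      if len(serials) > 1)
    dup_serials = sorted(s for s, fps in by_serial.items() if len(fps) > 1)
    return dup_pins, dup_serials


def find_mismatches(order, produced):
    """Serials whose applied PIN differs from the PIN assigned in the order."""
    assigned = defaultdict(set)
    for serial, fp in order:
        assigned[serial].add(fp)
    return sorted(serial for serial, fp in produced
                  if serial in assigned and fp not in assigned[serial])


def check_batch(order_text: str, production_text: str) -> dict:
    """Run both checks under a throwaway per-run key and report serials only."""
    key = secrets.token_bytes(32)  # never stored; fingerprints die with the run
    order = load(order_text, key)
    produced = load(production_text, key)
    dup_pins, dup_serials = find_duplicates(order)
    return {
        "duplicate_pins": dup_pins,        # serial groups sharing a PIN
        "duplicate_serials": dup_serials,  # serials issued more than once
        "mismatches": find_mismatches(order, produced),
    }


if __name__ == "__main__":
    for finding, serials in check_batch(ORDER_FILE, PRODUCTION_LOG).items():
        print(f"{finding}: {serials}")
```

    Because findings are reported by card serial number only, the output of such a check can be handled at a lower classification than the PIN data file itself.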

    MANUFACTURING CYCLE

    The following stages represent the manufacturing cycle of the prepaid scratchcard from receipt of PIN data through to distribution of the final product:

    Production - The first stage in the prepaid scratchcard manufacturing cycle. Typically includes the following processes:

        Receipt or generation of the PIN data file.

        Manipulation of PIN data file for production.

        Transfer of PIN data file to production.

        Printing (base card stock).

        Personalisation / masking.

        Fulfilment (product bundling and packaging).

    Storage - The second phase in the manufacturing cycle. Typically includes:

        Receipt of both data and product from the production phase and storage prior to transfer to the operator.

    Distribution - The final stage in the manufacturing cycle. Typically includes:

        Physical transfer of product (to either the operator or into the operator's distribution network).

        Notification to the operator of the order / batch numbers distributed for uploading onto the operator's platform.

    THE THREATS

    Fraud may be perpetrated throughout the manufacturing cycle in a number of different ways, including both external (contractors, suppliers or engineers) and internal (employees) elements. For this reason, prepaid scratchcards must be protected throughout the entire manufacturing cycle.

    The risk analysis has been completed to identify the main threats to the scratch card manufacturer. The list is not intended to be exhaustive:

    PROCESS: Production

        THREAT

        Theft - illegally obtaining PINs or scratchcards.
        Forgery - reproduction or alteration of prepaid scratchcards.
        Disclosure - visibility or unauthorised observation of secret codes.
        Duplication - two or more cards that have the same unique PIN.
        Guessing - estimation of the PIN where PIN lengths or the quality of random number generator are weak.
        Access to sensitive data - gain access to the secret codes during the manufacturing process.
        Access to sensitive data during transmission from the operator to manufacturer.

        THREAT SOURCE

        Manufacturer's staff authorised to be involved during the production stage.
        Manufacturer's staff not authorised to be involved during the production stage.
        External elements - contractors or sub-contractors working on-site or remotely who may have access to the production process.
        Internal or external personnel with access to intercept data during transmission / transfer.

    PROCESS: Storage

        THREAT

        Robbery - physical attacks on storage facilities of product or data.
        Collusion/physical access - facilitated theft of product or data.
        Stock reconciliation error - discrepancy between physical and theoretical stock.

        THREAT SOURCE

        Manufacturer's staff.
        External elements.
        Manufacturer's staff and external elements in collusion.

    PROCESS: Distribution

        THREAT

        Theft of assets - theft of vouchers at any stage in the distribution process.
        Stock reconciliation error - variance in the value of stock produced, stored and distributed to the operator.
        Lost assets - loss of vouchers in the distribution process.

        THREAT SOURCE

        Manufacturer's staff and external elements in collusion.
        External transportation or shipping agents.

    ASSET CLASSIFICATION AND SECURITY REQUIREMENTS

    Recognising that certain risks require greater protection and to ensure that the most appropriate security controls are employed to protect security critical information and equipment, the following classification structure is suggested:

    SECURITY CLASSIFICATION: CLASS 1

        ASSET (MATERIAL/DATA)

        PIN data file.
        Encryption keys.
        Personalised product.

        SECURITY RELEVANCE

        Information or product components likely to cause severe damage or loss if stolen or compromised.

        STRENGTH OF SECURITY REQUIRED

        High security installation.
        Strong security mechanisms.

    SECURITY CLASSIFICATION: CLASS 2

        ASSET (MATERIAL/DATA)

        Design media.
        Printed unpersonalised product.
        Customer order details/signatures.
        Foils, holograms, masking materials, etc.

        SECURITY RELEVANCE

        Information, equipment or components likely to cause moderate damage/loss if stolen or compromised.

        STRENGTH OF SECURITY REQUIRED

        Secure installation.
        Medium security mechanism.

    SECURITY REQUIREMENTS

    In order to consider whether the card manufacturing and personalisation processes are secure, certain requirements must be met. These requirements, which are outlined below, are considered as minimum security requirements applying to the environment in which the product is manufactured. It is recognised that it is possible to use alternative mechanisms or tools other than those described in this section if they achieve the same security objective.


    POLICY, STRATEGY AND DOCUMENTATION

    Policy

    Security policy document(s) should be in place which contain statements defining:

    The overall security objectives.

    Rules and procedures relating to the security of the processes.

    Sensitive information and asset management.

    Employees should understand and have access to the policy and its application should be checked periodically.

    Strategy

    A coherent security strategy must be defined based on a clear understanding of the risks.

    The strategy should use periodic risk assessment as the basis for defining, implementing and updating the site security system.

    The strategy should be reviewed regularly to ensure that it reflects the changing security environment through ongoing re-assessment of risks.

    Business Continuity Plan

    A Business Continuity Plan should be in place in the event of production-affecting incidents. The plan should demonstrate that all risks, including natural and man-made, have been taken into consideration.

    A crisis management team should exist to execute the plan in the event of a disaster scenario.

    Internal Audit

    The overall security management system should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure its continued correct operation.


    ORGANISATION AND RESPONSIBILITY

    Organisation

    To successfully manage security, a defined organisation structure should be established with appropriate allocation of security responsibilities.

    The management structure should be capable of co-ordinating security measures through a cross-functional team.

    Responsibility

    There should be a senior manager nominated with overall responsibility for all security matters.

    There should be a nominated employee with day-to-day responsibility for security.

    The responsibility for the protection of individual assets and for carrying out specific security processes should be explicitly defined and documented in order to protect security critical information, product and equipment.

    Contract and Liability

    Any agreement between the operator and manufacturer should clearly apportion responsibility for loss during all stages of production, storage and distribution of prepaid scratchcards.

    The manufacturer should ensure that appropriate cover is in place for its liabilities. Such cover should be appropriately authorised based on an assessment of risk.

    Where third parties are responsible for part(s) of the process, the manufacturer should ensure that transfer of, and cover for, liability has been considered.

    A register of operator authorised ordering personnel should be maintained along with sample signatures. These signatures should be compared for orders received and deviations challenged at a senior level in the operation.

    INFORMATION

    Classification

    Security classifications should be used to indicate the appropriate level of security protection.

    Protection for classified information should be consistent with business needs.

    Classified information should be labelled correctly in all its forms, e.g. on paper or output media from a system.


    Data and Media Handling

    Access to sensitive information and assets must always be governed by an overall need to know principle.

    Guidelines should be in place governing the handling of data and other media, including a clear desk policy. Guidelines should describe the end-to-end lifecycle management for sensitive assets, considering creation, classification, processing, storage, transmission and disposal.

    PERSONNEL

    Job Descriptions

    Security should be addressed at the job / role definition stage and whenever those definitions are changed.

    Personnel Vetting

    Procedures should incorporate the need for pre-employment screening of applicants selected for sensitive positions or those who have access to confidential information.

    Security staff should be subject to positive vetting and should be recruited from recognised security backgrounds.

    Acceptance of Security Rules

    All employees, contractors and temporary staff should sign a confidentiality agreement.

    Employees should read the security policy and record their understanding of the contents and the conditions they impose.

    Key individuals should be trained in security procedures and the correct use of facilities.

    Key individuals should be given adequate security education and technical training.

    Disciplinary / Staff Exit Procedures

    Disciplinary procedures should be documented and exit procedures for staff, leaving or dismissed, put in place.


    PHYSICAL SECURITY

    Environment of the Site

    The environment of the site should provide layered security measures providing primary preventative measures and secondary detection systems (CCTV / alarms). Aspects of this concept could include the provision of good levels of illumination, the removal of dense, high growing shrubs and trees that interrupt natural surveillance and provide shelter for criminals as well as good crime analysis and the control of both pedestrian and vehicular through traffic.

    Construction Standards

    Building construction should be of a solid material offering reasonable resistance to forcible attack. Building materials should be robust and inspected in line with the annual risk reviews.

    Security Plan

    Layers of physical security control should be used to protect the sensitive process according to a clearly defined and understood strategy. The strategy should apply controls relevant to the assets and risks identified through risk assessments.

    The strategy should be encapsulated in a security plan that:

    Defines a clear site perimeter / boundary.

    Defines one or more levels of secure area within the boundary of the site perimeter.

    Maps the creation, storage and processing of sensitive assets to the secure areas.

    Defines physical security protection standards for each level of the secure area.

    Physical Protection

    The protection standards defined in the security plan should be appropriately deployed throughout the site, to include:

    Deterrent to attack or unauthorized entry.

    Physical protection of the building and secure areas capable of resisting attack for an appropriate period.

    Mechanisms for early detection of attempted attack against, or unauthorized entry into, the secure areas at vulnerable points.

    Control of access through normal entry / exit points into the building and sensitive process to prevent unauthorized access.

    Effective controls to manage security during times of emergency egress from the secure areas and buildings.

    Mechanisms for identifying attempted, or successful, unauthorized access to, or within the site.

    Mechanisms for monitoring and providing auditability of authorised and unauthorised activities within the sensitive process.

    Controls deployed should be clearly documented and up-to-date.

    Controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

    Where Intruder Detection Systems are installed, they should:

    Fulfil four key functions:

        To reliably detect the presence of humans.
        To reliably detect penetration of physical barriers.
        To provoke an immediate response to an activation.
        To minimise false (or nuisance) alarms.

    Be tested regularly to ensure:

        Correct operation with appropriate levels of sensitivity.
        Monitoring and response times are appropriate and timely.
        Remote signalling via telephone or radio networks functions correctly.

    Key areas such as the perimeter, open areas between the perimeter and buildings, pedestrian and vehicle access points and the building interior should be provided with sufficient illumination to aid in direct observation (security manpower) and should be of sufficient strength so as not to impair the recordings from Closed Circuit Television (CCTV).

    Where CCTV is employed it should:

    Be covered by a siting plan that highlights any sterile detection zones.

    Provide appropriate picture quality for the purpose with sufficient recording storage from the time an event was detected back to when the event occurred.

    Securely store images for a period of not less than three months. Archived recordings should be subject to regular audit to establish the playback quality and secure storage measures.

    Access Control

    Access rights to buildings and secure areas should be clearly defined and controlled on a need to be there basis.

    Appropriate procedures should be in place to control, authorise, and monitor access to, and within, each area.

    Regular audits should be undertaken to monitor access control to secure areas.


    Access control procedures and systems should be evaluated regularly to ensure that processes are appropriate and observed.

    The standard of security glazing for ground level and accessible perimeter windows to secure areas should be of sufficient construction to protect against forced entry. Consideration should be given to the use of anti-bandit glazing similar to that used in banks. If anti-bandit type glazing is not fitted then burglar bars or physical barriers should be considered.

    The construction of doors should be sufficient to afford protection to the perimeter of the building whether they are utilised for pedestrian or vehicle access. Door security must take account of emergency and exit door requirements. Where roof openings are necessary they should be treated, from a security view, as openings located elsewhere in the perimeter of the building premises. Locks should be commensurate with a high security specification and be resistant to wear, manipulation and attack.

    Security Staff

    Where security staff (in-house and / or contract) are employed, consideration should be given to the following:

    Manpower levels.

    Vetting process.

    Reporting structures.

    Training levels.

    Job descriptions.

    Rosters.

    Technical competency.

    Standard operating procedures.

    Emergency response procedures.

    Communications.

    In cases where the security guarding function is outsourced additional areas such as contract supervision, contractual agreements and insurance liabilities should be carefully reviewed.

    Security Procedures

    Security procedures should be documented and records maintained to establish when they were created and published. Security procedures should be disseminated according to documented criteria and should clearly indicate when they were last updated, amended and tested.

    Internal Audit

    Physical security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.


    IT SECURITY

    Policy

    A documented IT security policy must be in place. The policy must have a dedicatedowner, be regularly updated in line with company and product developments and bewell understood by employees.

    Segregation of Duties

    Responsibilities and procedures for the management and operation of computersand networks should be established. Security related duties should be segregatedfrom operational activities to minimise risk.

    Access Control

    Physical access to sensitive computer facilities should be controlled.

    An access control policy should be in place and procedures should govern thegranting of access rights with a limit placed on the use of special privilege users.

    Detailed processes and procedures should be employed to create, manage andremove user accounts. The authority levels required to request a new user accountand the policies that are followed relating to access privileges must be clearly

    defined.

    Requests to change user privileges must be authorised and handled and theprocesses in place should ensure that user accounts are removed when no longerrequired or are reviewed when a user changes job function.

    Logical access to IT services should be via a secure logon procedure.

    Password management processes and procedures should appropriately manage the creation of new user accounts, transmission of the user identity and password to the user, the user's first logon and successive logons, the user's ability to change and select their own passwords, any password rules that govern the structure of passwords and policies or mechanisms to prompt or force regular changes to passwords. Processes for requesting password resets and for verifying the identity of the user making the request should also be documented.

    Enhanced authentication (e.g. two-factor) should be deployed where remote access is granted.


    Network Security

    Systems and data networks used for the processing and storage of sensitive data should be housed in an appropriate environment and logically or physically separated from insecure networks.

    Data transfer between secure and insecure networks must be strictly controlled according to a documented policy defined on a principle of minimum access.

    Virus Control

    Anti-virus protection should be employed throughout the networks and all computers should have anti-virus software installed.

    A defined process should be employed to keep virus protection up-to-date.

    Data Backup

    The manufacturer should demonstrate its capability to protect against, and recover from, data loss. Backup and restore processes together with the frequency of backups, type of backup (incremental or full), content of backup, media used for backup, format of backup data, location of stored backups, physical and logical access to and protection of backups, production of backup logs and responsibility for backups should all be clearly defined and documented.

    A restore programme should be operated to test the effectiveness of backups and results regularly evaluated.

    Audit and Monitoring

    System activity logs should be maintained and reviewed on a regular basis. Audit rules applied should, as a minimum, include logging of all user sign in and sign out, unsuccessful login attempts, changes to user privileges, access to specific files, etc., and should specify what level of information is provided in the audit log (e.g. date, time, user identity, machine identity, activity performed, etc.).

    Records should be of a sufficient standard to generate network security statistics which in the event of an attack could be used by the administrator to determine what happened, who did it and when it occurred.

    Insecure Terminal Access

    Appropriate measures should be in place to protect insecure workstations from unauthorised use. The password-protected time-out of workstations and physical drive locks should be regularly reviewed and drive lock key control procedures implemented.


    Access to diagnostic and network ports should be securely controlled.

    External Facilities Management

    External facilities management contracts must provide for appropriate controls to protect the business from the additional exposure.

    Systems Development and Maintenance

    Security requirements of systems should be identified at the outset of their procurement and these factors should be taken into account when sourcing them.

    Where IT development facilities for issues such as the development of applications or of routines to manipulate customer data are employed, there must be clear separation of the development environment from the operational environment.

    Security Weaknesses and Incidents

    Procedures should be provided which outline the reporting of security weaknesses in the network. Systems should be in place to inform the correct management function of a weakness or of a software malfunction. The reporting channel should be tested to evaluate its efficiency.

    Documented procedures should be in place to correct and recover from a security breach. Only clearly identified and authorised recovery staff should be allowed access to live systems and data and all emergency actions taken should be documented in detail and reported to the correct management function.

    Media Handling

    Media management procedures and processes should be defined to ensure that all removable computer media is handled in a secure manner.

    The processes should include labelling, destruction method and how it is protected in terms of availability and integrity.

    Disposal of equipment must be carried out according to a secure procedure that considers the risk of sensitive data being present on the equipment for disposal.

    Internal Audit

    IT security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.


    PRODUCTION DATA MANAGEMENT

    Data Transfer

    Manufacturers should take responsibility to ensure that electronic data transfer between themselves and other third parties is appropriately secured.

    Access to Sensitive Data

    Manufacturers should prevent direct access to sensitive production data. User access to sensitive data should be possible only where absolutely necessary. All access must be auditable to identify the date, time, activity and person responsible.

    Data Generation

    As part of the personalisation process secret data may be generated for personalisation. Where such generation takes place:

    The quality of the number generator in use should be subject to appropriate testing on a periodic basis. Evidence of testing, and successful results, should be available.

    Clear, auditable controls should be in place surrounding the use of the number generator to ensure that data is taken from the appropriate source.

    Appropriate controls should be in place to prevent generation of duplicates.
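
An added illustration of the three Data Generation controls above (not part of the TS3 standard): PINs are drawn from the operating system CSPRNG, duplicates are rejected against a registry of keyed fingerprints, and a monobit frequency check stands in for one periodic quality test of the generator. The 14-digit PIN length, the function names and the registry key are assumptions.

```python
import hashlib
import hmac
import math
import secrets

PIN_DIGITS = 14  # assumed PIN length; the standard does not fix one


def generate_pin(digits=PIN_DIGITS):
    """Draw one numeric PIN from the OS CSPRNG (randbelow avoids modulo bias)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def fingerprint(pin, registry_key):
    """Keyed hash kept in the duplicate registry so it never holds clear PINs."""
    return hmac.new(registry_key, pin.encode(), hashlib.sha256).hexdigest()


def generate_batch(count, issued, registry_key, digits=PIN_DIGITS):
    """Return (PINs, rejected draws); no PIN repeats in the batch or in `issued`.

    `issued` is the set of fingerprints of every PIN produced so far and is
    updated in place. The rejected count belongs in the audit record.
    """
    batch, rejected = [], 0
    while len(batch) < count:
        pin = generate_pin(digits)
        tag = fingerprint(pin, registry_key)
        if tag in issued:
            rejected += 1  # duplicate of an earlier PIN: discard and redraw
            continue
        issued.add(tag)
        batch.append(pin)
    return batch, rejected


def monobit_p_value(data):
    """Frequency (monobit) test from NIST SP 800-22; p below 0.01 is a fail."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))
```

The monobit check is a single statistical test; a periodic evaluation would run a full suite over raw generator output and keep the results as evidence.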

    Encryption Keys

    Encryption keys used for data protection should be generated, exchanged and stored securely.

    Auditability and Accountability

    The production process should be controlled by an audit trail that provides a complete record of, and individual accountability for:

    Data generation and processing.

    Personalisation.

    Re-personalisation.

    Access to sensitive data.

    Production of customer output files.

    Auditable dual-control and 4-eyes principle should be applied to sensitive steps of data processing.


    Data Integrity

    Controls should be in place to ensure that the same authorized data from the correct source is used for production and supplied to the customer.

    Where PIN data is transmitted, non-repudiation mechanisms must be applied and the receiving party should acknowledge the transmission of data.

    Duplicate Production

    Controls should be in place to prevent duplicate production.

    Internal Audit

    Production data controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

    LOGISTICS AND PRODUCTION MANAGEMENT

    Personnel Issues

    Clear security rules should govern the manner in which employees engaged in such activities should operate within the sensitive process. Relevant guidelines should be in place and communicated to all relevant staff.

    Personnel security issues such as the wearing of appropriate uniforms in high-risk areas and search procedures for employees leaving the site should also be documented and enforced.

    Order Management and Purchasing

    Comprehensive procedures should be documented to govern all elements of the procurement process. Procedures should address levels of authority to purchase items, order formats and the process of signature comparison. Segregation between points of order and points of receipt must be clearly defined.

    Control of Raw Materials

    Detailed procedures should be documented to control the management (receipt, storage, distribution and reconciliation) of all raw materials.

    Control of Design Media

    Design media should be under appropriate control in both electronic and physical forms, to help reduce the risk of counterfeiting.


    Control of Production

    The production process should be controlled by an audit trail that:

    Ensures that the numbers of class 1 and 2 assets created, processed, rejected and destroyed are completely accounted for.

    Ensures that the responsible individuals are traceable and can be held accountable.

    Demands escalation where discrepancies or other security incidents are identified.

    The stock of all Class 1 assets must be subject to end-to-end reconciliation in order that every element can be accounted for.

    Auditable dual-control and 4-eyes principle should be applied to sensitive steps of the production process, including:

    Control of the quantity of assets entering the personalisation process.

    Control of the quantity of assets packaged for dispatch to customers.

    Destruction of rejected assets.

    Application of 4-eyes principle should be auditable through production records and CCTV.

    Regular audits should be undertaken to ensure the integrity of production controls and the audit trail.

    Suppliers must demonstrate an ability to prevent unauthorised duplication within the production process during personalisation and re-personalisation.

    Access to PIN data should be appropriately controlled through the manufacturing process:

    The manufacturer should ensure that the PIN is not visible to employees or any other external elements prior to the application of the security mask.

    PINs should not be visible to the employees whilst the personalisation process is taking place.

    The manufacturer should take all reasonable steps to ensure the time between personalisation and masking is kept to a minimum (ideally 2-5 seconds) where an in-line printing process is employed.

    Where in-line printing is not employed and the process for personalisation and masking is physically separate, personalised product, whether in single or sheet format, should be covered and secured during transit periods. Personalised but unmasked product and finished product should always be stored in a secure location (vault/cage). Access to these products must be strictly controlled.


    Live data (real PINs) should not be used for the pre-print runs or machine setup.

    All machine set up prints should be securely destroyed in line with those applied to bad product / rejects.

    Where machine breakdowns, production interruption or the remaking of damaged or spoiled cards occurs, PINs should not be visible.

    Destruction

    A detailed procedure and auditable process should be implemented to manage the destruction of all bad production. The integrity of the disposal process should be guaranteed through the application of dual control measures (four eyes principle). PINs should never be exposed regardless of the circumstances.

    The physical process of destruction should be backed up by documentary, visual evidence and CCTV recordings, which together with logs and records should be audited on a regular basis to ensure compliance. Where the destruction process is out-sourced, methods and non-disclosure agreements should be examined and the manufacturer should satisfy itself that confidentiality and integrity are not compromised.

    Storage

    There should be detailed procedures outlining the manner in which finished stock, stock awaiting despatch and other stock items are segregated and secured in the store.

    Personalised product should be stored securely prior to dispatch to preserve the integrity of the batches. Where personalised product is stored for extended periods additional controls should be in place.

    Packaging and Delivery

    The way in which finished stock is packed and the tamper resistance of the packing materials should be physically tested.

    Secure delivery procedures should be agreed between the customer and the manufacturer which should include agreed delivery addresses and the method of delivery.

    Collection and delivery notes must be positively identified. Goods should only be handed over following the production of the appropriate authority documents. A receipt should be obtained.

    Internal Audit

    Production security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

