PCI Opens RFC for Card Production and Provisioning Security Standards v3.0.1
The PCI Security Standards Council has launched a 30-day request for comments period from February 13 to March 16, 2026, for the draft PCI Card Production and Provisioning Physical and Logical Security Standards v3.0.1. Eligible PCI SSC stakeholders are invited to review and provide feedback on the updated standards that govern physical and digital security requirements for payment card manufacturing and provisioning processes.
PCI Security Standards Council Opens RFC for Card Production Standards Update
The Payment Card Industry Security Standards Council (PCI SSC) has announced a 30-day request for comments (RFC) period for the draft PCI Card Production and Provisioning Physical and Logical Security Standards version 3.0.1, running from February 13 through March 16, 2026.
What Are Card Production and Provisioning Standards?
The PCI Card Production and Provisioning Physical and Logical Security Standards establish comprehensive security requirements for organizations involved in the manufacturing, personalization, and provisioning of payment cards. These standards address both physical security measures for card production facilities and logical security controls for digital card provisioning processes.
The standards cover critical areas including:
- Physical access controls and facility security
- Personnel security and background checks
- Secure card manufacturing processes
- Digital key management and cryptographic operations
- Incident response and security monitoring
- Vendor and supply chain security requirements
Who Is Affected by These Standards?
The updated standards will impact several key stakeholder groups in the payment card ecosystem:
Card Manufacturers and Personalizers: Organizations that produce physical payment cards must comply with stringent physical security requirements, including secure facilities, controlled access, and tamper-evident processes.
Digital Card Provisioning Services: Companies providing mobile wallet provisioning and digital card services must implement robust logical security controls to protect sensitive authentication data and cryptographic keys.
Technology Service Providers: Vendors supporting card production and provisioning operations through software, hardware, or services must meet applicable security requirements.
Key Compliance Implications
The version 3.0.1 update likely addresses emerging threats and incorporates lessons learned from the implementation of previous versions. Organizations should expect potential changes in:
Enhanced Security Controls: Updates may introduce more stringent requirements for protecting sensitive authentication data and improving incident detection capabilities.
Supply Chain Security: Given increasing focus on third-party risk management, the update may include expanded vendor oversight and supply chain security requirements.
Digital Transformation Alignment: As payment methods evolve toward digital-first experiences, the standards may better address cloud-based provisioning and mobile payment technologies.
What Organizations Should Do Now
Eligible Stakeholders: PCI SSC participating organizations, qualified security assessors, and other authorized stakeholders should actively participate in the RFC process. This is a critical opportunity to influence standards that will govern operations for years to come.
Review and Feedback: Organizations should thoroughly review the draft standards, focusing on areas that directly impact their operations. Feedback should be specific, actionable, and supported by business justification.
Gap Analysis Preparation: Even non-participating organizations should begin a preliminary gap analysis against their current compliance posture, as the final standards will eventually require implementation.
Stakeholder Engagement: Internal teams including security, compliance, operations, and legal should collaborate to provide comprehensive feedback that addresses technical feasibility and business impact.
Implementation Timeline Considerations
While the RFC period concludes on March 16, 2026, organizations should anticipate additional time for PCI SSC to incorporate feedback and publish final standards. Typically, implementation timelines provide 12-18 months for organizations to achieve compliance with new requirements.
Proactive engagement during the RFC period not only helps shape industry standards but also provides early insight into upcoming compliance requirements, enabling better strategic planning and resource allocation.
Frequently Asked Questions
Who can participate in the PCI Card Production Standards RFC?
Only eligible PCI SSC stakeholders, including participating organizations, qualified security assessors, and other authorized entities, can participate in the RFC process.
When does the PCI Card Production Standards v3.0.1 RFC period end?
The request for comments period runs from February 13, 2026, through March 16, 2026, providing a 30-day window for stakeholder feedback.
What organizations must comply with PCI Card Production Standards?
Card manufacturers, personalizers, digital card provisioning services, and technology service providers supporting card production and provisioning operations must comply with these standards.
How long do organizations typically have to implement new PCI standards?
PCI SSC typically provides implementation timelines of 12-18 months after final standards publication, allowing organizations time to achieve compliance with new requirements.
What areas do PCI Card Production Standards cover?
The standards cover physical facility security, personnel controls, secure manufacturing processes, digital key management, cryptographic operations, incident response, and vendor security requirements.