Establish and maintain the physical security of non-issued payment cards.
CONTROL ID 06402
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a physical security program., CC ID: 11757
This Control has the following implementation support Control(s):
Establish, implement, and maintain payment card disposal procedures., CC ID: 16137
Control the issuance of payment cards., CC ID: 06403
Inventory payment cards, as necessary., CC ID: 13547
Store non-issued payment cards in a lockable cabinet or safe., CC ID: 06404
Deliver payment cards to customers using secure methods., CC ID: 06405
Establish, implement, and maintain payment card usage security measures., CC ID: 06406
Notify customers about payment card usage security measures., CC ID: 06407
Establish, implement, and maintain payment card disposal procedures., CC ID: 16135
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
O51: For its computer center, head and branch offices, and affiliates, the organization shall establish a method for managing cards that includes following procedures for issuing, granting, retrieving, storing, and destroying cards to ensure security and to smoothly perform card-related operations.
… (O51, O99, O99.2, O101, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
It is necessary to define the procedures for the disposal of cards that cannot be used due to creation errors, design changes, etc., and cards that are not delivered for a long time or retrieved due to account closure, such as disposing of cards by cutting and burning them with the attendance of a r… (P107.8., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
Assess whether inventory controls for plastic card stock make them physically secure. (App A Tier 2 Objectives and Procedures D.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)