Establish, implement, and maintain returned card procedures.
CONTROL ID 13567
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a physical security program., CC ID: 11757
This Control has the following implementation support Control(s):
Refrain from distributing returned cards to staff with the responsibility for payment card issuance., CC ID: 13572
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
When a card sent by registered mail has been returned, it is necessary to properly manage it by a specified method; for example, an officer may fully manage the card by use of a storage and management ledger, etc. (P107.7. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
Note that if the reason for the return is "address unknown," in principle, the card must be destroyed. (P107.7. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
In order to prevent and deter misconduct, it is necessary to follow the set procedures for issuing (reissuing is included), storing, delivering, retrieving, and destroying cards. (P107.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
Determine whether the institution destroys captured and spoiled cards under dual control and maintains records of all destroyed cards. (App A Tier 2 Objectives and Procedures D.12, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)