
TS3 SECURITY ACCREDITATION SCHEME - AUDIT STANDARD

APRIL 2007
Version 1.0

The information contained in this document may be subject to change without prior notice. TS3Alliance does not make any representation, warranty or undertaking (express or implied) with respect to, and does not accept any responsibility for (and hereby disclaims liability for), the accuracy or completeness of information contained in this document.

TS3 SECURITY ACCREDITATION SCHEME STANDARD

CONTENTS
GENERAL
OBJECTIVES OF THE STANDARD
INTRODUCTION AND SCOPE
    INTRODUCTION
    SCOPE
DEFINITIONS
MANUFACTURING CYCLE
THE THREATS
ASSET CLASSIFICATION AND SECURITY REQUIREMENTS
SECURITY REQUIREMENTS
    POLICY, STRATEGY AND DOCUMENTATION
        Policy
        Strategy
        Business Continuity Plan
        Internal Audit
    ORGANISATION AND RESPONSIBILITY
        Organisation
        Responsibility
        Contract and Liability
    INFORMATION
        Classification
        Data and Media Handling
    PERSONNEL
        Job Descriptions
        Personnel Vetting
        Acceptance of Security Rules
        Disciplinary / Staff Exit Procedures
    PHYSICAL SECURITY
        Environment of the Site
        Construction Standards
        Security Plan
        Physical Protection
        Access Control
        Security Staff
        Security Procedures
        Internal Audit
    IT SECURITY
        Policy
        Segregation of Duties
        Access Control
        Network Security
        Virus Control
        Data Backup
        Audit and Monitoring
        Insecure Terminal Access
        External Facilities Management
        Systems Development and Maintenance
        Security Weaknesses and Incidents
        Media Handling
        Internal Audit
    PRODUCTION DATA MANAGEMENT
        Data Transfer
        Access to Sensitive Data
        Data Generation
        Encryption Keys
        Auditability and Accountability
        Data Integrity
        Duplicate Production
        Internal Audit
    LOGISTICS AND PRODUCTION MANAGEMENT
        Personnel Issues
        Order Management and Purchasing
        Control of Raw Materials
        Control of Design Media
        Control of Production
        Destruction
        Storage
        Packaging and Delivery
        Internal Audit


GENERAL
Prepaid systems remain a key area of growth within the mobile services arena. The use of physical recharge tokens - scratchcards or vouchers - as a method of distributing pre-paid value to customers also remains commonplace. The manufacture of such recharge tokens carries significant risk for the operator; risk which is sometimes overlooked. Manufacturers themselves may introduce certain risks to operators and many are unaware of the inherent fraud risks surrounding prepaid scratchcards and the potential impact compromise of product could have on an operator. The purpose of this document is to provide operators and manufacturers with a set of minimum security requirements to ensure appropriate security measures are applied to the manufacturing cycle of prepaid scratchcards.

OBJECTIVES OF THE STANDARD


The objective of the standard is to:
- Manage to an acceptable level the risks operators expose themselves to by working with a manufacturer.
- Provide a set of auditable security requirements to allow scratchcard suppliers to provide assurance to their customers that potential risks are under control and that appropriate security measures are in place.

INTRODUCTION AND SCOPE


INTRODUCTION

This standard has been developed using the same principal requirements outlined in the GSM Association's Security Accreditation Scheme (see http://www.gsmworld.com/using/sas). This standard recognises that, unlike early participants in the GSM SAS (Eurosmart members), many prepaid scratch card manufacturers have not had exposure to international security standards. Indeed, many manufacturers have migrated from production and printing of lower-risk products. To this end, time has been taken to explain in more detail the specific requirements for each element in the standard but care has also been taken to ensure that the standard is not overly prescriptive. The focus of this standard is aimed at ensuring that the security risk is adequately addressed in an appropriate way, rather than using a specified approach.


SCOPE

The scope of this standard is restricted to security issues relating to the manufacture and supply of prepaid scratch cards only and includes:
- Manufacturing cycle and processes.
- Assets to be protected.
- Risk and threats.
- Security requirements.

To further reduce the risks for operators it is acknowledged that the security objectives must continue to be met after the personalisation phases where the manufacturer is responsible for delivery.

Note: This standard does not relate to the security features applied to the prepaid scratchcard itself or the physical make up of cards in either paper or plastic format. It is assumed that the operator will have conducted off site evaluations of the security strengths of the manufacturer's prepaid scratchcards and satisfied itself that these cannot be compromised.

DEFINITIONS
Manufacturer: The manufacturer of the recharge token (scratchcard). Although the manufacturer may carry out production at a number of sites, certification under the TS3 scheme will be focused on individual production sites.

Operator: The organisation which has contracted the manufacturer to produce and supply the recharge tokens. Although this standard and the TS3 certification scheme has been conceived around the manufacture and supply of prepaid scratchcards for telecoms operators, it may also be applied to manufacture of similar assets for other purposes.

Scratchcard: The recharge token itself - also known as a recharge voucher. This represents a plastic or paper based card with a scratch-off panel that protects a printed secret code.

Recharge: The process of adding more credit to a prepaid account. This can be done by a variety of means including scratchcards, ATMs, electronic payment solutions or credit cards.

Prepaid Fraud: Fraud committed on a prepaid mobile account. It comprises other types of fraud such as technical fraud, roaming fraud and so on, but also takes advantage of things that are specific to the prepaid market such as recharge methods.


PIN: The Personal Identification Number associated with the recharge token. May also be referred to as a TUN (Top-Up Number) or Hidden Recharge Number (HRN). The PIN is entered by the customer using an interactive response system or on-line application and validated by a system within the operator's infrastructure. On successful validation the credit value associated with the recharge token is transferred to the customer's pre-paid account.

Dual Control: An action that must be performed with two people present, also commonly referred to as the four eyes principle.

Personalisation: The process by which the PIN number and associated information is applied to the scratchcard.

Masking: The process by which a concealment mechanism is applied to the PIN during the manufacturing process. The Mask is intended to protect the PIN from unauthorised use until the recharge token is purchased for use by a customer.

Mismatch: Occurs when the unique PIN does not correspond to the unique card serial number associated to the prepaid scratchcard.

Card Serial Number: An identification number sometimes applied to prepaid recharge tokens, helping to support auditability and traceability.

Duplicate: Two or more prepaid scratchcards personalised with the same PIN/TUN or serial number.

Reject: Partly finished or finished product that may contain sensitive information that has been manually or automatically rejected from the manufacturing cycle.
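A reconciliation check for the Duplicate and Mismatch conditions defined above, as an added example that is not part of the standard: it compares records read back after personalisation with the PIN data file and reports exceptions by card serial number only. The (serial, PIN) record layout, the sample values and the function names are assumptions constructed for illustration.

```python
"""Added example: reconcile personalised cards against the PIN data file.

Assumed inputs (not defined by the standard): two lists of (serial, PIN)
records, one from the PIN data file and one read back after personalisation.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: these are not real PINs or serial numbers.
PIN_DATA_FILE = [
    ("SN0001", "483920175566"),
    ("SN0002", "771204958813"),
    ("SN0003", "305718864429"),
    ("SN0004", "918273645501"),
    ("SN0005", "264890137752"),
    ("SN0006", "650431298870"),
]
PERSONALISED = [
    ("SN0001", "483920175566"),
    ("SN0002", "305718864429"),  # carries the PIN issued for SN0003
    ("SN0003", "305718864429"),
    ("SN0004", "918273645501"),
    ("SN0004", "918273645501"),  # same card produced twice
    ("SN0006", "650431298870"),
    ("SN0009", "112233445566"),  # serial never issued in the data file
]


def _digest(key, pin):
    """Keyed digest so clear PINs are never held in the comparison tables."""
    return hmac.new(key, pin.encode(), hashlib.sha256).digest()


def reconcile(issued, produced):
    """Return an exception report that contains serial numbers only."""
    key = secrets.token_bytes(32)  # per-run key: digests are useless afterwards
    expected = {serial: _digest(key, pin) for serial, pin in issued}

    seen_serials = defaultdict(int)
    serials_by_pin = defaultdict(set)
    mismatches, unknown = set(), set()

    for serial, pin in produced:
        d = _digest(key, pin)
        seen_serials[serial] += 1
        serials_by_pin[d].add(serial)
        if serial not in expected:
            unknown.add(serial)
        elif not hmac.compare_digest(expected[serial], d):
            mismatches.add(serial)  # PIN does not correspond to the serial

    return {
        # Same serial personalised more than once.
        "duplicate_serials": sorted(s for s, n in seen_serials.items() if n > 1),
        # Same PIN on cards with different serials.
        "duplicate_pins": sorted(
            tuple(sorted(group))
            for group in serials_by_pin.values()
            if len(group) > 1
        ),
        "mismatches": sorted(mismatches),
        "unknown_serials": sorted(unknown),
        # Issued but not produced: must be accounted for (e.g. as rejects).
        "missing_serials": sorted(set(expected) - set(seen_serials)),
    }


if __name__ == "__main__":
    for finding, serials in reconcile(PIN_DATA_FILE, PERSONALISED).items():
        print(f"{finding}: {serials}")
```

The report deliberately omits PIN values so that it can be handled at a lower classification than the PIN data file itself.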

MANUFACTURING CYCLE
The following stages represent the manufacturing cycle of the prepaid scratchcard from receipt of PIN data through to distribution of the final product:

Production: The first stage in the prepaid scratchcard manufacturing cycle. Typically includes the following processes:
- Receipt or generation of the PIN data file.
- Manipulation of PIN data file for production.
- Transfer of PIN data file to production.
- Printing (base card stock).
- Personalisation / masking.
- Fulfilment (product bundling and packaging).

Storage: The second phase in the manufacturing cycle. Typically includes:
- Receipt of both data and product from the production phase and storage prior to transfer to the operator.

Distribution: The final stage in the manufacturing cycle. Typically includes:
- Physical transfer of product (to either the operator or into the operator's distribution network).
- Notification to the operator of the order / batch numbers distributed for uploading onto the operator's platform.

THE THREATS
Fraud may be perpetrated throughout the manufacturing cycle in a number of different ways, including both external (contractors, suppliers or engineers) and internal (employees) elements. For this reason, prepaid scratchcards must be protected throughout the entire manufacturing cycle. The risk analysis has been completed to identify the main threats to the scratch card manufacturer. The list is not intended to be exhaustive:
PROCESS: Production

THREAT
- Theft: illegally obtaining PINs or scratchcards.
- Forgery: reproduction or alteration of prepaid scratchcards.
- Disclosure: visibility or unauthorised observation of secret codes.
- Duplication: two or more cards that have the same unique PIN.
- Guessing: estimation of the PIN where PIN lengths or the quality of random number generator are weak.
- Access to sensitive data: gain access to the secret codes during the manufacturing process.
- Access to sensitive data during transmission from the operator to manufacturer.

THREAT SOURCE
- Manufacturer's staff authorised to be involved during the production stage.
- Manufacturer's staff not authorised to be involved during the production stage.
- External elements: contractors or subcontractors working onsite or remotely who may have access to the production process.
- Internal or external personnel with access to intercept data during transmission / transfer.

PROCESS: Storage

THREAT
- Robbery: physical attacks on storage facilities of product or data.
- Collusion/physical access: facilitated theft of product or data.
- Stock reconciliation error: discrepancy between physical and theoretical stock.

THREAT SOURCE
- Manufacturer's staff.
- External elements.
- Manufacturer's staff and external elements in collusion.

PROCESS: Distribution

THREAT
- Theft of assets: theft of vouchers at any stage in the distribution process.
- Stock reconciliation error: variance in the value of stock produced, stored and distributed to the operator.
- Lost assets: loss of vouchers in the distribution process.

THREAT SOURCE
- Manufacturer's staff and external elements in collusion.
- External transportation or shipping agents.

ASSET CLASSIFICATION AND SECURITY REQUIREMENTS


Recognising that certain risks require greater protection and to ensure that the most appropriate security controls are employed to protect security critical information and equipment, the following classification structure is suggested:
SECURITY CLASSIFICATION: CLASS 1, CLASS 2

ASSET (MATERIAL/DATA)
- PIN data file.
- Encryption keys.
- Personalised product.
- Design media.
- Printed unpersonalised product.
- Customer order details/signatures.
- Foils, holograms, masking materials, etc.

SECURITY RELEVANCE
- CLASS 1: Information or product components likely to cause severe damage or loss if stolen or compromised.
- CLASS 2: Information, equipment or components likely to cause moderate damage/loss if stolen or compromised.

STRENGTH OF SECURITY REQUIRED
- CLASS 1: High security installation. Strong security mechanisms.
- CLASS 2: Secure installation. Medium security mechanism.

SECURITY REQUIREMENTS
In order to consider whether the card manufacturing and personalisation processes are secure, certain requirements must be met. These requirements, which are outlined below, are considered as minimum security requirements applying to the environment in which the product is manufactured. It is recognised that it is possible to use alternative mechanisms or tools other than those described in this section if they achieve the same security objective.


POLICY, STRATEGY AND DOCUMENTATION

Policy

Security policy document(s) should be in place which contain statements defining:
- The overall security objectives.
- Rules and procedures relating to the security of the processes.
- Sensitive information and asset management.

Employees should understand and have access to the policy and its application should be checked periodically.

Strategy

A coherent security strategy must be defined based on a clear understanding of the risks. The strategy should use periodic risk assessment as the basis for defining, implementing and updating the site security system. The strategy should be reviewed regularly to ensure that it reflects the changing security environment through ongoing re-assessment of risks.

Business Continuity Plan

A Business Continuity Plan should be in place in the event of production-affecting incidents. The plan should demonstrate that all risks including natural and manmade have been taken into consideration. A crisis management team should exist to execute the plan in the event of a disaster scenario.

Internal Audit

The overall security management system should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure its continued correct operation.


ORGANISATION AND RESPONSIBILITY

Organisation

To successfully manage security, a defined organisation structure should be established with appropriate allocation of security responsibilities. The management structure should be capable of co-ordinating security measures through a cross-functional team.

Responsibility

There should be a senior manager nominated with overall responsibility for all security matters. There should be a nominated employee with day-to-day responsibility for security. The responsibility for the protection of individual assets and for carrying out specific security processes should be explicitly defined and documented in order to protect security critical information, product and equipment.

Contract and Liability

Any agreement between the operator and manufacturer should clearly apportion responsibility for loss during all stages of production, storage and distribution of prepaid scratchcards. The manufacturer should ensure that appropriate cover is in place for its liabilities. Such cover should be appropriately authorised based on an assessment of risk. Where third parties are responsible for part(s) of the process, the manufacturer should ensure that transfer of, and cover for, liability has been considered. A register of operator authorised ordering personnel should be maintained along with sample signatures. These signatures should be compared for orders received and deviations challenged at a senior level in the operation.

INFORMATION

Classification

Security classifications should be used to indicate the appropriate level of security protection. Protection for classified information should be consistent with business needs. Classified information should be labelled correctly in all its forms, e.g. on paper or output media from a system.


Data and Media Handling

Access to sensitive information and assets must always be governed by an overall need to know principle. Guidelines should be in place governing the handling of data and other media, including a clear desk policy. Guidelines should describe the end-to-end lifecycle management for sensitive assets, considering creation, classification, processing, storage, transmission and disposal.

PERSONNEL

Job Descriptions

Security should be addressed at the job / role definition stage and whenever those definitions are changed.

Personnel Vetting

Procedures should incorporate the need for pre-employment screening of applicants selected for sensitive positions or those who have access to confidential information. Security staff should be subject to positive vetting and should be recruited from recognised security backgrounds.

Acceptance of Security Rules

All employees, contractors and temporary staff should sign a confidentiality agreement. Employees should read the security policy and record their understanding of the contents and the conditions they impose. Key individuals should be trained in security procedures and the correct use of facilities. Key individuals should be given adequate security education and technical training.

Disciplinary / Staff Exit Procedures

Disciplinary procedures should be documented and exit procedures for staff, leaving or dismissed, put in place.


PHYSICAL SECURITY

Environment of the Site

The environment of the site should provide layered security measures providing primary preventative measures and secondary detection systems (CCTV / alarms). Aspects of this concept could include the provision of good levels of illumination, the removal of dense, high growing shrubs and trees that interrupt natural surveillance and provide shelter for criminals as well as good crime analysis and the control of both pedestrian and vehicular through traffic.

Construction Standards

Building construction should be of a solid material offering reasonable resistance to forcible attack. Building materials should be robust and inspected in line with the annual risk reviews.

Security Plan

Layers of physical security control should be used to protect the sensitive process according to a clearly defined and understood strategy. The strategy should apply controls relevant to the assets and risks identified through risk assessments. The strategy should be encapsulated in a security plan that:
- Defines a clear site perimeter / boundary.
- Defines one or more levels of secure area within the boundary of the site perimeter.
- Maps the creation, storage and processing of sensitive assets to the secure areas.
- Defines physical security protection standards for each level of the secure area.

Physical Protection

The protection standards defined in the security plan should be appropriately deployed throughout the site, to include:
- Deterrent to attack or unauthorized entry.
- Physical protection of the building and secure areas capable of resisting attack for an appropriate period.
- Mechanisms for early detection of attempted attack against, or unauthorized entry into, the secure areas at vulnerable points.
- Control of access through normal entry / exit points into the building and sensitive process to prevent unauthorized access.
- Effective controls to manage security during times of emergency egress from the secure areas and buildings.
- Mechanisms for identifying attempted, or successful, unauthorized access to, or within the site.
- Mechanisms for monitoring and providing auditability of, authorised and unauthorised activities within the sensitive process.

Controls deployed should be clearly documented and up-to-date. Controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

Where Intruder Detection Systems are installed, they should:
- Fulfil four key functions:
    - To reliably detect the presence of humans.
    - To reliably detect penetration of physical barriers.
    - To provoke an immediate response to an activation.
    - To minimise false (or nuisance) alarms.
- Be tested regularly to ensure:
    - Correct operation with appropriate levels of sensitivity.
    - Monitoring and response times are appropriate and timely.
    - Remote signalling via telephone or radio networks functions correctly.

Key areas such as the perimeter, open areas between the perimeter and buildings, pedestrian and vehicle access points and the building interior should be provided with sufficient illumination to aid in direct observation (security manpower) and should be of sufficient strength so as not to impair the recordings from Closed Circuit Television (CCTV).

Where CCTV is employed it should:
- Be covered by a siting plan that highlights any sterile detection zones.
- Provide appropriate picture quality for the purpose with sufficient recording storage from the time an event was detected back to when the event occurred.
- Securely store images for a period of not less than three months.

Archived recordings should be subject to regular audit to establish the playback quality and secure storage measures.

Access Control

Access rights to buildings and secure areas should be clearly defined and controlled on a need to be there basis. Appropriate procedures should be in place to control, authorise, and monitor access to, and within, each area. Regular audits should be undertaken to monitor access control to secure areas.


Access control procedures and systems should be evaluated regularly to ensure that processes are appropriate and observed. The standard of security glazing for ground level and accessible perimeter windows to secure areas should be of sufficient construction to protect against forced entry. Consideration should be given to the use of anti-bandit glazing similar to that used in banks. If anti-bandit type glazing is not fitted then burglar bars or physical barriers should be considered. The construction of doors should be sufficient to afford protection to the perimeter of the building whether they are utilised for pedestrian or vehicle access. Door security must take account of emergency and exit door requirements. Where roof openings are necessary they should be treated, from a security view, as openings located elsewhere in the perimeter of the building premises. Locks should be commensurate with a high security specification and be resistant to wear, manipulation and attack.

Security Staff

Where security staff (in-house and / or contract) are employed, consideration should be given to the following:
- Manpower levels.
- Vetting process.
- Reporting structures.
- Training levels.
- Job descriptions.
- Rosters.
- Technical competency.
- Standard operating procedures.
- Emergency response procedures.
- Communications.

In cases where the security guarding function is outsourced additional areas such as contract supervision, contractual agreements and insurance liabilities should be carefully reviewed.

Security Procedures

Security procedures should be documented and records maintained to establish when they were created and published. Security procedures should be disseminated according to documented criteria and should clearly indicate when they were last updated, amended and tested.

Internal Audit

Physical security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.


IT SECURITY

Policy

A documented IT security policy must be in place. The policy must have a dedicated owner, be regularly updated in line with company and product developments and be well understood by employees.

Segregation of Duties

Responsibilities and procedures for the management and operation of computers and networks should be established. Security related duties should be segregated from operational activities to minimise risk.

Access Control

Physical access to sensitive computer facilities should be controlled. An access control policy should be in place and procedures should govern the granting of access rights with a limit placed on the use of special privilege users.

Detailed processes and procedures should be employed to create, manage and remove user accounts. The authority levels required to request a new user account and the policies that are followed relating to access privileges must be clearly defined. Requests to change user privileges must be authorised and handled and the processes in place should ensure that user accounts are removed when no longer required or are reviewed when a user changes job function.

Logical access to IT services should be via a secure logon procedure. Password management processes and procedures should appropriately manage the creation of new user accounts, transmission of the user identity and password to the user, the user's first log on and successive logons, the user's ability to change and select their own passwords, any password rules that govern the structure of passwords and policies or mechanisms to prompt or force regular changes to passwords. Processes for requesting password resets and for verifying the identity of the user making the request should also be documented. Enhanced authentication (e.g. two-factor) should be deployed where remote access is granted.


Network Security

Systems and data networks used for the processing and storage of sensitive data should be housed in an appropriate environment and logically or physically separated from insecure networks. Data transfer between secure and insecure networks must be strictly controlled according to a documented policy defined on a principle of minimum access.

Virus Control

Anti-virus protection should be employed throughout the networks and all computers should have anti-virus software installed. A defined process should be employed to keep virus protection up-to-date.

Data Backup

The manufacturer should demonstrate its capability to protect against, and recover from, data loss. Backup and restore processes together with the frequency of backups, type of backup (incremental or full), content of backup, media used for backup, format of backup data, location of stored backups, physical and logical access to and protection of backups, production of backup logs and responsibility for backups should all be clearly defined and documented. A restore programme should be operated to test the effectiveness of backups and results regularly evaluated.

Audit and Monitoring

System activity logs should be maintained and reviewed on a regular basis. Audit rules applied should, as a minimum, include logging of all user sign in and sign out, unsuccessful login attempts, changes to user privileges, access to specific files, etc. and what level of information is provided in the audit log (e.g. date, time, user identity, machine identity, activity performed, etc.). Records should be of a sufficient standard to generate network security statistics which in the event of an attack could be used by the administrator to determine what happened, who did it and when it occurred.

Insecure Terminal Access

Appropriate measures should be in place to protect insecure workstations from unauthorised use. The password-protected time-out of workstations and physical drive locks should be regularly reviewed and drive lock key control procedures implemented.

Access to diagnostic and network ports should be securely controlled.

External Facilities Management
External facilities management contracts must provide for appropriate controls to protect the business from the additional exposure.

Systems Development and Maintenance
Security requirements of systems should be identified at the outset of their procurement and these factors should be taken into account when sourcing them. Where IT development facilities for issues such as the development of applications or of routines to manipulate customer data are employed, there must be clear separation of the development environment from the operational environment.

Security Weaknesses and Incidents
Procedures should be provided which outline the reporting of security weaknesses in the network. Systems should be in place to inform the correct management function of a weakness or of a software malfunction. The reporting channel should be tested to evaluate its efficiency. Documented procedures should be in place to correct and recover from a security breach. Only clearly identified and authorised recovery staff should be allowed access to live systems and data and all emergency actions taken should be documented in detail and reported to the correct management function.

Media Handling
Media management procedures and processes should be defined to ensure that all removable computer media is handled in a secure manner. The processes should include labelling, destruction method and how it is protected in terms of availability and integrity. Disposal of equipment must be carried out according to a secure procedure that considers the risk of sensitive data being present on the equipment for disposal.

Internal Audit
IT security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

PRODUCTION DATA MANAGEMENT

Data Transfer
Manufacturers should take responsibility to ensure that electronic data transfer between themselves and other third parties is appropriately secured.

Access to Sensitive Data
Manufacturers should prevent direct access to sensitive production data. User access to sensitive data should be possible only where absolutely necessary. All access must be auditable to identify the date, time, activity and person responsible.

Data Generation
As part of the personalisation process secret data may be generated for personalisation. Where such generation takes place:
- The quality of the number generator in use should be subject to appropriate testing on a periodic basis. Evidence of testing, and successful results, should be available.
- Clear, auditable, controls should be in place surrounding the use of the number generator to ensure that data is taken from the appropriate source.
- Appropriate controls should be in place to prevent generation of duplicates.

Encryption Keys
Encryption keys used for data protection should be generated, exchanged and stored securely.

Auditability and Accountability
The production process should be controlled by an audit trail that provides a complete record of, and individual accountability for:
- Data generation and processing.
- Personalisation.
- Re-personalisation.
- Access to sensitive data.
- Production of customer output files.

Auditable dual-control and 4-eyes principle should be applied to sensitive steps of data processing.

Data Integrity
Controls should be in place to ensure that the same authorized data from the correct source is used for production and supplied to the customer. Where PIN data is transmitted, non-repudiation mechanisms must be applied and the receiving party should acknowledge the transmission of data.

Duplicate Production
Controls should be in place to prevent duplicate production.

Internal Audit
Production data controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.

LOGISTICS AND PRODUCTION MANAGEMENT

Personnel Issues
Clear security rules should govern the manner in which employees engaged in such activities should operate within the sensitive process. Relevant guidelines should be in place and communicated to all relevant staff. Personnel security issues such as the wearing of appropriate uniforms in high-risk areas and search procedures for employees leaving the site should also be documented and enforced.

Order Management and Purchasing
Comprehensive procedures should be documented to govern all elements of the procurement process. Procedures should address levels of authority to purchase items, order formats and the process of signature comparison. Segregation between points of order and points of receipt must be clearly defined.

Control of Raw Materials
Detailed procedures should be documented to control the management (receipt, storage, distribution and reconciliation) of all raw materials.

Control of Design Media
Design media should be under appropriate control in both electronic and physical forms, to help reduce the risk of counterfeiting.

Control of Production
The production process should be controlled by an audit trail that:
- Ensures that the numbers of class 1 and 2 assets created, processed, rejected and destroyed are completely accounted for.
- Ensures that the responsible individuals are traceable and can be held accountable.
- Demands escalation where discrepancies or other security incidents are identified.

The stock of all Class 1 assets must be subject to end-to-end reconciliation in order that every element can be accounted for.

Auditable dual-control and 4-eyes principle should be applied to sensitive steps of the production process, including:
- Control of the quantity of assets entering the personalisation process.
- Control of the quantity of assets packaged for dispatch to customers.
- Destruction of rejected assets.

Application of 4-eyes principle should be auditable through production records and CCTV. Regular audits should be undertaken to ensure the integrity of production controls and the audit trail.

Suppliers must demonstrate an ability to prevent unauthorised duplication within the production process during personalisation and re-personalisation.

Access to PIN data should be appropriately controlled through the manufacturing process:
- The manufacturer should ensure that the PIN is not visible to employees or any other external elements prior to the application of the security mask.
- PINs should not be visible to the employees whilst the personalisation process is taking place.
- The manufacturer should take all reasonable steps to ensure the time between personalisation and masking is kept to a minimum (ideally 2 5 seconds) where an in-line printing process is employed.
- Where in-line printing is not employed and the process for personalisation and masking is physically separate, personalised product, whether in single or sheet format, should be covered and secured during transit periods.
- Personalised but unmasked product and finished product should always be stored in a secure location (vault/cage). Access to these products must be strictly controlled.

- Live data (real PINs) should not be used for the pre-print runs or machine setup.
- All machine set-up prints should be securely destroyed in line with the procedures applied to bad product / rejects.
- Where machine breakdowns, production interruption or the remaking of damaged or spoiled cards occur, PINs should not be visible.

Destruction
A detailed procedure and auditable process should be implemented to manage the destruction of all bad production. The integrity of the disposal process should be guaranteed through the application of dual control measures (four eyes principle). PINs should never be exposed regardless of the circumstances. The physical process of destruction should be backed up by documentary, visual evidence and CCTV recordings; these, together with logs and records, should be audited on a regular basis to ensure compliance. Where the destruction process is out-sourced, methods and non-disclosure agreements should be examined and the manufacturer should satisfy itself that confidentiality and integrity are not compromised.

Storage
There should be detailed procedures outlining the manner in which finished stock, stock awaiting despatch and other stock items are segregated and secured in the store. Personalised product should be stored securely prior to dispatch to preserve the integrity of the batches. Where personalised product is stored for extended periods, additional controls should be in place.

Packaging and Delivery
The way in which finished stock is packed and the tamper resistance of the packing materials should be physically tested. Secure delivery procedures should be agreed between the customer and the manufacturer which should include agreed delivery addresses and the method of delivery. Collection and delivery notes must be positively identified. Goods should only be handed over following the production of the appropriate authority documents. A receipt should be obtained.

Internal Audit
Production security controls should be subject to a rigorous programme of internal monitoring, audit and maintenance to ensure their continued correct operation.
