Card Provisioning & Instant Issuance – New Ways to Delight Customers, Old Standards of Third-Party Management

In the continuous search for customers, there are two trends that you may be considering: Instant Issuance and Card Provisioning. Institutions believe these services not only provide a competitive advantage in attracting new customers but also help keep existing customers satisfied. As you can imagine, providing these services carries an ever-growing risk, and just because the technology may come from a third party, don’t be tempted to believe that you are absolved of security responsibilities.

What are Instant Issuance Cards?
Instant Issuance means the ability to create credit and debit cards in the Branch, while the customer waits. This is considered much more convenient than having to wait seven to ten days for a new card to be delivered in the mail.

What’s the Risk?
By taking on this role, you are manufacturing, transporting, and personalizing the debit cards. The data transferred between the printer and the ordering device travels over data lines that need to be secured.

The systems, printers, and vendors that are used to manufacture the card must adhere to the standards set out by the PCI Security Standards Council (“PCI SSC”). The PCI SSC published revised standards in January 2017 ("Card Production and Provisioning Logical Security Requirements" and "Card Production and Provisioning Physical Security Requirements") that go into detail as to what is expected in the development, manufacturing, transporting, and personalization of credit or debit cards and their components. Additionally, the Standards are designed to protect against future fraudulent use, regardless of what instrument is used for payments.

When evaluating instant issuance, you should only work with providers that are Payment Card Industry Data Security Standards (“PCI DSS”) compliant, to ensure that all data is encrypted and securely transmitted between the financial institution’s printer and the third-party provider. Additionally, you should only install printers that meet the security guidelines of the card brands, and implement physical safeguards surrounding the storage of and access to blank cards.

What is Card Provisioning?
Card Provisioning is growing in popularity as a younger demographic of consumers prefers to use mobile devices to make payments rather than a physical card. Card provisioning is the process of adding a cardholder’s account information to a device via an over-the-air or over-the-internet communication channel.

What’s the Risk?
A third party does the provisioning, but authenticating and setting up the customer is your institution’s responsibility. Without a strong mobile wallet authentication strategy in place, the registration process will leave the wallet susceptible to fraud. You should follow the same requirements as for any other service offered through a vendor. It is critical that you obtain assurance that the vendor complies with standards such as the PCI Card Production and Provisioning Security Requirements.

The Threat is Real
No matter what the emerging product or service is, proper Third-Party Management is always a must. As the world adopts new payment technologies, criminals will work to exploit weaknesses in the processes supporting them. As card-free commerce becomes more relevant for consumers, financial institutions and mobile wallet issuers must evaluate the vulnerabilities of this channel. Keeping mobile wallet transactions secure has always been a focus, but additional attention should be placed on securing the mobile wallet at the point of card provisioning, and stopping fraud at the first layer. To keep up with this evolution, it is critical that you continue to provide security that is at least as good as what your consumers have come to expect from traditional card payments.

If you’re interested in learning more about this topic, contact Sean D. Goodwin, CCSP, CISA, CISSP, PCIP, QSA, IT Assurance Senior Consultant, at 617-261-8139 or