Audit Services

When manufacturing payment cards, any failings in your systems could compromise the security of your organisation and sensitive data. How do you currently assess security to ensure compliance? 


As a service provider to both MasterCard and Visa Inc., we provide PCI Card Production certification audits globally. NCC Group will ensure that your logical and physical security measures are up to the job and are compliant with industry standards.


We provide the following services:

  • PCI Card Production Audits and Consultancy
  • Over-The-Air (OTA) Personalisation Audits
  • Cloud-Based Payment Platform Security Audits
  • 3-D Secure Audits
  • PCI Pin Security Audits
  • GSMA Security Accreditation Scheme


PCI Card Production Audits & Consultancy

NCC Group is accredited by MasterCard, Visa, American Express and China Union Pay to perform audits of card production facilities including certification against PCI Card Production logical and physical security requirements. We were the first company accredited to conduct audits of smart card vendors and have gained unrivalled experience in helping card vendors worldwide achieve compliance and certification to industry standards. The NCC Group Audit team has expertise in all areas of card production including personalisation, manufacturing, PIN distribution, EMV & key management and mobile provisioning.

We also provide a broad range of consultancy services for card vendors to assist card vendors building up their facilities from ‘zero’, introducing new service lines or undergoing changes. We provide sound advice and practical assistance in reviewing construction plans and physical layouts of the facility, correct implementation of the access control system, intrusion detection system and CCTV cameras, designing the network architecture and developing the ISMS policy suite. All consultancy projects are different and we work with the client to understand their unique needs and concerns and develop a consultancy service that addresses all requirements.

It is important that card production staff have knowledge of the production process, site security and logical security procedures. We work with card vendors to develop and deliver targeted training sessions for the relevant audience. Topics that are particularly important to clients include the following:

  • HR security, pre-employment and ongoing screening
  • Visitor handling processes
  • Production process and audit trail
  • Key management
  • Guard responsibilities
  • Security policies and procedures
  • Business continuity and disaster recovery


Over-The-Air (OTA) Personalisation Audits

Over the air (OTA) personalisation also known as mobile provisioning is the process whereby consumer payment account details are securely transferred onto their NFC (Near Field Communication) enabled mobile phone. OTA personalisation occurs remotely allowing the provisioning of mobile handsets with MasterCard or Visa payment credentials over wireless networks. These mobile devices can then be used to perform payment transactions at merchant locations with enabled contactless point of sale terminals.

NCC Group has significant experience in delivering consultancy services and certification audits of the mobile provisioning facilities wishing to take advantage of this growing market. Our understanding of the commonalities and differences between the OTA provisioning standards of the major payment schemes helps us efficiently deliver combined certification audits in a single visit.


Cloud-based Payment Platform Security Audits

NCC Group is accredited to perform audits of Cloud-Based Payment Platform providers. Introduction of Host Card Emulation (HCE) technology is a significant development in the mobile payment industry which supports contactless payments made using NFC-enable mobile devices that removes the need to have a secure element on these devices. During a contactless transaction, secure element (or smart card) is emulated by the HCE software deployed on the mobile device which calls upon the payment account details stored in a secure virtual cloud instead of the mobile devices itself. NCC Group works with the Cloud-Based Payment Platform providers to assess physical and logical security systems supporting all stages of the HCE-based payment including data provisioning, active account management, verification for payment, transaction processing, lifecycle management and post payment processing.


3-D Secure Audits

To reduce fraud and increase consumer confidence in online shopping, payment schemes introduced a mechanism of 3-D (Three Domain) authentication allowing issuers to verify that the person making e-commerce transactions is an authorised cardholder. The 3 Domains of the 3-D Secure service (Issuer, Acquirer and Interoperability Domains) provide secure protocols enabling enrolment of cardholders in the 3-D Secure service and secure exchange of data between the issues and merchant in order to authenticate the cardholder during the e-commerce purchase.

3-D Secure service enables cardholders to get enrolled into the scheme and develop a set of security credentials which will authenticate them during online transactions. Participating merchants implement a Merchant Server Plug-in onto their e-commerce system. Via a secure exchange of messages with the payment scheme and the issuer, this Plug-in allows merchants to verify if a cardholder is enrolled into the 3-D Secure service and authenticate them with the security credentials registered by the cardholder at the time of enrolment.

NCC Group is accredited to perform certification audits of facilities seeking Visa Inc. 3-D Secure certification (also known as Verified by Visa or VbV) of Access Controls Server and Enrolment Server services.


PCI PIN Security Audits

PCI PIN Security Requirements form a part of the PCI PTS group of standards and apply to all acquirers and their agents processing personal identification numbers (PINs) for payment card transactions. The standard also applies to entities operating key-injection facilities for the injection of keys used for the acquisition of PIN data.

NCC Group is a certified security assessor for PCI PIN Security requirements. We offer audit and consultancy services to the PIN Programme participants in all aspects of secure management, processing, and transmission of PIN data during online and offline payment transactions processing at ATMs and attended and unattended POS terminals.


GSMA Security Accreditation Scheme

GSMA Security Accreditation Supplier Logo

There is an increasing use of embedded SIMs (eUICC) in phones, automobiles, smart meters and other products, facilitating ‘over the air’ provisioning of subscriber tailored services. Products with eUICCs are commonly referred to as machine to machine (M2M) devices.

Many machine-to-machine devices are not easily reachable for the purpose of subscription management. Subscription Managers (i.e. provisioning providers) and mobiles network operators have been collaborating to develop ‘Subscription Management’ solutions to accommodate this emerging market.

The GSMA’s Security Accreditation Scheme (SAS) was set up to assure and provide confidence to the mobile network operators and their customers that the management of subscription profiles would be carried out against stipulated minimum logical and physical security standards.  Thereby, guaranteeing the security, integrity and confidentiality of the subscriber’s personal and profile information.

There are two activities which are carried out to complete the subscription management process; Data Preparation (SM-DP) and Secure Routing (SM-SR).

Being one of the two independent SAS auditor companies approved by the GSMA, NCC Group can conduct an audit against the SAS SM-DP and SAS SM-SR standard worldwide. All audits are carried out to GSMA current standards to meet full compliance. These security audits ensure measures are in place to protect the mobile network operator (MNO).

GSMA Security Accreditation Diagram

The audit covers the following areas:

  • Security policy, strategy and documentation
  • Security organisation and responsibility, including internal audit and control
  • Information security
  • Personnel security
  • Physical security
  • Production data management
  • Logistics and production management
  • Computer and network management
  • Data and service management specific to data preparation and secure routing functions of Embedded SIM remote provisioning

Contact us