Q0) Does CQM only care about production?

Within CQM the following principles apply:

1. All relevant life cycle steps of a CQM certifiable product or component, including development, qualification, and quality monitoring activities, and all production steps, must be conducted by CQM certified entities.
2. It must not be possible to bypass CQM Certification by subcontracting parts of the life-cycle, for example only production, to a CQM certified subcontractor.
3. Unless the Vendor of a product is purely a reseller (see Q7), the Vendor of the product must carry their own CQM label covering the activities they conduct with respect to the life-cycle of the product or component they are selling to Mastercard issuers or CQM certified customers.

Q1) My card is made of another material but newly produced PVC. How does CQM apply?

CQM applies independently of the card material.
Independent of the card material, your card is expected to comply with all applicable CQM requirements.
If your card made from another material is not conform with at least one CQM requirement, then see Q2.

Q2) My card is not fully compliant with all applicable CQM requirements

If your card is not fully compliant with all applicable CQM requirements, then you need to follow this procedure:

1. You complete the qualification testing as required by the applicable product worksheet in the cqmAP form to determine your new product's level of conformity with the applicable CQM requirements.
2. You create a report containing the results, and you fill in the blue section of the applicable product worksheet of the cqmAP form, indicating the requirements your product is compliant with, and those where it is not.
3. You contact Mastercard's CSI team to report that you have a new product that is not fully conform with the applicable CQM requirements, and that conclusively you need to obtain a CSI letter for this product. Include the cqmAP and your own qualification report.
4. The Mastercard CSI team will tell you which information they need to progress your request and help you with the process.

Once you have obtained the CSI Letter, during a CQM Audit you might need to present it as evidence that you have notified the non-conformity to Mastercard's CSI team and that Mastercard has evaluated the resulting risk.

Q3) Is the supplier of my components, as considered within the CQM Scheme, a Component Vendor or a Subcontractor?

As considered within CQM:

• A Vendor has control of the product (including Components) the Vendor supplies, and of the related development, qualification, and manufacturing processes.
• A subcontractor is an entity that produces a component primarily according to the instructions received from their customer.

Example 1

An example for a Vendor is Company A who designs an IC, an ICM containing the IC, and an IL that works with the IC, and sells the ICM together with the IL to card manufacturers so they can produce cards.

Example 2

An example for a subcontractor is Company B who embeds wire into a sheet of plastic according to a drawing and material specification received from their customer, for example as a subcontractor to Company A.

Example 3

Card manufacturer M procures an iacICM with ISO/IEC 7816-2 contacts, a BSM with a fingerprint sensor, and an iacIL containing the antenna and to connect the iacICM and the BSM from component supplier S. S is CQM certified for iacICM, BSM, and iacIL. S has developed and qualified the iacICM, BSM, and iacIL. S produces iacICM, BSM, and iacIL themselves, or uses subcontractors.

M's CQM Audit only needs to address M's ability to produce IAC from these components, including verification that S is CQM certified for these components. M only receives a CQM label for IAC.

S's CQM Audit must have included iacICM, BSM, iacIL; S must maintain CQM labels for iacICM, BSM, iacIL.

S is a Component Vendor for iacICM, BSM, iacIL.

Example 4

Card manufacturer M procures an iacICM with ISO/IEC 7816-2 contacts, a BSM with a fingerprint sensor, and an iacIL containing the antenna and to connect the iacICM and the BSM from component supplier S.

In addition one of the below points is true:

• S is not CQM certified for iacICM, BSM, or iacIL,
• M had significant involvement in specifying, developing, or qualifying the iacICM, BSM, or iacIL.

M's CQM Audit must include IAC and each component where

• S is not CQM certified for, or
• where M had significant involvement in specifying, developing, or qualifying the component,

and M receives CQM labels for IAC and each of the components included in M's CQM Audit.

S's CQM Audit must have include the components M is not audited for; S must maintain CQM labels for the components M is not audited for.

S is a Subcontractor for the components M is not audited for.

Q4) Do Subcontractors have to have their own CQM Certificate?

It depends on what the Subcontractor is providing.

Currently the suppliers of the following CQM Components are required to have their own CQM Certificate:

• IC
• ICM
• iacICM
• BSM
• IL
• CB
• ICC
• iacIL
• IAC

Note: this list is a DRAFT, under review, and not authoritative in any way!

Companies conducting certain sub processes as a subcontractor, for example providing wafer backside processing services to an IC or ICM Vendor, might not be required to maintain their own CQM Certificate. But it might be beneficial for them and for their customers if they would. See Q5) and Q6)

Q5) Does a Subcontractor's production have to be CQM audited?

Within CQM every production process that is listed in the cqmAP of the related product, the product and process development processes, the qualification process, and the quality monitoring processes must undergo a CQM Audit.

This is independent of the production activity being conducted in a facility owned by the vendor (for example Company A, the owner and seller of an IC, an ICM, and an IL that works with the IC), or in a facility owned by a subcontractor (for example Company B, providing subcontracted wire embedding services to Company A, with the IL having been developed and qualified by Company A, and Company B producing according to antenna drawing and material specification provided by Company A).

There is no significant difference in the way the IL production processes are assessed, whether they would be conducted in Company A's IL production, or in Company B's.

In both cases the facility producing the IL will be listed on Company A's CQM Certificate.

See CQM requirements #0606#, #0607#, and #0608# for more information.

Q6) Does it matter if a Subcontractor is CQM certified?

While subcontracted services that are part of the production processes as outlined on the related product worksheets in the cqmAP, may be permitted to be subcontracted to a facility that is not holding their own CQM Certificate, there is a difference how the subcontracted services will be assessed as part of the Vendor's CQM Audit.

Assuming that Company B provides as a subcontractor wire embedding services to Vendor A, and Vendor A has developed and qualified the IL, and provides Vendor B with an antenna drawing and material specification:

1. If the subcontractor Company B maintains their own CQM Certificate covering IL production, then during the audit of Vendor A as an IL Vendor, the effort for the auditing of the subcontracted production at Company B may be reduced to an app. 4h remote audit to verify that Company B applies their CQM certified processes to the wire embedding services subcontracted by Company A.
2. If the subcontractor Company B does not maintain their own CQM Certificate covering IL production, then during the audit of Vendor A as an IL Vendor, the subcontracted production at Company B shall be audited as if it were a separate IL manufacturing site of Company A, and hence must undergo a complete CQM Audit, except for the processes conducted by Company A, in our example development and qualification of the IL.

Note: The times above are the times to assess the Vendor's Subcontractor so that the Vendor can receive the respective label. These are not the times needed if the Subcontractor wants to acquire their own CQM label.

See CQM requirements #0606#, #0607#, and #0608# for more information.

Q7) I am purely a Reseller. Do I have to have to have a CQM label for the products I resell?

If the product you are reselling is completely developed, qualified, produced, and its quality monitored by an entity that has a CQM label for this product, then you do not need to have a CQM label for this product.

If you have any significant input into, or conduct the design, the qualification, the production, or subsequent testing of the product, you are not purely a reseller and you need to have a CQM label for this product.

Q8) I have a CSI letter for my Product. Does CQM still apply?

CSI is not a replacement for CQM. CSI is mostly independent from CQM.

CQM will verify if certain things are covered by a CSI letter:

• Certain products must be covered by a CSI letter, in addition to be covered by a CQM label.
• Non-conformities determined during CQM qualification, that the vendor fails to remedy.

Both cases require that the vendor obtains a CSI letter, but this does not replace CQM certification, and the need for the vendor to conduct full qualification testing against the applicable CQM requirements.

Q9) When is CSI required?

CQM requirements #3100#, #3110#, #3120#, #3130# provide some requirements in which cases CQM requires that a CSI letter is obtained for a product or component.

Mastercard's CSI team may have defined additional requirements when a CSI letter is required.

In case of doubt, contact CSI Security (csi.security@mastercard.com).