Last modified by Uwe Trueggelmann on 2024/06/17 14:16
<
From version < 18.1 >
edited by Uwe Trueggelmann
on 2024/04/15 07:24
To version < 21.2 >
edited by XWikiGuest
on 2024/05/07 02:30
>
Change comment: Added comment

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -xwiki:XWiki.uwe
1 +XWiki.XWikiGuest
Content
... ... @@ -1,4 +2,3 @@
1 -(% class="wikigeneratedid" %)
2 2  = Q0) Does CQM only care about production? =
3 3  
4 4  Within CQM the following principles apply:
... ... @@ -31,9 +31,44 @@
31 31  * A Vendor has control of the product (including Components) the Vendor supplies, and of the related development, qualification, and manufacturing processes.
32 32  * A subcontractor is an entity that produces a component primarily according to the instructions received from their customer.
33 33  
33 +==== Example 1 ====
34 +
34 34  An example for a Vendor is Company A who designs an IC, an ICM containing the IC, and an IL that works with the IC, and sells the ICM together with the IL to card manufacturers so they can produce cards.
36 +
37 +==== Example 2 ====
38 +
35 35  An example for a subcontractor is Company B who embeds wire into a sheet of plastic according to a drawing and material specification received from their customer, for example as a subcontractor to Company A.
36 36  
41 +==== Example 3 ====
42 +
43 +Card manufacturer M procures an iacICM with ISO/IEC 7816-2 contacts, a BSM with a fingerprint sensor, and an iacIL containing the antenna and to connect the iacICM and the BSM from component supplier S. S is CQM certified for iacICM, BSM, and iacIL. S has developed and qualified the iacICM, BSM, and iacIL. S produces iacICM, BSM, and iacIL themselves, or uses subcontractors.
44 +
45 +M's CQM Audit only needs to address M's ability to produce IAC from these components, including verification that S is CQM certified for these components. M only receives a CQM label for IAC.
46 +
47 +S's CQM Audit must have included iacICM, BSM, iacIL; S must maintain CQM labels for iacICM, BSM, iacIL.
48 +
49 +S is a Component Vendor for iacICM, BSM, iacIL.
50 +
51 +==== Example 4 ====
52 +
53 +Card manufacturer M procures an iacICM with ISO/IEC 7816-2 contacts, a BSM with a fingerprint sensor, and an iacIL containing the antenna and to connect the iacICM and the BSM from component supplier S.
54 +
55 +In addition one of the below points is true:
56 +
57 +* S is not CQM certified for iacICM, BSM, or iacIL,
58 +* M had significant involvement in specifying, developing, or qualifying the iacICM, BSM, or iacIL.
59 +
60 +M's CQM Audit must include IAC and each component where
61 +
62 +* S is not CQM certified for, or
63 +* where M had significant involvement in specifying, developing, or qualifying the component,
64 +
65 +and M receives CQM labels for IAC and each of the components included in M's CQM Audit.
66 +
67 +S's CQM Audit must have include the components M is not audited for; S must maintain CQM labels for the components M is not audited for.
68 +
69 +S is a Subcontractor for the components M is not audited for.
70 +
37 37  = Q4) Do Subcontractors have to have their own CQM Certificate? =
38 38  
39 39  It depends on what the Subcontractor is providing.
... ... @@ -74,7 +74,7 @@
74 74  
75 75  Note: The times above are the times to assess the Vendor's Subcontractor so that the Vendor can receive the respective label. These are not the times needed if the Subcontractor wants to aquire their own CQM label.
76 76  
77 -== Q7) I am a purely a Reseller. Do I have to have to have a CQM label for the products I resell? ==
111 +== Q7) I am purely a Reseller. Do I have to have to have a CQM label for the products I resell? ==
78 78  
79 79  If the product you are reselling is completely developed, qualified, produced, and its quality monitored by an entity that has a CQM label for this product, then you do not need to have a CQM label for this product.
80 80  
... ... @@ -91,4 +91,12 @@
91 91  
92 92  Both cases require that the vendor obtains a CSI letter, but this does not replace CQM certification, and the need for the vendor to conduct full qualification testing against the applicable CQM requirements.
93 93  
128 += Q9) When is CSI required? =
129 +
130 +CQM requirements #3100#, #3110#, #3120#, #3130# provide some requirements in which cases CQM requires that a CSI letter is obtained for a product or component.
131 +
132 +Mastercard's CSI team may have defined additional requirements when a CSI letter is required.
133 +
134 +In case of doubt, contact [[CSI Security (csi.security@mastercard.com)>>path:mailto:csi.security@mastercard.com]].
135 +
94 94  
XWiki.XWikiComments[0]
Author
... ... @@ -1,0 +1,1 @@
1 +SuperBP
Comment
... ... @@ -1,0 +1,1 @@
1 +Good job SuperUwe !
Date
... ... @@ -1,0 +1,1 @@
1 +2024-05-07 02:30:44.207

Navigation

© 2024 TruCert Assessment Services Inc.
V00-01