Last modified by Uwe Trueggelmann on 2024/06/17 14:16
<
From version < 21.1 >
edited by Uwe Trueggelmann
on 2024/04/25 13:24
To version < 13.1 >
edited by SuperUwe Trueggelmann
on 2024/04/03 12:20
>
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -xwiki:XWiki.uwe
1 +xwiki:XWiki.superuwe
Content
... ... @@ -1,11 +9,3 @@
1 -= Q0) Does CQM only care about production? =
2 -
3 -Within CQM the following principles apply:
4 -
5 -1. All relevant life cycle steps of a CQM certifiable product or component, including development, qualification, and quality monitoring activities, and all production steps, must be conducted by CQM certified entities.
6 -1. It must not be possible to bypass CQM Certification by subcontracting parts of the life-cycle, for example only production, to a CQM certified subcontractor.
7 -1. Unless the Vendor of a product is purely a reseller (see Q7), the Vendor of the product must carry their own CQM label covering the activities they conduct with respect to the life-cycle of the product or component they are selling to Mastercard issuers or CQM certified customers.
8 -
9 9  = Q1) My card is made of another material but newly produced PVC. How does CQM apply? =
10 10  
11 11  CQM applies independently of the card material.
... ... @@ -30,44 +30,9 @@
30 30  * A Vendor has control of the product (including Components) the Vendor supplies, and of the related development, qualification, and manufacturing processes.
31 31  * A subcontractor is an entity that produces a component primarily according to the instructions received from their customer.
32 32  
33 -==== Example 1 ====
34 -
35 35  An example for a Vendor is Company A who designs an IC, an ICM containing the IC, and an IL that works with the IC, and sells the ICM together with the IL to card manufacturers so they can produce cards.
36 -
37 -==== Example 2 ====
38 -
39 39  An example for a subcontractor is Company B who embeds wire into a sheet of plastic according to a drawing and material specification received from their customer, for example as a subcontractor to Company A.
40 40  
41 -==== Example 3 ====
42 -
43 -Card manufacturer M procures an iacICM with ISO/IEC 7816-2 contacts, a BSM with a fingerprint sensor, and an iacIL containing the antenna and to connect the iacICM and the BSM from component supplier S. S is CQM certified for iacICM, BSM, and iacIL. S has developed and qualified the iacICM, BSM, and iacIL. S produces iacICM, BSM, and iacIL themselves, or uses subcontractors.
44 -
45 -M's CQM Audit only needs to address M's ability to produce IAC from these components, including verification that S is CQM certified for these components. M only receives a CQM label for IAC.
46 -
47 -S's CQM Audit must have included iacICM, BSM, iacIL; S must maintain CQM labels for iacICM, BSM, iacIL.
48 -
49 -S is a Component Vendor for iacICM, BSM, iacIL.
50 -
51 -==== Example 4 ====
52 -
53 -Card manufacturer M procures an iacICM with ISO/IEC 7816-2 contacts, a BSM with a fingerprint sensor, and an iacIL containing the antenna and to connect the iacICM and the BSM from component supplier S.
54 -
55 -In addition one of the below points is true:
56 -
57 -* S is not CQM certified for iacICM, BSM, or iacIL,
58 -* M had significant involvement in specifying, developing, or qualifying the iacICM, BSM, or iacIL.
59 -
60 -M's CQM Audit must include IAC and each component where
61 -
62 -* S is not CQM certified for, or
63 -* where M had significant involvement in specifying, developing, or qualifying the component,
64 -
65 -and M receives CQM labels for IAC and each of the components included in M's CQM Audit.
66 -
67 -S's CQM Audit must have include the components M is not audited for; S must maintain CQM labels for the components M is not audited for.
68 -
69 -S is a Subcontractor for the components M is not audited for.
70 -
71 71  = Q4) Do Subcontractors have to have their own CQM Certificate? =
72 72  
73 73  It depends on what the Subcontractor is providing.
... ... @@ -76,11 +76,11 @@
76 76  
77 77  * IC
78 78  * ICM
79 -* --iacICM--
36 +* iacICM
80 80  * IL
81 81  * CB
82 82  * ICC
83 -* --iacIL--
40 +* iacIL
84 84  * IAC
85 85  
86 86  Note: this list is a DRAFT, under review, and not authoritative in any way!
... ... @@ -89,7 +89,7 @@
89 89  
90 90  = Q5) Does a Subcontractor's production have to be CQM audited? =
91 91  
92 -Within CQM every production process that is listed in the cqmAP of the related product, the product and process development processes, the qualification process, and the quality monitoring processes must undergo a CQM Audit.
49 +Within CQM every production process that is listed in the cqmAP of the related product must undergo a CQM Audit.
93 93  
94 94  This is independent of the production activity being conducted in a facility owned by the vendor (for example Company A, the owner and seller of an IC, an ICM, and an IL that works with the IC), or in a facility owned by a subcontractor (for example Company B, providing subcontracted wire embedding services to Company A, with the IL having been developed and qualified by Company A, and Company B producing according to antenna drawing and material specification provided by Company A).
95 95  
... ... @@ -108,11 +108,11 @@
108 108  
109 109  Note: The times above are the times to assess the Vendor's Subcontractor so that the Vendor can receive the respective label. These are not the times needed if the Subcontractor wants to aquire their own CQM label.
110 110  
111 -== Q7) I am purely a Reseller. Do I have to have to have a CQM label for the products I resell? ==
68 +== Q7) I am a purely a Reseller. Do I have to have to have a CQM label for the products I resell? ==
112 112  
113 113  If the product you are reselling is completely developed, qualified, produced, and its quality monitored by an entity that has a CQM label for this product, then you do not need to have a CQM label for this product.
114 114  
115 -If you have any significant input into, or conduct the design, the qualification, the production, or subsequent testing of the product, you are not purely a reseller and you need to have a CQM label for this product.
72 +If you have any significant input in, or conduct the design, the qualification, the production, or subsequent testing of the product, you are not purely a reseller and you need to have a CQM label for this product.
116 116  
117 117  = Q8) I have a CSI letter for my Product. Does CQM still apply? =
118 118  
... ... @@ -125,12 +125,4 @@
125 125  
126 126  Both cases require that the vendor obtains a CSI letter, but this does not replace CQM certification, and the need for the vendor to conduct full qualification testing against the applicable CQM requirements.
127 127  
128 -= Q9) When is CSI required? =
129 -
130 -CQM requirements #3100#, #3110#, #3120#, #3130# provide some requirements in which cases CQM requires that a CSI letter is obtained for a product or component.
131 -
132 -Mastercard's CSI team may have defined additional requirements when a CSI letter is required.
133 -
134 -In case of doubt, contact [[CSI Security (csi.security@mastercard.com)>>path:mailto:csi.security@mastercard.com]].
135 -
136 136  

Navigation

© 2024 TruCert Assessment Services Inc.
V00-01