Summary

• Page properties (2 modified, 0 added, 0 removed)

Details

Page properties

Author

...	...	@@ -1,1 +1,1 @@
1		-xwiki:XWiki.superuwe
	1	+xwiki:XWiki.uwe

Content

...	...	@@ -1,3 +1,11 @@
	1	+= Q0) Does CQM only care about production? =
	2	+
	3	+Within CQM the following principles apply:
	4	+
	5	+1. All relevant life cycle steps of a CQM certifiable product or component, including development, qualification, and quality monitoring activities, and all production steps, must be conducted by CQM certified entities.
	6	+1. It must not be possible to bypass CQM Certification by subcontracting parts of the life-cycle, for example only production, to a CQM certified subcontractor.
	7	+1. Unless the Vendor of a product is purely a reseller (see Q7), the Vendor of the product must carry their own CQM label covering the activities they conduct with respect to the life-cycle of the product or component they are selling to Mastercard issuers or CQM certified customers.
	8	+
1	1	= Q1) My card is made of another material but newly produced PVC. How does CQM apply? =
2	2
3	3	CQM applies independently of the card material.
...	...	@@ -22,9 +22,44 @@
22	22	* A Vendor has control of the product (including Components) the Vendor supplies, and of the related development, qualification, and manufacturing processes.
23	23	* A subcontractor is an entity that produces a component primarily according to the instructions received from their customer.
24	24
	33	+==== Example 1 ====
	34	+
25	25	An example for a Vendor is Company A who designs an IC, an ICM containing the IC, and an IL that works with the IC, and sells the ICM together with the IL to card manufacturers so they can produce cards.
	36	+
	37	+==== Example 2 ====
	38	+
26	26	An example for a subcontractor is Company B who embeds wire into a sheet of plastic according to a drawing and material specification received from their customer, for example as a subcontractor to Company A.
27	27
	41	+==== Example 3 ====
	42	+
	43	+Card manufacturer M procures an iacICM with ISO/IEC 7816-2 contacts, a BSM with a fingerprint sensor, and an iacIL containing the antenna and to connect the iacICM and the BSM from component supplier S. S is CQM certified for iacICM, BSM, and iacIL. S has developed and qualified the iacICM, BSM, and iacIL. S produces iacICM, BSM, and iacIL themselves, or uses subcontractors.
	44	+
	45	+M's CQM Audit only needs to address M's ability to produce IAC from these components, including verification that S is CQM certified for these components. M only receives a CQM label for IAC.
	46	+
	47	+S's CQM Audit must have included iacICM, BSM, iacIL; S must maintain CQM labels for iacICM, BSM, iacIL.
	48	+
	49	+S is a Component Vendor for iacICM, BSM, iacIL.
	50	+
	51	+==== Example 4 ====
	52	+
	53	+Card manufacturer M procures an iacICM with ISO/IEC 7816-2 contacts, a BSM with a fingerprint sensor, and an iacIL containing the antenna and to connect the iacICM and the BSM from component supplier S.
	54	+
	55	+In addition one of the below points is true:
	56	+
	57	+* S is not CQM certified for iacICM, BSM, or iacIL,
	58	+* M had significant involvement in specifying, developing, or qualifying the iacICM, BSM, or iacIL.
	59	+
	60	+M's CQM Audit must include IAC and each component where
	61	+
	62	+* S is not CQM certified for, or
	63	+* where M had significant involvement in specifying, developing, or qualifying the component,
	64	+
	65	+and M receives CQM labels for IAC and each of the components included in M's CQM Audit.
	66	+
	67	+S's CQM Audit must have include the components M is not audited for; S must maintain CQM labels for the components M is not audited for.
	68	+
	69	+S is a Subcontractor for the components M is not audited for.
	70	+
28	28	= Q4) Do Subcontractors have to have their own CQM Certificate? =
29	29
30	30	It depends on what the Subcontractor is providing.
...	...	@@ -33,11 +33,11 @@
33	33
34	34	* IC
35	35	* ICM
36		-* iacICM
	79	+* --iacICM--
37	37	* IL
38	38	* CB
39	39	* ICC
40		-* iacIL
	83	+* --iacIL--
41	41	* IAC
42	42
43	43	Note: this list is a DRAFT, under review, and not authoritative in any way!
...	...	@@ -46,7 +46,7 @@
46	46
47	47	= Q5) Does a Subcontractor's production have to be CQM audited? =
48	48
49		-Within CQM every production process that is listed in the cqmAP of the related product must undergo a CQM Audit.
	92	+Within CQM every production process that is listed in the cqmAP of the related product, the product and process development processes, the qualification process, and the quality monitoring processes must undergo a CQM Audit.
50	50
51	51	This is independent of the production activity being conducted in a facility owned by the vendor (for example Company A, the owner and seller of an IC, an ICM, and an IL that works with the IC), or in a facility owned by a subcontractor (for example Company B, providing subcontracted wire embedding services to Company A, with the IL having been developed and qualified by Company A, and Company B producing according to antenna drawing and material specification provided by Company A).
52	52
...	...	@@ -63,4 +63,31 @@
63	63	1. If the subcontractor Company B maintains their own CQM Certificate covering IL production, then during the audit of Vendor A as an IL Vendor, the effort for the auditing of the subcontracted production at Company B may be reduced to an app. 4h remote audit to verify that Company B applies their CQM certified processes to the wire embedding services subcontracted by Company A.
64	64	1. If the subcontractor Company B does not maintain their own CQM Certificate covering IL production, then during the audit of Vendor A as an IL Vendor, the subcontracted production at Company B shall be audited as if it were a separate IL manufacturing site of Company A, and hence must undergo a complete CQM Audit, except for the processes conducted by Company A, in our example development and qualification of the IL.
65	65
66		-Note: The times above are the times to assess the Vendor's Subcontractor so that the Vendor can receive the respective label. These are not the times needed if the Subcontractor wants to aquire their own CQM label for the activity.
	109	+Note: The times above are the times to assess the Vendor's Subcontractor so that the Vendor can receive the respective label. These are not the times needed if the Subcontractor wants to aquire their own CQM label.
	110	+
	111	+== Q7) I am purely a Reseller. Do I have to have to have a CQM label for the products I resell? ==
	112	+
	113	+If the product you are reselling is completely developed, qualified, produced, and its quality monitored by an entity that has a CQM label for this product, then you do not need to have a CQM label for this product.
	114	+
	115	+If you have any significant input into, or conduct the design, the qualification, the production, or subsequent testing of the product, you are not purely a reseller and you need to have a CQM label for this product.
	116	+
	117	+= Q8) I have a CSI letter for my Product. Does CQM still apply? =
	118	+
	119	+CSI is not a replacement for CQM. CSI is mostly independent from CQM.
	120	+
	121	+CQM will verify if certain things are covered by a CSI letter:
	122	+
	123	+* Certain products must be covered by a CSI letter, in addition to be covered by a CQM label.
	124	+* Non-conformities determined during CQM qualification, that the vendor fails to remedy.
	125	+
	126	+Both cases require that the vendor obtains a CSI letter, but this does not replace CQM certification, and the need for the vendor to conduct full qualification testing against the applicable CQM requirements.
	127	+
	128	+= Q9) When is CSI required? =
	129	+
	130	+CQM requirements #3100#, #3110#, #3120#, #3130# provide some requirements in which cases CQM requires that a CSI letter is obtained for a product or component.
	131	+
	132	+Mastercard's CSI team may have defined additional requirements when a CSI letter is required.
	133	+
	134	+In case of doubt, contact [[CSI Security (csi.security@mastercard.com)>>path:mailto:csi.security@mastercard.com]].
	135	+
	136	+