Part 1 of a 9-part series on payment security — from card issuance to disputes.
Introduction: The Complexity of Modern-Day Payment Lifecycle
Every card payment you have ever made is the visible tip of a long, tightly choreographed process. Behind a two-second "Approved" message sits a chain of systems, files, networks, and people - each one a potential point of failure, and each one carrying sensitive cardholder data that attackers want.
For security and compliance teams in the payments ecosystem, the challenge is that risk is not concentrated in one place. It is distributed across the entire payment lifecycle. A control that protects the authorisation switch does nothing for the embossing file sitting on a card bureau's server. Threat models, security controls, and compliance obligations shift meaningfully from one stage to the next.
This series unpacks that complexity stage by stage. Across nine parts, we map each phase of the payment lifecycle to its specific threats, the security controls that mitigate them, and the compliance frameworks that govern them. The goal is a practical, end-to-end reference for anyone responsible for securing payments: whether you are an issuer, acquirer, gateway, processor, or merchant.
We begin where the card's life begins: issuance.
The Payment Lifecycle at a Glance
Before zooming into card issuance, it helps to see the full picture. A modern card payment moves through nine broad stages, each with its own systems and security considerations:
- Card Issuance: KYC collection, embossing, personalisation, and card distribution (this post)
- Payment Initiation: Card tap/swipe/QR, PAN capture, encryption, and packet construction
- Authorisation Request: Merchant to gateway to acquirer to network to issuer
- Issuer Decision & Response: Fraud checks, HSM cryptogram validation, approve/decline
- Capture / Completion: Locking funds after fulfilment
- Clearing: Encrypted clearing files exchanged and validated
- Reconciliation & Reporting: Matching settlements, posting to the GL, generating reports
- Settlement / Funding: Treasury netting, ACH/camt.054 files, merchant funding
- Disputes & Chargebacks: Cardholder disputes, evidence, and resolution
Each subsequent post in this series will take one stage and go deep. Together they form a complete view of where payment data lives, how it moves, and what it takes to keep it secure at every step.
Stage 1: Card Issuance — Where Cardholder Data Is Born
Card issuance is the first time a primary account number (PAN), cardholder name, card verification value (CVV/CVC), and expiry date exist together in one place. That makes it one of the most sensitive and most overlooked stages in the entire lifecycle. It is also the one stage where the "do not store sensitive authentication data" rule offers no shortcut: the issuer generates these values and holds them legitimately, so it must protect them rather than simply avoid keeping them. Long before a card is ever tapped at a terminal, its data has already passed through multiple systems and third-party hands.
How the Card Issuance Flow Works
The issuance process typically unfolds in five steps:
- KYC collection. The issuer collects customer identity and verification data in line with regulatory requirements.
- Embossing file generation. A file is produced containing the PAN, cardholder name, CVV, and expiry date.
- File transfer to the bureau. The embossing file is transferred to a card production vendor (card bureau) for printing. The transfer channel, and any copies of the file left behind on either side, are the points at which the bulk data is most exposed.
- Personalisation and printing. The vendor personalises and prints the physical cards.
- Distribution. Finished cards are dispatched to customers or branches.
Notice how much of this flow depends on third parties and physical handling. This is what makes issuance distinct from the largely digital stages that follow, and it shapes the threat landscape significantly.
The Threats: Where Card Issuance Goes Wrong
Because issuance combines bulk cardholder data, third-party vendors, and physical logistics, its risk profile is unusually broad. The most significant threats include:
- Rogue firmware in personalisation printers - compromised devices on the production line can silently capture or alter card data.
- Insecure SDKs and applications at the card bureau - vulnerable vendor software widens the attack surface beyond the issuer's own walls.
- PCI scope creep into the card bureau - because the bureau stores and processes cardholder data on the issuer's behalf, it sits inside the issuer's PCI scope as a third-party service provider, and the extent of that scope is easy to underestimate.
- Card-in-transit interception - physical cards can be intercepted before they reach the customer.
- Embossing portal takeover - a compromised portal can expose card data in bulk, not one record at a time.
- Insider collusion at the print vendor - privileged staff could create duplicate cards undetected.
- PII leakage in embossing and personalisation files - sensitive data sitting in files can be exposed through misconfiguration or weak transfer controls.
The common thread: at issuance, a single weakness can compromise thousands of cards at once. The blast radius is far larger than at the transaction level.
The Security Controls: What It Takes to Secure Issuance
Mitigating these threats requires a layered programme spanning application security, vendor risk, data discovery, physical controls, and continuous monitoring. Effective controls at this stage include:
- Application and API penetration testing (CREST-aligned) on embossing portals to find exploitable flaws before attackers do.
- Secure code review of personalisation software to catch vulnerabilities at the source.
- Vulnerability assessment and penetration testing (VAPT) on card bureau vendor portals.
- Red teaming for insider-threat and supply-chain scenarios to test how the ecosystem holds up against realistic, motivated adversaries.
- Sensitive-data discovery that proactively hunts for plain-text PAN across vendor storage and file transfers, so exposed data is found and remediated.
- Dual-control and split-knowledge enforcement for card dispatch, ensuring no single person can compromise the process.
- Vendor security assessment aligned to card production security standards.
- An ISO 27001 / ISO 22301 compliance programme to embed information security and business continuity into operations.
- Security awareness training for both bureau and issuer staff, since people are central to issuance risk.
- Agentic SOC and SOAR-driven monitoring across issuer infrastructure for continuous detection and rapid response.
Together, these controls address the full spread of issuance risk: the code, the portals, the vendors, the files, the people, and the physical cards.
The Compliance Frameworks Governing Issuance
Card issuance sits at the intersection of several overlapping standards and regulations. Teams operating at this stage typically need to satisfy:
- PCI DSS v4.x — the foundational standard for protecting cardholder data (v4.0 has since been superseded by the v4.0.1 revision, so assessments should reference the current version).
- PCI Card Production and Provisioning (commonly shortened to PCI CPS) — two companion documents, the Physical Security Requirements and the Logical Security Requirements, specifically governing card production facilities.
- PCI TSP — token service provider requirements where tokenisation is involved.
- PCI Secure Software Standard (S3), part of the PCI Software Security Framework (SSF) — for the payment software handling card data.
- RBI KYC Master Direction — the regulatory baseline for customer due diligence in India.
- ISO 27001 — for the overarching information security management system.
- ISO 22301 — for business continuity, ensuring issuance can withstand disruption.
The takeaway is that issuance is not governed by PCI DSS compliance alone. Card-production-specific standards like PCI CPS, plus regional KYC mandates and continuity requirements, all apply, and overlooking the card-production layer is a common compliance gap.
Why Issuance Deserves Your Attention First
It is tempting to focus security investment on the moments of transaction - the tap, the authorisation, the settlement. But issuance is where the most valuable data is concentrated and where a single breach has the widest reach. Securing it well sets the foundation for everything downstream. A card that is compromised before it ever reaches the customer undermines every control that follows.
How SISA's Solutions Help Address These Threats
Securing card issuance requires more than a single tool or audit; it calls for coordinated capabilities across application security, data protection, vendor risk, and continuous monitoring. SISA brings these together into an integrated programme purpose-built for the payments ecosystem:
- Application and API penetration testing. SISA's CREST-aligned testing probes embossing portals, vendor applications, and personalisation software for exploitable flaws — closing gaps before attackers find them.
- Secure code review. Expert-led review of personalisation and embossing software catches vulnerabilities at the source, where they are cheapest to fix.
- Red teaming for insider and supply-chain scenarios. SISA simulates the realistic adversaries that matter most at issuance — colluding insiders and compromised vendors — to validate whether your defences actually hold.
- SISA Radar for sensitive-data discovery and classification. Radar hunts for plain-text PAN and cardholder data across vendor storage and file transfers, surfacing exposed data so it can be remediated and bringing clarity to PCI scope.
- Vendor security assessment. SISA evaluates card bureau and third-party environments against card-production security standards, helping you manage the supply-chain risk that issuance uniquely concentrates.
- SISA ProACT Agentic SOC with SOAR-driven response. Continuous monitoring across issuer infrastructure, with automated response actions to contain threats in real time.
- Compliance and certification programmes. From PCI DSS v4.0 and PCI Card Production Security through ISO 27001 and ISO 22301, SISA's assessment and certification teams help you meet the full spread of obligations that govern issuance.
- CPISI security awareness training. Because people are central to issuance risk, SISA equips bureau and issuer staff to recognise and resist the threats that target them through accredited payment data security certifications.
The result is defence-in-depth tailored to where issuance risk actually lives - in the code, the portals, the files, the vendors, the people, and the physical cards, rather than a one-size-fits-all checklist.
In the next part of this series, we move from creation to use: Payment Initiation - what happens the moment a card is tapped, swiped, or scanned, and how to secure PAN capture, encryption, and the construction of the authorisation packet.
