
There is a bank that has an internal system working with card data preparation, generating PANs, and finally preparing personalization files that are sent to a third-party card manufacturer.

The bank can see all PANs in clear text in their internal system, and they are not PCI compliant.

What should be the PCI compliance requirements for such use case? Can the bank be out of scope of PCI requirements?

user1563721

1 Answer

Issuing banks are subject to a different set of standards than the PCI DSS. See the PCI Card Production standards for their specific rules (use the pull-down to select Card Production).

Yes, banks are required to file a Report Of Compliance, and of course they certainly could be out of compliance. Being out of compliance doesn't mean they close the doors, though. Their assessor would need to see a plan to get them into compliance, and they could keep operating. But operating without a ROC means taking on a lot of risk: they're betting heavily that they won't have a data breach. If they do, the full burden of fraud will fall on them, as well as fines, penalties, and class action lawsuits from their customers.

Of course, any company that's breached gets re-audited, and the auditors who look at them after the breach always find some reason they weren't in compliance. The PCI doesn't appear to be willing to take responsibility for deploying a weak or ineffective standard, just as they're unwilling to own their share of the responsibility for having forced the current insecure protocols and systems on the banking and retail industries.

John Deters