Document Comparison

July 2022 1.3 Added Q26 to clarify the requirements for unsupported operating systems. Added Q27 to clarify the validation methods required for payment back-ends.

Q 26 [June 2022] What is required of a CPoC Solution once an operating system is no longer supported? A CPoC Solution Providers must start migrating merchants from platforms as soon as an operating system within the baseline is no longer supported. Plans for such migration must exist prior to the expiry of any supported OS, and may include commencement of migration prior to the deprecation of the OS.

The migration process for any operating system that is unsupported during an annual checkpoint (or full assessment) must be completed prior to the next annual assessment. Consecutive CPoC annual assessments noting inclusion of the same unsupported operating system(s) will not be accepted.

Q 27 [June 2022] Is it required that the PCI DSS validation of the payment processing back-end system used in a CPoC solution is performed by a QSA? A The method required be used to validate payment back-end systems to the PCI DSS is a function of the compliance programs managed by each of the relevant payment brands. For details on any specific case please contact the individual payment brands (see How do I contact the payment card brands?).