Document Comparison
Contactless_Payments_on_COTS_-_Technical_FAQs_v1.1.pdf → CPoC_Technical_FAQs-v1.2.pdf
59% similar
Pages: 7 → 11
Words: 1703 → 3633
Content Changes: 15
15 content changes. 9 administrative changes (dates, page numbers) hidden.
Added
p. 1
Payment Card Industry (PCI) Contactless Payments on COTS (CPoC™) Technical FAQs for use with CPoC 1.0 Version 1.2
December 2021 1.2 Added Q4 to update the “tamper-detection” definition. Added Q6-Q14 to clarify numerous cryptography related requirements. Added Q15 to clarify the expected logical and physical testing of COTS devices. Added Q16 to clarify a use-case where back-end attestation and monitoring systems are hosted in multiple environments or hosted by multiple entities. Added Q17 to clarify the onsite assessment requirements. Added Q24 to provide reporting guidance for CPoC labs evaluating a solution that supports multiple versions of COTS device operating systems. Added Q25 to describe the process to delay CPoC solution listing.
Q 3 Can a CPoC solution provider compose a CPoC solution from third-party elements? A The CPoC Standard does not prohibit using a third-party service provider or elements developed by a third-party as long as the CPoC solution in its entirety …
Added
p. 6
Q 7 [December 2021] Can an EMV Unpredictable Number (UN) be used for security services? A No. An EMV UN used in contactless kernels on COTS acceptance device provides dynamic data for a contactless transaction. However, an EMV UN is not sufficient to provide a seed/entropy for RNG functions used by CPoC solution security services.
Q 8 [December 2021] Can secret or private cryptographic keys be used for multiple purposes? A No. With exception of software-based protection mechanisms (e.g., white-box cryptography), all secret cryptographic keys and private cryptographic keys used in the solution must be unique per device, per application, and per purpose. For example, the same cryptographic key used to protect attestation messages cannot be used to encrypt account data. Nor can the same cryptographic key be used to protect attestation messages on different devices.
Keys used in the software-based protection mechanisms are required to be unique per purpose, but can …
Added
p. 7
Q 13 [December 2021] Is an HSM the only acceptable method to store cryptographic material used in signing CPoC application executables and scripts? A No. Secret cryptographic keys and private cryptographic keys can be stored in one of the approved forms defined in CPoC Security Requirement 1.4.4.
Q 14 [December 2021] How can a CPoC application protect cryptographic keys used to encrypt account data? When stored, cryptographic keys used to encrypt account data must be maintained in one of the approved forms defined in CPoC Security Requirement 1.4.4.
Cryptographic keys used to encrypt the account data are expected to be accessible and useable only by the CPoC application. While it is encouraged that CPoC solutions utilize hardware-based security mechanisms, if supported by the COTS platform, it is acceptable for a CPoC application to rely on software-based cryptography.
For example, to protect cryptographic keys and processes used to encrypt account data, a solution could …
Added
p. 11
Q 24 [December 2021] Can a lab submit a single report for multiple versions of COTS device operating systems? A Yes. Support for different major versions of COTS device operating systems (9.x, 10.x, and so on) is permitted in a single CPoC Solution Evaluation and listing on the Website. However, support for different COTS platforms (such as Android and iOS) are considered separate CPoC Solutions, and therefore require separate, full CPoC Evaluation Reports, validation, and listings on the Website.
When including multiple versions of an operating system, the CPoC lab must indicate in the report what testing was performed for each operating system.
Q 25 [December 2021] Can a CPoC Solution Listing be delayed at a vendor’s request? A Yes, solution providers may choose to delay listing a newly approved CPoC solution for up to a maximum of six calendar months. Written notification to PCI SSC must be submitted by the CPoC …
Removed
p. 4
Q 3 [July 2020] Can a CPoC solution provider compose a CPoC solution from third-party elements? A The CPoC Standard does not prohibit using a third-party service provider or elements developed by a third-party, as long as the CPoC solution in its entirety and as a whole solution is evaluated by the CPoC laboratory. Regardless of whether the CPoC solution, including CPoC application, has been developed in-house or by a third-party, each CPoC solution provider is ultimately responsible for ensuring that all requirements are met and continue to be met throughout the solution’s lifecycle.
Modified
p. 4
Q 1 Is the CPoC Standard intended to support the deployment of CPoC Applications in attended environments? A Yes. The security requirements are intended specifically to address risks associated with attended environments. Other implementations may render environments vulnerable to additional attacks that have not been considered in the security requirements and which may not be mitigated by the underlying controls established in the CPoC Standard.
Q 1 Is the CPoC Standard intended to support the deployment of CPoC Applications in attended environments? A Yes. The security requirements are intended specifically to address risks associated with attended environments. Other implementations may render environments vulnerable to additional attacks that have not been considered in the security requirements and which may not be mitigated by the underlying controls established in the CpoC Standard.
Removed
p. 5
Q 5 [July 2020] Can APIs (i.e., software libraries allowing third parties to interface with the CPoC solution) be validated and listed as part of a CPoC solution? A Yes. In cases where the CPoC solution provider offers software libraries or APIs to allow third parties to interface to the solution, evaluation and validation by a CPoC lab is required as part of each CPoC solution in which such APIs are provided in order to validate that usage of the API can be done without violating or negatively impacting functionality or compliance with the CPoC Standard. Details regarding development, validation and listing of optional third-party APIs are specified throughout the CPoC Program Guide, particularly in Appendix D “CPoC Vendor-provided Libraries or APIs.”
Modified
p. 5
Q 4 [July 2020] Module 5 references a contactless EMV kernel (singular) for card acceptance. If the CPoC solution involves more than one contactless EMV kernel, do all Module 5 requirements apply to each kernel? A Yes. CPoC solutions generally include multiple contactless EMV kernels, and the Module 5 requirements apply to all kernels in the solution. Any kernels that are added to an approved solution are required to be evaluated, either a full or delta change evaluation, as determined …
Q 5 Module 5 references a contactless EMV kernel (singular) for card acceptance. If the CPoC solution involves more than one contactless EMV kernel, do all Module 5 requirements apply to each kernel? A Yes. CPoC solutions generally include multiple contactless EMV kernels, and the Module 5 requirements apply to all kernels in the solution. Any kernels that are added to an approved solution are required to be evaluated, either a full or delta change evaluation, as determined by the …
Modified
p. 5 → 9
Q 6 [July 2020] What is expected from a CPoC lab when evaluating a CPoC solution that offers APIs or software libraries to allow third-party developers to interface with the solution? A The evaluation and validation of the APIs (together with the CPoC user guidance document described and defined in the CPoC Program Guide) by a CPoC lab are required as part of each CPoC Solution in which such libraries or APIs are provided. The CPoC lab must validate that …
Q 19 What is expected from a CPoC lab when evaluating a CPoC solution that offers APIs or software libraries to allow third-party developers to interface with the solution? A The evaluation and validation of the APIs (together with the CPoC user guidance document described and defined in the CPoC Program Guide) by a CPoC lab are required as part of each CPoC Solution in which such libraries or APIs are provided. The CPoC lab must validate that third-party usage …
Modified
p. 6 → 9
PCI Software-Based PIN Entry on COTS (SPoC)™, to meet objectives in the CPoC standard without performing the required testing? A No. With the exception of references to the PCI DSS AOC for back-end environments, each CPoC evaluation report must demonstrate that the CPoC solution under review was evaluated and meets the security and the test requirements of the CPoC Standard.
Q 20 Can a CPoC Lab reference an approval from another PCI SSC standard, such as …
Modified
p. 6 → 9
Q 8 [July 2020] Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one CPoC evaluation can be reused in another CPoC evaluation from the same vendor. This situation occurs commonly when two CPoC solutions with similar characteristics are evaluated by the same laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been completed under the same major version …
Q 21 Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one CPoC evaluation can be reused in another CPoC evaluation from the same vendor. This situation occurs commonly when more than one CPoC solution with similar characteristics are evaluated by the same CPoC laboratory in parallel or in close succession. The reused data must …
Modified
p. 6 → 9
• Clearly indicate that the test is reused data and meets the applicable test requirements.
• Clearly indicate that the test includes reused data and meets the applicable test requirements.
Modified
p. 6 → 10
• Provide evidence of testing, and that the testing is valid for the CPoC solution and the test requirement under review.
• Provide evidence of testing, and that the testing is valid for the CPoC solution and the test requirement(s) under review.
Modified
p. 6 → 10
Q 9 [July 2020] Can a CPoC lab rely on testing performed by a different CPoC lab without further testing or validation? A If any element of a CPoC solution was evaluated by an entity other than the CPoC lab performing the evaluation under review, the evaluating CPoC lab must have access to all associated reports and supporting evidence. If those reports are not available for any reason, the evaluating CPoC lab must determine the additional work required to properly …
Q 22 Can a CPoC lab rely on testing performed by a different CPoC lab without further testing or validation? A If any element of a CPoC solution was evaluated by an entity other than the CPoC lab performing the evaluation under review, the evaluating CPoC lab must have access to all associated reports and supporting evidence. If those reports are not available for any reason, the evaluating CPoC lab must determine the additional work required to properly evaluate and …
Modified
p. 7 → 10
Q 10 [July 2020] What testing and reporting are expected to be performed by CPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the CPoC solution continues to meet the security and test requirements of the CPoC Standard. The amount of testing that is required will vary. At a minimum, however, the CPoC lab must confirm that:
Q 23 What testing and reporting are expected to be performed by CPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the CPoC solution continues to meet the security and test requirements of the CPoC Standard. The amount of testing that is required will vary. At a minimum, however, the CPoC lab must confirm that: