Document Comparison
MPoC-Technical-FAQs-v1-2.pdf → MPoC-Technical-FAQs-v1-3.pdf
83% similar
Pages: 12 → 15
Words: 3519 → 4580
Content Changes
4 content changes. 14 administrative changes (dates, page numbers) hidden.
Added
p. 8
Q 11 [November 2023] Can an MPoC Software vendor that is validated and listed under the PCI Secure SLC program perform self-validation of PCI MPoC implementation changes? A No. The process required for changes made to MPoC Products, including MPoC Software products, is entirely outlined within the PCI MPoC Program Guide. The MPoC program does not support different validation paths for PCI Secure SLC validated entities.
Q 12 [November 2023] Can an MPoC evaluation exclude some card-based or PIN-based payment functions of an MPoC SDK or MPoC Application? A No. All functionality included in the MPoC SDK or MPoC Application must be considered by the MPoC Laboratory as part of the assessment, including all card-based or PIN-based payment functions.
Added
p. 9
Q 13 [November 2023] Can a ‘Calling Application’ interface to two or more MPoC Applications, or another MPOS application not in scope of MPoC validation? A Yes. MPoC validation covers all functionality provided by the MPoC Product under assessment. Calling applications are separate from the MPoC Application and interface to the MPoC Application through secure inter-application APIs (see Figure 3 of the MPoC Standard). A calling application is not in scope of MPoC validation, and may interface to multiple MPoC Applications, or other non-MPoC payment applications.
However, any payment processes implemented by a non-MPoC payment application are not covered by the MPoC Program and may impact any associated compliance programs.
Q 8 [November 2023] Can an MPoC Laboratory accept an AOV as evidence of meeting requirement 1A-1.4? A Yes, an AOV can be used as evidence for meeting requirement 1A-1.4 if:
• The Secure Software AOV has been produced and signed by a listed …
Added
p. 14
Q 2 [November 2023] What testing is required of an MPoC Solution that integrates an MPoC Application which is listed as part of a listed MPoC Software Product? A Testing of an MPoC Application to Domain 2 is not required if that MPoC Application is listed as part of an MPoC Software product, and it is not modified during integration with the MPoC Solution. An MPoC Solution that is solely using MPoC Applications which are already listed is responsible for validation of Domain 4 and Domain 5.
Validation of Domain 3 is also required if the MPoC Solution is not also relying on a listed MPoC A&M Service.
Q 2 [November 2023] Can an entity provide a plan for meeting the requirements of PCI DSS Appendix A3: Designated Entities Supplemental Validation (PCI DSS DESV), rather than validating against PCI DSS DESV prior to an initial full assessment as part of their validation to …
Added
p. 15
Q 1 [November 2023] Can an MPoC Solution be implemented by an entity that is not the owner of the merchant account relationship? A Yes. The MPoC Standard requires that merchants are securely onboarded and kept up to date with relevant information in a timely manner (requirement 5A-1.x). This communication must be documented and demonstrably in use, as validated under 5A-1.3, but may occur through channels other than those maintained by the direct owner of the merchant relationship (e.g., the merchant’s bank).
Examples may include communication through the MPoC Application directly, or through out of band communication methods established during merchant onboarding.
Validation that merchant communications are occurring as needed will be performed during annual checkpoints and any full revalidation processes.