Document Comparison

SPoC_Technical_FAQs_v1.8.pdf → SPoC_Technical_FAQs_v1.9_.pdf
87% similar
19 → 20 Pages
7131 → 7613 Words
14 Content Changes

Content Changes

14 content changes. 20 administrative changes (dates, page numbers) hidden.

Added p. 3
August 2022, version 1.9: Added Q33 clarifying assessment process for the Unsupported OS Annex. Renumbered from Q33 onwards. Added Q48 to clarify that a submission can include an SCRP device which is part of a delayed listing.
Added p. 20
Q 48 [June 2022] Can a SPoC solution be submitted using an SCRP that is part of a delayed listing, and not yet live on the PCI website? Can the listing of this SPoC solution also be delayed? A Yes, a SPoC evaluation report can include a delayed SCRP listing that is not yet live on the PCI website, and the listing of that SPoC Solution may also be delayed by up to 6 months from the date of Acceptance of that SPoC Solution by PCI SSC. A SPoC Solution cannot be listed until the SCRP device(s) included in the report are also listed (as part of their PCI PTS listing).
Modified p. 14 → 15
Q 33 Can APIs (i.e., software libraries allowing third parties to interface with the SPoC solution) be validated and listed as part of an SPoC solution? A Yes. In cases where the SPoC solution provider offers libraries or APIs to allow third parties to interface to the solution, evaluation and validation by a SPoC Lab is required as part of each SPoC solution in which such APIs are provided in order to validate that usage of the API can be …
Q 34 Can APIs (i.e., software libraries allowing third parties to interface with the SPoC solution) be validated and listed as part of an SPoC solution? A Yes. In cases where the SPoC solution provider offers libraries or APIs to allow third parties to interface to the solution, evaluation and validation by a SPoC Lab is required as part of each SPoC solution in which such APIs are provided in order to validate that usage of the API can be …
Modified p. 15
Q 34 What is expected from an SPoC lab when evaluating an SPoC solution that offers APIs or software libraries to allow third-party developers to interface with the SPoC solution? A The evaluation and validation of the APIs (together with the SPoC user guidance document described and defined in the SPoC Program Guide) by an SPoC lab are required as part of each SPoC solution in which such libraries or APIs are provided. It is expected the SPoC lab validates …
Q 35 What is expected from an SPoC lab when evaluating an SPoC solution that offers APIs or software libraries to allow third-party developers to interface with the SPoC solution? A The evaluation and validation of the APIs (together with the SPoC user guidance document described and defined in the SPoC Program Guide) by an SPoC lab are required as part of each SPoC solution in which such libraries or APIs are provided. It is expected the SPoC lab validates …
Modified p. 15 → 16
Q 35 What API or software library implementation options can be supported by the SPoC solution? A Whether an implementation of an API or a software library can be supported by the SPoC Program depends largely on whether an SPoC lab can validate the exposed API or a library to SPoC Security Requirements and SPoC Test Requirements.
Q 36 What API or software library implementation options can be supported by the SPoC solution? A Whether an implementation of an API or a software library can be supported by the SPoC Program depends largely on whether an SPoC lab can validate the exposed API or a library to SPoC Security Requirements and SPoC Test Requirements.
Modified p. 16 → 17
Q 36 Can an SPoC lab reference an approval from another PCI SSC standard, such as
Q 37 Can an SPoC lab reference an approval from another PCI SSC standard, such as
Modified p. 16 → 17
Q 37 Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one SPoC evaluation can be reused in another SPoC evaluation from the same solution provider. This situation occurs commonly when two SPoC solutions with similar characteristics are evaluated by the same laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been completed under the same major version of …
Q 38 Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one SPoC evaluation can be reused in another SPoC evaluation from the same solution provider. This situation occurs commonly when two SPoC solutions with similar characteristics are evaluated by the same laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been completed under the same major version of …
Modified p. 17 → 18
Q 40 How does a minor update to the SPoC Standard affect the expiry date of listed SPoC solutions? A Minor updates of the SPoC Standard (e.g., from version 1.0 to version 1.1) do not change the expiry dates for listed SPoC solutions; they remain as three years from the initial acceptance/listing date shown on the PCI SSC website.
Q 41 How does a minor update to the SPoC Standard affect the expiry date of listed SPoC solutions? A Minor updates of the SPoC Standard (e.g., from version 1.0 to version 1.1) do not change the expiry dates for listed SPoC solutions; they remain as three years from the initial acceptance/listing date shown on the PCI SSC website.
Modified p. 17 → 18
Q 41 Can a Delta change be submitted to update a listed SPoC solution between minor versions of the SPoC Standard? A Yes, the change is submitted to an SPoC lab and it is up to the SPoC lab to determine whether the extent of the change(s) can be validated via delta evaluation. If the changes are extensive or highly impactful to the SPoC security requirements, the SPoC lab may determine that a full evaluation is required. Note that all …
Q 42 Can a Delta change be submitted to update a listed SPoC solution between minor versions of the SPoC Standard? A Yes, the change is submitted to an SPoC lab and it is up to the SPoC lab to determine whether the extent of the change(s) can be validated via delta evaluation. If the changes are extensive or highly impactful to the SPoC security requirements, the SPoC lab may determine that a full evaluation is required. Note that all …
Modified p. 18
Q 42 Can an Administrative change be submitted to transition a listed SPoC solution from SPoC Standard? A No, Administrative changes cannot be used to transition between versions of the SPoC Standard - a full or delta change evaluation, as determined by the SPoC lab, must be performed.
Q 43 Can an Administrative change be submitted to transition a listed SPoC solution from SPoC Standard? A No, Administrative changes cannot be used to transition between versions of the SPoC Standard - a full or delta change evaluation, as determined by the SPoC lab, must be performed.
Modified p. 18
Q 43 What happened to “Designated Change” in the SPoC Program Guide? A Designated changes have been incorporated into the delta change process in SPoC Program Guide version 1.2 to help simplify the change and listing process.
Q 44 What happened to “Designated Change” in the SPoC Program Guide? A Designated changes have been incorporated into the delta change process in SPoC Program Guide version 1.2 to help simplify the change and listing process.
Modified p. 18 → 19
Q 44 What testing and reporting are expected to be performed by SPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the SPoC solution continues to meet the security and test requirements of the SPoC Standard. The amount of testing that is required will vary. At a minimum, however, the SPoC lab must confirm that:
Q 45 What testing and reporting are expected to be performed by SPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the SPoC solution continues to meet the security and test requirements of the SPoC Standard. The amount of testing that is required will vary. At a minimum, however, the SPoC lab must confirm that:
Modified p. 19
Q 45 How often must an SPoC Solution’s Back-end Processing Environment undergo a A The SPoC Solution’s Back-end Processing Environment must be assessed and validated by a PCI-qualified PIN Assessor (QPA) annually (i.e., at least every 12 months). Evidence of the PIN Assessment is verified by the SPoC lab during the annual checkup.
Q 46 How often must an SPoC Solution’s Back-end Processing Environment undergo a A The SPoC Solution’s Back-end Processing Environment must be assessed and validated by a PCI-qualified PIN Assessor (QPA) annually (i.e., at least every 12 months). Evidence of the PIN Assessment is verified by the SPoC lab during the annual checkup.
Modified p. 19 → 20
Q 46 [December 2021] Can a SPoC Solution Listing be delayed at a vendor’s request? A Yes, solution providers may choose to delay listing a newly approved SPoC solution for up to a maximum of six calendar months. Written notification to PCI SSC must be submitted by the SPoC solution provider, through the SPoC laboratory performing the evaluation, along with the completed SPoC Evaluation Report. In addition, the SPoC lab must make a notation in the applicable field of the …
Q 47 [December 2021] Can a SPoC Solution Listing be delayed at a vendor’s request? A Yes, solution providers may choose to delay listing a newly approved SPoC solution for up to a maximum of six calendar months. Written notification to PCI SSC must be submitted by the SPoC solution provider, through the SPoC laboratory performing the evaluation, along with the completed SPoC Evaluation Report. In addition, the SPoC lab must make a notation in the applicable field of the …