Document Comparison

MPoC-Technical-FAQs-v1-5.pdf → MPoC-Technical-FAQs-v1-6.pdf
91% similar
17 → 18 Pages
5517 → 6031 Words
8 Content Changes

Content Changes

8 content changes. 18 administrative changes (dates, page numbers) hidden.

Added p. 7
For MPoC v1.0.x and MPoC v1.1:

Domain 3: 3C-2.3, 3D-1.1, 3D-1.2, 3D-1.3
Domain 5: 5A-3.1, 5A-3.3

For MPoC v1.1 only:

Domain 3: 3B-1.1, 3B-2.3, 3C-1.2

Each annual checkpoint submission must be made by an MPoC Laboratory and include the submission of an updated MPoC Product AOV to PCI SSC after the MPoC Laboratory reviews all changes that occurred since the last full evaluation or last annual checkpoint (whichever is more recent).
Added p. 13
Q 13 [May 2025] Are all HSMs able to be used as a suitable source of entropy to meet requirements 1A-2.2 and/or 1A-2.5? A No. Not all HSMs approved to FIPS140-2/3 have been validated as a source of entropy. The HSM approval, and the HSM security policy, should always be referenced to determine how a specific HSM may be securely implemented.

Q 14 [May 2025] Requirement 1A-1.8 notes that COTS-based MPoC software must be able to provide the version number. Is this also a requirement for MPoC Applications which are not assessed through Domain 1? A Yes. All COTS-based MPoC software must provide a mechanism for the version number to be validated against the MPoC approval list.

MPoC Security Requirement 1B

Q 1 [May 2025] Is it acceptable for a software-protected cryptography implementation to output a keystream for use in stream-based modes of operation? A Yes. A software-protected cryptography implementation may be used …
Added p. 17
Q 4 [May 2025] Does Domain 2B apply to monolithic MPoC Applications? A Yes. Domain 2B applies to monolithic MPoC Applications. Evaluation findings for Domain 2B may reference other sections or results from the MPoC report where applicable.

PCI DSS Appendix A3: Designated Entities Supplemental Validation (DESV) is no longer required.
Modified p. 4
Q 1 Are A&M Service Providers in scope of the requirements of Domain 4? A Yes. Domain 4 applies to all and any entities which may implement the aspects covered in that domain. This includes A&M Service Providers, who must meet the requirements for Key Management Operations (requirements 4A-2.x) and Penetration Testing and Vulnerability Management (4A-3.x).
Q 1 [May 2025 - Updated] Are A&M Service Providers in scope of the requirements of Domain 4? A Yes. Domain 4 applies to all and any entities which may implement the aspects covered in that domain. This includes A&M Service Providers, who must meet the requirements for Key Management Operations (requirements 4A-2.x) and COTS Baseline and Vulnerability Management (4A-3.x).
Modified p. 6
Q 8 [May 2023] What testing and reporting are expected to be performed by an MPoC Laboratory as part of an annual checkpoint? A The annual checkpoint confirms that the MPoC Product continues to meet the security and test requirements of the MPoC Standard. The amount of testing that is required will vary. At a minimum, however, the MPoC Laboratory must confirm that:
Q 8 [May 2025 - Updated] What testing and reporting are expected to be performed by an MPoC Laboratory as part of an annual checkpoint? A The annual checkpoint confirms that the MPoC Product continues to meet the security and test requirements of the MPoC Standard. The amount of testing that is required will vary. At a minimum, however, the MPoC Laboratory must confirm that:
Modified p. 7
Domain 1: 1A-1.1, 1A-1.2, 1A-1.3, 1A-1.4, 1B-2.4
Domain 2: 2A-1.1, 2A-1.2, 2A-1.7, 2A-1.9
Domain 3: 3A-1.1, 3B-1.2, 3B-1.3, 3B-1.4, 3C-1.1, 3C-2.3, 3D-1.1, 3D-1.2, 3D-1.3
Domain 4: 4A-1.5, 4A-2.1, 4A-2.8, 4A-3.1, 4A-3.2
Domain 5: 5A-1.3, 5A-2.2, 5A-3.1, 5A-3.3

Each annual checkpoint submission must be made by an MPoC Laboratory and include the submission of an updated MPoC Product AOV to PCI SSC after the MPoC Laboratory reviews all changes that occurred since the last full evaluation or last annual checkpoint (whichever …

Domain 1: 1A-1.1, 1A-1.2, 1A-1.3, 1A-1.4, 1B-2.4
Domain 2: 2A-1.1, 2A-1.2, 2A-1.7, 2A-1.9
Domain 3: 3A-1.1, 3B-1.2, 3B-1.3, 3B-1.4, 3C-1.1
Domain 4: 4A-1.5, 4A-2.1, 4A-2.8, 4A-3.1, 4A-3.2
Domain 5: 5A-1.3, 5A-2.2

For MPoC v1.0.x only:
Modified p. 13
Q 1 [May 2023] Is it acceptable to implement designs where an A&M message is required to enable payment processing, rather than disable payment processing? A Yes. Some designs may be implemented such that an A&M message is required to enable payment processing, rather than disable payment processing.
Q 1 [May 2025 - Updated] Is it acceptable to implement designs where an A&M message is required to enable payment processing, rather than disable payment processing? A Yes. Some designs may be implemented such that an A&M message is required to enable payment processing, rather than disable payment processing.
Removed p. 16
One of either 3D-1.1 or 3D-1.2 must be assessed as part of a compliant report.