Document Comparison: SPoC_Technical_FAQs-v1.3.pdf → SPoC_Technical_FAQs_v1.4.pdf
83% similar
Pages: 13 → 12
Words: 3332 → 3529
Content Changes: 31 content changes. 13 administrative changes (dates, page numbers) hidden.
Added
p. 1
Payment Card Industry (PCI) Software-based PIN Entry on COTS (SPoC™) Technical FAQs for use with SPoC Standard Version 1
Added
p. 2
December 2019 1.4 Updated Q1 to align with the definition of COTS in Contactless Payments on COTS™ (CPoC) Standard. Removed Q16 and clarified Q19. Added questions Q26 and Q27 to align with the publication of Contactless Payments on COTS™ Program Guide.
Q 1 [December 2019] What is a COTS Device? A A commercial-off-the-shelf (COTS) Device is a mobile device (smartphone, tablet, or wearable) that is designed for mass-market distribution.
Q 2 Are there any restrictions to specific form factors for COTS Devices and SCRPs that can be approved under the PCI SPoC Program? A No, the SPoC requirements do not dictate a specific form factor for the COTS Device, the SCRP, or the combination thereof for inclusion in an approved and validated SPoC Solution.
Q 8 What is the intent of use of a SPoC Solution in an attended versus an unattended environment? A The SPoC Standard is intended for merchant COTS Devices …
Added
p. 11
Q 26 [December 2019] What is required by SPoC Solution Providers and SPoC Labs regarding the note in section 4.1 Required Vendor Materials of the SPoC Program Guide? A In cases where a Vendor or SPoC Solution/SPoC Element cannot meet a specific requirement as stated, the Vendor must clearly explain why the requirement cannot be met as stated. The Vendor must also provide evidence to clearly show how the corresponding security objective is still being met or exceeded, and that the alternative controls or methods are employed to provide equivalent or greater assurance to that provided by the methods described in the requirement. Vendors should work with their SPoC Lab to determine the evidence required to satisfy a specific security objective or associated requirement. The SPoC Lab is responsible for evaluation of the alternative controls or methods, and must include in the evaluation report a description of the testing they …
Modified
p. 4
Q 1 [May 2019] Are contactless transactions allowed under the SPoC Standard? A Yes. The Standard supports both EMV-based and magnetic stripe mode contactless transactions.
Q 3 Are contactless transactions allowed under the SPoC Standard? A Yes. The Standard supports both EMV-based and magnetic stripe mode contactless transactions.
Modified
p. 4
Q 2 In the SPoC Test Requirements (TRs), where the attack-costing thresholds are required, there is no minimum. When will the attack-costing threshold values be added, and how should labs evaluate the relative requirements in the interim? A The PCI SSC will work directly with the labs that are qualified to perform Solution assessments. Each assessment will be used to contribute relative attack-costing information using actual Solution validation data that will be factored into the development of appropriate attack-costing values. …
Q 4 In the SPoC Test Requirements (TRs), where the attack-costing thresholds are required, there is no minimum. When will the attack-costing threshold values be added, and how should labs evaluate the relative requirements in the interim? A The PCI SSC will work directly with the labs that are qualified to perform Solution assessments. Each assessment will be used to contribute relative attack-costing information using actual Solution validation data that will be factored into the development of appropriate attack-costing values. …
Modified
p. 5
Q 3 Please explain the difference between a “session” and a “transaction” within the context of the SPoC Standard? A A “session” is established when the PIN CVM Application initiates a payment. This session establishes secure channels with the Secure Card Reader – PIN (SCRP) and with the Back-end Monitoring System. The session terminates when payment is complete or when any anomalous behavior is detected in The Solution at any point during the payment process.
Q 5 Please explain the difference between a “session” and a “transaction” within the context of the SPoC Standard? A A “session” is established when the PIN CVM Application initiates a payment. This session establishes secure channels with the Secure Card Reader – PIN (SCRP) and with the Back-end Monitoring System. The session terminates when payment is complete or when any anomalous behavior is detected in The Solution at any point during the payment process.
Modified
p. 5
Q 4 [May 2019] Regarding “Customer Data” and “Correlatable Data”, what is the scope of this data? A The scope applies to data that is entered into a PIN CVM Application on a COTS Device as part of the payment transaction process, or sent from the Back-end Monitoring System to the COTS Device. The scope is limited to data entered by the cardholder at the time of the transaction for purposes such as receipt transmission.
Q 6 Regarding “Customer Data” and “Correlatable Data”, what is the scope of this data? A The scope applies to data that is entered into a PIN CVM Application on a COTS Device as part of the payment transaction process, or that is sent from the Back-end Monitoring System to the COTS Device. The scope is limited to data entered by the cardholder at the time of the transaction for purposes such as receipt transmission.
Modified
p. 5
Q 5 What are the use cases for a SPoC Solution? A SPoC Solutions are intended for use in a face-to-face environment where the merchant hands the COTS Device to the customer. The customer then enters a PIN and hands the COTS Device back to the merchant.
Q 7 What are the use cases for a SPoC Solution? A SPoC Solutions are intended for use in a face-to-face environment where the merchant hands the COTS Device to the customer. The customer then enters a PIN and hands the COTS Device back to the merchant.
Modified
p. 5
Attended environments are when the COTS Device is made available to the customer by the merchant during a payment transaction. For example, the merchant hands the COTS Device to the customer. The customer enters a PIN and hands the COTS Device back to the merchant.
Modified
p. 6
Q 7 Is SPoC synonymous with PIN on Glass? A No. The SPoC Standard covers a software-based approach for accepting a PIN as the cardholder verification method on a merchant-owned COTS Device. The phrase “PIN on Glass” is often used to describe a variety of use cases, where a PIN is entered on a glass-based capture mechanism; that is, a touch screen.
Q 9 Is SPoC synonymous with PIN on Glass? A No. The SPoC Standard covers a software-based approach for accepting a PIN as the cardholder verification method on a merchant-owned COTS Device. The phrase “PIN on Glass” is often used to describe a variety of use cases, where a PIN is entered on a glass-based capture mechanism; that is, a touch screen.
Modified
p. 6
A SPoC Solution includes an SCRP (Secure Card Reader – PIN), a PIN CVM Application, the merchant’s COTS Device, anda Back-end Monitoring/Attestation Systems. These elements work together to ensure the PIN, which has been accepted by a software application on the COTS Device, is isolated within the COTS Device from other sensitive Account data. The Back-end Monitoring/Attestation Systems continuously monitor the entire Solution for anomalous activity and to ensure The Solution has not deviated from the baseline because of tampering, …
A SPoC Solution includes an SCRP (Secure Card Reader – PIN), a PIN CVM Application, the merchant’s COTS Device, and Back-end Monitoring/Attestation Systems. These elements work together to ensure the PIN, which has been accepted by a software application on the COTS Device, is isolated within the COTS Device from other sensitive Account data. The Back-end Monitoring/Attestation Systems continuously monitor the entire Solution for anomalous activity and to ensure The Solution has not deviated from the baseline because of tampering, rooting, …
Modified
p. 6
There are numerous PCI PIN Transaction Security (PTS) approved hardware-based POI devices that accept a PIN using a touch screen (PIN-on-Glass). These POI devices are built purposely for payment acceptance. Therefore, care must be taken when using the generic phrase “PIN-on-Glass”: for example, a PTS-approved POI device that accepts PIN-on-Glass is very different from a SPoC Solution that uses a merchant-facing COTS Device to accept a PIN.
Modified
p. 6
Q 8 [May 2019] Are magnetic stripe-based transactions allowed by the SPoC Standard? A Yes. The Standard supports both EMV-based and magnetic-stripe mode-based contactless transactions. It also optionally supports the contact magnetic stripe reads. Contact magnetic stripe reads must only occur using a separate Magnetic Stripe Reader (MSR) Device that complies with the SPoC Annex, and the PIN CVM Application must prevent the entry of the PIN.
Q 10 Are magnetic stripe-based transactions allowed by the SPoC Standard? A Yes. The Standard supports both EMV-based and magnetic-stripe mode-based contactless transactions. It also optionally supports the contact magnetic stripe reads.
Removed
p. 7
Q 12 What is a COTS Device? A A commercial-off-the-shelf (COTS) Device is a mobile device (smartphone, tablet, or wearable) that is designed for mass-market distribution, but is not designed specifically for payment processing.
Modified
p. 7 → 6
Q 9 [May 2019] Can a merchant use their existing Secure Card Reader (SCR) to accept payments in a SPoC Solution? A Merchants can use PCI-approved SCRPs for chip-based transactions. Contact magnetic stripe reads must only occur using a separate MSR Device that complies with the SPoC Annex, which might include existing approved PCI PTS SCRs.
Q 11 Can a merchant use their existing Secure Card Reader (SCR) to accept payments in a SPoC Solution? A Merchants can use PCI-approved SCRPs for chip-based transactions. Contact magnetic stripe reads must only occur using a separate MSR Device that complies with the SPoC Annex, which might include existing approved PCI PTS SCRs.
Modified
p. 7
Q 10 Can a merchant put together their own SPoC Solution by choosing an SCRP, PIN CVM Application, and Back-end Monitoring System? A No. Only complete SPoC Solutions will be approved and listed on the PCI SSC Website.
Q 12 Can a merchant put together their own SPoC Solution by choosing an SCRP, PIN CVM Application, and Back-end Monitoring System? A No. Only complete SPoC Solutions will be approved and listed on the PCI SSC Website.
Modified
p. 7
Q 11 [May 2019] What constitutes a SPoC Solution? Does the SPoC Standard cover separate elements or is it a single solution? A The SCRP will have a separate listing because it is evaluated and listed as part of the PTS POI Standard. However, all SCRPs associated with a SPoC Solution will be included as part of the SPoC Solution evaluation and listed as part of that SPoC Solution’s acceptance. It is also possible that an MSR evaluated as part …
Q 13 What constitutes a SPoC Solution? Does the SPoC Standard cover separate elements or is it a single solution? A The SCRP will have a separate listing because it is evaluated and listed as part of the PTS POI Standard. However, all SCRPs associated with a SPoC Solution will be included as part of the SPoC Solution evaluation and listed as part of that SPoC Solution’s acceptance. It is also possible that an MSR evaluated as part of SPoC …
Modified
p. 7
A SPoC Solution consists of PCI-approved SCRPs, an optional MSR that complies with the SPoC Annex, a PIN CVM Application, merchant COTS Devices, and Back-end Monitoring/Attestation Systems. The SPoC Solution will be listed on the
A SPoC Solution consists of PCI-approved SCRPs, an optional MSR that complies with the SPoC Annex, a PIN CVM Application, merchant COTS Devices, and Back-end Monitoring/Attestation Systems. The SPoC Solution will be listed on the PCI SSC Website with the individual elements.
Modified
p. 7
Q 13 Is a SPoC Solution eligible for a Point-to-Point Encryption (P2PE) Solution approval? A No. The SPoC Standard and the P2PE Standard are separate PCI SSC standards that are intended for different use cases.
Q 14 Is a SPoC Solution eligible for a Point-to-Point Encryption (P2PE) Solution approval? A No. The SPoC Standard and the P2PE Standard are separate PCI SSC standards that are intended for different use cases.
Removed
p. 8
Q 14 Are there any restrictions to specific form factors for COTS Devices and SCRPs that can be approved under the PCI SPoC Program? A No, the SPoC requirements do not dictate a specific form factor for the COTS Device, the SCRP, or the combination thereof for inclusion in an approved and validated SPoC Solution.
Removed
p. 9
Q 16 Security Requirement 2.2.3 states that the PIN CVM Application must only support platforms that provide for a “trusted boot” mechanism that validates the operating system’s authenticity. What are the implications of this requirement recognizing that for certain Android versions (such as Android 4), some OEMs did not support sufficient hardware capabilities to implement the secure boot mechanism? What are the implications associated with scenarios where a clear designation of trusted boot support of “yes or no” cannot be determined? A For scenarios where such Android versions and OEM implementation are supported in the COTS System Baseline, the Lab must detail these conditions and any additional controls that are in place to mitigate the risks. Furthermore, the SPoC Lab must demonstrate that such supported COTS systems do not represent a significant portion of the supported customer base.
Modified
p. 9 → 7
Q 17 Does Security Requirement 2.2.3 include OS level or other system applications? A No. This requirement is not intended for OS level or other system applications.
Q 16 Does Security Requirement 2.2.3 include OS level or other system applications? A No. This requirement is not intended for OS level or other system applications.
Modified
p. 10 → 8
Q 18 Security Requirement 2.2.5 states that where white-box cryptography is used, white-box keys must be unique for each PIN CVM Application instance, and that the reliance upon and use of common white-box keys must be minimized after the secure provisioning process. Does this requirement apply to all white-box keys as it relates to unique keys per PIN CVM Application, or just those used for encrypting a PIN? A The intent of the requirement is that where white-box cryptography is …
Q 17 Security Requirement 2.2.5 states that where white-box cryptography is used, white-box keys must be unique for each PIN CVM Application instance, and that the reliance upon and use of common white-box keys must be minimized after the secure provisioning process. Does this requirement apply to all white-box keys as it relates to unique keys per PIN CVM Application, or just those used for encrypting a PIN? A The intent of the requirement is that where white-box cryptography is …
Modified
p. 10 → 8
Q 19 [May 2019] Security Requirement 2.2.4 states that the PIN CVM Application must detect sensor activation and polling of sensor data. Does this requirement apply to all COTS Platforms? A The intent of the requirement is to protect the PIN entry process from manipulation or subversion. Because several attack vectors use COTS Platform sensors and hardware for side-channel attacks, detecting when these sensors are activated or used (i.e., polling sensor data) by untrusted applications can reduce the risk of …
Q 18 Security Requirement 2.2.4 states that the PIN CVM Application must detect sensor activation and polling of sensor data. Does this requirement apply to all COTS Platforms? A The intent of the requirement is to protect the PIN entry process from manipulation or subversion. Because several attack vectors use COTS Platform sensors and hardware for side-channel attacks, detecting when these sensors are activated or used (i.e., polling sensor data) by untrusted applications can reduce the risk of PIN compromise.
Modified
p. 10 → 8
In cases where the COTS Platform does not allow the runtime application to detect sensor status or sensor data polling, the Solution Provider should verify and document the COTS Platform limitations, and explain how these limitations do not impact the security of the PIN entry process.
In cases where the COTS Platform does not allow the runtime application to detect sensor status or sensor data polling, the Solution Provider must verify and document the COTS Platform limitations, and explain how these limitations do not impact the security of the PIN entry process.
Modified
p. 11 → 9
Q 21 SPoC Security Requirements 3.6.1 and 5.1.2 state that if the Back-end Monitoring System resides in the Cardholder Data Environment (CDE), then PCI DSS, Appendix A3 “Designated Entities Supplemental Validation (DESV)” will apply.
Q 20 SPoC Security Requirements 3.6.1 and 5.1.2 state that if the Back-end Monitoring System resides in the Cardholder Data Environment (CDE), then PCI DSS, Appendix A3 “Designated Entities Supplemental Validation (DESV)” will apply.
Modified
p. 12 → 9
Q 22 If a version of the COTS OS initially listed in the Solution System Baseline reaches end-of-life such that it is no longer supported by the original OS vendor, does the SPoC Standard disallow transactions on affected COTS Devices until the OS on those devices is updated to a supported OS? A No. If an OS version has been assessed and is listed as part of the COTS System Baseline, (TR C1), and then the OS vendor ends support …
Q 21 If a version of the COTS OS initially listed in the Solution System Baseline reaches end-of-life such that it is no longer supported by the original OS vendor, does the SPoC Standard disallow transactions on affected COTS Devices until the OS on those devices is updated to a supported OS? A No. If an OS version has been assessed and is listed as part of the COTS System Baseline, (TR C1), and then the OS vendor ends support …
Modified
p. 12 → 10
Q 23 If an OS vendor issues an update to a COTS OS that was initially listed in the Solution System Baseline, does the SPoC Standard disallow transactions on COTS Devices using the updated OS until the updated OS is evaluated? A No. If an updated version of an OS that is already listed in the COTS System Baseline is made available by the original OS vendor, then the Solution Provider may add that version to the COTS System Baseline …
Q 22 If an OS vendor issues an update to a COTS OS that was initially listed in the Solution System Baseline, does the SPoC Standard disallow transactions on COTS Devices using the updated OS until the updated OS is evaluated? A No. If an updated version of an OS that is already listed in the COTS System Baseline is made available by the original OS vendor, then the Solution Provider may add that version to the COTS System Baseline …
Modified
p. 13 → 10
Q 24 SPoC Security Requirements 3.6.1 and 5.1.2 state that if the Back-end Monitoring System resides in the Cardholder Data Environment, then PCI DSS, Appendix A3, “Designated Entities Supplemental Validation (DESV)” will apply. Does an SPoC Solution Provider have to be fully compliant with DESV when submitting an SPoC Solution for initial validation? A If the Solution Provider cannot meet DESV requirements at the point of an initial SPoC Solution validation, the Solution Provider must provide an action plan to …
Q 23 SPoC Security Requirements 3.6.1 and 5.1.2 state that if the Back-end Monitoring System resides in the Cardholder Data Environment, then PCI DSS, Appendix A3, “Designated Entities Supplemental Validation (DESV)” will apply. Does an SPoC Solution Provider have to be fully compliant with DESV when submitting an SPoC Solution for initial validation? A If the Solution Provider cannot meet DESV requirements at the point of an initial SPoC Solution validation, the Solution Provider must provide an action plan to …
Modified
p. 13 → 10
Q 25 [May 2019] Test Requirement TB2.5 calls for the disabling of on-device sensors during PIN entry. Does this requirement apply to all COTS Platforms? A The SPoC Standard does not require the disabling on-device sensors during PIN entry. This requirement applies only if the Solution Provider implemented programmatic methods, manual processes (for example, prompting the end-user to disable a sensor), or a combination of both to disable on-device sensors.
Q 24 Test Requirement TB2.5 calls for the disabling of on-device sensors during PIN entry. Does this requirement apply to all COTS Platforms? A The SPoC Standard does not require disabling on-device sensors during PIN entry.
Modified
p. 13 → 11
Q 26 [May 2019] Can a SPoC Solution be associated with and communicate with multiple SCRPs, or MSRs concurrently? A Yes. A SPoC Solution is permitted to support the use of multiple SCRPs or MSRs (per the SPoC Annex). The use of multiple SCRPs or MSRs in the SPoC Solution is optional. The Back-end Monitoring System must be able to interact with each SCRP. All SCRPs supported by the SPoC Solution must act in accordance with all roles and responsibilities …
Q 25 Can a SPoC Solution be associated with and communicate with multiple SCRPs, or MSRs concurrently? A Yes. A SPoC Solution is permitted to support the use of multiple SCRPs or MSRs (per the SPoC Annex). The use of multiple SCRPs or MSRs in the SPoC Solution is optional. The Back-end Monitoring System must be able to interact with each SCRP. All SCRPs supported by the SPoC Solution must act in accordance with all roles and responsibilities as detailed …