Document Comparison

CPoC_Technical_FAQs-v1.4_.pdf → CPoC_Technical_FAQs-v1.5.pdf
90% similar
12 → 12 Pages
4019 → 4105 Words
29 Content Changes

Content Changes

29 content changes. 14 administrative changes (dates, page numbers) hidden.

Added p. 1
Payment Card Industry (PCI) Contactless Payments on COTS (CPoC™) Technical FAQs for use with CPoC 1.0 Version 1.5
Added p. 5
Q 4 [September 2025] Are there situations where a CPoC Solution does not require full evaluation if changing laboratories for an annual checkpoint or implementation change evaluation? A A full evaluation is not required when changing laboratories during a 3-year listing period if the new laboratory has access to the full CPoC report. The new CPoC Laboratory may still determine aspects of the implementation require re-evaluation, even when a previous full evaluation report is provided.
Modified p. 4
Q 1 Is the CPoC Standard intended to support the deployment of CPoC Applications in attended environments? A Yes. The security requirements are intended specifically to address risks associated with attended environments. Other implementations may render environments vulnerable to additional attacks that have not been considered in the security requirements and which may not be mitigated by the underlying controls established in the CpoC Standard.
Q 1 Is the CPoC Standard intended to support the deployment of CPoC Applications in attended environments? A Yes. The security requirements are intended specifically to address risks associated with attended environments. Other implementations may render environments vulnerable to additional attacks that have not been considered in the security requirements, and which may not be mitigated by the underlying controls established in the CPoC Standard.
Modified p. 4
Q 3 Can a CPoC solution provider compose a CPoC solution from third-party elements? A The CPoC Standard does not prohibit using a third-party service provider or elements developed by a third-party as long as the CPoC solution in its entirety and as a whole solution is evaluated by the CPoC laboratory. Regardless of whether the CPoC solution, including CpoC application, has been developed in-house or by a third-party, each CPoC solution provider is ultimately responsible for ensuring that all …
Q 3 Can a CPoC solution provider compose a CPoC solution from third-party elements? A The CPoC Standard does not prohibit using a third-party service provider or elements developed by a third-party as long as the CPoC solution in its entirety and as a whole solution is evaluated by the CPoC laboratory. Regardless of whether the CPoC solution, including CPoC application, has been developed in-house or by a third-party, each CPoC solution provider is ultimately responsible for ensuring that all …
Modified p. 5
Q 4 [December 2021] What is the definition of “tamper-detection”? A A characteristic that allows for the determination that an attempt has been made to compromise security.
Q 5 [December 2021] What is the definition of “tamper-detection”? A A characteristic that allows for the determination that an attempt has been made to compromise security.
Modified p. 5
Q 5 Module 5 references a contactless EMV kernel (singular) for card acceptance. If the CPoC solution involves more than one contactless EMV kernel, do all Module 5 requirements apply to each kernel? A Yes. CPoC solutions generally include multiple contactless EMV kernels, and the Module 5 requirements apply to all kernels in the solution. Any kernels that are added to an approved solution are required to be evaluated, either a full or delta change evaluation, as determined by the …
Q 6 Module 5 references a contactless EMV kernel (singular) for card acceptance. If the CPoC solution involves more than one contactless EMV kernel, do all Module 5 requirements apply to each kernel? A Yes. CPoC solutions generally include multiple contactless EMV kernels, and the Module 5 requirements apply to all kernels in the solution. Any kernels that are added to an approved solution are required to be evaluated, either a full or delta change evaluation, as determined by the …
Modified p. 5
Q 6 [December 2021] What is an assessed or validated RNG, and what is expected from a CPoC lab when evaluating a CPoC solution? A There are two types of RNGs: Deterministic Random Number Generator (DRNG) and Non-deterministic Random Number Generator (NRNG). Typically, DRNG uses an initial seed value from an NRNG to generate deterministic random values.
Q 7 [December 2021] What is an assessed or validated RNG, and what is expected from a CPoC lab when evaluating a CPoC solution? A There are two types of RNGs: Deterministic Random Number Generator (DRNG) and Non-deterministic Random Number Generator (NRNG). Typically, DRNG uses an initial seed value from an NRNG to generate deterministic random values.
Modified p. 6
Q 7 [December 2021] Can an EMV Unpredictable Number (UN) be used for security services? A No. An EMV UN used in contactless kernels on COTS acceptance device provides dynamic data for a contactless transaction. However, an EMV UN is not sufficient to provide a seed/entropy for RNG functions used by CPoC solution security services.
Q 8 [December 2021] Can an EMV Unpredictable Number (UN) be used for security services? A No. An EMV UN used in contactless kernels on COTS acceptance device provides dynamic data for a contactless transaction. However, an EMV UN is not sufficient to provide a seed/entropy for RNG functions used by CPoC solution security services.
Modified p. 6
Q 8 [December 2021] Can secret or private cryptographic keys be used for multiple purposes? A No. With exception of software-based protection mechanisms (e.g., white-box cryptography), all secret cryptographic keys and private cryptographic keys used in the solution must be unique per device, per application, and per purpose. For example, the same cryptographic key used to protect attestation messages cannot be used to encrypt account data. Nor can the same cryptographic key be used to protect attestation messages on different …
Q 9 [December 2021] Can secret or private cryptographic keys be used for multiple purposes? A No. With exception of software-based protection mechanisms (e.g., white-box cryptography), all secret cryptographic keys and private cryptographic keys used in the solution must be unique per device, per application, and per purpose. For example, the same cryptographic key used to protect attestation messages cannot be used to encrypt account data. Nor can the same cryptographic key be used to protect attestation messages on different …
Modified p. 6
Q 9 [December 2021] Do public keys have to be signed to be used in the CPoC solution? A No. There are many ways to verify the authenticity of a public key, such as digital signatures, message authentication codes, and certificate pinning.
Q 10 [December 2021] Do public keys have to be signed to be used in the CPoC solution? A No. There are many ways to verify the authenticity of a public key, such as digital signatures, message authentication codes, and certificate pinning.
Modified p. 6
Q 10 [December 2021] Can self-signed certificates be used in the CPoC solution? No. Self-signed certificates cannot be used for security services anywhere in the CPoC solution. While the integrity and authenticity of self-signed certificates can be verified (for example, by using a certificate pinning technique), there are a number of security challenges with their use. The only exceptions are self-signed certificates that exist as part of the base COTS platform or root Certificate Authority (CA) certificates that are part …
Q 11 [December 2021] Can self-signed certificates be used in the CPoC solution? No. Self-signed certificates cannot be used for security services anywhere in the CPoC solution. While the integrity and authenticity of self-signed certificates can be verified (for example, by using a certificate pinning technique), there are a number of security challenges with their use. The only exceptions are self-signed certificates that exist as part of the base COTS platform or root Certificate Authority (CA) certificates that are part …
Modified p. 6
Q 11 [December 2021] Must only secret cryptographic keys and private cryptographic keys that are used to encrypt account data be protected? A No. All secret cryptographic keys and private cryptographic keys that are used for security services in the CPoC solution must be protected. This includes persistent storage of all secret cryptographic keys and private cryptographic keys in one of the approved forms defined in CPoC Security Requirement 1.4.4.
Q 12 [December 2021] Must only secret cryptographic keys and private cryptographic keys that are used to encrypt account data be protected? A No. All secret cryptographic keys and private cryptographic keys that are used for security services in the CPoC solution must be protected. This includes persistent storage of all secret cryptographic keys and private cryptographic keys in one of the approved forms defined in CPoC Security Requirement 1.4.4.
Modified p. 7
Q 13 [December 2021] Is an HSM the only acceptable method to store cryptographic material used in signing CPoC application executables and scripts? A No. Secret cryptographic keys and private cryptographic keys can be stored in one of the approved forms defined in CPoC Security Requirement 1.4.4.
Q 14 [December 2021] Is an HSM the only acceptable method to store cryptographic material used in signing CPoC application executables and scripts? A No. Secret cryptographic keys and private cryptographic keys can be stored in one of the approved forms defined in CPoC Security Requirement 1.4.4.
Modified p. 7
Q 14 [December 2021] How can a CPoC application protect cryptographic keys used to encrypt account data? When stored, cryptographic keys used to encrypt account data must be maintained in one of the approved forms defined in CPoC Security Requirement 1.4.4.
Q 15 [December 2021] How can a CPoC application protect cryptographic keys used to encrypt account data? When stored, cryptographic keys used to encrypt account data must be maintained in one of the approved forms defined in CPoC Security Requirement 1.4.4.
Modified p. 7
Q 15 [December 2021] What is expected from CPoC labs regarding physical and logical testing of the COTS devices? A While there is no expectation to perform physical or logical testing of a COTS device itself, CPoC labs must confirm whether COTS platforms included in the COTS system baseline have known characteristics, such as physical test, debug, or in-circuit emulation features. For example, some Android mobile devices have an NFC logging service, which is intended to be used for debugging …
Q 16 [December 2021] What is expected from CPoC labs regarding physical and logical testing of the COTS devices? A While there is no expectation to perform physical or logical testing of a COTS device itself, CPoC labs must confirm whether COTS platforms included in the COTS system baseline have known characteristics, such as physical test, debug, or in-circuit emulation features. For example, some Android mobile devices have an NFC logging service, which is intended to be used for debugging …
Modified p. 8
Q 16 [December 2021] Can back-end attestation and monitoring systems be hosted in multiple environments by more than one entity? A Yes. For each environment that is hosting attestation and monitoring systems, the CPoC solution provider expected to do either: 1) Provide an Attestation of Compliance (AOC) that has been completed and signed within the previous 12 months demonstrating that the environment complies with the PCI DSS, including the additional controls outlined in PCI DSS Appendix A3 DESV, or; 2) …
Q 17 [December 2021] Can back-end attestation and monitoring systems be hosted in multiple environments by more than one entity? A Yes. For each environment that is hosting attestation and monitoring systems, the CPoC solution provider expected to do either: 1) Provide an Attestation of Compliance (AOC) that has been completed and signed within the previous 12 months demonstrating that the environment complies with the PCI DSS, including the additional controls outlined in PCI DSS Appendix A3 DESV, or; 2) …
Modified p. 8
Q 17 [December 2021] Does assessment of back-end systems require a physical onsite presence of the lab personnel? A CPoC solution back-end environments include back-end monitoring and attestation environment, and back-end payment processing environment. The back-end payment processing environment must be compliant with PCI Data Security Standard, and whether remote assessment methods are acceptable is defined by the compliance-accepting entities.
Q 18 [December 2021] Does assessment of back-end systems require a physical onsite presence of the lab personnel? A CPoC solution back-end environments include back-end monitoring and attestation environment, and back-end payment processing environment. The back-end payment processing environment must be compliant with PCI Data Security Standard, and whether remote assessment methods are acceptable is defined by the compliance-accepting entities.
Modified p. 8 → 9
Q 18 [July 2024] Can a Mobile Device Management (MDM) solution be used as an ‘OS-store’ for the distribution of a CPoC application? Is additional testing required in such a case? A Yes. An MDM system may be used for the distribution of a CPoC application, instead of the official OS store, if the requirements of 2.6.x of the PCI CPoC standard have been validated as part of the Solution listing.
Q 19 [July 2024] Can a Mobile Device Management (MDM) solution be used as an ‘OS-store’ for the distribution of a CPoC application? Is additional testing required in such a case? A Yes. An MDM system may be used for the distribution of a CPoC application, instead of the official OS store, if the requirements of 2.6.x of the PCI CPoC standard have been validated as part of the Solution listing.
Removed p. 9
Q 21 Can a CPoC Lab reference an approval from another PCI SSC standard, such as
Modified p. 9
Q 19 Can APIs (i.e., software libraries allowing third parties to interface with the CPoC solution) be validated and listed as part of a CPoC solution? A Yes. In cases where the CPoC solution provider offers software libraries or APIs to allow third parties to interface to the solution, evaluation and validation by a CPoC lab is required as part of each CPoC solution in which such APIs are provided in order to validate that usage of the API can …
Q 20 Can APIs (i.e., software libraries allowing third parties to interface with the CPoC solution) be validated and listed as part of a CPoC solution? A Yes. In cases where the CPoC solution provider offers software libraries or APIs to allow third parties to interface to the solution, evaluation and validation by a CPoC lab is required as part of each CPoC solution in which such APIs are provided in order to validate that usage of the API can …
Modified p. 9
Q 20 What is expected from a CPoC lab when evaluating a CPoC solution that offers APIs or software libraries to allow third-party developers to interface with the solution? A The evaluation and validation of the APIs (together with the CPoC user guidance document described and defined in the CPoC Program Guide) by a CPoC lab are required as part of each CPoC Solution in which such libraries or APIs are provided. The CPoC lab must validate that third-party usage …
Q 21 What is expected from a CPoC lab when evaluating a CPoC solution that offers APIs or software libraries to allow third-party developers to interface with the solution? A The evaluation and validation of the APIs (together with the CPoC user guidance document described and defined in the CPoC Program Guide) by a CPoC lab are required as part of each CPoC Solution in which such libraries or APIs are provided. The CPoC lab must validate that third-party usage …
Modified p. 9
PCI Software-Based PIN Entry on COTS (SPoC)™, to meet objectives in the CPoC standard without performing the required testing? A No. With the exception of references to the PCI DSS AOC for back-end environments, each CPoC evaluation report must demonstrate that the CPoC solution under review was evaluated and meets the security and the test requirements of the CPoC Standard.
Q 22 Can a CPoC Lab reference an approval from another PCI SSC standard, such as PCI Software-Based PIN Entry on COTS (SPoC)™, to meet objectives in the CPoC standard without performing the required testing? A No. With the exception of references to the PCI DSS AOC for back-end environments, each CPoC evaluation report must demonstrate that the CPoC solution under review was evaluated and meets the security and the test requirements of the CPoC Standard.
Modified p. 9 → 10
Q 22 Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one CPoC evaluation can be reused in another CPoC evaluation from the same vendor. This situation occurs commonly when more than one CPoC solution with similar characteristics are evaluated by the same CPoC laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been completed under the same major …
Q 23 Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one CPoC evaluation can be reused in another CPoC evaluation from the same vendor. This situation occurs commonly when more than one CPoC solution with similar characteristics are evaluated by the same CPoC laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been completed under the same major …
Modified p. 10
Q 23 Can a CPoC lab rely on testing performed by a different CPoC lab without further testing or validation? A If any element of a CPoC solution was evaluated by an entity other than the CPoC lab performing the evaluation under review, the evaluating CPoC lab must have access to all associated reports and supporting evidence. If those reports are not available for any reason, the evaluating CPoC lab must determine the additional work required to properly evaluate and …
Q 24 Can a CPoC lab rely on testing performed by a different CPoC lab without further testing or validation? A If any element of a CPoC solution was evaluated by an entity other than the CPoC lab performing the evaluation under review, the evaluating CPoC lab must have access to all associated reports and supporting evidence. If those reports are not available for any reason, the evaluating CPoC lab must determine the additional work required to properly evaluate and …
Modified p. 10
Q 24 What testing and reporting are expected to be performed by CPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the CPoC solution continues to meet the security and test requirements of the CPoC Standard. The amount of testing that is required will vary. At a minimum, however, the CPoC lab must confirm that:
Q 25 What testing and reporting are expected to be performed by CPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the CPoC solution continues to meet the security and test requirements of the CPoC Standard. The amount of testing that is required will vary. At a minimum, however, the CPoC lab must confirm that:
Modified p. 11
Q 25 [December 2021] Can a lab submit a single report for multiple versions of COTS device operating systems? A Yes. Support for different major versions of COTS device operating systems (9.x, 10.x, and so on) is permitted in a single CPoC Solution Evaluation and listing on the Website. However, support for different COTS platforms (such as Android and iOS) are considered separate CPoC Solutions, and therefore require separate, full CPoC Evaluation Reports, validation, and listings on the Website.
Q 26 [December 2021] Can a lab submit a single report for multiple versions of COTS device operating systems? A Yes. Support for different major versions of COTS device operating systems (9.x, 10.x, and so on) is permitted in a single CPoC Solution Evaluation and listing on the Website. However, support for different COTS platforms (such as Android and iOS) are considered separate CPoC Solutions, and therefore require separate, full CPoC Evaluation Reports, validation, and listings on the Website.
Modified p. 11
Q 26 [December 2021] Can a CPoC Solution Listing be delayed at a vendor’s request? A Yes, solution providers may choose to delay listing a newly approved CPoC solution for up to a maximum of six calendar months. Written notification to PCI SSC must be submitted by the CPoC solution provider, through the CPoC laboratory performing the evaluation, along with the completed CPoC Evaluation Report. In addition, the CPoC lab must make a notation in the applicable field of the …
Q 27 [December 2021] Can a CPoC Solution Listing be delayed at a vendor’s request? A Yes, solution providers may choose to delay listing a newly approved CPoC solution for up to a maximum of six calendar months. Written notification to PCI SSC must be submitted by the CPoC solution provider, through the CPoC laboratory performing the evaluation, along with the completed CPoC Evaluation Report. In addition, the CPoC lab must make a notation in the applicable field of the …
Modified p. 11 → 12
Q 27 [June 2022] What is required of a CPoC Solution once an operating system is no longer supported? A CPoC Solution Providers must start migrating merchants from platforms as soon as an operating system within the baseline is no longer supported. Plans for such migration must exist prior to the expiry of any supported OS, and may include commencement of migration prior to the deprecation of the OS.
Q 28 [June 2022] What is required of a CPoC Solution once an operating system is no longer supported? A CPoC Solution Providers must start migrating merchants from platforms as soon as an operating system within the baseline is no longer supported. Plans for such migration must exist prior to the expiry of any supported OS, and may include commencement of migration prior to the deprecation of the OS.
Modified p. 12
Q 28 [June 2022] Is it required that the PCI DSS validation of the payment processing back-end system used in a CPoC solution is performed by a QSA? A The method required be used to validate payment back-end systems to the PCI DSS is a function of the compliance programs managed by each of the relevant payment brands. For details on any specific case please contact the individual payment brands (see How do I contact the payment card brands?).
Q 29 [June 2022] Is it required that the PCI DSS validation of the payment processing back-end system used in a CPoC solution is performed by a QSA? A The method required to be used to validate payment back-end systems to the PCI DSS is a function of the compliance programs managed by each of the relevant payment brands. For details on any specific case please contact the individual payment brands (see How do I contact the payment card brands?).