Document Comparison

CPoC_Technical_FAQs-v1.3_.pdf CPoC_Technical_FAQs-v1.4_.pdf
94% similar
12 → 12 Pages
3932 → 4019 Words
10 Content Changes

Content Changes

10 content changes. 14 administrative changes (dates, page numbers) hidden.

Added p. 8
Q 18 [July 2024] Can a Mobile Device Management (MDM) solution be used as an ‘OS-store’ for the distribution of a CPoC application? Is additional testing required in such a case? A Yes. An MDM system may be used for the distribution of a CPoC application, instead of the official OS store, if the requirements of 2.6.x of the PCI CPoC standard have been validated as part of the Solution listing.
Modified p. 9
Q 19 What is expected from a CPoC lab when evaluating a CPoC solution that offers APIs or software libraries to allow third-party developers to interface with the solution? A The evaluation and validation of the APIs (together with the CPoC user guidance document described and defined in the CPoC Program Guide) by a CPoC lab are required as part of each CPoC Solution in which such libraries or APIs are provided. The CPoC lab must validate that third-party usage …
Q 20 What is expected from a CPoC lab when evaluating a CPoC solution that offers APIs or software libraries to allow third-party developers to interface with the solution? A The evaluation and validation of the APIs (together with the CPoC user guidance document described and defined in the CPoC Program Guide) by a CPoC lab are required as part of each CPoC Solution in which such libraries or APIs are provided. The CPoC lab must validate that third-party usage …
Modified p. 9
Q 20 Can a CPoC Lab reference an approval from another PCI SSC standard, such as
Q 21 Can a CPoC Lab reference an approval from another PCI SSC standard, such as
Modified p. 9
Q 21 Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one CPoC evaluation can be reused in another CPoC evaluation from the same vendor. This situation occurs commonly when more than one CPoC solution with similar characteristics is evaluated by the same CPoC laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been completed under the same major …
Q 22 Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one CPoC evaluation can be reused in another CPoC evaluation from the same vendor. This situation occurs commonly when more than one CPoC solution with similar characteristics is evaluated by the same CPoC laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been completed under the same major …
Modified p. 10
Q 22 Can a CPoC lab rely on testing performed by a different CPoC lab without further testing or validation? A If any element of a CPoC solution was evaluated by an entity other than the CPoC lab performing the evaluation under review, the evaluating CPoC lab must have access to all associated reports and supporting evidence. If those reports are not available for any reason, the evaluating CPoC lab must determine the additional work required to properly evaluate and …
Q 23 Can a CPoC lab rely on testing performed by a different CPoC lab without further testing or validation? A If any element of a CPoC solution was evaluated by an entity other than the CPoC lab performing the evaluation under review, the evaluating CPoC lab must have access to all associated reports and supporting evidence. If those reports are not available for any reason, the evaluating CPoC lab must determine the additional work required to properly evaluate and …
Modified p. 10
Q 23 What testing and reporting are expected to be performed by a CPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the CPoC solution continues to meet the security and test requirements of the CPoC Standard. The amount of testing that is required will vary. At a minimum, however, the CPoC lab must confirm that:
Q 24 What testing and reporting are expected to be performed by a CPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the CPoC solution continues to meet the security and test requirements of the CPoC Standard. The amount of testing that is required will vary. At a minimum, however, the CPoC lab must confirm that:
Modified p. 11
Q 24 [December 2021] Can a lab submit a single report for multiple versions of COTS device operating systems? A Yes. Support for different major versions of COTS device operating systems (9.x, 10.x, and so on) is permitted in a single CPoC Solution Evaluation and listing on the Website. However, support for different COTS platforms (such as Android and iOS) are considered separate CPoC Solutions, and therefore require separate, full CPoC Evaluation Reports, validation, and listings on the Website.
Q 25 [December 2021] Can a lab submit a single report for multiple versions of COTS device operating systems? A Yes. Support for different major versions of COTS device operating systems (9.x, 10.x, and so on) is permitted in a single CPoC Solution Evaluation and listing on the Website. However, support for different COTS platforms (such as Android and iOS) are considered separate CPoC Solutions, and therefore require separate, full CPoC Evaluation Reports, validation, and listings on the Website.
Modified p. 11
Q 25 [December 2021] Can a CPoC Solution Listing be delayed at a vendor’s request? A Yes, solution providers may choose to delay listing a newly approved CPoC solution for up to a maximum of six calendar months. Written notification to PCI SSC must be submitted by the CPoC solution provider, through the CPoC laboratory performing the evaluation, along with the completed CPoC Evaluation Report. In addition, the CPoC lab must make a notation in the applicable field of the …
Q 26 [December 2021] Can a CPoC Solution Listing be delayed at a vendor’s request? A Yes, solution providers may choose to delay listing a newly approved CPoC solution for up to a maximum of six calendar months. Written notification to PCI SSC must be submitted by the CPoC solution provider, through the CPoC laboratory performing the evaluation, along with the completed CPoC Evaluation Report. In addition, the CPoC lab must make a notation in the applicable field of the …
Modified p. 11
Q 26 [June 2022] What is required of a CPoC Solution once an operating system is no longer supported? A CPoC Solution Providers must start migrating merchants from platforms as soon as an operating system within the baseline is no longer supported. Plans for such migration must exist prior to the expiry of any supported OS, and may include commencement of migration prior to the deprecation of the OS.
Q 27 [June 2022] What is required of a CPoC Solution once an operating system is no longer supported? A CPoC Solution Providers must start migrating merchants from platforms as soon as an operating system within the baseline is no longer supported. Plans for such migration must exist prior to the expiry of any supported OS, and may include commencement of migration prior to the deprecation of the OS.
Modified p. 12
Q 27 [June 2022] Is it required that the PCI DSS validation of the payment processing back-end system used in a CPoC solution is performed by a QSA? A The method required to be used to validate payment back-end systems to the PCI DSS is a function of the compliance programs managed by each of the relevant payment brands. For details on any specific case please contact the individual payment brands (see How do I contact the payment card brands?).
Q 28 [June 2022] Is it required that the PCI DSS validation of the payment processing back-end system used in a CPoC solution is performed by a QSA? A The method required to be used to validate payment back-end systems to the PCI DSS is a function of the compliance programs managed by each of the relevant payment brands. For details on any specific case please contact the individual payment brands (see How do I contact the payment card brands?).