Document Comparison

Q 4 August 2022: Vendors can have various options for both hardware and firmware that may be either security or non-security relevant. For non-security relevant options, vendors are allowed to designate in their hardware/firmware identifiers a lower case ‘x’ in the relevant position. Security relevant options must have specific numbers and/or letters assigned and listed as part of the approval. The program guide specifies that options, both security and non-security relevant must be clearly defined and documented as to the options available and their function in the device’s Security Policy. Through oversight, some Security Policies do not have this information. Does this information need to be included? A Yes. All report submittals, whether ‘New’ or ‘Delta’ must ensure that the device’s Security Policy required for the PCI website includes this information. This includes necessary updates to existing Security Policies.

PCI PTS POI Evaluation FAQs