Document Comparison
MPoC-Technical-FAQs-v1-4.pdf
→
MPoC-Technical-FAQs-v1-5.pdf
76% similar
Pages: 18 → 17
Words: 5659 → 5517
Content changes: 10
10 content changes. 14 administrative changes (dates, page numbers) hidden.
Added
p. 10
Q 1 [November 2024 - Deleted]
Q 2 [November 2024 - Deleted]
Q 3 [November 2024 - Updated] Is it acceptable for an MPoC Application integrating an MPoC SDK to manage or implement secure channels directly, following guidance provided by the MPoC Software vendor? A Yes. An MPoC SDK may allow for the integrating MPoC Application to implement, or provide configuration to, a secure channel to the payment processing environment.
The guidance provided by the MPoC SDK vendor must detail how the secure channel is to be implemented so that it meets the requirements of 1A-5, and this guidance must be validated by the laboratory to be correct and complete during the evaluation.
The secure channel to any other systems in scope of the MPoC requirements, including the backend A&M environment and any peripheral devices such as a PCI PTS SCRP, must be implemented by the MPoC SDK. This includes implementations where the A&M environment includes the …
Added
p. 11
Q 6 [November 2024 - Updated] Can RSA 2048 bit be used to encrypt AES keys in MPoC Products? A Yes, but only once per application install or if use of larger RSA keys is prevented by the COTS platform being used.
Q 12 [November 2024] Is validation to the PCI Secure Software Standard required for MPoC A&M backend software, as per requirement 1A-1.4? A No. Validation of backend A&M software against the Secure Software requirements is recommended, but is no longer required.
Added
p. 13
Q 3 [November 2024] Is detection of rooted or jailbroken COTS platforms always required? A No. COTS-based MPoC Software that executes entirely outside of the REE of the COTS device may allow for rooted and jail-broken devices to be included in the COTS platform baseline. In such cases, it must be confirmed that the COTS-based MPoC Software does not allow for sensitive assets, such as account data or cryptographic keys, to be exposed in, passed through, or obtained from the REE.
Q 1 [November 2024 - Deleted]
Q 2 [November 2024] Does the requirement for keys that are exposed in the REE of the COTS platform to be unique per transaction apply to secret or private keys used during the process of provisioning? A No. This requirement does not apply to keys used only once per application install (e.g., during initial provisioning), or keys which are used to generate future keys (but …
Added
p. 17
Q 2 [November 2024 - Deleted]
MPoC Security Requirement 4A
Q 1 [November 2023] Can HSMs validated to FIPS140-2/3 Level 2 be used in an MPoC implementation? A Yes. HSMs validated to FIPS 140-2/3 Level 2 may be used for the storage and operation of keys related to A&M data and non-PIN account data, when operated within a ‘Controlled Environment’ as defined in ISO13491.
Removed
p. 10
Q 1 What is the scope of Requirement 1A-1.4? A The software that is used in the backend A&M systems is in scope for assessment under this requirement. This includes any software which would be provided to an A&M Service Provider as part of the MPoC Software Product, or the equivalents to this in a monolithic MPoC implementation.
Q 2 How are the testing results for Requirement 1A-1.4 to be included in an MPoC Report? A Where a listing is not able to be referenced, the laboratory must perform the required testing to confirm that all security requirements of PCI Secure Software Standard are met and document the results of the testing as an appendix to the MPoC Assessment report. This appendix must be referenced in the findings of requirement 1A-1.4.
Q 3 [May 2023] Is it acceptable for an MPoC Application integrating an MPoC SDK to manage secure channels directly, following …
Removed
p. 14
Q 1 [November 2023] Some key management systems which implement forward secrecy require the storage and use of ‘future keys’, or other cryptographic material, that are used to derive transaction unique keys. Can this secret material be exposed in the REE of the COTS device? A No. MPoC requires that any cryptographic keys related to account data encryption that are exposed in the REE implement forward secrecy and are unique per transaction (1D-1.5). This includes keys and other cryptographic material which may be used to generate keys into the future.
Key management systems which require the storage and use of cryptographic keys or material (that is not unique per transaction) for the derivation of transaction unique keys must protect that data (the cryptographic keys or material) so that it is never exposed in the REE of the COTS device.
Modified
p. 14 → 13
MPoC Security Requirement 1E
MPoC Security Requirement 1D
Removed
p. 17
In all other cases, where sufficient isolation is not provided, the A&M environment must be compliant to the requirements of the PCI DSS, including Appendix A3: Designated Entities Supplemental Validation (DESV).
Q 2 [November 2023] Can an entity provide a plan for meeting the requirements of PCI DSS Appendix A3: Designated Entities Supplemental Validation (PCI DSS DESV), rather than validating against PCI DSS DESV prior to an initial full assessment as part of their validation to requirement 3D-1.1? A Yes. An entity can provide a plan and schedule for meeting PCI DSS DESV requirements prior to an initial full assessment and listing. However, the entity must have already validated against PCI DSS (without DESV requirements), and the plan must show that all applicable PCI DSS DESV requirements will be met prior to the first annual checkpoint.
Any PCI MPoC annual checkpoint or revalidation submissions will not be accepted without evidence of PCI DSS DESV …
Modified
p. 17 → 16
Q 1 Requirements 3D-1.1 and 3D-1.2 outline the need for the security assessment of the A&M backend environment. Are these requirements the only options, and if so when do they apply? A A&M backend environments must be assessed to either Appendix A or to PCI DSS DESV. One of either 3D-1.1 or 3D-1.2 must be assessed as part of a compliant report. Assessment to Appendix A is only suitable if the A&M systems are sufficiently isolated from the payment processing …
Q 1 [November 2024 - Updated] Requirements 3D-1.1 and 3D-1.2 outline the need for the security assessment of the A&M backend environment. Are these requirements the only options, and if so when do they apply? A A&M backend environments must be assessed to either Appendix A or to PCI DSS.
Modified
p. 17
Q 1 [November 2023] Can an MPoC Solution be implemented by an entity that is not the owner of the merchant account relationship? Yes. The MPoC Standard requires that merchants are securely onboarded and kept up to date with relevant information in a timely manner (requirement 5A-1.x). This communication must be documented and demonstrably in use, as validated under 5A-1.3, but may occur through channels other than those maintained by the direct owner of the merchant relationship (e.g., the merchant’s …
Q 1 [November 2023] Can an MPoC Solution be implemented by an entity that is not the owner of the merchant account relationship? A Yes. The MPoC Standard requires that merchants are securely onboarded and kept up to date with relevant information in a timely manner (requirement 5A-1.x). This communication must be documented and demonstrably in use, as validated under 5A-1.3, but may occur through channels other than those maintained by the direct owner of the merchant relationship (e.g., the …