Document Comparison
Contactless_Payments_on_COTS-Technical_FAQs_v1.0.pdf
→
Contactless_Payments_on_COTS_-_Technical_FAQs_v1.1.pdf
37% similar
Pages: 4 → 7
Words: 419 → 1703
Content Changes
6 content changes. 6 administrative changes (dates, page numbers) hidden.
Added
p. 2
July 2020 | 1.1 | Updated Q3. Added new FAQs Q4 to Q10.
Updates: New questions, and questions modified for clarity, are in red.
Q 3 [July 2020] Can a CPoC solution provider compose a CPoC solution from third-party elements? A The CPoC Standard does not prohibit using a third-party service provider or elements developed by a third party, as long as the CPoC solution in its entirety and as a whole solution is evaluated by the CPoC laboratory. Regardless of whether the CPoC solution, including the CPoC application, has been developed in-house or by a third party, each CPoC solution provider is ultimately responsible for ensuring that all requirements are met and continue to be met throughout the solution’s lifecycle.
Added
p. 5
Q 4 [July 2020] Module 5 references a contactless EMV kernel (singular) for card acceptance. If the CPoC solution involves more than one contactless EMV kernel, do all Module 5 requirements apply to each kernel? A Yes. CPoC solutions generally include multiple contactless EMV kernels, and the Module 5 requirements apply to all kernels in the solution. Any kernels that are added to an approved solution are required to be evaluated, either a full or delta change evaluation, as determined by the CPoC lab, where all Module 5 security requirements and test requirements must be considered.
Q 5 [July 2020] Can APIs (i.e., software libraries allowing third parties to interface with the CPoC solution) be validated and listed as part of a CPoC solution? A Yes. In cases where the CPoC solution provider offers software libraries or APIs to allow third parties to interface to the solution, evaluation and validation by …
Added
p. 6
Q 7 [July 2020] Can a CPoC Lab reference an approval from another PCI SSC standard, such as PCI Software-Based PIN Entry on COTS (SPoC)™, to meet objectives in the CPoC standard without performing the required testing? A No. With the exception of references to the PCI DSS AOC for back-end environments, each CPoC evaluation report must demonstrate that the CPoC solution under review was evaluated and meets the security and the test requirements of the CPoC Standard.
Q 8 [July 2020] Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one CPoC evaluation can be reused in another CPoC evaluation from the same vendor. This situation occurs commonly when two CPoC solutions with similar characteristics are evaluated by the same laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have …
Added
p. 7
Q 10 [July 2020] What testing and reporting are expected to be performed by CPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the CPoC solution continues to meet the security and test requirements of the CPoC Standard. The amount of testing that is required will vary. At a minimum, however, the CPoC lab must confirm that:
• Back-end environments remain compliant with PCI DSS or CPoC Appendix A; and
• All operating processes (risk assessment, vulnerability management, change management, and so on) are being followed.
The CPoC lab may need to perform additional testing, depending on the extent to which the CPoC solution has changed. For example, if an operating system (OS) vendor no longer supports an OS that was included in the CPoC solution system baseline, the CPoC lab must verify that the CPoC solution provider has updated its system baseline and is actively working with …
Removed
p. 4
Q 3 Can a CPoC solution provider compose a CPoC solution from multiple components? A The CPoC Standard does not prohibit using a third-party service provider or components developed by a third party, as long as the CPoC solution as a whole is evaluated by the PCI-recognized laboratory. Regardless of whether the CPoC solution, including the CPoC application, has been developed in-house or by a third party, CPoC solution providers are ultimately responsible for ensuring that all requirements are met.
Modified
p. 4
Q 2 Is it possible for both CPoC and SPoC solution-listed applications to be available on a merchant’s COTS device? A Technically, the ability for solution-listed applications associated with both SPoC and CPoC to be available and run on the same merchant’s COTS device is feasible. Although a merchant may have a legitimate business context for doing so, this may introduce an additional risk, such as making PIN and PAN available in the rich execution environment. To determine whether there …