Document Comparison

SPoC_Technical_FAQs_v1.5.pdf SPoC_Technical_FAQs_v1.6.pdf
89% similar
13 → 15 Pages
4287 → 5079 Words
14 Content Changes

Content Changes

14 content changes. 19 administrative changes (dates, page numbers) hidden.

Added p. 2
July 2020 1.6 Added Q28-Q30 to clarify reuse of testing results. Added Q36 to clarify the intent of the annual checkpoint.
Added p. 12
Q 28 [July 2020] Can a SPoC Lab reference an approval from another PCI SSC standard, such as PCI Contactless Payments on COTS (CPoC™), to meet objectives in the SPoC standard without performing the required testing? A No. With the exception of references to the PCI DSS AOC for back-end environments, each SPoC evaluation report must demonstrate that the SPoC solution under review was evaluated and meets the security and the test requirements of the SPoC Standard.

Q 29 [July 2020] Can testing results be reused from one evaluation to another of the same vendor? A Yes. Testing from one SPoC evaluation can be reused in another SPoC evaluation from the same vendor. This situation occurs commonly when two SPoC solutions with similar characteristics are evaluated by the same laboratory in parallel or in close succession. The reused data must be current (less than 12 months old) and must have been …
Added p. 13
Q 30 [July 2020] Can a SPoC lab rely on testing performed by a different SPoC lab without further testing or validation? A If any element of a SPoC solution was evaluated by an entity other than the SPoC lab performing the evaluation under review, the evaluating SPoC lab must have access to all associated reports and supporting evidence. If those reports are not available for any reason, the evaluating SPoC lab must determine the additional work required to properly evaluate and attest to the solution's compliance with the SPoC security and test requirements.

If the evaluating SPoC lab is unable to rely on the information, whether available or not, and the SPoC lab is unable to perform the additional work required to achieve such reliance, PCI SSC will not accept the report.

In all cases, PCI SSC may reject the evaluation report if it does not contain adequate information to substantiate …
Added p. 14
Q 36 [July 2020] What testing and reporting are expected to be performed by SPoC lab as part of an annual checkpoint? A The annual checkpoint confirms that the SPoC solution continues to meet the security and test requirements of the SPoC Standard. The amount of testing that is required will vary. At a minimum, however, the SPoC lab must confirm that:

• Back-end environments remain compliant with PCI DSS or SPoC Appendix A,

• The SCRP devices supported by the SPoC solution are listed on the PCI SSC Approved Device website (i.e., have not been expired), and

• All operating processes (risk assessment, vulnerability management, change management, and so on) are being followed.

The SPoC lab may need to perform additional testing, depending on the extent to which the SPoC solution has changed. For example, if an operating system (OS) vendor no longer supports an OS that was included in the SPoC solution …
Modified p. 6
Q 9 [June 2020] Are magnetic stripe-based transactions allowed by the SPoC Standard? A Yes. The Standard supports both EMV-based and magnetic-stripe mode-based contactless transactions. Solutions may optionally support magnetic-stripe readers that meet the security and testing requirements described in Payment Card Industry (PCI) Software-based PIN Entry on COTS Magnetic Stripe Readers Annex.
Q 9 Are magnetic stripe-based transactions allowed by the SPoC Standard? A Yes. The Standard supports both EMV-based and magnetic-stripe mode-based contactless transactions. Solutions may optionally support magnetic-stripe readers that meet the security and testing requirements described in Payment Card Industry (PCI) Software-based PIN Entry on COTS Magnetic Stripe Readers Annex.
Modified p. 7
Q 12 [June 2020] What constitutes an SPoC solution? Does the SPoC Standard cover separate elements or is it a single solution? A The SCRP will have a separate listing because it is evaluated and listed as part of the PTS POI Standard. However, all SCRPs associated with an SPoC solution will be included as part of the SPoC solution evaluation and listed as part of that SPoC solution’s acceptance. It is also possible that an MSR evaluated as part …
Q 12 What constitutes an SPoC solution? Does the SPoC Standard cover separate elements or is it a single solution? A The SCRP will have a separate listing because it is evaluated and listed as part of the PTS POI Standard. However, all SCRPs associated with an SPoC solution will be included as part of the SPoC solution evaluation and listed as part of that SPoC solution’s acceptance. It is also possible that an MSR evaluated as part of SPoC …
Modified p. 7
Q 13 [June 2020] Can a SPoC solution provider compose a SPoC solution from third-party elements? A The SPoC Standard does not prohibit using a third-party service provider or elements developed by a third-party, as long as the SPoC solution in its entirety and as a whole solution is evaluated by the SPoC laboratory. Regardless of whether the SPoC solution, including a PIN CVM application, has been developed in-house or by a third-party, each SPoC solution provider is ultimately …
Q 13 Can a SPoC solution provider compose a SPoC solution from third-party elements? A The SPoC Standard does not prohibit using a third-party service provider or elements developed by a third-party, as long as the SPoC solution in its entirety and as a whole solution is evaluated by the SPoC laboratory. Regardless of whether the SPoC solution, including a PIN CVM application, has been developed in-house or by a third-party, each SPoC solution provider is ultimately responsible for ensuring …
Modified p. 8
Q 15 [June 2020] Is it possible to include an operating system (OS) version in the COTS system baseline of the full solution evaluation that is not supported by the OS vendor at the time of evaluation? A No. Security Requirement 2.2.2 requires that PIN CVM applications must be developed only for operating systems that are still supported by the operating system vendor. All SPoC solutions must operate only on supported platforms. The COTS system baseline must not include any …
Q 15 Is it possible to include an operating system (OS) version in the COTS system baseline of the full solution evaluation that is not supported by the OS vendor at the time of evaluation? A No. Security Requirement 2.2.2 requires that PIN CVM applications must be developed only for operating systems that are still supported by the operating system vendor. All SPoC solutions must operate only on supported platforms. The COTS system baseline must not include any version of …
Modified p. 9
Q 19 [June 2020] If a version of the COTS OS initially listed in the solution system baseline reaches end-of-life such that it is no longer supported by the original OS vendor, does the SPoC Standard disallow transactions on affected COTS devices until the OS on those devices is updated to a supported OS? A Yes. Security Requirement 2.2.2 mandates that PIN CVM Applications are developed only for supported COTS platforms, and Security Requirement 3.1.6 mandates that COTS devices using …
Q 19 If a version of the COTS OS initially listed in the solution system baseline reaches end-of-life such that it is no longer supported by the original OS vendor, does the SPoC Standard disallow transactions on affected COTS devices until the OS on those devices is updated to a supported OS? A Yes. Security Requirement 2.2.2 mandates that PIN CVM Applications are developed only for supported COTS platforms, and Security Requirement 3.1.6 mandates that COTS devices using unsupported OS …
Modified p. 9
Q 20 [June 2020] If an OS vendor issues an update to a COTS OS that was initially listed in the solution system baseline, does the SPoC Standard disallow transactions on COTS devices using the updated OS until the updated SPoC solution is evaluated? A When an OS vendor releases a minor update to the COTS OS included in the SPoC solution system baseline, the solution provider may support the additional COTS OS version as long as it does not …
Q 20 If an OS vendor issues an update to a COTS OS that was initially listed in the solution system baseline, does the SPoC Standard disallow transactions on COTS devices using the updated OS until the updated SPoC solution is evaluated? A When an OS vendor releases a minor update to the COTS OS included in the SPoC solution system baseline, the solution provider may support the additional COTS OS version as long as it does not increase the …
Modified p. 11
Q 25 [June 2020] Can an SPoC solution be associated with and communicate with multiple SCRPs or MSRs concurrently? A Yes. An SPoC solution is permitted to support the use of multiple SCRPs or MSRs that meet the security and testing requirements described in the Payment Card Industry (PCI) Software-based PIN Entry on COTS Magnetic Stripe Readers Annex. The use of multiple SCRPs or MSRs in the SPoC solution is optional. The back-end monitoring system must be able to interact …
Q 25 Can an SPoC solution be associated with and communicate with multiple SCRPs or MSRs concurrently? A Yes. An SPoC solution is permitted to support the use of multiple SCRPs or MSRs that meet the security and testing requirements described in the Payment Card Industry (PCI) Software-based PIN Entry on COTS Magnetic Stripe Readers Annex. The use of multiple SCRPs or MSRs in the SPoC solution is optional. The back-end monitoring system must be able to interact with each …
Modified p. 12
Q 27 [June 2020] What is expected from a SPoC Lab when evaluating a SPoC solution that offers APIs or software libraries to allow third-party developers to interface with the SPoC solution? A The evaluation and validation of the APIs (together with the SPoC user guidance document described and defined in the SPoC Program Guide) by a SPoC Lab are required as part of each SPoC solution in which such libraries or APIs are provided. It is expected the SPoC …
Q 27 What is expected from a SPoC Lab when evaluating a SPoC solution that offers APIs or software libraries to allow third-party developers to interface with the SPoC solution? A The evaluation and validation of the APIs (together with the SPoC user guidance document described and defined in the SPoC Program Guide) by a SPoC Lab are required as part of each SPoC solution in which such libraries or APIs are provided. It is expected the SPoC Lab validates …
Removed p. 13
Q 30 [June 2020] Can a Delta change be submitted to update a listed SPoC solution between minor versions of the SPoC Standard? A Yes, the change is submitted to a SPoC Lab and it is up to the SPoC Lab to determine whether the extent of the change(s) can be validated via delta evaluation. If the changes are extensive or highly impactful to the SPoC security requirements, then the SPoC Lab may determine that a full evaluation is required. Note that all changes must be accompanied by current SPoC Attestation of Validation (AOV), and in accordance with SPoC Program Guide.
Modified p. 13 → 14
Q 31 [June 2020] Can an Administrative change be submitted to transition a listed SPoC solution from SPoC Standard? A No, Administrative changes cannot be used to transition between versions of the SPoC Standard - a full or delta change evaluation, as determined by the SPoC lab, must be performed.
Q 34 Can an Administrative change be submitted to transition a listed SPoC solution from SPoC Standard? A No, Administrative changes cannot be used to transition between versions of the SPoC Standard - a full or delta change evaluation, as determined by the SPoC lab, must be performed.