-
PCI SSC Validated Point To Point Encryption (P2PE) Solution
(21 Assessment Requirements)
All payment processing is via a validated PCI-listed P2PE solution;
The only systems in the merchant environment that store, process or transmit account data are the payment terminals from a validated PCI-listed P2PE solution;
The merchant does not otherwise receive, transmit, or store account data electronically.
Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
The merchant has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
-
Goal 2: Protect Account Data
-
Requirement 3: Protect Stored Account Data
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirement 3.1.1 means that, if the merchant has paper storage of account data, the merchant has policies and procedures in place that govern merchant activities for Requirement 3. This helps to ensure personnel are aware of and following security policies and documented operational procedures for managing the secure storage of any paper records with account data.
If the merchant does not store paper records with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
-
3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Note: For SAQ P2PE, Requirement 3 applies only to merchants with paper records that include account data (for example, receipts or printed reports).
- 3.1.1 Data Lifecycle Management policies & procedures.
-
3.2 Storage of account data is kept to a minimum.
- 3.2.1 Storage of account data is minimized.
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirement 3.2.1 means that the merchant has data disposal policies that govern account data storage and if a merchant stores any paper (for example, receipts or paper reports) that contain account data, the merchant stores the paper per that policy (for example, only as long as it is needed for business, legal, and/or regulatory reasons) and destroys the paper once it is no longer needed.
If a merchant never prints or stores any paper containing account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
-
3.3 Sensitive authentication data (SAD) is not stored after authorization.
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirement 3.3.1.2 means that if the merchant writes down the card verification code while a transaction is being conducted, the merchant either securely destroys the paper (for example, with a shredder) immediately after the transaction is complete, or obscures the code (for example, by “blacking it out” with a marker) before the paper is stored.
If the merchant never requests the three-digit or four-digit number printed on the front or back of a payment card (“card verification code”), mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
- 3.3.1 SAD retention limitation.
- 3.3.1.2 CVV data retention limitation.
-
3.4 Access to displays of full PAN and ability to copy PAN is restricted.
- 3.4.1 PAN display restriction.
-
Goal 4:
Implement Strong Access Control Measures
-
Requirement 7:
Restrict Access to System Components and Cardholder Data by Business Need to Know
-
7.2 Access to system components and data is appropriately defined and assigned.
- 7.2.2 Least Privilege principle
-
Requirement 9:
Restrict Physical Access to Cardholder Data
-
9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
- 9.1.1 Physical Security & Access Management policies & procedures.
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirement 9.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 9, including how any paper media with cardholder data is secured, and how POI devices are protected.
-
9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.
Note: For SAQ P2PE, Requirements at 9.4 only apply to merchants with paper records (for example, receipts or printed reports) with account data, including primary account numbers (PANs).
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirements at 9.4 means that the merchant securely stores any paper media with account data, for example by storing the paper in a locked drawer, cabinet, or safe, and that the merchant destroys such paper when no longer needed for business purposes. This includes a written document or policy for employees, so they know how to secure paper with account data and how to destroy the paper when no longer needed.
If the merchant never stores any paper with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
- 9.4.1 Physically secure media
- 9.4.1.1 Secure offline media backups
- 9.4.2 Data classification
- 9.4.3 Secure media distribution
- 9.4.4 Management approval
- 9.4.6 Hardcopy secure destruction
-
9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
Note: For SAQ P2PE, these requirements apply to the POI devices used by the merchant as part of the P2PE solution.
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirements at 9.5 means that the merchant has policies and procedures in place for Requirements 9.5.1, 9.5.1.1, 9.5.1.2, and 9.5.1.3, and that they maintain a current list of devices, conduct periodic device inspections, and train employees about what to look for to detect tampered or substituted devices.
- 9.5.1 Measures to protect POI devices
- 9.5.1.1 Maintain asset inventory
- 9.5.1.2 Maintain physical inspection schedule
- 9.5.1.3 Staff POI physical security training
-
Goal 6:
Maintain an Information Security Policy
-
Requirement 12: Support Information Security with Organizational Policies and Programs
-
12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirements 12.1.1 and 12.1.2 means that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed at least once every 12 months and updated if needed. For example, such a policy could be a simple document that covers how to protect the store and payment devices in accordance with the solution provider’s guidance/instruction manual, and who to call in an emergency.
- 12.1.1 Implement an Information Security Policy
- 12.1.2 Maintain an Information Security Policy
- 12.1.3 Information Security roles & responsibilities are clearly defined
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirement 12.1.3 means that the merchant’s security policy defines basic security responsibilities for all personnel, consistent with the size and complexity of the merchant’s operations. For example, security responsibilities could be defined according to basic responsibilities by employee levels, such as the responsibilities expected of a manager/owner and those expected of clerks.
-
12.6 Security awareness education is an ongoing activity.
- 12.6.1 Formal Information Security awareness program
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirement 12.6.1 means that the merchant has a security awareness program in place, consistent with the size and complexity of the merchant’s operations. For example, a simple awareness program could be a flyer posted in the back office, or a periodic e-mail sent to all employees. Examples of awareness program messaging include descriptions of security tips all employees should follow, such as how to lock doors and storage containers, how to determine whether a payment terminal has been tampered with, and processes to confirm the identity and verify there is a legitimate business reason for any service workers when they arrive to service payment terminals.
-
12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirements 12.8.1 through 12.8.5 means that the merchant has a list of, and agreements with, service providers they share account data with or that could impact the security of the merchant’s cardholder data environment. For example, such agreements would be applicable if a merchant uses a document-retention company to store paper documents that include account data or if a merchant’s vendor accesses merchant systems remotely to perform maintenance.
- 12.8.1 Maintain a list of TPSP
- 12.8.2 Manage TPSP written agreements
- 12.8.3 TPSP due diligence
- 12.8.4 TPSP PCI DSS compliance status management
- 12.8.5 Understand outsourced responsibilities.
-
12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
- 12.10.1 Implement an effective Incident Response Plan
SAQ Completion Guidance:
Selection of any of the In Place responses for Requirement 12.10.1 means that the merchant has documented an incident response and escalation plan to be used for emergencies, consistent with the size and complexity of the merchant’s operations. For example, such a plan could be a simple document posted in the back office that lists who to call in the event of various situations, with an annual review to confirm it is still accurate, but could extend all the way to a full incident response plan including backup “hotsite” facilities and thorough annual testing. This plan should be readily available to all personnel as a resource in an emergency.
-
PCI Point to Point Encryption Solutions
- Vendor's P2PE Implementation Manual (PIM)