Part I: Understanding the SAQ P2PE for PCI SSC Validated P2PE Solutions

SAQ P2PE

PCI Validated Point-to-Point Encryption (P2PE) has quickly become the standard that merchants are moving towards to remove their POS, network and supporting infrastructure from scope of PCI DSS compliance.  Merchants who are utilizing a PCI Validated P2PE solution and properly implement this solution automatically qualify for the controls under the SAQ P2PE.  In this post, we will be addressing the first section of the SAQ P2PE: 1. Assessment Information. In the coming weeks, we will be providing a Part II, which will cover section two of the SAQ P2PE, 2. Self -Assessment Questionnaire. The official list of PCI Validated P2PE providers can be found on the PCI SSC website here, and the official SAQ P2PE document can be found on our Documents page, or by clicking this link PCI DSS v3.2 SAQ-P2PE.

SAQ P2PE Versions

First and foremost, it’s critical that the proper SAQ P2PE is being utilized when completing your self-assessment questionnaire.  Since the release of the PCI P2PE standard in 2012, there have been five (5) iterations of the SAQ P2PE.  The current version is Version 3.2, Revision 1.0, and is linked above.  The breakdown of each version and changes can be found below:

Release Date PCI DSS Version SAQ

Revision

Description
N/A 1.0 Not used.
May 2012 2.0 To create SAQ P2PE-HW for merchants using only hardware terminals as part of a validated P2PE solution listed by PCI SSC.

This SAQ is for use with PCI DSS v2.0.

February 2014 3.0 To align content with PCI DSS v3.0 requirements and testing procedures and incorporate additional response options.
April 2015 3.1 Updated to align with PCI DSS v3.1.  For details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1. Removed “HW” from SAQ title, as may be used by merchants using either a HW/HW or HW/Hybrid P2PE solution.
July 2015 3.1 1.1 Updated to remove references to “best practices” prior to June 30, 2015.
April 2016 3.2 2.0 Updated to align with PCI DSS v3.2. For details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.1 to 3.2.

 

SAQ P2PE Section 1: Assessment Information

SAQ P2PE Part 1. Merchant and Qualified Security Assessor Information

Part I of the SAQ P2PE focuses on merchant information, such as company name, address, and other company information.  This is a simple section, and should only take a minute to complete.

SAQ P2PE: Part 2. Executive Summary

SAQ P2PE: Part2a:  Type of Merchant Business

Here, you simply check the merchant category that you fall into, such as Retailer, Grocery and Supermarkets, Telecommunication, etc.

SAQ P2PE: Part 2b: Description of Payment Card Business

This section only has a single question: How and in what capacity does your business store, process and/or transmit cardholder data?  You will want to use this section to explain the payment acceptance environment, the P2PE solution and the high-level transaction flow involved.  Details such as the types of POI devices that are being utilized, transaction flow diagrams, as well as information on the specific PCI P2P# solution should be included in this section.

SAQ P2PE: Part 2c: Locations

This section should be utilized to notate the different locations and environments that are included in our PCI DSS production environment.  For example, if you are a restaurant chain, you would list something like “Restaurant” under the “Type of Facility” column, the number of restaurants that fall within scope under “Number of facilities of this type,” and the address/locations of each.

SAQ P2PE: Part 2d: P2PE Solution

Part 2d of the SAQ P2PE requires the following information about your PCI P2PE solution provider:

Name of P2PE Solution Provider: 
Name of P2PE Solution:
PCI SSC Reference Number
Listed P2PE POI Devices used by

Merchant (PTS Device Dependencies):

The first three (3) questions can be identified on the official PCI SSC website for P2PE solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions

The fourth (4) line item, “Listed P2PE POI Devices used by Merchant (PTS Device Dependencies)”  is simply providing a listing of the POI devices (e.g., payment terminals) that are being utilized with your merchant environment.  Before answering this question, confirm that the POI devices that are being utilized within your environment are also listed under the Solution Details section of the PCI P2PE website. Of course, this should be confirmed before implementing any solution, but it’s important to validate this during your annual PCI DSS audit.

We have included an image below to provide an example of the information that you will need for section for Part2d of the SAQ P2PE.

pci p2pe

Please note: we are not recommending/sponsoring the P2PE provider shown in the image above, but are merely providing an example of the specific information needed to complete the SAQ P2PE.

SAQ P2PE: Part 2e: Description of Environment

This section asks for a high-level description of your environment that is used to process payments.  For example, this would be a high-level description of your payment terminals, POS workstations, POS servers, network overview and any related supporting infrastructure.  Remember, SAQ P2PE section 2e specifically requests (in bold) a high-level description only, so there is no need to provide an exhaustive network diagram or data flow.  Being that you’re implementing a PCI SSC Validated P2PE solution, there should be no need for this level of detail anyway.

In addition, this section also asks if you utilize network segmentation to affect the scope of your PCI DSS environment.  Remember, with PCI Validated P2PE solutions, network segmentation is not necessary due to no clear-text, sensitive credit card data entering your system.  Of course, if you utilize network segmentation in addition to your P2PE solution, it should be mentioned and described, at a high level.

SAQ P2PE: Part 2f: Third-Party Service Providers

This section focuses on Qualified Integrator & Resellers (QIR), and whether your company utilizes a QIR for its implementations.  For additional information on the Qualified Integrator & Reseller, view our post here: PCI QIR Program Explained

If you utilize a QIR, this section will require some basic information on your QIR company.

The only other requirement of this section is to list any third-party service provider, such as a QIR (payment terminal installation) companies, payment gateways, online travel agencies, or software vendors, whom your company shares cardholder data with.  This section asks for the company names and a description of the services provided (e.g., payment gateway).

SAQ P2PE: Part 2g: Eligibility to Complete SAQ P2PE

As a merchant who is self-attesting that a PCI Validated P2PE  has been properly implemented within their environment, you must certify eligibility by confirming all of the following criteria:

  • All payment processing is via the validated PCI P2PE solution approved and listed by the PCI SSC (per above)
  • The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution
  • Merchant does not otherwise receive or transmit cardholder data electronically
  • Merchant verifies there is no legacy storage of electronic cardholder data in the environment
  • If Merchant does not store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically, and
  • Merchant has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider

 

 

About PCI Blog 1064 Articles
PCI Blog is the most trusted PCI Compliance and IT Security blog on the web. Authored by industry experts within the payments and IT security industries, PCI Blog provides insight on the complex world behind modern compliance and security standards. As a wholly independent source of news within the payments industry, PCI Blog focuses on the ever-changing responsibilities of merchants who accept credit cards. PCI Blog also provides reviews on PCI compliance tools and enterprise security solutions to offer a fair, independent critique of product offerings within the payments industry.

Be the first to comment

Leave a Reply