What is a P2PE Instruction Manual (PIM)?
The P2PE Instruction Manual, also known in the PCI community as the PIM, is a guideline document that PCI Validated P2PE solution providers are required to provide to merchants who have opted into their solution. The purpose of the PIM is to provide a roadmap to compliance for merchants who have opted into a PCI Validated P2PE scope reduction program. A PCI Validated P2PE program allows merchants to use the SAQ P2PE or, for those merchants who complete a full Report on Compliance (ROC), to prove/attest only to those controls within the SAQ P2PE. At a high level, merchants who opt into and properly implement (this is a key point, we’ll touch on it in a bit) a PCI Validated P2PE solution will have the most significant scope reduction currently available for PCI DSS. For a full breakdown of the PCI Validated P2PE program and the related PCI DSS compliance benefits, please visit PCI Validated P2PE Explained to learn more. Once you’ve read through, come back here for a full breakdown of the PIM!
What does the P2PE Instruction Manual (PIM) Cover?
In version 1.x of PCI Validated P2PE, the PIM varied greatly from one solution provider to the next. That being said, the PIM must always include the merchant’s obligations around chain of custody, shipping and receiving devices, secure storage of devices, commissioning/decommissioning procedures, device inspections and device inventory requirements. In April 2015, the second version of PCI Validated P2PE was released, which changed the standard from one in which a single solution provider was responsible for every requirement to a more modular standard assembled from separately validated components. The newer version also templatized the PIM, to standardize this critical instructional guide for merchant consumption. Many merchants struggled to perform an apples-to-apples comparison of PCI Validated P2PE providers, and the differences in PIM requirements made this even more difficult. Not to mention that a less stringent PIM could sway a merchant towards that solution because of its reduced obligations, which undermines the PCI Council’s goal of protecting merchant environments.
Image Credit: CBORD: Decoding EMV and P2PE
How do I know if I’m Compliant with the P2PE Instruction Manual (PIM)?
This question often comes up among merchants who have adopted or are in the process of adopting a PCI Validated P2PE solution. Per the PCI Validated P2PE standard, merchants must ensure that they are following the guidelines of the PIM to benefit from the significant scope reduction that a properly implemented PCI P2PE solution provides. As a result, merchants will often request that the PCI Validated P2PE provider give guidance and ultimately approve the implementation of the solution within the merchant’s environment. Depending on the solution provider, they may or may not be willing to do this. Why? The answer requires an understanding of the merchant services industry, and of who is ultimately requiring compliance with the PCI DSS standard. For a better understanding of the merchant services industry, including the complexities around credit card processing, acquirers, processors and security, visit the following post: Credit Card Processing, Encryption and EMV Explained.
The short of it is, a merchant’s merchant services account is underwritten by a banking institution (the acquirer). That banking institution is taking the risk of underwriting your merchant services account, and therefore it requires, in partnership with the card brands (Visa, MC, AMEX, Discover, etc.), that a merchant become PCI DSS compliant. As a result, the acquirer is the party who determines whether or not you are compliant, often in conjunction with an independent Qualified Security Assessor (QSA). With that, some PCI Validated P2PE solution providers will offer their P2PE Instruction Manual (PIM) as a “roadmap” document, where merchants are to confirm that they are accomplishing the relevant controls in consultation with their QSA. Other solution providers, however, will maintain that the determination of compliance is in their hands, as they are the solution provider.
Our opinion is that it is a joint effort between the PCI Validated P2PE solution provider and the merchant’s QSA to determine whether or not the merchant is compliant with the P2PE Instruction Manual.
The reason is that the solution provider and the QSA/acquirer both have an important role to play in the process. The P2PE Instruction Manual is authored by the solution provider, based on the PCI Council’s requirements for the PIM, and the solution provider best understands the steps a merchant must take to fall under the scope reduction of the PCI P2PE program. That being said, the solution provider is not a QSA, and it does not know the specifics of a merchant’s environment well enough to offer a concrete opinion on whether the merchant is achieving a specific control. For example, a PIM requirement for merchants who have implemented a PCI Validated P2PE program is that they “secure” their Point-of-Interaction (POI) devices, the formal name for the payment terminals, which in a P2PE solution must be PCI PTS-approved devices with SRED (secure reading and exchange of data) enabled. The term “secure” is, of course, grey. Some solution providers require that every device be secured with a stand or a tethering device. Using that example, let’s say a merchant does not want to secure its POI devices in that manner for whatever reason, but instead points to 24/7 surveillance of the POI devices as its means of “securing” them. This is when the merchant’s QSA steps in, to determine whether or not the merchant is accomplishing the controls of the P2PE Instruction Manual (PIM). Whatever the outcome, the compensating approach still has to support the rest of the PIM’s device obligations (periodic tamper inspections, inventory and chain of custody), since surveillance does not by itself satisfy those. The solution provider cannot make this determination, because it does not perform on-site assessments of the merchant’s environment to confirm that the controls are in place.
Regardless of the PCI Validated P2PE solution or other security solution a merchant is considering implementing, a trusted Qualified Security Assessor (QSA) should always be consulted from the sales process through implementation.