Latest changes to PCI SSC frequently asked questions.
The intent of this requirement is to prevent an unauthorized person from using an unattended console/PC to gain access to the user’s computer and accounts, and potentially to the company’s …
Yes, however, PCI SSC recommends the use of PCI-listed P2PE solutions. Please reference FAQ 1158 regarding the use of PCI-listed P2PE solutions regarding PCI DSS.
Merchants using encryption solutions …
No, merchants using P2PE solutions are not required to engage a P2PE assessor [that is, a QSA (P2PE) or PA-QSA (P2PE)] for their PCI DSS assessments.
Merchants using Council-listed …
The P2PE v1.1 standard applies only to third-party P2PE solutions, where all encryption and decryption operations, and all cryptographic keys, are managed by a third party solution provider, and the …
A Council-listed P2PE solution must use a PCI-approved point-of-interaction device (POI), which has been evaluated and approved via the PCI PTS program with SRED (secure reading and exchange of data) …
Generally, encrypted cardholder data stored at a third-party storage provider remains the responsibility of the storage provider's customer who is storing the data. However, determining which party is responsible for …
No, PCI PED 1.x devices are not eligible for SRED validation, and therefore cannot be used in a PCI P2PE solution.
No. While use of a validated, listed P2PE solution can help to reduce the scope of a merchant's cardholder data environment, it does not remove the need for PCI DSS …
The P2PE solution provider is a third-party entity (for example, a processor, acquirer, or payment gateway) that has overall responsibility for the design and implementation of a specific P2PE solution, …
