Document Comparison: P2PE_RT_MMS_v3.pdf → PCI-P2PE-MMS-ROV-Template_v3_1.pdf
66% similar
Pages: 51 → 61
Words: 13092 → 16943
Content Changes: 113
From Revision History
- December 2019: P2PE v3.0, Revision 1.0. This template is for P2PE Reports on Validation for Merchant-Managed Solutions.
- September 2021: P2PE v3.1, Revision 1.0. This template includes the following updates:
- September 2021: © 2021 PCI Security Standards Council, LLC. All Rights Reserved.
Content Changes
113 content changes. 78 administrative changes (dates, page numbers) hidden.
Added
p. 2
- Updates from v3.0 P2PE Standard references to v3.1.
- Revisions made within the Introduction through Section 3 to add clarity and consistency, both within this P-ROV and across all v3.1 P-ROVs as applicable.
- Context of “PCI-listed” P2PE Products updated to “Validated”. Includes revision to diagram in Introduction.
- Revision to the description for the use of Not Applicable to add clarity and guidance.
- Reformatting and restructuring of tables in Sections 2 and 3 with additional guidance.
- Certain tables/context were modified into new tables (e.g., 2.4.x).
- Table numbering in sections 1 through 3 modified as needed to better align across all v3.1 P-ROVs.
- New table in section 4 to document all requirements determined to be Not Applicable.
- Errata updates to section 4.
- Added check boxes to section 4 to each individual requirement to capture In Place, N/A, or Not In Place assessment findings.
Added
p. 5
Note: MMS assessments are not submitted to PCI SSC; refer to the P2PE Program Guide for further details.
Tables have been included in this template to facilitate the reporting process for certain lists and other information as appropriate. The tables in this template may be modified to increase/decrease the number of rows, as necessary. Additional appendices may be added if the assessor feels there is relevant information to be included that is not addressed in the current format. However, the assessor must not remove any details from the tables provided in this document. Personalization, such as the addition of company logos, is acceptable but limited to the title page.
Added
p. 7
Encryption Management Services (EMS)
Used for: Merchant-Managed Solution (MMS), Encryption Management CP (EMCP), POI Deployment CP (PDCP), POI Management CP (PMCP)
Purpose: Encryption Management Services relates to the distribution, management, and use of PTS-approved POI devices in a P2PE [Merchant-Managed] Solution. MMS assessments that have not satisfied the entirety of their Encryption Management Services (Domain 1 with Domain 5) via the use of applicable Validated P2PE Component Providers must complete the EMS P-ROV in addition to the MMS Solution P-ROV.
P2PE Application
Used for: P2PE Application
Purpose: Any assessment that utilizes software on the PTS-approved POI devices intended for use in a P2PE [Merchant-Managed] Solution that has the potential to access clear-text account data must complete the P2PE Application P-ROV (one for each application).
Decryption Management Services (DMS)
Used for: Merchant-Managed Solution (MMS), Decryption Management CP (DMCP)
Purpose: Decryption Management Services relates to the management of a decryption environment, including applicable account-data decryption devices used to support a P2PE [Merchant- …
Added
p. 15
Are Validated EMS CPs being used to help satisfy requirements of this MMS assessment?
No (If No, complete an EMS P-ROV and leave the remainder of this Encryption Management Services section blank)
Yes (If Yes, complete the remainder of this EMS table)
Is an EMS P-ROV still required to account for any remaining EMS-related requirements based on the full scope of the assessment? (E.g., where only a PMCP or a PDCP is being used, or otherwise where the MMS is providing functionality/services that are not covered by the Validated EMS P2PE Components being used.)
Yes (If Yes, complete an EMS P-ROV)
No (If No, ensure all applicable EMS requirements as they relate to the full scope of the MMS are satisfied through the use of Validated EMS CPs below)
Document all Validated Encryption Management Services (EMS) Component Providers (CPs) being used to help satisfy requirements for the MMS assessment.
For every Component …
Added
p. 16
Clearly document if the MMS implements additional functionality/services that are not covered by the Validated EMS P2PE Components being used (which means an EMS P-ROV must be used).
Provide more detail than simply, e.g., “The EMCP is satisfying Domains 1 & 5”. Do not leave blank unless there aren’t any Validated EMS CPs being used.
<EMS CPs Description>
Added
p. 17
Are Validated DMS CPs being used to help satisfy requirements of this MMS assessment?
No (If No, complete a DMS P-ROV and leave the remainder of this Decryption Management Services section blank)
Yes (If Yes, complete the remainder of this DMS table)
Is a DMS P-ROV still required to account for any remaining DMS-related requirements based on the full scope of the assessment? (E.g., where the MMS is providing functionality/services that are not covered by the Validated DMS P2PE Components being used.)
Yes (If Yes, complete a DMS P-ROV)
No (If No, ensure all applicable DMS requirements as they relate to the full scope of the MMS are satisfied through the use of Validated DMS CPs below)
Document all Validated Decryption Management Services (DMS) Component Providers (CPs) being used to help satisfy requirements for the MMS assessment.
Note: The use of multiple CPs of the same type (e.g., where …
Added
p. 18
It may be possible, depending on the scope of the MMS assessment, that a KMS P-ROV is not required even when there aren’t any KMS CPs being used. This is because an MMS does not assess to Domain 5 in isolation. It is assessed to Domain 5 in the context of Domain 1 (EMS) and Domain 4 (DMS). The assessor must accurately identify the full scope of the MMS assessment as per Table 3.1.
Note: Remote Key Distribution (RKD) requirements are additional requirements to an assessment. It is not possible to assess the RKD requirements in isolation. Refer to the “P2PE Applicability of Requirements” in the P2PE Program Guide.
Are Validated KMS CPs being used to help satisfy requirements of this MMS assessment?
Yes (If Yes, complete the remainder of this KMS table)
Is a KMS P-ROV still required to account for any remaining KMS-related requirements based on the scope of the assessment? …
Added
p. 19
Provide more detail than simply, e.g., “The KIF is satisfying Domain 5”.
<KMS CP(s) Description>
Added
p. 20
Note: If the EMS, DMS, and/or KMS P-ROVs are being used as part of this assessment, document the use of Third Parties relative to those services (requirements) in their respective P-ROVs. There is no need to duplicate information regarding Third Parties from those P-ROVs here. However, ensure information is not excluded here where it is not being documented in another P-ROV (e.g., when no other P-ROVs are being used as part of the MMS assessment and/or when there is information unique to the MMS that is otherwise not captured in another P-ROV).
Insert additional rows as necessary.
Is the EMS P-ROV being used?
Yes (Document EMS-related Third Parties in the EMS P-ROV)
No (Document any EMS-related Third Parties below)
Is the DMS P-ROV being used?
Yes (Document DMS-related Third Parties in the DMS P-ROV)
No (Document any DMS-related Third Parties below)
Is the KMS P-ROV being used?
Yes (Document KMS-related Third Parties …
Added
p. 22
- Included in the POI Device Types supported by a Validated EMCP, or by BOTH a Validated PDCP AND a Validated PMCP, being used in the scope of this Solution assessment, OR,
- Be assessed to all unaccounted for Domain 1 and Domain 5 requirements, which will depend on each unique Solution assessment.
Note 1: “P2PE Applications” and “P2PE non-payment software” (refer to P2PE Glossary) do not meet the PTS POI definition of “firmware”, and as such they are not reviewed as part of the POI device’s PTS POI assessment (i.e., they cannot be excluded from the scope of a P2PE assessment). Therefore, any software intended for use in a P2PE solution that does not meet the PTS POI definition of "firmware" must be assessed in accordance with the PCI P2PE Standard and is subject to all applicable P2PE security requirements.
Note 2: PCI-listed P2PE Applications must be considered Validated. Refer to …
Added
p. 27
Note 2: While non-payment software is not permitted to have access to clear-text account data, it might still be involved in supporting additional encryption implementations. Non-payment software detailed below must be able to be cross-referenced to Table 2.4.a in the EMS P-ROV.
Yes (If Yes, provide details below)
No (If No, leave details blank)
Complete the following information for ONLY the relevant POI devices, P2PE Applications and/or non-payment software that is involved in supporting additional encryption implementations.
PTS Approval # (One unique # per row)
POI Device Firmware (comma delimited)
P2PE Application Listing Reference #
Non-Payment Software Details (Name, version#)
Describe the additional account data encryption implementations and the involvement of the POI device firmware, P2PE Application, and/or non-payment software as detailed above. Where there is more than one implementation, clearly describe each implementation along with the applicable entity (e.g., acquirer) managing it.
Added
p. 29
Describe how the accuracy of the scope for the entire P2PE Merchant-Managed Solution assessment was validated, including:
Added
p. 30
- Location of critical components within the P2PE decryption environment, such as HSMs and other SCDs, cryptographic key stores, etc., as applicable
- Location of systems performing key-management functions
- Connections into and out of the decryption environment
- Connectivity between the requisite functions of the MMS
- Other necessary components, as applicable to the MMS
Provide any additional information below that is not adequately captured within the diagram(s). Otherwise, check No Additional Details.
No Additional Details
<Additional Details, as needed>
<Insert Solution diagram(s) here>
Provide a high-level data-flow diagram of the MMS that illustrates:
- Flows and locations of encrypted account data
- Flows and locations of clear-text account data
- All flows and locations of truncated account data
- Location of critical system components (e.g., HSMs)
- All entities the MMS connects to for payment transmission or processing, including processors/acquirers
Note: The diagram should identify where merchant entities fit into the data flow, without attempting to identify individual merchants. For …
Added
p. 50
<Report Findings Here>
3C-1.1.e Examine the PIM to verify the following:
- Any changes to the P2PE solution (including additions or removals of POI device types, P2PE applications, and/or P2PE non-payment software), and
- Any changes to the P2PE requirements.
Added
p. 56
MM-A-1.6 Review system configurations and observe processes to verify that all remote access features on all systems within the merchant decryption environment are permanently disabled and/or otherwise prevented from being used.
<Report Findings Here>
MM-A-2.1.1 Inbound and outbound traffic to/from the decryption environment must be restricted to only IP addresses within the CDE.
Modified
p. 1
Payment Card Industry (PCI) Point-to-Point Encryption P2PE Merchant-Managed Solution Template for Report on Validation for use with P2PE v3.0 for P2PE Merchant-Managed Solution Assessments
Payment Card Industry (PCI) Point-to-Point Encryption P2PE Merchant-Managed Solution Template for Report on Validation for use with P2PE v3.1 for P2PE Merchant-Managed Solution Assessments
Removed
p. 5
Merchant-Managed Solution assessments, at a minimum, must complete this template. For every function that is not outsourced to a PCI-listed component provider, EACH applicable P-ROV must be completed in addition to this P-ROV as per the following diagram and table:
Modified
p. 5
Use of this Reporting Template is mandatory for all P2PE v3.0 P2PE Merchant-Managed Solution assessments.
Use of this Reporting Template is mandatory for all P2PE v3.1 Merchant-Managed Solution (MMS) assessments.
Removed
p. 6
Table columns: P-ROV Name; Used for the Following Assessments; Purpose
Merchant-Managed Solution
Used for: Merchant-Managed Solution (MMS)
Purpose: The MMS P-ROV is mandatory for all P2PE MMS assessments, at a minimum. Additional P-ROVs (below) may be required.
Encryption Management Services (EMS)
Used for: Merchant-Managed Solution (MMS), Encryption Management CP (EMCP), POI Deployment CP (PDCP), POI Management CP (PMCP)
Purpose: Encryption Management Services relates to the distribution, management, and use of POI devices in a P2PE Merchant-Managed Solution.
Merchant-Managed Solution assessments that do not outsource the entirety of their Encryption Management Services to PCI-Listed Component Providers, either to an EMCP or to BOTH a PDCP AND a PMCP, must complete this P-ROV in addition to the Solution P-ROV.
Component Provider assessments for an EMCP, PDCP, or a PMCP must complete this P-ROV.
P2PE Application
Used for: P2PE Application
Purpose: Any assessment that utilizes software on the POI devices intended for use in a P2PE Merchant-Managed Solution that has the potential to access clear-text cardholder data …
Removed
p. 7
Merchant-Managed Solution assessments that have not satisfied the key management services requirements (Domain 5) either through the use of PCI-listed Component Providers and/or through the assessment of their Encryption Management Services and/or Decryption Management Services must complete the KMS P-ROV. E.g., if the P2PE Merchant-Managed Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service that has not already been assessed as part of the inclusion of a PCI-listed Component Provider, then the Solution assessment must include the use of the KMS P-ROV.
Component Provider assessments for a KIF, KMCP, KLCP, or a CA/RA must complete this P-ROV.
Tables have been included in this template to facilitate the reporting process for certain lists and other information as appropriate. The tables in this template may be …
Modified
p. 7 → 5
A P2PE compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The P-ROV is effectively a summary of evidence derived from the assessor’s work papers to describe how the assessor performed the validation activities and how …
A P2PE compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The P-ROV is effectively a summary of evidence derived from the assessor’s work papers to describe how the assessor performed the validation activities and how …
Modified
p. 8
Section 1: Contact Information and Report Date
Modified
p. 8
Section 2: Summary Overview
Modified
p. 8
Section 3: Details and Scope of P2PE Assessment
Modified
p. 8
Section 4: Findings and Observations This Reporting Template includes tables with Reporting Instructions built in. Details provided should focus on concise quality of detail, rather than lengthy, repeated verbiage.
Removed
p. 9
Response When to use this Response:
(Not Applicable) The requirement does not apply to the P2PE Product.
All Not Applicable responses require reporting on testing performed (including interviews conducted and documentation reviewed) and must explain how it was determined that the requirement does not apply. There is no need to repeat lengthy responses where related requirements are not applicable.
Modified
p. 9 → 8
In Place The expected testing has been performed, and all elements of the requirement have been met as stated. This may be a mix of In Place and Not Applicable responses, but no Not in Place response. Requirements fulfilled by other P2PE Components or Third Parties should be In Place, unless the requirement does not apply.
RESPONSE WHEN TO USE THIS RESPONSE In Place The expected testing has been performed, and all elements of the requirement have been met as stated. Requirements fulfilled by other P2PE Components or Third Parties should be In Place, unless the requirement does not apply.
Modified
p. 9 → 8
Note: Checkboxes have been added to the “Summary of Assessment Findings” so that the assessor may double click to check the applicable summary result. Hover over the box you’d like to mark and click once to mark with an ‘x.’ To remove a mark, hover over the box and click again. Mac users may instead need to use the space bar to add the mark
Note: Checkboxes have been added to the “Summary of Assessment Findings” so that the assessor may double click to check the applicable summary result. Hover over the box you’d like to mark and click once to mark with an ‘x.’ To remove a mark, hover over the box and click again. Mac users may instead need to use the space bar to add the mark.
Removed
p. 10
• Brief description/short answer
Modified
p. 10 → 9
“Identify the P2PE Assessor who confirms…” Indicates only an affirmative response where further reporting is deemed unnecessary by PCI SSC. The P2PE Assessor’s name or a Not Applicable response are the two appropriate responses here. A Not Applicable response will require brief reporting to explain how this was confirmed via testing.
Modified
p. 10 → 9
Document name or interviewee reference At section 3.6, “Documentation Reviewed,” and section 3.7, “Individuals Interviewed,” there is a space for a reference number; it is the P2PE Assessor’s choice to use the document name/interviewee job title or the reference number in responses. A listing is sufficient here, no further detail required.
Modified
p. 10 → 9
Sample reviewed Brief list is expected or sample identifier. Where applicable, it is the P2PE Assessor’s choice to list out each sample within the reporting or to utilize sample identifiers from the sampling summary table.
Modified
p. 10 → 9
• “Describe how…” These are the only reporting instructions that will stretch across half of the table; the above are all a quarter-table’s width to serve as a visual indicator of detail expected in response. These responses must be a narrative response that provides explanation as to the observation: both a summary of what was witnessed and how that verified the criteria of the testing procedure.
Brief description/short answer
• “Describe how…” These responses must be a narrative response that provides explanation as to the observation: both a summary of what was witnessed and how that verified the criteria of the testing procedure.
Removed
p. 11
• Describe how a Requirement was verified as the Reporting Instruction directs, not just that it was verified.
• Don’t include forward-looking statements or project plans in responses.
Modified
p. 11 → 10
Complete all applicable P-ROVs based on the assessment.
Modified
p. 11 → 10
Complete all sections in the order specified, with concise detail.
Modified
p. 11 → 10
Read and understand the intent of each Requirement and Testing Procedure.
Modified
p. 11 → 10
Provide a response for every Testing Procedure, even if N/A.
Modified
p. 11 → 10
Provide sufficient detail and information to demonstrate a finding of “in place” or “not applicable.” Describe how a Requirement was verified as the Reporting Instruction directs, not just that it was verified.
Modified
p. 11 → 10
Ensure all parts of the Testing Procedure are addressed.
Modified
p. 11 → 10
Ensure the response covers all applicable application and/or system components.
Modified
p. 11 → 10
Perform an internal quality assurance review of the P-ROV for clarity, accuracy, and quality.
Modified
p. 11 → 10
Perform an internal quality assurance review of all submitted P-ROVs and the details within the PCI SSC Portal.
Modified
p. 11 → 10
Provide useful, meaningful diagrams, as directed.
Modified
p. 11 → 10
Don’t report items in the “In Place” column unless they have been verified as being “in place.” Don’t include forward-looking statements or project plans in responses.
Modified
p. 11 → 10
Don’t simply repeat or echo the Testing Procedure in the response.
Modified
p. 11 → 10
Don’t copy responses from one Testing Procedure to another.
Modified
p. 11 → 10
Don’t copy responses from previous assessments.
Modified
p. 11 → 10
Don’t include information irrelevant to the assessment.
Modified
p. 12 → 11
1. Contact Information and Report Date 1.1 Contact Information P2PE MMS Provider contact information Company name: Company URL:
1. Contact Information and Report Date 1.1 Contact Information MMS Provider Contact Information Company name: Company URL:
Modified
p. 12 → 11
P2PE Company and Lead Assessor contact information Company name: Assessor company credentials: QSA (P2PE) PA-QSA (P2PE) Company Servicing Markets for P2PE: (see https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_assessors) Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
P2PE Assessor Company and Lead Assessor Contact Information Company name: Assessor company credentials: QSA (P2PE) PA-QSA (P2PE) Company Servicing Markets for P2PE: (see https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_assessors) Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
Modified
p. 12 → 11
Confirm that internal QA was fully performed on the entire P2PE submission, per requirements in relevant program documentation.
Confirm that internal QA was fully performed on the entire P2PE assessment documentation, per requirements in the relevant program documentation.
Modified
p. 12 → 11
No (if no, this is not in accordance with PCI Program requirements) QA reviewer name: Assessor credentials: (Leave blank if not applicable) QA reviewer phone number: Assessor e-mail address:
No (If No, this is not in accordance with PCI Program requirements) QA reviewer name: QA reviewer credentials:
Modified
p. 12 → 11
Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
Modified
p. 13 → 12
Additional services provided by PA-QSA(P2PE)/QSA (P2PE)/QSA company The P2PE QSA (P2PE) and PA-QSA (P2PE) Qualification Requirements v2.1, Section 2.2 “Independence” specifies requirements for QSAs around disclosure of such services and/or offerings that could reasonably be viewed to affect independence of assessment. Complete the sections below after review of this portion of the Validation Requirements, to ensure responses are consistent with documented obligations.
(From DD-MMM-YYYY To DD-MMM-YYYY) 1.3 Additional Services Provided by PA-QSA(P2PE) / QSA(P2PE) / P2PE QSA Company The current version of the “Qualification Requirements for Point-to-Point Encryption (P2PE)™ Qualified Security Assessors – QSA (P2PE) and PA-QSA (P2PE)” (P2PE QSA Qualification Requirements), section “Independence”, specifies requirements for P2PE QSAs around disclosure of such services and/or offerings that could reasonably be viewed to affect independence of assessment. Complete the sections below after review of this portion of the P2PE QSA Qualification Requirements to ensure …
Modified
p. 13 → 12
Disclose all services offered to the assessed entity by the PA-QSA(P2PE) / QSA (P2PE) / P2PE QSA company, including but not limited to whether the assessed entity uses any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights or that the QSA has configured or manages:
Modified
p. 13 → 12
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the PA-QSA(P2PE) / QSA(P2PE) / QSA company:
Removed
p. 14
Description of the typical use/implementation of this solution (Include specific industries or channels the solution is intended for):
Modified
p. 14 → 13
2. Summary Overview 2.1 P2PE Submission Details P2PE MMS name (and version if applicable):
2. Summary Overview 2.1 Merchant-Managed Solution Details Merchant-Managed Solution Name:
Modified
p. 14 → 13
Description of P2PE MMS Provider’s business:
Description of the Merchant-Managed Solution Provider:
Removed
p. 15
PCI-Listed Components Additional P- ROV included in submission Included as a Listed Component Component Provider Name Component Name
PCI SSC Reference # Comments If the MMS does not use a PCI-listed EMCP, or only uses either a PDCP or a PMCP, then the Encryption Management Services (EMS) P-ROV must be completed for all applicable requirements and submitted in addition to this MMS P-ROV.
Encryption Management Component Provider (EMCP) Yes No Yes No POI Deployment Component Provider (PDCP) Yes No Yes No POI Management Component Provider (PMCP) Yes No Yes No If the MMS uses applications that can access clear-text account data that is not PCI-listed P2PE Applications, then the P2PE Application P-ROV must be completed and submitted in addition to this MMS P-ROV for each P2PE Application.
P2PE Application Yes No Yes No Please include Applications in Table 2.3 below If the MMS does not use a PCI-listed Decryption Management Component Provider, then …
Removed
p. 16
“Other details” is to be used as needed. For example, if there is a third-party service provider providing decryption services but it not a P2PE Component at 2.2, use “Other details” to address data such as P2PE endpoint system identifier (e.g., Host System and HSM). Mark as “n/a” if no other details are needed.
Entity Name: Role/Function: Entity Location(s): Other Details, if needed:
Note: If the Merchant-managed Solution uses applications that can access clear-text account data that are not PCI-listed P2PE Applications, then a P2PE Application P-ROV must be completed - i.e., the application must undergo a full assessment against Domain 2 by a PA-QSA (P2PE) - in addition to this P-ROV for each P2PE Application that is not already listed.
Application Vendor Name: Application Name: Application Version #: PCI SSC Reference #
Removed
p. 17
Model Name/ Number: Hardware #: Firmware #(s):
Any additional Applications on POI devices (add rows as needed to report all applications) Application Name: Version # CHD Access? (see note below)
Note: If the Merchant-Managed Solution uses applications that can access clear-text account data and are not PCI-listed P2PE Applications, a P2PE Application P-ROV must be completed - i.e., the application must undergo a full assessment against Domain 2 by a PA-QSA (P2PE) - in addition to this P-ROV for each P2PE Application that is not already listed.
Removed
p. 18
[Table residue: POI device account-data-capture interface table with columns Model Name/ OP, ICCR, MSR and Contactless; for each interface the table reports PTS Listing (Y/N) and P2PE (Y/N).]
Note: If there is a different response for PTS Listing compared to P2PE Functionality for account-data-capture interfaces provided with the POI device, this will need to be addressed (including at applicable Domain 1 1 testing procedures) to ensure such functionality is specifically disabled or configured to prevent their use in P2PE Solutions.
External communication methods (for all POI device types supported) Report in each column whether the device configurations for …
Removed
p. 20
P2PE Merchant-Managed Solution Management: Yes / No / N/A
Encryption Management Services:
• Encryption Management: Yes / No / N/A
• POI Deployment: Yes / No / N/A
• POI Management: Yes / No / N/A
P2PE Application: Yes / No / N/A
Decryption Management Services:
• Decryption Management: Yes / No / N/A
Key Management Services:
• Key Injection Facility: Yes / No / N/A
• Key Management: Yes / No / N/A
• Key Loading: Yes / No / N/A
• Certification Authority / Registration Authority: Yes / No / N/A
Removed
p. 21
• Location of critical components within the P2PE decryption environment, such as the Host System, HSMs and other SCDs, cryptographic key stores, etc., as applicable
• Location of systems performing key-management functions
• Connections into and out of the decryption environment
• Other necessary components, as applicable to the particular MMS <Insert P2PE Merchant-Managed Solution network diagram(s)>
Modified
p. 21 → 29
3. Details and Scope of P2PE Assessment 3.1 Scoping Details Describe how the P2PE assessor validated the accuracy of the P2PE scope for the assessment, including:
3. Details and Scope of P2PE Assessment 3.1 Scoping Details Complete this table as it applies to the entire Merchant-Managed Solution, even where EMS, DMS, KMS and/or P2PE Application P-ROVs are being used as part of this assessment.
Modified
p. 21 → 29
• Describe the methods or processes used to identify all elements in scope of the P2PE assessment:
• The methods or processes used to identify all elements in scope of the P2PE assessment:
Modified
p. 21 → 29
• Describe how the P2PE assessor confirmed that the scope of the assessment is accurate and covers all components and facilities for the MMS assessment:
• How it was confirmed that the scope of the assessment is accurate and covers all components and facilities for the MMS:
Modified
p. 21 → 30
Locations of critical facilities, including the MMS’ decryption environment, key-injection and loading facilities, etc.
Removed
p. 22
• Flows and locations of encrypted account data
• Flows and locations of clear-text account data
• Location of critical system components (e.g., HSMs, Host System)
• All entities the solution connects to for payment transmission or processing, including processors/acquirers.
Note: the diagram should identify where merchant entities fit into the data flow, without attempting to identify individual merchants. For example, encrypted account data could be illustrated as flowing between an icon that represents all merchant locations and an icon that represents the MMS provider’s decryption environment.
<Insert P2PE Merchant-Managed Solution data-flow diagram(s)>
Removed
p. 23
• Key Distribution / Loading / Injection onto POI devices
• Other Key Distribution / Loading / Injection activities
• Key Archiving (if applicable)
<Insert applicable diagram(s) showing all key-management processes>
Removed
p. 24
Key type / description Purpose/ function of the key
Removed
p. 25
P2PE Assessor’s Lab MMS Provider’s Lab Address of the lab environment used for this assessment:
Describe the lab environment used for this assessment:
List of all facilities INCLUDED in this MMS assessment:
• Description and purpose of facility included in assessment
• Address of facility
List of facilities used in MMS assessment that were EXCLUDED from this Merchant-Managed Solution assessment*:
• Description and purpose of facility excluded from assessment
• Address of facility
• Explanation why the facility was excluded from the assessment
• Details of any separate assessments performed for the facility, including how the other assessment was verified to cover all components in scope for this Merchant-Managed Solution
* Note: Does not include merchant locations.
Removed
p. 26
Note: If the PIM or P2PE Application Implementation Guide consists of more than one document, the brief description below should explain the purpose of each document it includes, such as if it is for a different POIs, for different functions, etc.
Reference # (optional use) Document Name (Title of the IG) Version Number of the IG Document date (latest version date) Which P2PE Application is addressed? (Must align with Section 2.3) All other documentation reviewed for this P2PE Assessment:
Modified
p. 26 → 34
There is no need to duplicate documents that appear in other P-ROVs included unless they are relevant to the MMS Management Controls.
There is no need to duplicate documents that appear in other P-ROVs included unless they are relevant to the Solution Management Controls.
Modified
p. 26 → 34
P2PE Instruction Manual (PIM) Reference # (optional use) Document Name (Title of the PIM) Version Number of the PIM Document date (latest version date) Which P2PE Application is addressed? (Must align with Section 2.3) P2PE Application Implementation Guide(s) (IG):
P2PE Instruction Manual (PIM) Reference # (optional use) Document Name (Title of the PIM) Version Number of the PIM Document Date (latest version date) P2PE Application Implementation Guide(s) (IG) Reference # (optional use) Document Name (Title of the IG) Version Number of the IG Document date (latest version date) Which P2PE Application is addressed? (must align with Table 2.4.b) All other documentation reviewed for this P2PE Assessment Reference # (optional use) Document Name (including version, if applicable) Document date (latest …
Removed
p. 27
Reference # (optional use) Interviewee’s Name Company Job Title 3.8 Device Samples for P2PE Assessment Complete for all sampled devices in the P2PE assessment, including for every POI device type at Section 2.4 above and every other SCD type at Section 2.5 above.
Note: Use of the “Sample Reference #” is optional, but if not used here, all of the sample’s serial numbers or other identifiers in the third column will need to be included in the reporting findings.
There is no need to duplicate devices that appear in other P-ROVs included unless they are relevant to the Solution Management Controls.
Sample Ref #: (optional) Sample Size Serial Numbers of Tested Devices/Other Identifiers Sampling Rationale
Removed
p. 28
4. Findings and Observations Where functions are marked as “Additional P-ROV included in submission” in Table 2.2 Summary of Components Consumed by Merchant-Managed Solution, please ensure the relevant P-ROVs are included with the submission.
Modified
p. 28 → 37
Reference Appendix I: P2PE Applicability of Requirements in the P2PE v3.0 Program Guide.
Reference Appendix I: P2PE Applicability of Requirements in the P2PE v3.x Program Guide.
Modified
p. 28 → 37
P2PE Merchant-Managed Solution
• Summary of Findings P2PE Validation Requirements Summary of Findings (checkone) In Place N/A Not in Place 3A P2PE solution management 3A-1 The solution provider maintains documentation detailing the P2PE solution architecture and data flows.
P2PE Merchant-Managed Solution
• Summary of Findings P2PE Validation Requirements Summary of Findings (check one for EVERY row) In Place N/A Not in Place 3A P2PE solution management 3A-1 The solution provider maintains documentation detailing the P2PE solution architecture and data flows.
Modified
p. 28 → 37
3A-4 If the solution provider allows a merchant to stop P2PE encryption of account data, the solution provider manages the related process for merchants 3B Third-party management 3B-1 The solution provider facilitates and maintains formal agreements with all third parties contracted to perform P2PE functions on behalf of the solution provider.
3A-4 If the solution provider allows a merchant to stop P2PE encryption of account data, the solution provider manages the related process for merchants.
Modified
p. 29 → 38
MM-C-1 Merchant in-store (encryption environment) personnel do not have logical access to the decryption environment, any CDEs, or account-data decryption keys.
Modified
p. 30 → 39
• Identifies all P2PE controls covered by each third-party service provider Documented procedures reviewed: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.2 Current documentation (including a data-flow diagram) must include details of the account-data flow from the POI device (the point the card data is captured and encrypted) through to the point the encrypted card data is decrypted and the clear-text data exits the decryption environment.
• Identifies all P2PE controls covered by each third-party service provider Documented procedures reviewed: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here>
Modified
p. 32 → 42
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider Documented procedures reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> Describe the processes observed that verified that the solution provider has implemented a methodology for managing and monitoring status reporting from P2PE component providers, including processes for:
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider Responsible personnel interviewed: <Report Findings Here> Describe the processes observed that verified that the solution provider has implemented a methodology for managing and monitoring status reporting from P2PE component providers, including processes for:
Modified
p. 32 → 42
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider <Report Findings Here>
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider <Report Findings Here> 3A-2.2 Processes must be implemented to ensure P2PE controls are maintained when changes to the P2PE solution occur including, but not limited to:
Modified
p. 33 → 42
• Changes in overall solution architecture Documented procedures reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> 3A-2.2.b For a sample of changes, verify changes were documented and the solution updated accordingly.
• Changes in overall solution architecture Documented procedures reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here>
Modified
p. 33 → 43
Note: “Immediate” means promptly or as soon as possible.
Modified
p. 34 → 43
• Encryption/decryption failures Documented procedures reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-3.2 Upon detection of any suspicious activity defined at 3A-3.1, the POI device must be immediately removed, shut down, or taken offline until the integrity of the device is verified and the P2PE encryption mechanism is restored.
• Encryption/decryption failures Documented procedures reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here>
Modified
p. 36 → 46
• Implementing controls to prevent cause from recurring Responsible personnel interviewed: <Report Findings Here> Documentation reviewed: <Report Findings Here> 3A-3.5.b For a sample of P2PE control failures, interview personnel and review supporting document to verify that:
• Implementing controls to prevent cause from recurring Responsible personnel interviewed: <Report Findings Here> Documentation reviewed: <Report Findings Here>
Modified
p. 36 → 47
Sample of P2PE control failures: <Report Findings Here> Supporting document reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here>
Sample of P2PE control failures: <Report Findings Here> Supporting document reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> 3B-1.1 Solution provider must have formal agreements in place with all third parties that perform P2PE functions on behalf of the solution provider, including:
Modified
p. 37 → 47
• All functions each third party is responsible for
• All functions for which each third party is responsible
Modified
p. 37 → 47
• Notification and documentation of any changes affecting the third party governed by P2PE requirements
• Notification and documentation of any changes affecting the third party governed by P2PE requirements.
Modified
p. 37 → 47
• Agreement to provide reports to solution provider as required in the “Component Providers ONLY: Report Status to Solution Providers” section of the applicable P2PE Domain.
• Agreement to provide reports to solution provider as required in the “Component Providers ONLY: Report Status to Solution Providers” section of the applicable P2PE Domain
Modified
p. 37 → 48
• Agreement to provide reports to solution provider as required in the “Component providers ONLY: report status to solution providers” section of the applicable P2PE Domain Documented procedures reviewed: <Report Findings Here>
• Agreement to provide reports to solution provider as required in the “Component providers ONLY: report status to solution providers” section of the applicable P2PE Domain Documented procedures reviewed: <Report Findings Here> 3B-1.1.b If the solution provider utilizes any third parties, examine the business agreements and verify the elements delineated in 3B-1.1.a are present and adequately accounted for.
Removed
p. 38
<Report Findings Here> 3B-1.2 For all third parties that have been contracted by the solution provider to manage any of the SCD types used in the P2PE solution, the solution provider must establish formal agreements with the third parties to ensure those third parties provide the Solution Provider with the following:
Modified
p. 38 → 48
Identify the P2PE Assessor who confirms that the business agreements for third parties utilized by the solution provider were reviewed and verified to have the elements delineated in 3B-1.1.a present and adequately accounted for:
Identify the P2PE Assessor who confirms that the business agreements for third parties utilized by the solution provider were reviewed and verified to have the elements delineated in 3B- 1.1.a present and adequately accounted for:
Modified
p. 39 → 49
Documented procedures reviewed: <Report Findings Here> 3C-1.1.c Interview responsible personnel and observe processes to verify PIM is distributed to all merchants using the P2PE solution and that the PIM is provided to merchants upon request.
Documented procedures reviewed: <Report Findings Here>
Removed
p. 41
<Report Findings Here> 3C-1.2 Review P2PE Instruction Manual (PIM) at least annually and upon changes to the solution or the P2PE requirements. Update PIM as needed to keep the documentation current with:
Modified
p. 42 → 52
• PIM must be reviewed at least annually and upon changes to the solution or changes to the P2PE requirements
• PIM must be reviewed at least annually and upon changes to the solution or changes to the P2PE requirements.
Modified
p. 42 → 52
• PIM is reviewed at least annually and upon changes to the solution or changes to the PCI P2PE requirements
• PIM is reviewed at least annually and upon changes to the solution or changes to the PCI P2PE requirements.
Modified
p. 42 → 52
Responsible personnel interviewed: <Report Findings Here> Describe how processes for reviewing and updating the PIM verified that the PIM is updated at least annually, upon changes to the solution or changes to the PCI P2PE requirements, and as needed to keep the document current with any changes to the P2PE solution and any changes to the P2PE requirements:
Removed
p. 44
<Report Findings Here> MM-A-1.4 Systems providing logical authentication services to system components within the decryption environment must:
Modified
p. 44 → 55
MM-A-1.4.a Examine documented policies and procedures, and interview responsible personnel to verify that systems providing logical authentication services to system components within the decryption environment reside within Documented policies and procedures reviewed:
MM-A-1.4.a Examine documented policies and procedures, and interview responsible personnel to verify that systems providing logical authentication services to system components within the decryption environment reside within the decryption environment and are dedicated to supporting the decryption environment.
Modified
p. 45 → 55
Responsible personnel interviewed: <Report Findings Here> MM-A-1.4.b Review system configurations and observe processes to verify that systems providing authentication services to system components within the decryption environment reside within the decryption environment and are dedicated to supporting the decryption environment.
<Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-A-1.4.b Review system configurations and observe processes to verify that systems providing authentication services to system components within the decryption environment reside within the decryption environment and are dedicated to supporting the decryption environment.
Modified
p. 45 → 56
<Report Findings Here> MM-A-1.6 All remote access features on all systems in the merchant decryption environment must be permanently disabled and/or otherwise prevented from being used MM-A-1.6 Review system configurations and observe processes to verify that all remote access features on all systems within the merchant decryption Describe how system configurations verified that all remote access features on all systems within the merchant decryption environment are permanently disabled and/or otherwise prevented from being used:
<Report Findings Here> MM-A-1.6 All remote access features on all systems in the merchant decryption environment must be permanently disabled and/or otherwise prevented from being used.
Modified
p. 46 → 56
Personnel interviewed:
Personnel interviewed: <Report Findings Here>
Removed
p. 49
<Report Findings Here> Describe how firewall configurations verified that any traffic between the encryption environment and any other CDE is limited to only traffic that is necessary for transaction processing and/or terminal management purposes:
Modified
p. 49 → 59
• Only traffic that is necessary for transaction processing and/or terminal management purposes
• Only traffic that is necessary for transaction processing and/or terminal management purposes.
Modified
p. 49 → 59
• Only those systems (e.g., POI devices) directly related to supporting P2PE transactions, and
• Only those systems (e.g., POI devices) directly related to supporting P2PE transactions, and Describe how firewall configurations verified that any traffic between the encryption environment and any other CDE is limited to only those systems directly related to supporting P2PE transactions:
Modified
p. 49 → 60
• Only traffic that is necessary for transaction processing and/or terminal management purposes
• Only traffic that is necessary for transaction processing and/or terminal management purposes.
Modified
p. 49 → 60
Describe how firewall configurations verified that any traffic between the encryption environment and any other CDE is limited to only those systems directly related to supporting P2PE transactions:
Describe how firewall configurations verified that any traffic between the encryption environment and any other CDE is limited to only traffic that is necessary for transaction processing and/or terminal management purposes:
Removed
p. 50
<Report Findings Here> MM-C-1.1 Separation of duties must exist such that encryption environment personnel are prohibited from accessing any system components in the decryption environment or any CDE. Access-control mechanisms must include both physical and logical controls. Note: Access restrictions between the encryption and decryption environment are not intended to prohibit employees who work in the decryption environment or CDE from shopping in the stores. This requirement is focused on logical access controls, not physical.