Document Comparison

P2PE_Program_Guide_v1.2.pdf P2PE_Program_Guide_v2.0.pdf
31% similar
48 → 71 Pages
17002 → 22090 Words
194 Content Changes

Content Changes

194 content changes. 97 administrative changes (dates, page numbers) hidden.

Added p. 5
• Program Background (Section 1.1)
• P2PE Initiative and Overview (Section 1.4)
• Program Roles and Responsibilities (Section 2)
• Overview of the Validation Process (Section 3)
• Preparation for the Review (Section 4)
• Managing a Validated P2PE Listing (Section 5)
• Reporting Considerations (Section 6)
• Assessor Quality Management Program (Section 6.3)

1.1 Program Background

In response to requests from merchants and other members of the Payment Card Industry (PCI) for a unified set of point-to-point encryption security requirements, PCI SSC has adopted and maintains the Point-to-Point Encryption Standard (P2PE), the current version of which is available on the PCI SSC Website. When implemented appropriately, a P2PE Solution provides a rigorous defense against data exposure and compromise.

PCI SSC manages the Program, including the development, implementation, and maintenance of validated P2PE Products (P2PE Application, P2PE Component, or P2PE Solution).

Organizations qualified by PCI SSC to validate P2PE Solutions and P2PE …
Added p. 6
Document name: Description

Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms (the “P2PE Glossary”): Separate glossary for specific use with the P2PE Standard.

PCI Point-to-Point Encryption Solution Requirements and Testing Procedures (“P2PE Standard”): The P2PE Standard lists and defines the specific technical requirements and assessment procedures.

PCI P2PE Report on Validation Reporting Template (“P-ROV Reporting Template”): The P-ROV Reporting Template is mandatory for completing a P2PE Report on Validation and includes detail on how to document the findings of a P2PE Assessment. There are several versions covering P2PE Solutions, P2PE Components, and P2PE Applications.

PCI P2PE Attestation of Validation (“P-AOV”): The P-AOV is a form for QSA (P2PE) and/or PA-QSA (P2PE) Companies to attest to the results of a P2PE Assessment, as documented in the P2PE Report on Validation. There are several versions covering P2PE Solutions, P2PE Components, and P2PE Applications.

PCI Qualification Requirements for Point-to-Point Encryption …
Added p. 7
(i) received the corresponding P-ROV from the P2PE Assessor Company;
(ii) received the corresponding fee and all documentation required with respect to that P2PE Product as part of the Program;
(iii) confirmed that the P-ROV is correct as to form (all applicable documents completed appropriately/sufficiently), the P2PE Assessor Company properly determined that the P2PE Solution, P2PE Component, or P2PE Application is eligible to be a P2PE Validated Solution, a P2PE Validated Component, or a P2PE Validated Application, the P2PE Assessor Company adequately reported the P2PE compliance of the P2PE Solution, P2PE Component, or P2PE Application in accordance with Program requirements, and the detail provided in the P-ROV meets PCI SSC’s reporting requirements; and
(iv) listed the P2PE Solution, P2PE Component, or P2PE Application on the List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications; provided that PCI SSC may suspend, withdraw, revoke, cancel, …
Added p. 8
List of Validated P2PE Components: The Council’s authoritative List of Validated P2PE Components appearing on the PCI SSC website.

Listing: Refers to the listing and related information regarding a P2PE Solution on the List of Validated P2PE Solutions, a P2PE Component on the List of Validated P2PE Components, or a P2PE Application on the List of Validated P2PE Applications.

Merchant-managed Solution (or MMS): A P2PE solution managed by a merchant rather than by a Third-Party Solution Provider. These merchant solutions are typically for large retail organizations who centrally manage the solution on behalf of their own encryption environments.

In a merchant-managed solution, part of the merchant business plays the role of a P2PE solution provider (managing POIs, decryption environment, etc.), and part of the business plays the role of a “merchant” that has no access to clear-text account data, etc.

Merchant-managed solutions are not eligible for PCI listing.

P-AOV: A P2PE Program “Attestation of …
Added p. 9
P2PE Application Assessment: Assessment of a P2PE Application against P2PE Domain 2 in isolation of any point-to-point solution in order to validate compliance with the P2PE Standard as part of the P2PE Program.

P2PE Assessor Employee: A QSA (P2PE) Employee or PA-QSA (P2PE) Employee.

P2PE Components: A P2PE service (such as encryption management, decryption management, or key injection) that is eligible for validation and Acceptance on a standalone basis as part of the P2PE Program and may be incorporated into and/or referenced as part of a P2PE Solution.

P2PE Component Assessment: Assessment of a P2PE Component against applicable P2PE Domains in order to validate compliance with the P2PE Standard as part of the P2PE Program.

P2PE Non-payment Software: Refer to definition in P2PE Glossary.

P2PE Product: A P2PE Application, P2PE Component, or P2PE Solution.
Added p. 10
P2PE Program Guide: The then-current version of (or successor documents to) this document, the Payment Card Industry (PCI) Point-to-Point Encryption P2PE Program Guide, as from time to time amended and made available on the Website.

P2PE Solution: A combination of secure devices, applications, and processes that encrypt cardholder data from a PCI SSC-approved point-of-interaction (POI) device through to decryption and that is eligible for validation and Acceptance as part of the P2PE Program.

P2PE Standard: The then-current version of (or successor document(s) to) the Payment Card Industry (PCI) Point-to-Point Encryption Solution Requirements and Testing Procedures, any and all appendices, exhibits, schedules, and attachments to the foregoing and all materials incorporated therein, in each case, as from time to time amended and made available on the Website.

P2PE Vendor: A P2PE Solution Provider, P2PE Component Provider, or P2PE Application Vendor.

PA-QSA (P2PE) Company: A Payment Application Qualified Security Assessor (PA-QSA) Company that:

Participating Payment Brand: …
Added p. 13
Note: each brand independently develops and manages its own compliance programs and decisions regarding recognition of P2PE Products.
Added p. 14
Domain Name: Description

Domain 1: Encryption Device and Application Management
The secure management of the PCI-approved POI devices and the resident software.

Domain 2: Application Security
The secure development of payment applications designed to have access to clear-text account data intended solely for installation on PCI-approved POI devices.

Domain 3: P2PE Solution Management
Overall management of the P2PE solution by the solution provider, including third-party relationships, incident response, and the P2PE Instruction Manual (PIM).

Domain 4: Merchant-managed
Separate duties and functions between merchant encryption and decryption environments.

Domain 5: Decryption Environment
The secure management of the environment that receives encrypted account data and decrypts it.

Domain 6: P2PE Cryptographic Key Operations and Device Management
Establish and administer key-management operations for account data encryption POI devices and decryption HSMs.
Added p. 15
Where a P2PE Application is to be used in a P2PE Solution, the vendor may optionally seek to have that application validated and Accepted as a Validated P2PE Application, and accordingly listed on the List of Validated P2PE Applications. P2PE Applications must be assessed by a PA-QSA (P2PE) Company. For P2PE Applications intended for use in multiple P2PE Solutions, validation and Acceptance as a Validated P2PE Application eliminates the need for the application to be separately reviewed as part of each P2PE Solution in which it is used.
Added p. 15
• Encryption-management services
  - Assessed per Domains 1 and 6 including Annex A as applicable.

• Decryption-management services
  - Assessed per Domains 5 and 6 including Annex A as applicable.

• Key-Injection Facility services
  - Assessed per Annex B of Domain 6 including Annex A as applicable.

• Certification Authority/Registration Authority services
  - Assessed per Domain 6 Annex A, Part A2, including Part A1 as applicable.
Added p. 16
If a component service described above is assessed as part of a P2PE Solution but is not on the List of Validated P2PE Components, the entity is not considered a P2PE Component Provider for purposes of that component and is simply referred to as a Third-Party Service Provider with respect to that component. A Third-Party Service Provider must have its services reviewed during the course of each of its solution provider customers’ P2PE Assessments.

All QSA (P2PE) Companies are qualified to assess P2PE Components for Listing on the List of Validated P2PE Components.
Added p. 16
Specific requirements for Decryption-management Entities are set out in Domains 5 and 6 (including Annex A as applicable) of the P2PE Standard. The requirements in Domains 5 and 6 apply to all Decryption-management Entities whether the entity is a P2PE Component Provider, a P2PE Solution Provider, or a Third-Party Service Provider performing functions on behalf of a P2PE Solution Provider.
Added p. 16
Specific requirements for KIFs are set out in Annex B of Domain 6 (including Annex A) of the P2PE Standard. The requirements apply to all KIFs, whether the entity is a P2PE Component Provider, a P2PE Solution Provider, or a Third-Party Service Provider performing functions on behalf of a P2PE Solution Provider.
Added p. 17
Refer to Section 2.1.3, “P2PE Component Providers,” to understand how to address Third-Party Service Providers whose services may be eligible for consideration as a P2PE Component. Without such applicable services being separately PCI-listed on the List of Validated P2PE Components, those services (such as KIF, CA/RA, etc.) are not considered P2PE Components but simply a third-party service provider with respect to the P2PE Solution it is used within.

• Maintains a centralized repository for all P-ROVs for P2PE Products listed on the Website;
• Hosts the List of Validated P2PE Solutions, the List of Validated P2PE Components, and the List of Validated P2PE Applications on the Website;
• Provides required training for and qualifies QSA (P2PE) and PA-QSA (P2PE) Companies and Employees to assess and validate P2PE Products for P2PE compliance;
• Maintains and updates the P2PE Standard and related documentation according to a standards lifecycle management process; and
• Reviews …
Added p. 18
• QSA (P2PE): QSA (P2PE) Companies are QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions and P2PE Components. QSA (P2PE) Companies are not qualified by PCI SSC to perform P2PE Application Assessments.

• Not all QSA Companies are PA-QSA Companies; there are additional qualification requirements that must be met for a QSA Company to become a PA-QSA Company.

• Not all QSA Companies are QSA (P2PE) Companies; there are additional qualification requirements that must be met for a QSA Company to become a QSA (P2PE) Company.

• Not all PA-QSA Companies are PA-QSA (P2PE) Companies; there are additional qualification requirements that must be met for a PA-QSA Company to become a PA-QSA (P2PE) Company.

• Documenting each P2PE Assessment in a P-ROV using the applicable P2PE P-ROV Reporting Template.

• Where applicable, submitting the applicable P-ROV and/or any change submission to PCI SSC, along with the applicable P-AOV signed …
Added p. 19
• Ensuring that customers are provided (either directly from the Vendor or from the reseller or integrator) with a current copy of the P2PE Instruction Manual.
Added p. 19
PCI Qualified Integrators and Resellers (QIRs) are trained by the Council in PCI DSS and PA-DSS in order to help ensure that they securely implement Payment Applications. However, the QIR Program does not apply to the P2PE Program at this time.
Added p. 21
1) The P2PE Vendor selects a P2PE Assessor Company from the Council’s List of P2PE Qualified Security Assessor Companies and negotiates the cost and any associated P2PE Assessor Company confidentiality and non-disclosure agreements with the P2PE Assessor Company.

2) The P2PE Vendor then provides to the P2PE Assessor Company access to the Solution, Component, or Application to be assessed, POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for P2PE Solutions, and all associated manuals and other required documentation, including but not limited to the P2PE Vendor’s signed Vendor Release Agreement.
Added p. 22
3) The P2PE Assessor Company then assesses the Solution, Component, or Application, including its security functions and features, to determine whether it complies with the P2PE Standard.

4) If the P2PE Assessor Company determines that the Solution, Component, or Application is in compliance with the P2PE Standard, the P2PE Assessor Company submits a corresponding P-ROV to PCI SSC, attesting to compliance and setting forth the results, opinions, and conclusions of the P2PE Assessor Company on all test procedures along with the P2PE Vendor’s signed VRA and the corresponding P-AOV.

Note: If the P2PE Solution being assessed includes a P2PE Component and/or P2PE Application intended for PCI SSC Listing (but not yet Listed), each such P2PE Product must be individually submitted to PCI SSC via the Portal (including the corresponding P-AOV, P-ROV, and applicable fees) to achieve PCI SSC Listing for each P2PE Product. This submission must be Accepted by PCI SSC before …
Added p. 24
Figure 1: P2PE Product Assessment for Products Intended for PCI SSC Listing
Added p. 25
Figure 2: P2PE Product Submission and PCI SSC Review
Added p. 26
1) The Merchant selects a P2PE Assessor Company from the Council’s List of P2PE Qualified Security Assessor Companies and negotiates the cost and any associated P2PE Assessor Company confidentiality and non-disclosure agreements with the P2PE Assessor Company.

2) The Merchant then provides to the P2PE Assessor Company access to the MMS to be assessed, POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for MMS, and all associated manuals and other required documentation.

3) The P2PE Assessor Company then assesses the MMS, including its security functions and features, to determine whether the MMS complies with the P2PE Standard.

Refer to the sections “P2PE Solutions and Use of Third Parties and/or P2PE Component Providers” and “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the P2PE Standard to understand options for validating Third-Party Service Providers, P2PE Component Providers, and P2PE Applications.

4) If the P2PE Assessor Company …
Added p. 27
Note: A PA-DSS assessment is not required or necessary for a P2PE Application or Non-payment Software to be used in a P2PE Solution.

The following table should be used to determine requirements and eligibility, along with the relevant reference sections of the P2PE Standard:

Element: SCDs
Program Guidance: Validated P2PE Solutions require the use of various types of SCDs. To assist in evaluating these device types for use in a P2PE Solution:

• Refer to “Definition of Secure Cryptographic Devices (SCDs) to be used in P2PE Solutions” in the Introduction section of the P2PE Standard for requirements for these devices;
• Use the “SCD Domain Applicability” matrix in the Introduction section of the P2PE Standard.

Obtaining and maintaining PTS device approval (for those SCDs that require approval) is the responsibility of the secure cryptographic device vendor. For those SCDs required to be approved, such approval is a prerequisite for the devices being assessed as …
Added p. 28
• Refer to “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the Introduction section of the P2PE Standard.

• Refer to “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the Introduction section of the P2PE Standard.

• Independently listed on the List of Validated P2PE Applications, OR
• Not listed on the List of Validated P2PE Applications and therefore only considered an element of the specific Validated P2PE Solution for which it has been submitted.

• If a P2PE Application is currently listed on the List of Validated P2PE Applications AND was assessed against the same major version of the P2PE Standard, only the applicable Domain 1 Testing Procedures must be assessed and evidenced in the Solution P-ROV for each P2PE Solution Assessment in which the application is used.
• If a P2PE Application is not already on the List of Validated P2PE …
Added p. 29
• Refer to definition in P2PE Glossary.

• Refer to “P2PE Solutions and Use of Third Parties and/or P2PE Component Providers” in the Introduction section of the P2PE Standard.

Independent PCI SSC listing of Third-Party Service Provider component services depends on eligibility and is optional. However, such independent listing is required for a given component service to be recognized as a Validated P2PE Component that can be used in multiple P2PE Solutions without the need for full P2PE Assessment of those services each time it is used with a different P2PE Solution.

• If a P2PE Component is currently listed on the List of Validated P2PE Components, the Component P-ROV has already been Accepted by PCI SSC. As a result, only the applicable Testing Procedures must be assessed and evidenced in the Solution P-ROV for each Validated P2PE Component included in the applicable P2PE Solution.
• If a P2PE Component is not already …
Added p. 30
Prior to commencing a P2PE review with a P2PE Assessor Company, all parties involved are encouraged to take the following preparatory actions:

• Perform a gap analysis between the Solution’s, Component’s, or Application’s security functionality and the P2PE Standard;
• Correct any gaps; and
• If desired, the P2PE Assessor Company may perform a pre-assessment or gap analysis of a P2PE Solution, Component, or Application. If the P2PE Assessor Company notes deficiencies that would prevent a compliant result, the P2PE Assessor Company will provide a list of P2PE features to be addressed before the formal review process begins.

• Determine whether the P2PE Application Provider’s Implementation Guide meets P2PE Standard requirements and correct any gaps.

• P2PE Solution Providers are responsible for ensuring that the various components and applications (including those provided by Third-Party Service Providers, P2PE Application Vendors, and/or P2PE Component Providers) used as part of their P2PE Solutions are all compliant …
Added p. 30
• How close the P2PE Product is to being P2PE-compliant at the start of the Assessment: Corrections to the P2PE Product to achieve compliance will delay validation.

• For P2PE Solutions that use P2PE Applications and/or P2PE Components: Those that are being listed on the Website separately must be Listed before the P2PE Solution can be reviewed.
Added p. 31
• Prompt payment of the fees due to PCI SSC: PCI SSC will not commence review of the P-ROV until the applicable fee has been paid.

• Quality of the P2PE Assessor Company's submission to PCI SSC: Incomplete submissions or those containing errors (for example, missing or unsigned documents, incomplete or inconsistent submissions) will result in delays in the review process.

  - If PCI SSC reviews the P-ROV more than once, providing comments back to the P2PE Assessor Company to address each time, this will increase the length of time for the review process.

Any P2PE Assessment timeframes provided by a P2PE Assessor Company should be considered estimates, since they may be based on the assumption that the P2PE Product is able to successfully meet all P2PE requirements quickly. If problems are found during the review or acceptance processes, discussions between the P2PE Assessor Company, the P2PE Vendor, and/or PCI SSC may be …
Added p. 32
• Guidance on designing P2PE Solutions in accordance with the P2PE Standard
• Review of P2PE Solution design, response to questions via e-mail or phone, and participation in conference calls to clarify requirements
• Guidance on preparing the P2PE Instruction Manual and/or P2PE Application Implementation Guide
• Pre-assessment (gap analysis) services prior to beginning formal P2PE Assessment
• Guidance for bringing the Solution, Component, or Application into compliance with the P2PE Standard if gaps or areas of non-compliance are noted during the assessment

Note: When arranging for non-P2PE Assessment services with a P2PE Assessor Company, care should be taken by both the P2PE Assessor Company and its customer to ensure that the P2PE Assessor Company satisfies all independence requirements as set forth in the QSA Qualification Requirements (for example, that a P2PE Assessor Employee does not assess its own work product as part of the actual P2PE Assessment). Conflicts of interest may …
Added p. 32
• Covers confidentiality issues;
• Covers the P2PE Vendor’s agreement to P2PE Program requirements, policies and procedures;
Added p. 33
For PCI SSC review of a P-ROV to take place:

• The P2PE Assessor Company must provide to PCI SSC the P2PE Vendor’s signed copy of the then-current VRA, along with the initial P-ROV submitted to PCI SSC in connection with that P2PE Assessment.
Added p. 33
All P2PE Assessment-related fees are payable directly to the P2PE Assessor Company (these fees are negotiated between the P2PE Assessor Company and their customers).

As part of this annual process, P2PE Vendors are required to confirm whether any changes have been made to the P2PE Solution, P2PE Component, or P2PE Application, and that:

a) Changes have been applied in a way that is consistent with the P2PE Standard;

b) The P2PE Solution, P2PE Component, or P2PE Application continues to meet the requirements of the P2PE Standard;

c) The PCI SSC has been advised of any change that necessitates a change to the listing on the Website, in accordance with this Program Guide.

The P2PE Vendor is required to give consideration to the impact of external threats and whether updates to the P2PE Solution, P2PE Component, or P2PE Application are necessary to address changes to the external threat environment. The updated P-AOV should be submitted via email …
Added p. 35
Table 5.2.a: Changes to P2PE Listings for Solutions and Components

Change Type: Description

Designated: Designated Changes to P2PE Solutions or P2PE Components are limited to the following:

• Add/Remove P2PE Component;
• Add/Remove PCI-approved POI Device Type;
• Add/Remove P2PE Application.

See Section 5.2.2, “Designated Changes for P2PE Solutions and P2PE Components,” for details.

Interim: Interim Changes are not reported in detail but are addressed by the P2PE Vendor during the Annual Revalidation process via the Interim Self-Assessment. These changes will include:

• Any change that impacts compliance with the requirements of the P2PE Standard for a P2PE Solution or P2PE Component, but is not considered a “Designated Change.”
• Any other change that does not impact compliance with the requirements of the P2PE Standard for a given P2PE Product.

Administrative: Changes made to a listed P2PE Solution or P2PE Component that have no impact on the compliance of the P2PE Listing with any requirements …
Added p. 36
See Section 5.3, “Change Documentation,” for specifics on the below:

The P2PE Vendor prepares a Vendor Change Analysis (for example, using the corresponding P2PE Change Impact Template in the Appendices) and submits it to the P2PE Assessor Company for review, along with the updated P2PE Application Implementation Guide or P2PE Implementation Manual. The change analysis must contain the following information at a minimum:

• Name and reference number of the Validated P2PE Listing
• Description of the change
• Description of why the change is necessary

It is recommended that the P2PE Vendor submit the Vendor Change Analysis to the same P2PE Assessor Company used for the original P2PE Solution Assessment.

Note: Administrative Changes are only permissible to already-listed P2PE Solutions, P2PE Components, and P2PE Applications that have not expired.
Added p. 37
1) The P2PE Assessor Company must notify the P2PE Vendor that they agree;
2) The P2PE Vendor prepares and signs the corresponding P-AOV, and sends it to the P2PE Assessor Company;
3) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual and/or P2PE Application Implementation Guide and/or completes a new VRA;
4) The P2PE Assessor Company completes the corresponding P2PE Change Impact Template in the Appendix;
5) The P2PE Assessor signs their concurrence on the P-AOV and forwards it, along with the corresponding P2PE Change Impact report, to PCI SSC;
6) PCI SSC will then issue an invoice to the P2PE vendor for the applicable change fee; and
7) Upon payment of the invoice, PCI SSC will review the Administrative Change submission for quality assurance purposes.

If the P2PE Assessor Company does not agree with the P2PE Vendor that the change as documented in the Vendor Change Analysis is eligible as …
Added p. 37
• Add/remove a validated POI device; or
• Add/remove a validated P2PE Application; or
• Add/remove a validated P2PE Component used in a P2PE Solution.

Designated Changes result in an amendment to a P2PE Solution or P2PE Component as currently listed on the corresponding List on the Website.

See Section 5.3, “Change Documentation,” for specifics on the below.
Added p. 38
• Name and reference number of the Validated P2PE Listing
• Description of the change
• Description of why the change is necessary

It is recommended that the P2PE Vendor submit the Vendor Change Analysis to the same P2PE Assessor Company used for the original assessment.

1) The P2PE Assessor Company must notify the P2PE Vendor that they agree;
2) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual and/or completes a new VRA and submits this to the P2PE Assessor Company;
3) The P2PE Assessor Company must perform an assessment of the requirements of the P2PE Standard that are affected by the change. Details of the tests that must be performed are available within the “Designated Changes” sections of the corresponding P2PE Change Impact Template in the Appendices.

4) The P2PE Assessor Company completes the corresponding P2PE Change Impact Template in the Appendices and must produce a red-lined P-ROV and …
Added p. 39
Note: Wildcards may only be substituted for elements of the version number that represent non-security-impacting changes; the use of wildcards for any change that has an impact on security or any P2PE Requirements is prohibited.

Only those P2PE applications that have had the P2PE Vendor’s wildcard versioning methodology assessed to P2PE v2 by a PA-QSA (P2PE) Assessor Company are eligible for wildcard usage and listing on the Website with wildcards. Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC; therefore, any such changes will not result in an update to the P2PE Application listing on the Website. See Appendix H, “P2PE Application Software Version Methodology,” for additional information regarding the use of wildcards.

• Changes where less than half of the P2PE Application’s functionality is affected; and
• Changes where less than half of the Domain 2 Requirements/sub-Requirements are affected; and
• Changes …
Added p. 40
1) The P2PE Assessor Company must notify the P2PE Application Vendor that they agree;
2) The P2PE Application Vendor modifies the P2PE Application Implementation Guide and/or completes a new VRA (if applicable) and sends it to the P2PE Assessor Company;
3) The P2PE Assessor Company performs a Delta Assessment of the P2PE Application for the P2PE Requirements affected by the changes;
4) The P2PE Assessor Company tests the P2PE Application’s affected functionality;
5) The P2PE Assessor Company completes the appropriate P2PE Change Impact Template in the Appendices, providing the detail of the changes to the P2PE Application, and must produce a red-lined P-ROV and document the testing completed per PCI SSC requirements;
6) The P2PE Application Vendor prepares and signs the corresponding P-AOV and sends it to the P2PE Assessor Company;
7) The P2PE Assessor signs its concurrence on the P-AOV and forwards it, along with the completed P2PE Change …
Added p. 42
• New Validation: If the P2PE Vendor wishes the P2PE Product listing to remain on the corresponding P2PE Product list on the Website, the P2PE Vendor must contact a P2PE Assessor Company to have the P2PE Product fully re-evaluated against the then-current version of the P2PE Standard, resulting in a new Acceptance, on or before the applicable Reassessment Date. This reassessment must follow the same process as an initial P2PE Assessment of the applicable P2PE Product.

• Expiry: Listings of P2PE Products for which a new Acceptance has not occurred on or before the applicable expiration date/reassessment date will appear in Orange for the first 90 days, and in Red thereafter.

For any change affecting the listing of a validated P2PE Solution, P2PE Component, or P2PE Application, the applicable fee will be invoiced and must be received by PCI SSC for the changes to be Accepted and added to the corresponding P2PE …
Added p. 43
• Request a copy of the latest version of the P2PE Vendor’s Vulnerability Handling Policies.
Added p. 44
When the P-ROV has all items in place, and where the P2PE Vendor seeks to have the P2PE Product listed on the Website, the P2PE Assessor Company submits the P-ROV and all other required materials to PCI SSC. If the P-ROV does not have all items in place, the P2PE Vendor must address those items, and the P2PE Assessor must update the P-ROV prior to submission to PCI SSC. Once the P2PE Assessor Company is satisfied that all documented issues have been resolved by the P2PE Vendor, the P2PE Assessor Company submits the P-ROV and all other required materials to PCI SSC.

Once PCI SSC receives the P-ROV and all other required materials and applicable fees, PCI SSC reviews the submission from a quality assurance perspective and determines whether it is acceptable. Subsequent iterations will also be responded to, typically within 30 calendar days of receipt. If the P- ROV meets …
Added p. 46
Note: These status designations are not necessarily progressive: Any P2PE Assessor Company’s status may be revoked or its P2PE Assessor Addendum (defined in the P2PE Qualification Requirements) terminated in accordance with the P2PE Assessor Addendum; and accordingly, if warranted, a P2PE Assessor Company may move directly from “In Good Standing” to “Revocation.” Nonetheless, in the absence of severe quality concerns, P2PE Assessor Companies with quality issues are generally first addressed through the Remediation process in order to promote improved performance.
Added p. 47
If a P2PE Solution, P2PE Component, or P2PE Application included on the List of Validated Solutions, List of Validated Components, or List of Validated Applications is compromised due to P2PE Assessor Company and/or Employee error, that P2PE Assessor Company and/or Employee may immediately be placed into Remediation or its P2PE qualification status revoked.

The P2PE Assessor Company and/or P2PE Assessor Employee may appeal the Revocation but, unless otherwise approved by PCI SSC in writing in each instance, will not be permitted to perform P2PE Assessments, process P-ROVs, or otherwise participate in the P2PE Program. The P2PE Assessor Company and/or P2PE Assessor Employee may reapply at a later date, two years after revocation, so long as it has demonstrated to PCI SSC's satisfaction that it meets all applicable QSA, P2PE Assessor, and, if applicable, PA-QSA requirements, as documented in the relevant PCI SSC program documents.
Added p. 48
• the Alternate Product should not be considered Accepted by PCI SSC, nor promoted as Accepted by PCI SSC.

When granted, PCI SSC Acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC’s goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the P2PE Solution Provider or the functionality, quality, or performance of the P2PE Product or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include or imply any product warranties from PCI SSC, including, without limitation, any implied warranties of merchantability, fitness for purpose or non-infringement, all of which are expressly disclaimed by PCI SSC. All rights and remedies regarding products and services that have received acceptance from PCI SSC shall be provided by the party providing …
Added p. 50
• P2PE Applications Supported: This section identifies the P2PE Applications validated for use with this P2PE Solution and listed on the List of Validated P2PE Applications, and will include the expiry date of the P2PE Application’s approval.

• P2PE Components: This section identifies the P2PE Components validated for use with this P2PE Solution and listed on the List of Validated P2PE Components, and will include the expiry date of the P2PE Component’s approval.

While a P2PE Solution may include third-party services (including services potentially eligible for Listing as a P2PE Component, such as CA/RA or KIF), those are not listed within the P2PE Solution or within the List of Validated P2PE Components. Any use of such a component in another P2PE Product would require either independent listing as a P2PE Component, if eligible, or assessment as part of each P2PE Solution in which it is used.
Added p. 51
This entry denotes the P2PE Component Provider for the Validated P2PE Component.

P2PE Component Identifiers

P2PE Component Identifier refers to a subset of fields in the listing below the “Company” entry used by PCI SSC to denote relevant information for each Validated P2PE Component, consisting of the following fields (fields are explained in detail below):

• P2PE Component Name
• Reference Number
• Component Details

P2PE Component Identifier: Detail

• P2PE Component Name: P2PE Component Name is provided by the P2PE Component Provider, and is the name by which the P2PE Component Provider’s services are known.

• Reference Number: PCI SSC assigns the Reference number once the Validated P2PE Component is posted to the Website; this number is unique per P2PE Component Provider and will remain the same for the life of the listing.

An example reference number is 2015-XXXXX.XXX, consisting of the following:

Field / Format:
• Year of listing: 4 digits + hyphen
• Component Provider #: 5 digits …
Added p. 52
• PTS Devices Supported
• P2PE Application(s) Supported
• P2PE Components

Not all component details will apply, as each component service is different. For example, Encryption-management services may have PTS Devices Supported; others likely will not.

Component Details: Detail

• PTS Devices Supported: This section identifies the PCI-approved POI devices validated for use with this P2PE Component and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.

• P2PE Applications Supported: This section identifies the P2PE Applications validated for use with this P2PE Component and listed on the List of Validated P2PE Applications, and will include the expiry date of the P2PE Application’s approval.

• P2PE Components: This section …
Added p. 54
See Appendix H: P2PE Application Software Versioning Methodology for details about content to include in the Application P-ROV and P2PE Application Implementation Guide for the Application Vendor’s versioning methods.

• Reference Number

• Contradict any PCI SSC program or requirement.

• Make misleading claims about the application.

• Claim the application is valid under another PCI SSC program or standard.
Added p. 56
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.

Part 1. P2PE Listing Details, Contact Information, and Change Type
P2PE Listing Details: P2PE Solution Name; Validated Listing Reference #
Type of Change (Please check): Administrative (Complete Part 2); Delta (Complete Part 3)
Submission Date
P2PE Vendor Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
QSA (P2PE) Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
Added p. 57
Add/Remove POI Device Type (Complete Part 3a): Add / Remove
Add/Remove P2PE Application (Complete Part 3b): Add / Remove; Application Version Number:

Add/Remove P2PE Component (Complete Part 3c): Add / Remove
Description of changes to the P2PE Solution or P2PE Component:

Description of how Designated Change impacts the P2PE Solution’s functionality
Additional details, as applicable
Added p. 59
P2PE Requirements (including all testing procedures): All of 1D-1
Added p. 60
Perform a red-lined P-ROV review for the added P2PE Component using the table below as a minimum set of testing procedures.

P2PE Requirements (including all testing procedures): All of 3A-1; 3A-2 (as applicable); All of 3B-1; 3C-1 (as applicable)

The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.
Added p. 61
Part 1. P2PE Listing Details, Contact Information, and Change Type
P2PE Listing Details: P2PE Component Provider; Type of P2PE Component (select only one): KIF / CA/RA / Encryption Mgmt. / Decryption Mgmt.; SSC Listing Number

Type of Change (Please check): Administrative (Complete Part 2); Delta (Complete Part 3)
Submission Date
P2PE Vendor Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
QSA (P2PE) Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
Added p. 62
Add/Remove POI Device Type (Complete Part 3a): Add / Remove
Add/Remove P2PE Application * (Complete Part 3b): Add / Remove; Version Number of the Application:

Add/Remove P2PE Component (Complete Part 3c): Add / Remove
Description of changes to the P2PE Component:

Description of real or potential impact to the P2PE Solution(s) it is used in
Additional details, as applicable
Added p. 64
P2PE Requirements (including all testing procedures): All of 1D-1
Added p. 65
Perform a red-lined P-ROV review for the added P2PE Component using the table below as a minimum set of testing procedures.

P2PE Requirements (including all testing procedures): All of 3A-1; 3A-2 (as applicable); All of 3B-1; 3C-1 (as applicable)
Added p. 66
The P2PE Application Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change (see Table 5.2.b: Changes to P2PE Listings for Applications). The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.

Part 1. P2PE Application Details, Contact Information, and Change Type
P2PE Application Details: P2PE Application Name; Validated Listing Reference #; P2PE Application Version #; Revised P2PE Application Version (if applicable)
Type of Change (Please check): Administrative (Complete Part 2); Delta (Complete Part 3)
Submission Date
P2PE Application Vendor Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
PA-QSA (P2PE) Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
Added p. 68
Delta Change: Change Summary

Add/Remove POI Device Type (Complete Part 3a): Add / Remove / Not Applicable
Additional details, as applicable:

Change table columns:
• Change Number
• Detailed description of the
• Description of why the change is necessary
• Description of how P2PE functionality is impacted
• Description of how P2PE Domain 2 Requirements/sub-Requirements are impacted
Added p. 70
H.1 Version Number Format

The format of the application version number is set by the P2PE Application Vendor and may be comprised of several elements. The versioning methodology and the P2PE Application Implementation Guide must fully describe the format of the application version number, including the following:

• The format of the version scheme, including:
  • Number of elements
  • Number of digits used for each element
  • Format of separators used between elements
  • Character set used for each element (consisting of alphabetic, numeric, and/or alphanumeric characters)
• The hierarchy of the elements
• Definition of what each element represents in the version scheme
• Type of change: major, minor, maintenance release, wildcard, etc.
• The definition of elements that indicate any use of wildcards
• The specific details of how wildcards are used in the versioning methodology

H.2 Version Number Usage

All changes to the P2PE Application must result in a …
Added p. 71
If the P2PE Application Vendor uses a versioning scheme that involves mapping of internal version numbers to external, published version numbers, all security-impacting changes must result in an update to the external, published version number.

Any version number that is accessible to customers and integrator/resellers must be consistent with the versioning methodology described in the P2PE Application Implementation Guide.

P2PE Application Vendors must ensure traceability between application changes and version numbers such that a customer or integrator/reseller may determine which changes are included in the specific version of the application they are running.

H.3 Wildcards

A “wildcard” element is a variable character that may be substituted for a defined subset of possible characters in an application versioning scheme. In the context of P2PE Applications, wildcards can optionally be used to represent non-security-impacting changes between each version represented by the wildcard element. A wildcard is the only variable element of the P2PE Application Vendor’s …
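The following Python is an added illustration, not code from the P2PE Program Guide or from PCI SSC: it models one hypothetical versioning methodology of the kind Appendix H (H.1 to H.3) asks a P2PE Application Vendor to document, and shows the checks a reviewer would want to run against it: does a version string follow the documented format, does a listed version with a wildcard element cover the version a customer is running, and has a security-impacting change produced a new published version outside the wildcard element. The three-element scheme, the fixed digit widths, the "." separator, the "x" wildcard character and all sample version numbers are assumptions constructed for the example; the Guide prescribes what the vendor must describe, not any particular format.

```python
"""Added example (not PCI SSC's or any vendor's code): a model of the kind of
application versioning methodology that Appendix H asks a P2PE Application
Vendor to document, with checks a reviewer can run against it.

Assumptions, made for illustration only: a three-element scheme
major.minor.maintenance, numeric elements of fixed width, "." as the
separator, and the character "x" standing in for the wildcard element (H.3)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Element:
    name: str         # H.1: what the element represents in the scheme
    digits: int       # H.1: number of digits used for the element
    change_type: str  # H.1: "major", "minor", "maintenance" or "wildcard"


@dataclass(frozen=True)
class VersionScheme:
    elements: tuple[Element, ...]  # ordered most to least significant (H.1: hierarchy)
    separator: str = "."           # H.1: separator used between elements
    wildcard: str = "x"            # H.3: character that may replace the wildcard element

    def _pattern(self) -> str:
        parts = []
        for e in self.elements:
            digits = rf"\d{{{e.digits}}}"
            if e.change_type == "wildcard":
                # Only the wildcard element may be written as the wildcard character.
                parts.append(f"({digits}|{re.escape(self.wildcard)})")
            else:
                parts.append(f"({digits})")
        return "^" + re.escape(self.separator).join(parts) + "$"

    def parse(self, version: str) -> tuple[str, ...]:
        """Split a version string into its elements; reject anything that does not
        follow the documented format (wrong width, separator, or character set)."""
        m = re.fullmatch(self._pattern(), version)
        if m is None:
            raise ValueError(f"{version!r} does not follow the documented versioning scheme")
        return m.groups()


def conforms(scheme: VersionScheme, version: str) -> bool:
    """H.2: a customer-visible version number must match the documented methodology."""
    try:
        scheme.parse(version)
        return True
    except ValueError:
        return False


def covers(scheme: VersionScheme, listed: str, running: str) -> bool:
    """H.3: does a listed version (possibly carrying a wildcard) cover the version a
    customer is actually running? Only the wildcard element may differ, and only
    when the listing uses the wildcard character in that position."""
    for e, lv, rv in zip(scheme.elements, scheme.parse(listed), scheme.parse(running)):
        if lv == rv:
            continue
        if e.change_type == "wildcard" and lv == scheme.wildcard and rv != scheme.wildcard:
            continue
        return False
    return True


def change_type(scheme: VersionScheme, old: str, new: str) -> str:
    """Most significant element that differs between two versions ("none" if equal)."""
    for e, ov, nv in zip(scheme.elements, scheme.parse(old), scheme.parse(new)):
        if ov != nv:
            return e.change_type
    return "none"


def change_is_acceptable(scheme: VersionScheme, old: str, new: str,
                         security_impacting: bool) -> bool:
    """H.2/H.3 as modelled here (an assumption drawn from the traceability
    requirement): every change needs a distinct version number, and a
    security-impacting change must be visible outside the wildcard element,
    because the wildcard may only stand for non-security-impacting changes."""
    ct = change_type(scheme, old, new)
    if ct == "none":
        return False
    if security_impacting:
        return ct != "wildcard"
    return True


# Constructed sample scheme: a build "1.02.05" would be listed as "1.02.x".
SCHEME = VersionScheme(elements=(
    Element("major", 1, "major"),
    Element("minor", 2, "minor"),
    Element("maintenance", 2, "wildcard"),
))

if __name__ == "__main__":
    print(covers(SCHEME, "1.02.x", "1.02.07"))                       # True
    print(change_is_acceptable(SCHEME, "1.02.05", "1.02.06", True))  # False: security fix hidden under wildcard
    print(change_is_acceptable(SCHEME, "1.02.05", "1.03.00", True))  # True: published minor version changed
```

The point a reviewer takes from `change_is_acceptable` is the one H.3 makes in words: a listing of `1.02.x` tells a merchant nothing about which maintenance build they hold, so if a security fix is shipped as `1.02.05` to `1.02.06` the listing no longer says anything about whether the fixed build is the validated one, and the vendor's documented methodology must forbid that.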
Modified p. 1
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Program Guide Version 1.2
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Program Guide Version 2.0
Removed p. 2
November 2015 1.2 Updated to correct minor typos and to align processes and listings with the evolving P2PE Program.
Removed p. 4
• Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms v1.2 (the “P2PE Glossary”)
• PCI Data Security Standard Requirements and Security Assessment Procedures
• PA-DSS Requirements and Security Assessment Procedures
• PTS PIN Security Requirements
• PTS Hardware Security Module (HSM) Security Requirements
• PTS POI Modular Security Requirements
• PTS Device Testing and Approval Program Guide
• PCI DSS Glossary of Terms, Abbreviations, and Acronyms
• PCI Qualification Requirements for Point-to-Point Encryption (P2PE) Qualified Security Assessors, QSA (P2PE) and PA-QSA (P2PE) (or P2PE Qualification Requirements)

1.2 Updates to Documents and Security Requirements

Security is a never-ending race against potential attackers. As a result, it is necessary to regularly review, update and improve the security requirements used to evaluate point-to-point encryption (P2PE) solutions. As such, PCI SSC endeavors to publish formal updates to its P2PE security requirements every 36 months, at a minimum. Additionally, PCI SSC …
Modified p. 4 → 6
The following additional PCI SSC documents are used in conjunction with v1.1.1 of the P2PE Standard:
The most current versions of the following additional documents are used in conjunction with the aforementioned:
Modified p. 4 → 7
PCI SSC reserves the right to change, amend or withdraw security requirements at any time. If such a change is required, PCI SSC will endeavor to work closely with PCI SSC’s community of Participating Organizations, P2PE Solution Providers and P2PE Assessors to help reduce the impact of any changes.
PCI SSC reserves the right to change, amend, or withdraw security requirements at any time. If such a change is required, PCI SSC will endeavor to work closely with PCI SSC’s community of Participating Organizations, P2PE Solution Providers, P2PE Component Providers, P2PE Application Providers, and P2PE Assessor Companies to help minimize the impact of any changes.
Removed p. 5
a) Received the corresponding P-ROV from the P2PE Assessor, in which the P2PE Assessor determines that the P2PE Solution or P2PE Application satisfies all applicable requirements of the P2PE Standard and supporting documents;

b) Received all applicable fees and all documentation required with respect to the P2PE Program;

c) Confirmed that the P-ROV is correct as to form, the P2PE Assessor adequately reported the P2PE compliance of the P2PE Solution or P2PE Application in accordance with the P2PE Program requirements and the detail provided in the P-ROV meets PCI SSC’s reporting requirements; and

d) Listed the P2PE Solution or Application on the applicable Council List, provided that PCI SSC may suspend, withdraw, revoke, cancel or place conditions upon (including without limitation, complying with remediation requirements) Acceptance of any P2PE Solution or Application in accordance with P2PE Program policies and procedures.

Note: As further addressed in Appendix A hereto, “Acceptance” is limited to the specific …
Modified p. 5 → 7
Term Meaning Accepted, Acceptance A P2PE Solution or P2PE Application is deemed to have been “Accepted” (and “Acceptance” is deemed to have occurred) when PCI SSC has:
Term Meaning Accepted, or listed A P2PE Product is deemed to have been “Accepted” or “listed” (and “Acceptance” is deemed to have occurred) when PCI SSC has:
Removed p. 6
P-ROV A “P2PE Report on Validation” completed by a P2PE Assessor and submitted directly to PCI SSC for review and Acceptance.

For a P2PE Solution to be included on the List of Validated P2PE Solutions, a Solution P-ROV must be submitted directly to PCI SSC for review and Acceptance.

For a P2PE Application to be included on the List of P2PE Validated Applications, an Application P-ROV must be submitted directly to PCI SSC for review and Acceptance.

P2PE Application Assessment An assessment of a P2PE Application against the P2PE Domain 2 Application Vendor Testing Procedures in isolation of any point-to-point solution, for purposes of ensuring in connection with the P2PE Assessor Program that the application itself is secure and the vendor has robust application-development processes.

P2PE Domain 2 Application Vendor Assessment Testing Procedures All testing procedures for P2PE Domain 2 specified in the column labeled “Testing Procedures: Application Vendor Assessment” in the P2PE Standard.

P2PE …
Modified p. 6 → 9
P2PE Application Refer to definition in P2PE Glossary v1.2.
P2PE Application Refer to definition in P2PE Glossary.
Modified p. 6 → 9
P2PE Assessment A P2PE Solution Assessment or P2PE Application Assessment.
P2PE Assessment A P2PE Solution Assessment, P2PE Component Assessment, or P2PE Application Assessment.
Modified p. 6 → 9
P2PE Assessor A company then qualified by PCI SSC as either a QSA (P2PE) or PA-QSA (P2PE).
P2PE Assessor Company A company qualified by PCI SSC as either a QSA (P2PE) Company or PA-QSA (P2PE) Company.
Modified p. 6 → 9
P2PE Components Refer to definition in P2PE Glossary v1.2.
P2PE Component Provider Refer to definition in P2PE Glossary.
Modified p. 6 → 9
P2PE Domain or Domain Any of the six control domains of the P2PE Standard, which together represent the core areas where security controls need to be applied and validated in order for a P2PE Solution to be listed on the PCI SSC website.
P2PE Domain or Domain Any of the six control domains of the P2PE Standard, which together represent the core areas where security controls may need to be applied and validated.
Modified p. 6 → 9
P2PE Glossary v1.2 of the PCI Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms, available on the Website.
P2PE Glossary Refers to the then-current version of (or successor document to) the PCI Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms, as from time to time amended and made available on the Website.
Removed p. 7
P2PE Standard Refers to Solution Requirements and Testing Procedures: Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hardware) v1.1.1 and Solution Requirements and Testing Procedures: Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hybrid) v1.1.1.

P2PE Vendor A vendor or other provider seeking Acceptance of a solution or software application.

Participating Payment Brand A payment card brand that, as of the time in question, is also then a formally admitted member of PCI SSC (or affiliate thereof). The Participating Payment Brands as of the release of this version of this document were American Express Travel Related Services Company, Inc., DFS Services LLC, JCB Advanced Technologies, Inc., MasterCard International Incorporated and Visa International Service Association (or their affiliates).
Modified p. 7 → 9
P2PE Solution Provider Refer to definition in P2PE Glossary v1.2.
P2PE Application Vendor Refer to definition in P2PE Glossary.
Modified p. 7 → 10
P2PE Solution Refer to definition in P2PE Glossary v1.2.
P2PE Solution Provider Refer to definition in P2PE Glossary.
Modified p. 7 → 10
P2PE Solution Assessment Assessment of a P2PE Solution in order to validate compliance with the P2PE Standard as part of the P2PE Assessor Program, and with respect to a given PA-QSA (P2PE), includes P2PE Application Assessments of P2PE Applications incorporated into or a part of the P2PE Solutions assessed by such PA-QSA (P2PE).
P2PE Solution Assessment Assessment of a P2PE Solution against applicable P2PE Domains in order to validate compliance with the P2PE Standard as part of the P2PE Program.
Modified p. 7 → 11
PA-QSA (P2PE) Employee An individual employed by a PA-QSA (P2PE) who has satisfied, and continues to satisfy, all PA-QSA (P2PE) Requirements applicable to employees of PA-QSA (P2PE)s who will conduct P2PE Application Assessments, as described in further detail herein.
QSA (P2PE) Employee An individual employed by a QSA (P2PE) who has satisfied, and continues to satisfy, all QSA (P2PE) Requirements applicable to employees of QSA (P2PE) Companies who will conduct P2PE Solution Assessments and/or P2PE Component Assessments, as described in further detail herein.
Removed p. 8
PCI SSC website or Website The then-current PCI SSC web site and its accompanying web pages, which is currently available at www.pcisecuritystandards.org.

QSA Qualification Requirements The then-current version of the Payment Card Industry (PCI) Data Security Standard Validation Requirements for Qualified Security Assessors (QSA) (or successor document), as from time to time amended and made available on the PCI SSC website.

• Is qualified by PCI SSC to provide services to P2PE Solution Providers in order to validate that such providers’ P2PE Solutions adhere to P2PE Standards, and
• Remains in Good Standing (as defined in the QSA Qualification Requirements Supplement for Point-to-Point Qualified Security Assessors) as a QSA (P2PE).
Modified p. 8 → 10
a) Is qualified by PCI SSC to provide services to P2PE Solution Providers and/or P2PE Application Vendors in order to validate that such providers’ or vendors’ P2PE Solutions and/or P2PE Applications adhere to all aspects of the P2PE Standard, including but not limited to, validation that payment applications, when incorporated into or used as part of a P2PE Solution, adhere to all P2PE Domain 2 Requirements; and b) Remains in Good Standing (as defined in Section 1.3 of the QSA
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers, P2PE Component Providers, and/or P2PE Application Vendors in order to validate that such providers’ or vendors’ P2PE Solutions, P2PE Components, and/or P2PE Applications adhere to all aspects of the P2PE Standard, including but not limited to, validation that payment applications, when incorporated into or used as part of a P2PE Solution, adhere to all P2PE Domain 2 requirements; and (b) Remains in Good Standing (defined in Section …
Modified p. 8 → 11
PCI Security Standards Council, LLC.
PCI SSC or the Council Refers to the PCI Security Standards Council, LLC.
Modified p. 8 → 11
PCI-approved POI Device Refer to definition in P2PE Glossary v1.2.
PCI-approved POI device Refer to definition in P2PE Glossary.
Modified p. 8 → 11
Qualified Security Assessor for Point-to-Point Encryption or QSA (P2PE) A Qualified Security Assessor (QSA) company that:
QSA (P2PE) Company A Qualified Security Assessor (QSA) Company that:
Modified p. 8 → 11
Secure Cryptographic Device (SCD) Refer to definition in P2PE Glossary v1.2.
Secure Cryptographic Device (SCD) Refer to definition in P2PE Glossary.
Modified p. 8 → 11
Third-Party Service Provider An entity that provides a service or function on behalf of a P2PE Solution Provider, which is incorporated into and/or referenced by the applicable P2PE Solution, such as a Certification Authority (as defined in the P2PE Standard), key-injection facility, payment gateway or data center.
Third-Party Service Provider An entity that provides a service or function on behalf of a P2PE Solution Provider, which is incorporated into and/or referenced by the applicable P2PE Solution, such as a payment gateway or data center.
Removed p. 9
• Customers may choose to implement Validated P2PE Solutions in order to reduce the scope of their PCI DSS assessments.

• Listed P2PE Solutions have been validated as compliant with the P2PE Standard by P2PE Assessors.

P2PE P-ROVs are reviewed and Accepted directly by PCI SSC.
Modified p. 9 → 12
Validated P2PE Solution A P2PE Solution that has been assessed by a QSA (P2PE) or PA-QSA (P2PE) to be in scope for the P2PE Program and to have met all of the requirements of the P2PE Standard and then Accepted by PCI SSC, so long as such Acceptance has not been revoked, suspended, withdrawn or terminated.
Validated P2PE Product A Validated P2PE Application, Validated P2PE Component, or Validated P2PE Solution.
Validated P2PE Solution A P2PE Solution that has been assessed by a QSA (P2PE) Company or PA-QSA (P2PE) Company to be in scope for the P2PE Program and to have met all of the requirements of the P2PE Standard and then Accepted by PCI SSC, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated.
Modified p. 9 → 12
Vendor Release Agreement (or “VRA”) The then-current and applicable form of release agreement that PCI SSC:
Vendor Release Agreement (or VRA) The then-current and applicable form of release agreement that PCI SSC:
Modified p. 9 → 12
a) Requires to be executed by P2PE Solution Providers and/or P2PE Application Vendors (as applicable) in connection with the P2PE Assessor Program, and b) Makes available on the PCI SSC website.
(a) Requires to be executed by P2PE Solution Providers, P2PE Component Providers and/or P2PE Application Vendors (as applicable) in connection with the P2PE Assessor Program, and (b) Makes available on the Website.
Modified p. 9 → 12
Stakeholders in the payments value chain benefit from the P2PE Standard in a variety of ways, including but not limited to the following:
Stakeholders in the payments value chain benefit from the P2PE Standard in a variety of ways, including the following:
Modified p. 9 → 13
• P2PE Solutions validated and listed by the Council are recognized by all Participating Payment Brands (however, each brand develops and manages their own compliance programs).
• P2PE Solutions validated and listed by the Council are currently recognized by all Participating Payment Brands.
Modified p. 9 → 13
For more information regarding PCI SSC, please see the PCI SSC website.
For more information regarding PCI SSC, see the Website.
Removed p. 10
Merchants may choose to implement P2PE Solutions to reduce the scope of their PCI DSS assessments in accordance with specific P2PE scenarios (e.g. Hardware/Hardware). Merchants should consult with their acquirers or payment brands to determine any required PCI DSS validation processes.

Domain Name / Description:
• Domain 1 (Encryption Device Management): Use secure encryption devices and protect devices from tampering
• Domain 2 (Application Security): Secure applications in the P2PE environment
• Domain 3 (Encryption Environment): Secure environments where POI devices are present
• Domain 4 (Segmentation between Encryption and Decryption Environments): Segregate duties and functions between encryption and decryption environments
• Domain 5 (Decryption Environment and Device Management): Secure decryption environments and decryption devices
• Domain 6 (P2PE Cryptographic Key Management): Use strong cryptographic keys and secure key-management functions

Further information about these Domains is contained in the P2PE Standard.
Modified p. 10 → 14
• P2PE Solution Requirements
• Processes for recognizing P2PE Assessor validated P2PE Solutions and P2PE Applications
• Quality assurance processes for P2PE Assessors
P2PE Solution Providers may choose to have their P2PE Solutions validated for compliance with the P2PE Standard in accordance with this P2PE Program Guide in order to have those solutions included in the List of Validated P2PE Solutions on the PCI SSC website.

• P2PE security requirements and assessment procedures
• Processes for recognizing P2PE Assessor-validated P2PE Solutions, P2PE Components, and P2PE Applications
• Quality assurance processes for P2PE Assessor Companies
P2PE Solution Providers may choose to have their P2PE Solutions validated for compliance with the P2PE Standard in accordance with this P2PE Program Guide in order to have those solutions included in the List of Validated P2PE Solutions on the PCI SSC website.
Modified p. 10 → 14
PCI SSC reserves the right to require revalidation due to changes to the P2PE Standard and/or due to specifically identified vulnerabilities in listed P2PE Solutions.
Note: PCI SSC reserves the right to require revalidation due to changes to the P2PE Standard and/or due to specifically identified vulnerabilities in listed P2PE Solutions.
Removed p. 11
• Performs quality assurance reviews of P-ROVs to confirm report consistency and quality.

• Lists P2PE Validated Solutions and Applications on the PCI SSC website.

• Qualifies and trains QSA (P2PE) and PA-QSA (P2PE) assessors to perform P2PE reviews.

• Maintains and updates the P2PE Standard and related documentation according to a standards lifecycle management process.

Note that PCI SSC does not approve reports from a validation perspective. The role of the QSA (P2PE) and PA-QSA (P2PE) is to validate the P2PE Solution meets all requirements of the P2PE Standard as of the date of the P2PE Assessment. PCI SSC Accepts P2PE Solutions only after performing quality assurance reviews to help ensure that QSAs (P2PE) and PA-QSAs (P2PE) accurately and thoroughly document the results of their P2PE Assessments.

P2PE Assessors P2PE Assessors are companies that have been qualified by PCI SSC as either QSAs or PA-QSAs, and have satisfied additional requirements to perform P2PE Solution …
Modified p. 11 → 15
P2PE Solution Providers have overall responsibility for ensuring that their P2PE Solutions satisfy all requirements of the P2PE Standard, including ensuring that such requirements are met by any Third-Party Service Providers that perform P2PE functions on behalf of the P2PE Solution Provider, such as Certification Authorities and key-injection facilities.
P2PE Solution Providers have overall responsibility for ensuring that their P2PE Solutions satisfy all applicable requirements of the P2PE Standard.
Modified p. 11 → 17
PCI SSC is the standards body that maintains the payment card industry standards, including the PCI DSS, PA-DSS, PTS, and P2PE. In relation to P2PE, PCI SSC:
PCI SSC is the standards body that maintains the PCI SSC standards including the PCI DSS, P2PE Standard, PTS Standard, and PA-DSS. In relation to the P2PE Standard, PCI SSC:
Modified p. 11 → 18
QSA (P2PE)s are only qualified to perform P2PE Solution Assessments. PA-QSA (P2PE)s are qualified to perform P2PE Solution Assessments and P2PE Application Assessments.
• PA-QSA (P2PE): PA-QSA (P2PE) Companies are PA-QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions, P2PE Components, and P2PE Applications.
Removed p. 12
1. QSA (P2PE)s QSA (P2PE)s are companies that have been (and remain) qualified by PCI SSC to perform P2PE Solution Assessments.

• Confirming that the P2PE Instruction Manual specific to a given P2PE Solution effectively documents secure configuration settings, merchant guidance, and other required information for merchants and, where applicable, resellers/integrators.

• Submitting the Solution P-ROV to PCI SSC, along with the Solution AOV (signed by both QSA (P2PE) and P2PE Solution Provider).

• Maintaining an internal quality assurance process for its QSA (P2PE) efforts in accordance with the P2PE Standard.

It is the QSA (P2PE)’s responsibility to validate that the P2PE Solution meets all requirements of the P2PE Standard.

2. PA-QSA (P2PE)s PA-QSA (P2PE)s are companies that have been (and remain) qualified by PCI SSC to perform P2PE Solution Assessments and P2PE Application Assessments.

All requirements for QSA (P2PE)s apply to all PA-QSA (P2PE)s.

Regarding P2PE Application Assessments, PA-QSA (P2PE)s are responsible for:

• Performing P2PE Application …
Modified p. 12 → 18
QSA (P2PE)s are responsible for:
P2PE Assessor Companies are responsible for:
Modified p. 12 → 18
• Performing assessments of P2PE Solutions in accordance with the P2PE Standard.
• Performing assessments of P2PE Solutions and P2PE Components (and P2PE Applications for PA-QSA (P2PE) Assessor Companies) in accordance with the P2PE Standard and the P2PE Qualification Requirements.
Modified p. 12 → 18
• Providing an opinion regarding whether the P2PE Solution and environment satisfies the P2PE Standard.
• Providing an opinion regarding whether the P2PE Solution or P2PE Component (or P2PE Application for PA-QSA (P2PE) Assessor Companies) meets the P2PE Standard.
Modified p. 12 → 18
• Providing adequate documentation within the Solution P-ROV to demonstrate the P2PE Solution and environment’s compliance with the P2PE Standard.
• Providing adequate documentation within the applicable P-ROV to demonstrate the P2PE Solution’s or P2PE Component’s (or P2PE Application’s for PA-QSA (P2PE) Assessor Companies) P2PE compliance.
Modified p. 12 → 18
• Staying up to date with Council rules, requirements and procedures, and industry trends and best practices.
• Staying up-to-date with Council statements and guidance, P2PE Technical FAQs, industry trends and best practices.
Removed p. 13
PCI Recognized Laboratories Security laboratories qualified by PCI SSC under the PCI SSC laboratory program (“PCI-recognized laboratories”) are responsible for the evaluation of POI devices against PCI SSC’s PTS Standards and requirements (“PTS requirements”). Evaluation reports on devices found compliant with the PTS requirements are submitted by the PCI-recognized laboratories to PCI SSC for approval, and if approved, the device is listed on PCI SSC’s "List of Approved PTS Devices" on the PCI SSC website.

Payment Device (Hardware) Vendors A POI device vendor submits a POI device for evaluation to an independent PCI PTS security laboratory. Per PTS requirements, device vendors must develop a supplement document describing the secure operation and administration of their equipment to assist merchants and P2PE Solution Providers.

Application (Software) Vendors As part of establishing the P2PE compliance of its applications, an application vendor that develops applications with access to account data on a POI device must have …
Modified p. 13 → 19
• Servicing P2PE devices (for example, troubleshooting, delivering remote updates, and providing remote support) according to the validated processes in the P2PE Instruction Manual.
• Servicing POI devices used in a P2PE Solution (for example, troubleshooting, delivering remote updates, and providing remote support) according to the validated processes in the P2PE Instruction Manual.
Modified p. 13 → 19
Integrators and Resellers do not submit P2PE Solutions for P2PE Solution Assessment. Only a P2PE Solution Provider may submit a P2PE Solution for P2PE Solution Assessment.
Integrators and Resellers do not submit P2PE Solutions for P2PE Solution Assessments. Only a P2PE Solution Provider may submit a P2PE Solution for a P2PE Solution Assessment.
Removed p. 14
Specific requirements for CAs involved in remote key distribution are set out in Domain 6, Annex A of the P2PE Standard. CA requirements apply to all entities signing public keys, whether in X.509 certificate-based schemes or other designs. These requirements apply equally to third-party CAs and CAs that are hosted by the P2PE Solution Provider.

Ultimately, it remains the P2PE Solution Provider’s responsibility to ensure that the CA is in compliance with the requirements set out in the P2PE Standard.

Key-Injection Facilities

The term “key-injection facility” (KIF) describes the entities performing key injection into POI devices. Key injection may be performed by the P2PE Solution Provider or by a Third-Party Service Provider such as a POI terminal manufacturer or vendor. Environmental and key-management requirements are defined in Domains 1, 5 and 6 of the P2PE Standard; and Domain 6 Annex B contains additional requirements for KIFs.

Ultimately, it remains the P2PE Solution …
Modified p. 14 → 19
• Adherence to the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
• Adherence to the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider and/or integrator/reseller.
Modified p. 14 → 19
If the merchant has other non-P2PE payment channels, ensuring the P2PE environment is adequately segmented (isolated) from any non-P2PE payment channels.
Ensuring, if the merchant has other non-P2PE payment channels, that the P2PE environment is adequately segmented (isolated) from any non-P2PE payment channels.
Modified p. 14 → 19
Validating applicable PCI DSS requirements in accordance with payment brand requirements.
Ensuring that their payment environments are validated against applicable PCI DSS requirements in accordance with applicable payment card brand requirements.
Removed p. 15
1. The P2PE Solution Provider selects a P2PE Assessor from the Council’s list of recognized P2PE Assessors and negotiates the cost and any associated P2PE Assessor services or confidentiality agreements with the P2PE Assessor.

2. The P2PE Solution Provider then provides access to the P2PE Solution to the P2PE Assessor, including details of all Third-Party Service Providers used, access to facilities, details of applications and devices used within the solution, Implementation Guides for P2PE Applications used in the solution, P2PE Instruction Manual, and all associated manuals and other required documentation, including but not limited to the P2PE Solution Provider’s signed VRA and all materials required thereby.

3. The P2PE Assessor must determine the scope of the review including:

a) Third-Party Service Providers to be assessed (e.g. key-injection facilities, Certification Authorities and others).

If these Third-Party Service Providers have already been assessed per the P2PE Standard and a Solution P-ROV to that effect has been …
Removed p. 16
5. Once PCI SSC has received all required information, materials, and applicable fees, PCI SSC reviews the Solution P-ROV to confirm that it meets the P2PE Program requirements. Once confirmed, PCI SSC will notify the P2PE Assessor and P2PE Solution Provider that the Solution P-ROV meets requirements.

6. Subsequently, the Council will sign the corresponding Solution AOV and add the P2PE Solution to the List of Validated P2PE Solutions on the PCI SSC website, and the P2PE Solution is deemed to be Accepted.
Modified p. 16 → 22
Note: As further addressed in Appendix A hereto, “Acceptance” is limited to the specific P2PE Solution that has met all Acceptance requirements. See Appendix A, “P2PE Solutions and Acceptance.”
Note: As further addressed in Appendix A hereto, “Acceptance” is limited to the specific P2PE Solution, P2PE Component, or P2PE Application that has met all applicable Acceptance requirements. See Appendix A, “P2PE Products and Acceptance.”
Modified p. 16 → 30
The process for developing and validating P2PE Solutions, including responsibilities for implementing requirements and validating compliance with each Domain, is defined within the P2PE Standard.
Note: The process for developing and validating P2PE Solutions, including responsibilities for implementing requirements and validating compliance with each Domain, is defined within the P2PE Standard.
Removed p. 17
• POI devices must be PCI SSC approved PTS devices with SRED (secure reading and exchange of data) listed as a “function provided.”
• HSMs must be either FIPS 140-2 Level 3 (or higher) certified or PCI-approved (listed on the PCI SSC website, with a valid SSC listing number, as Approved PCI PTS Devices under the approval class “HSM”).

Vendors of SCDs are responsible for obtaining and maintaining the device approvals required for their devices to be used in P2PE Solutions. P2PE Assessors will request evidence of device approvals being in place and current as part of performing the assessment of a P2PE Solution.

a) Considerations for Vendors of POIs used in P2PE Solutions

PCI SSC approved PTS devices (also called “PCI-approved POI devices”) provide a trusted foundation of physical and logical security that is the foundation of hardware-based P2PE Solutions.

PTS approval validates that all key-management functions can be implemented within the POI …
Removed p. 18
HSM vendors wishing to obtain PTS approval for their devices should consult the PCI SSC website for further information.
Removed p. 18
• Applications that do not have access to clear-text account data must undergo validation to a subset of Domain 2 Requirements to validate they do not have any access to clear-text account data.

Requirements in Domain 2 entail protecting account data, developing and maintaining secure applications, and incorporating secure application management processes.

1) Assessments for Applications with Access to Clear-Text Account Data

Applications with access to clear-text account data must undergo validation per all P2PE Domain 2 Requirements.

Seeking independent listing of an application on the List of Validated P2PE Applications is optional. However, as described further below, such independent listing may be important for applications used in multiple P2PE Solutions because it avoids the need to repeat a P2PE Application Assessment each time the application is later used within new P2PE Solutions.

Domain 2 includes two sets of Testing Procedures: one for the P2PE Application Assessment (Application Vendor Assessment Testing Procedures) and …
Modified p. 18 → 28
Applications with access to clear-text account data must undergo validation per all P2PE Domain 2 Requirements.
• Must undergo validation per all P2PE Domain 2 Requirements by a PA-QSA (P2PE), and will be either:
Removed p. 19
2) Assessments for Applications without Access to Clear-text Account Data

For applications that do not have access to account data, only Requirement 2A-3 is applicable. These tests are completed as part of each P2PE Solution Assessment by a QSA (P2PE) to validate that these applications do not have access to clear-text account data, and are not bypassing or overriding any security features provided by the other approved components of the P2PE Solution. Such applications are listed only as components of Validated P2PE Solutions and are not eligible for inclusion in the List of Validated P2PE Applications.
Modified p. 19 → 27
3) PA-DSS Applicability to P2PE Applications used within P2PE Solutions may or may not be eligible for PA-DSS validation. PA-DSS and P2PE are distinct PCI SSC standards with different requirements; validation against one of these standards does not guarantee or provide automatic validation against the other standard.
Note: Applications used within P2PE Solutions may or may not be eligible for PA-DSS validation. PA-DSS and P2PE are distinct PCI SSC standards with different requirements; validation against one of these standards does not guarantee or provide automatic validation against the other standard.
Removed p. 20
• Perform a gap analysis between how the P2PE Solution functions compared to the P2PE Standard.

• If desired, the P2PE Assessor may be engaged separately to perform a pre-assessment or gap analysis of a P2PE Solution Provider’s P2PE Solution. If the P2PE Assessor notes deficiencies that would prevent a clean opinion, the P2PE Assessor should provide to the P2PE Solution Provider a list of P2PE Solution features to be addressed before the formal review process begins.

• Determine which applications used within the P2PE Solution have, or potentially have, access to clear-text account data. Any such applications that do not appear on the List of Validated P2PE Applications require a P2PE Application Assessment using the P2PE Domain 2 Application Vendor Assessment Testing Procedures.

• The P2PE Application Assessment is performed separately from any P2PE Solution Assessment of a P2PE Solution in which the application may be used.

• P2PE Application Assessments may be …
Modified p. 20 → 30
• Review the PCI DSS, the P2PE Standard and all related documentation located at the PCI SSC website.
• Review the requirements of both the PCI DSS and the P2PE Standard and all related documentation located at the Website.
Modified p. 20 → 30
• Determine/assess the P2PE Solution’s readiness to comply with the P2PE Standard.
• Determine/assess the Solution’s, Component’s, or Application’s readiness to comply with P2PE:
Modified p. 20 → 30
• Determine whether the P2PE Solution Provider’s P2PE Instruction Manual for merchants meets the P2PE Standard.
• Determine whether the P2PE Solution Provider’s P2PE Instruction Manual meets P2PE Standard requirements and correct any gaps.
Removed p. 21
Complete versions of all required P2PE Solution-related materials (such as manuals, the P2PE Instruction Manual, the Vendor Release Agreement and all other required materials relating to the review and participation in the P2PE Program) must be delivered to the P2PE Assessor, not to PCI SSC.

Documents and items to submit to the P2PE Assessor include (without limitation):

1. Lists of all components used in the P2PE Solution including but not limited to:

• All PCI-approved POI devices with associated device approval details
• All HSMs used with associated device approval details
• All applications used in the P2PE Solution identifying which, if any, have access to clear-text account data and which POIs they are used on
• Detailed cryptographic key matrix

2. Documentation that relates to installing and configuring the P2PE Solution, or which provides information about the P2PE Solution. Examples of such documentation include:

• P2PE Instruction Manual
• Implementation Guides for applications assessed …
Removed p. 22
• Guidance on designing P2PE Solutions in accordance with the P2PE Standard.

• Review of P2PE Solution design, response to questions via e-mail or phone, and participation in conference calls to clarify requirements.

• Guidance on preparing the P2PE Instruction Manual.

• Pre-assessment (gap analysis) services prior to beginning formal P2PE Solution Assessment.

• Guidance for bringing the P2PE Solution into compliance with the P2PE Standard if gaps or areas of non-compliance are noted during the assessment.
Removed p. 22
A P-ROV will not be reviewed by PCI SSC without a current VRA and accompanying materials on file from the relevant P2PE Vendor.

Please Note: When arranging for non-P2PE Solution assessment services with a P2PE Assessor, care should be taken by both the P2PE Solution Provider and the P2PE Assessor to ensure that the P2PE Assessor is not put in a position where it is later required to assess its own work product as part of the actual P2PE Solution Assessment. Conflicts of interest may cause a P2PE Solution to be rejected by PCI SSC.
Modified p. 22 → 33
So long as an executed current version of the VRA is on file with PCI SSC for the relevant P2PE Vendor, it is not required to re-submit a newly executed VRA with each subsequent P-ROV for the same P2PE Vendor.
So long as an executed copy of the current VRA is on file with PCI SSC for the relevant P2PE Vendor, the P2PE Assessor is not required to re-submit the same VRA with each subsequent P-ROV for the same P2PE Vendor.
Modified p. 23 → 33
There are no annual recurring PCI SSC fees associated with the Acceptance. There are, however, PCI SSC fees associated with updates that may be made from time-to-time by P2PE Vendors to Validated submissions. Please see the PCI SSC website for more information.
There are no annual recurring PCI SSC fees associated with the Acceptance of a P2PE Product. There are, however, PCI SSC fees associated with P2PE Vendor delays in annual revalidation of P2PE Validated Products. Please see the Website for more information.
Modified p. 23 → 42
The P2PE Vendor pays all P2PE Assessment and validation fees directly to P2PE Assessor (these fees are negotiated between the P2PE Vendor and the P2PE Assessor).
The P2PE Vendor pays all P2PE Assessment-related fees directly to the P2PE Assessor. (These fees are negotiated between the P2PE Vendor and the P2PE Assessor Company.)
Modified p. 23 → 42
PCI SSC will invoice the P2PE Vendor for all P2PE Acceptance Fees and the P2PE Vendor will pay these fees directly to PCI SSC.
PCI SSC will invoice the P2PE Vendor for all Validation Maintenance Fees, and the P2PE Vendor will pay these fees directly to PCI SSC.
Removed p. 24
• P2PE Solution continues to meet the requirements of the P2PE Standard
• P2PE Solution Provider’s change management processes are operating effectively and
• P2PE Solution Provider gives consideration to whether updates to the P2PE Solution are necessary to address changes to the external threat environment in which the P2PE Solution operates.

This interim assessment includes a healthcheck, which must be completed by a P2PE Assessor. The tests to be performed in the healthcheck are available on the PCI SSC website.

Upon receipt of the updated Solution AOV, PCI SSC will:

(i) Review the submission for completeness;
(ii) Once completeness is established, update the List of Validated P2PE Solutions with the new Revalidation Date; and
(iii) Sign and return to both the P2PE Solution Provider and the P2PE Assessor a copy of the updated Solution AOV.

If an updated Solution AOV is not timely submitted for a listed P2PE Solution, the P2PE Solution will …
Modified p. 24 → 42
There are no PCI SSC fees associated with interim assessments.
There is no PCI SSC fee associated with the processing of Interim Self-Assessments.
Removed p. 25
If a new Solution P-ROV and Solution AOV are not submitted in a timely manner for a listed P2PE Solution, the P2PE Solution will be deemed to be subject to expiry, as follows. On the Reassessment Date, the List of Validated P2PE Solutions will be updated to show the P2PE Solution in Orange for a period of 90 days. If the updated and complete required documentation is received within this 90-day period, PCI SSC will update the List of Validated P2PE Solutions with the new Revalidation and Reassessment Dates and remove the Orange status. If the required and complete documentation is not received within this 90-day period, the List of P2PE Validated Solutions will be updated to show the P2PE Solution in Red.
Removed p. 25
• Administrative Changes are changes made to a listed P2PE Solution that have no impact on compliance of the listed P2PE Solution with any requirements of the P2PE Standard. In this case, for the modified P2PE Solution to be listed, the P2PE Solution Provider documents the change for the P2PE Assessor to review (see Section 5.2.1, “Change Documentation and Process,” for specifics) and, if ultimately approved by PCI SSC, the List of Validated P2PE Solutions is updated to reflect the change. Examples of administrative changes include, but are not limited to, corporate identity changes and P2PE Solution name changes.

• Add or remove a validated POI device;
• Add or remove a validated P2PE application with access to clear-text account data; or
• Add or remove a P2PE application that does not have access to clear-text account data

The P2PE Solution Provider advises the P2PE Assessor of the changes and arranges for a …
Removed p. 26
It is strongly recommended that the P2PE Solution Provider submit the Solution Provider Change Analysis to the same P2PE Assessor used for the original P2PE Solution Assessment.

(i) The P2PE Assessor must so notify the P2PE Solution Provider;
(ii) The P2PE Solution Provider prepares and signs a Solution AOV, and sends it to the P2PE
(iii) The P2PE Assessor signs their concurrence on the Solution AOV and forwards it, along with the Solution Provider Change Analysis and the P2PE Solution’s updated P2PE Instruction Manual to PCI SSC; and
(iv) PCI SSC will then issue an invoice to the P2PE Vendor for the applicable change fee; and
(v) Upon payment of the invoice PCI SSC reviews the Solution AOV and Solution Provider Change Analysis for quality assurance purposes.

Note: If the P2PE Assessor does not agree with the P2PE Solution Provider that the change, as documented, has no impact on the P2PE related …
Modified p. 26 → 37
Following successful PCI SSC quality assurance review of an Administrative Change, PCI SSC will:
Following successful PCI SSC quality assurance review of the change, PCI SSC will:
Modified p. 26 → 39
• Name and reference number of the Validated P2PE Solution
• Description of the change
• Description of why the change is necessary

The updated P2PE Instruction Manual must be submitted with the Solution Provider Change Analysis document.
• Name and reference number of the Validated P2PE Application Listing
• Description of the change
• Description of why the change is necessary
Modified p. 26 → 40
If the P2PE Assessor agrees that the change as documented by the P2PE Solution Provider has no impact on the P2PE related functions of the P2PE Solution:
If the P2PE Assessor Company agrees that the change as documented by the P2PE Application Vendor is eligible as a Delta Change:
Removed p. 27
(i) The P2PE Assessor must perform an assessment of the requirements of the P2PE Standard that are affected by the change. Details of the tests which must be performed are available from the PCI SSC website. For example, for device changes, a subset of Domain 1 tests will be required; for application changes, a subset of Domain 2 tests will be required;
(ii) The P2PE Assessor must complete the P2PE Designated Changes to Solutions: Hardware/Hardware and Hardware/Hybrid template and document the testing completed per PCI SSC requirements;
(iii) The P2PE Solution Provider prepares and signs a Solution AOV and sends it to the P2PE
(iv) The P2PE Assessor signs its concurrence on the Solution AOV and forwards it, along with the P2PE Solution’s updated P2PE Instruction Manual and the P2PE Designated Changes to Solutions: Hardware/Hardware and Hardware/Hybrid template Report to PCI SSC; and
(v) PCI SSC will then issue an invoice …
Modified p. 27 → 37
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any P2PE Change Impact document if it determines that a change described therein and purported to be a Designated Change by the P2PE Assessor Company or P2PE Vendor is ineligible for treatment as a Designated Change.
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any P2PE Change Impact document if it determines that a change described therein and purported to be an Administrative Change by the P2PE Assessor Company or P2PE Vendor is ineligible for treatment as an Administrative Change.
Modified p. 27 → 38
If the P2PE Assessor agrees that the changes as documented in the Solution Provider Change Analysis by the P2PE Solution Provider are eligible Designated Changes then the P2PE Assessor must so notify the P2PE Solution Provider, following which:
If the P2PE Assessor Company agrees that the change as documented by the P2PE Vendor is eligible as a Designated Change:
Modified p. 27 → 38
Following successful PCI SSC quality assurance review of a Designated Change, PCI SSC will:
Following successful PCI SSC quality assurance review of the change, PCI SSC will:
Modified p. 27 → 38
(i) Amend the corresponding List of Validated P2PE Solutions on the Website accordingly with the new information; and (ii) Sign and return a copy of the corresponding P2PE Attestation of Validation to both the P2PE Vendor and the P2PE Assessor Company.
1) Amend the corresponding List of Validated P2PE Solutions or List of Validated P2PE Components on the Website accordingly with the new information; and 2) Sign and return a copy of the corresponding P2PE Attestation of Validation to both the P2PE Vendor and the P2PE Assessor Company. The Revalidation date of the updated listing will be the same as that of the parent listing.
Removed p. 28
Figure 1: Changes to Listed P2PE Solutions
Removed p. 29
For any Administrative or Designated Change to a Validated P2PE Solution, the applicable fee will be invoiced, and must be received by PCI SSC for the change to be Accepted and added to PCI SSC’s List of Validated P2PE Solutions. Upon Acceptance, PCI SSC will sign and return a copy of the Solution AOV to both the P2PE Solution Provider and the P2PE Assessor.
Removed p. 29
Note: Notification must take place no later than 24 hours after the P2PE Solution Provider first discovers the Security Issue.
Modified p. 29 → 33
All P2PE Program fees are non-refundable and are subject to change upon posting of revised fees on the PCI SSC website.
All Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.
Modified p. 29 → 33
PCI SSC will invoice the P2PE Solution Provider for all Validation Maintenance Fees and the P2PE Solution Provider will pay these fees directly to PCI SSC.
PCI SSC will bill the P2PE Vendor for all P2PE Acceptance Fees and the P2PE Vendor will pay these fees directly to PCI SSC.
Modified p. 29 → 42
A P2PE Solution must be listed on the List of Validated P2PE Solutions and not have reached its Reassessment Date in order to have a change Accepted and Listed.
A parent P2PE listing must already exist on the corresponding List and not yet have expired in order to have a change Accepted and Listed.
Modified p. 29 → 43
• The name, PCI SSC approval number and any other relevant identifiers of the P2PE Solution;
• A description of the general nature of the Security Issue;
• The P2PE Solution Provider’s good faith assessment, to its knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC); and

The P2PE Solution Provider pays all P2PE Solution …
• The name, PCI SSC approval number, and any other relevant identifiers of each of the P2PE Vendor’s P2PE Product(s) affected by the Security Issue;
• A description of the general nature of the Security Issue;
• The P2PE Vendor’s good-faith assessment, to its knowledge at the time, as to the scope and severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS or other industry-accepted standard scoring); and
• Assurance that the P2PE Vendor is following …
Modified p. 30 → 43
• Communicate with the applicable P2PE Solution Provider about the Security Issue and, where possible, share information relating to the Security Issue.
• Communicate with the P2PE Vendor about the Security Issue and, where possible and permitted, share information relating to the Security Issue.
Modified p. 30 → 43
• Support the P2PE Solution Provider’s efforts to try and mitigate or prevent further Security Issues.
• Support the P2PE Vendor’s efforts to mitigate or prevent further Security Issues.
Modified p. 30 → 43
• Support the P2PE Solution Provider’s efforts to correct any Security Issues.
• Support the P2PE Vendor’s efforts to correct any Security Issues.
Modified p. 30 → 43
• Work with the P2PE Solution Provider to communicate and cooperate with appropriate law enforcement agencies to help mitigate or prevent further Security Issues.
• Work with the P2PE Vendor to communicate and cooperate with appropriate law enforcement agencies to help mitigate or prevent further Security Issues.
Modified p. 30 → 43
PCI SSC reserves the right to suspend, withdraw, revoke, cancel or place conditions upon its Acceptance of (and accordingly, remove from the List of Validated P2PE Solutions) any listed P2PE Solution in accordance with the VRA, including but not limited to, when it is clear that the P2PE Solution does not offer sufficient protection against current threats and does not conform to the requirements of the P2PE Program, when the continued Acceptance of the P2PE Solution represents a significant and …
PCI SSC reserves the right to suspend, withdraw, revoke, cancel or place conditions upon its Acceptance of (and accordingly, remove from the List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications) any P2PE Product in accordance with the VRA, in instances including but not limited to, if PCI SSC reasonably determines that (a) the P2PE Product does not provide sufficient protection against current threats and conform to the requirements of the P2PE Program, …
Removed p. 31
The process flow for P-ROV Submission is illustrated in Figure 2, below.

Once PCI SSC receives the P-ROV, all other required materials, and applicable fees, the submission is reviewed from a quality assurance perspective. If the P-ROV meets all applicable quality assurance requirements (as documented in the QSA Qualification Requirements and related P2PE Program materials), PCI SSC sends a P2PE AOV, countersigned by PCI SSC, to both the P2PE Vendor and the P2PE Assessor, and then adds the product to the List of Validated P2PE Solutions or List of Validated P2PE Applications.
Modified p. 31 → 44
PCI SSC communicates any quality issues associated with P-ROVs to the P2PE Assessor, and it is then the responsibility of the P2PE Assessor to resolve those issues with PCI SSC and/or the P2PE Vendor, as applicable. Such issues may be limited or more extensive. Limited issues could simply require updating the P-ROV to reflect adequate documentation to support the P2PE Assessor’s decisions. More extensive issues might require that the P2PE Assessor perform further testing, requiring the P2PE Assessor to notify …
PCI SSC communicates any quality issues associated with P-ROVs to the P2PE Assessor Company. It is the responsibility of the P2PE Assessor Company to resolve those issues with PCI SSC and/or the P2PE Vendor, as applicable. Such issues may be limited or more extensive; limited issues may simply require updating the P-ROV to reflect adequate documentation to support the P2PE Assessor Company’s decisions, whereas more extensive issues may require the P2PE Assessor Company to perform further testing, requiring the P2PE …
Modified p. 31 → 44
Note that all P-ROVs and other materials must be submitted to PCI SSC in English or with certified English translation.
All P-ROVs and other materials submitted to PCI SSC must be in English or with certified English translation.
Removed p. 33
The Portal maintains a first-in-first-out order to all submissions while they await review by the Council. Should a new submission be intended as a replacement for a previously validated P2PE Solution or P2PE Application with known vulnerabilities, the Portal allows such submissions to be brought forward for immediate review.

The Portal is also used by the Council to track all communications relating to a particular submission.
Removed p. 33
• Completed Solution P-ROV
• P2PE Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• P2PE Instruction Manual for the assessed P2PE Solution
• Current version of VRA signed by the P2PE Solution Provider together with any related documentation

6.2.3 New P2PE Applications

For all initial submissions to PCI SSC, the P2PE Assessor must submit the following by uploading to the Portal:

• Completed Application P-ROV
• P2PE Application AOV signed by both the P2PE Application Vendor and the P2PE Assessor
• Implementation Guide for the assessed P2PE Application
• Current version of VRA signed by the P2PE Application Vendor together with any related documentation
Modified p. 33 → 45
There must be consistency between the information in documents submitted for review via the Portal and the ‘Details’ fields within the Portal. Common errors in submissions include inconsistent application names or contact information and incomplete or inconsistent documentation. Incomplete or inconsistent submissions may result in a significant delay in the processing of requests for listing and/or may not be Accepted for review by PCI SSC.
There must be consistency between the information in documents submitted for review via the Portal and the “Details” fields within the Portal. Common errors in submissions include inconsistent application names or contact information and incomplete or inconsistent documentation. Incomplete or inconsistent submissions may result in a significant delay in the processing of requests for listing and/or may be rejected by PCI SSC.
Removed p. 34
• Solution Provider Change Analysis document
• Updated P2PE Instruction Manual for the assessed P2PE Solution
• Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• If requested by PCI SSC, current version of VRA, together with any related documentation

6.2.6 Designated Changes

For all submissions of a Designated Change to an already listed P2PE Solution, the P2PE Assessor must submit the following documents through the Portal.

• Solution Provider Change Analysis document
• Specified testing documentation, dependent on the type of change
• Updated P2PE Instruction Manual for the assessed P2PE Solution
• Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• If requested by PCI SSC, current version of VRA, together with any related documentation

6.3 P-ROV Review Process

PCI SSC will base Acceptance of a P2PE Solution or P2PE Application primarily on the results documented in the P-ROV. Upon …
Removed p. 35
For reports related to changes to existing listed P2PE Solutions, based on the P2PE Vendor’s Attestation of Validation, the above P2PE P-ROV Acceptance process is the same, and PCI SSC shall issue a revised AOV and post the revised information to the PCI SSC website unless issues or questions arise, in a manner similar to the aforementioned.

The process flow for P-ROV reviews is illustrated in Figure 3, below.

The information shown on the List of Validated P2PE Solutions is specified in Appendix B, “Elements for List of Validated P2PE Solutions.” Refer to Appendix C for the information included in the listing of the List of Validated P2PE Applications.
Modified p. 35 → 44
P-ROVs that have been returned to the P2PE Assessor for correction must be resubmitted to PCI SSC within 30 days. If this is not possible, the P2PE Assessor must inform PCI SSC of the timeline for response. Lack of response on P-ROVs returned to the P2PE Assessor for correction may result in the submission being closed. Submissions that have been closed will not be reopened and must be resubmitted as if they are new P-ROV submissions.
P-ROVs that have been returned to the P2PE Assessor Company for correction must be resubmitted to the PCI SSC within 30 days of the preceding submission. If this is not possible, the P2PE Assessor Company must inform the PCI SSC of the timeline for response. Lack of response on P-ROVs returned to the P2PE Assessor Company for correction may result in the submission being closed. Submissions that have been closed will not be reopened and must be resubmitted as if …
Removed p. 36
Figure 3: P-ROV Review Process
Removed p. 37
The AQM Analyst will review the P2PE submission first to determine whether it is eligible for validation as described in the P2PE Program Guide. If there is question as to eligibility, the AQM Analyst will contact the P2PE Assessor Company for additional information. If the P2PE submission is determined to be ineligible for validation under the P2PE Program, the P-ROV will be rejected. The P2PE Assessor Company will receive a letter of rejection with optional instructions for appealing this rejection.
Removed p. 37
These levels are not progressive. A P2PE Assessor may move directly from “In Good Standing” to “Revocation” if warranted.

At any of these status levels, PCI SSC may require an onsite visit with the P2PE Assessor to audit their internal Quality Assurance program, at the expense of the P2PE Assessor.
Modified p. 37 → 45
PCI SSC’s Assessor Quality Management Team (“AQM”) reviews each P-ROV submission after the invoice for the P2PE Acceptance Fee has been paid by the P2PE Vendor. Administrative review will be performed in “pre- screening” to ensure that the submission is complete, and then an AQM Analyst will review the submission in its entirety.
PCI SSC’s Assessor Quality Management Team (“AQM”) reviews each P-ROV submission after the invoice for the P2PE Acceptance Fee has been paid by the P2PE Vendor. Administrative review will be performed in “pre-screening” to ensure that the submission is complete; then an AQM Analyst will review the submission in its entirety. The AQM Analyst will review the P2PE submission first to determine whether the candidate P2PE Product is eligible for validation as described in the P2PE Program Guide. If there …
Modified p. 37 → 46
QSA Company audits are provided for in the QSA Qualification Requirements, and P2PE Assessor Companies are subject to audits of their work as P2PE Assessor Companies under the QSA Qualification Requirements at any time. This may include, but not be limited to, review of completed reports, work papers and onsite visits with P2PE Assessor Companies to audit internal QA programs, at the expense of the P2PE Assessor Company. Refer to the QSA Qualification Requirements for information on PCI SSC’s audit …
QSA Company audits are provided for in the QSA Qualification Requirements, and P2PE Assessor Companies are subject to audits of their work as P2PE Assessor Companies under the QSA Qualification Requirements at any time. This may include, but not be limited to, review of completed reports, work papers, and onsite visits with P2PE Assessor Companies to audit internal QA programs, at the expense of the P2PE Assessor Company. Refer to the QSA Qualification Requirements for information on PCI SSC’s audit …
Removed p. 38
Note: If a P2PE Solution or P2PE Application listed on the PCI SSC website is compromised due to P2PE Assessor error, that P2PE Assessor may immediately be placed into Remediation.

The P2PE Assessor quality status levels used by the Council are as follows:

PCI SSC may place a P2PE Assessor into Remediation if significant quality problems are detected. Remediation is a mandatory program. If the Council determines that Remediation is warranted, the P2PE Assessor must participate in Remediation in order to continue to participate in the P2PE Program. A P2PE Assessor that is in Remediation is required to submit its Quality Assurance Manual to PCI SSC for review and may be asked to submit other documentation such as work papers for some or all of its P-ROV submissions.

A P2PE Assessor in Remediation must also submit a Remediation plan to PCI SSC, detailing how the P2PE Assessor plans to improve quality of its …
Removed p. 40
When granted, PCI SSC Acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC’s goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the P2PE Solution Provider, P2PE Application Vendor or the functionality, quality, or performance of the P2PE Solution, P2PE Application or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include or imply any product warranties from PCI SSC, including, without limitation, any implied warranties of merchantability, fitness for purpose or non-infringement, all of which are expressly disclaimed by PCI SSC. All rights and remedies regarding products and services that have received acceptance from PCI SSC shall be provided by the party providing such products or services, and not by PCI SSC or any Participating Payment …
Modified p. 40 → 48
No P2PE Solution Provider, P2PE Application Vendor or other third party may refer to a P2PE Solution or P2PE Application as “PCI Approved,” or “PCI SSC Approved” nor otherwise state or imply that PCI SSC has, in whole or part, approved any aspect of a P2PE Solution Provider, , P2PE Application Vendor or its P2PE Solution or P2PE Application, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with PCI SSC, …
No P2PE Vendor or other third party may refer to a P2PE Product as “PCI Approved,” or “PCI SSC Approved” or otherwise state or imply that PCI SSC has, in whole or part, approved any aspect of a P2PE Vendor or its P2PE Product, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with PCI SSC, or in a corresponding P-AOV provided by PCI SSC. All other references to PCI SSC’s …
Modified p. 41 → 49
P2PE Solution Identifier P2PE Solution Identifiers refers to a subset of fields in the listing below the “Company” entry is used by PCI SSC to denote relevant information for each Validated P2PE Solution, consisting of the following fields (fields are explained in detail below):
P2PE Solution Identifier P2PE Solution Identifiers refers to a subset of fields in the listing below the “Company” entry used by PCI SSC to denote relevant information for each Validated P2PE Solution, consisting of the following fields (fields are explained in detail below):
Modified p. 41 → 49
PCI SSC assigns the Reference number once the Validated P2PE Solution is posted to the PCI SSC website; this number is unique per P2PE Solution Provider and will remain the same for the life of the listing.
PCI SSC assigns the Reference number once the Validated P2PE Solution is posted to the Website; this number is unique per P2PE Solution Provider and will remain the same for the life of the listing.
Modified p. 41 → 49
• PTS Devices Supported
• P2PE Application(s) Supported

Solution Details: Detail
• PTS Devices Supported: This section identifies the PCI-approved POI devices validated for use with this P2PE Solution and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN …
PTS Devices Supported P2PE Application(s) Supported  P2PE Components Solution Details: Detail  PTS Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Solution and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link
Modified p. 42 → 50
While a P2PE Solution may include applications that were evaluated per relevant requirements in the P2PE Standard, those are not listed within the P2PE Solution or within the List of Validated P2PE Applications. Any use of such an application in another P2PE Solution would require either independent listing as a P2PE Application, if eligible, or assessment as part of each P2PE Solution the application is part of.
While a P2PE Solution may include applications that were evaluated per relevant requirements in the P2PE Standard, those are not listed within the P2PE Solution or within the List of Validated P2PE Applications. Any use of such an application in another P2PE Product would require either independent listing as a P2PE Application, if eligible, or assessment as part of each P2PE Solution the application is part of.
Modified p. 42 → 50
P2PE Assessor This entry denotes the name of qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is compliant with the P2PE Standard.
P2PE Assessor This entry denotes the name of the qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is compliant with the P2PE Standard.
Modified p. 42 → 50
Regions Served This section allows for the submission of a description of geographic regions in which this P2PE Solution is available e.g. Europe, Asia-Pacific.
Regions Served This section allows for the submission of a description of geographic regions in which this P2PE Solution is available, e.g., Europe, Asia-Pacific.
Modified p. 42 → 50
Description Provided by Solution Provider This section allows for the Solution Provider’s submission in the Portal via the QSA (P2PE) of a description of the P2PE Solution to be used in the List of Validated P2PE Solutions, should the Solution P-ROV be Accepted.
Description Provided by Solution Provider This section allows for the Solution Provider’s submission in the Portal via the QSA (P2PE) of a description for the P2PE Solution to be used in the List of Validated P2PE Solutions, should the Solution P-ROV be Accepted.
Removed p. 43
C.2 Applications with Access to Clear-text Account Data Applications that have access to clear-text account data must be evaluated against all P2PE Domain 2 Requirements.

Domain 2 testing procedures falls into two categories: Application Vendor and Solution Provider.

P2PE Application Vendor Testing Procedures validate the development environment and SDLC procedures, as well as the application’s Implementation Guide. Application Vendor Testing Procedures can only be validated by a PA-QSA (P2PE) and are independent of a P2PE Solution Assessment.

P2PE Solution Provider Testing Procedures validate that the application is correctly configured and integrated into a P2PE Solution. These procedures cannot therefore be validated standalone and must be tested by a QSA (P2PE) for all applications in each P2PE Solution.

An Application Vendor may choose to:

a) Include the application in the List of Validated P2PE Applications.

This is subject to Acceptance by PCI SSC of an Application P-ROV completed by a PA-QSA (P2PE) validating the Domain 2 Application …
Removed p. 44
This annual process has been adopted to encourage vendors to not only reaffirm that there have been no updates to the application (if applicable), but also to encourage vendors to periodically consider whether updates are necessary to address changes to the external threat environment in which the application operates. If changes to the threat environment do necessitate changes to the payment application, the product should be updated accordingly and reassessed by a PA-QSA (P2PE), preferably the PA-QSA (P2PE) that originally validated the application for P2PE compliance.

If an updated Application AOV is not submitted for a listed application, that application will be subject to an early administrative expiry. As such, the List of Validated P2PE Applications will be updated to identify this by showing the application in Orange color for up to 90 days. If the updated Application AOV is received within this 90-day period PCI SSC will, providing it is …
Removed p. 45
The application validation and Reassessment Dates are not affected by this type of change.

(ii) Changes that have an impact on compliance with requirements of the P2PE Standard or P2PE functionality require a full re-assessment against P2PE Domain 2 Requirements. This requires preparation and submission to PCI SSC of an Application P-ROV and all applicable fees. Essentially this scenario is treated as a new P2PE Application. Upon Acceptance by PCI SSC of an appropriate Application P-ROV and Application AOV, the Listing of Validated P2PE Applications will be updated with new application validation and Reassessment Dates.

C.3.1.3 Renewing P2PE Applications As an application approaches its Reassessment Date, PCI SSC will notify the vendor of the pending expiration. The two options available for application vendor consideration are full review or expiry:

(i) Full Review: If the vendor intends to continue to sell the application then the vendor contacts a PA-QSA (P2PE) and has the application …
Modified p. 46 → 54
P2PE Application Identifiers P2PE Application Identifiers refers to a subset of fields in the listing below the “Company” entry used by PCI SSC to denote relevant information for each validated P2PE Application, consisting of the following fields (fields are explained in detail below):
P2PE Application Identifiers P2PE Application Identifiers refers to a subset of fields in the listing below the Company entry used by PCI SSC to denote relevant information for each Validated P2PE Application, consisting of the following fields (fields are explained in detail below):
Modified p. 46 → 54
• P2PE Application Version # P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment against P2PE Domain 2 Application Vendor Assessment Testing Procedures. The format of the version number:
• P2PE Application Version # P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment. The format of the version number:
Modified p. 46 → 54
Is set by the vendor, May consist of a combination of alphanumeric characters and Must be consistent with the Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Is set by the vendor, May consist of a combination of alphanumeric characters and Must be consistent with the Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Modified p. 47 → 55
• PTS Devices Supported: This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
• PTS Devices Supported

Application Details: Detail
• PTS Devices Supported: This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
Modified p. 47 → 55
Reassessment Date The Reassessment Date for Validated P2PE Application is the date by which the P2PE Application Vendor must have the application re-evaluated in order to maintain Acceptance.
Reassessment Date The Reassessment Date for Validated P2PE Application is the date by which the P2PE Application Vendor must have the application re-evaluated against the current P2PE Standard in order to maintain Acceptance.
Modified p. 47 → 55
Description Provided by Application Vendor This section allows for the Application Vendor’s submission in the Portal via the PA-QSA (P2PE) of a description of the P2PE Application that is to be used in the List of Validated P2PE Applications should the Application P-ROV be Accepted. This must be a factual description of the application functionality. The description must not;
• Contradict any PCI SSC program or requirement
• Make misleading claims about the application
• Claim the application is valid …
Description Provided by Application Vendor This section allows for the Application Vendor’s submission in the Portal via the PA-QSA (P2PE) of a description of the P2PE Application that is to be used in the List of Validated P2PE Applications should the Application P-ROV be Accepted. This must be a factual description of the application functionality. The description must not:
Removed p. 48
PA-QSA (P2PE)  Performs P2PE Solution Assessments: Can assess all P2PE Solution requirements, including P2PE Domain 2 Solution Provider Assessment Testing Procedures.

• Performs P2PE Application Assessments: Can assess all P2PE Application requirements using P2PE Domain 2 Application Vendor Assessment Testing Procedures.

Type of Assessment | QSA (P2PE) | PA-QSA (P2PE)

PCI P2PE Solution Assessment:
• Domain 1
• Domain 2 (Solution Provider Assessment)
• Domain 3
• Domain 4
• Domain 5
• Domain 6

PCI P2PE Application Assessment:
• Domain 2 (Application Vendor Assessment)