Document Comparison

PCI-DSS-v3_2_1-SAQ-P2PE-1_1.pdf → PCI-DSS-v3-2-1-SAQ-P2PE%20-r2.pdf
96% similar
24 → 24 Pages
6457 → 6394 Words
22 Content Changes

Content Changes

22 content changes. 17 administrative changes (dates, page numbers) hidden.

Added p. 2
This document aligns with PCI DSS v3.2.1 r1.
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using a Validated PCI-Listed P2PE Solution Only

• No Electronic Cardholder Data Storage For use with PCI DSS Version 3.2.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only

• No Electronic Cardholder Data Storage For use with PCI DSS Version 3.2.1 Revision 2
Removed p. 4
* P2PE solutions on the PCI list of Point-to-Point Solutions with Expired Validations are no longer considered “validated” per the P2PE Program Guide. Merchants using an expired P2PE solution should check with their acquirer or individual payment brands about acceptability of this SAQ.
Modified p. 4
SAQ P2PE merchants do not have access to clear-text cardholder data on any computer system and only enter account data via payment terminals from a validated* PCI-listed P2PE solution. SAQ P2PE merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants. For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if they receive cardholder data on paper or over a telephone, and key it directly and only into a payment terminal from a validated* PCI-listed P2PE solution.
SAQ P2PE merchants do not have access to clear-text cardholder data on any computer system and only enter account data via hardware payment terminals from a PCI SSC-approved P2PE solution. SAQ P2PE merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants. For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if they receive cardholder data on paper or over a telephone, and key it directly and only into a validated P2PE hardware device.
Modified p. 4
• All payment processing is via a validated* PCI-listed P2PE solution;
• All payment processing is via a validated PCI P2PE solution approved and listed by the PCI SSC;
Modified p. 4
• The only systems in the merchant environment that store, process or transmit account data are the payment terminals from a validated* PCI-listed P2PE solution;
• The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution;
Modified p. 4
• There is no storage of electronic cardholder data;
• There is no legacy storage of electronic cardholder data in the environment;
Modified p. 4
• Any cardholder data your company might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
• Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
Modified p. 4
This SAQ version includes only questions that apply to a specific type of merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment.
This shortened version of the SAQ includes questions that apply to a specific type of small-merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment.
Modified p. 6
All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of this SAQ.
All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.
Modified p. 6
(Not Applicable) The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of this SAQ.
(Not Applicable) The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.
Modified p. 7
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Modified p. 7
Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) Card-present (face-to-face)
Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face)
Removed p. 8
P2PE Solution listing “Reference #”:

P2PE Solution “Reassessment Date”:
Modified p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. P2PE Solution Provide the following information from the PCI SSC listing regarding the validated PCI-listed P2PE solution your organization uses:
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. P2PE Solution Provide the following information regarding the validated PCI P2PE solution your organization uses:
Modified p. 8
Listed POI Devices used by Merchant (found under “PTS POI Devices Supported”):
PCI SSC Reference Number Listed P2PE POI Devices used by Merchant (PTS Device Dependencies):
Modified p. 9
Part 2g. Eligibility to Complete SAQ P2PE Merchant certifies eligibility to complete this version of the Self-Assessment Questionnaire because, for this payment channel:
Part 2g. Eligibility to Complete SAQ P2PE Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Modified p. 9
All payment processing is via the validated PCI-listed P2PE solution (per above).
All payment processing is via the validated PCI P2PE solution approved and listed by the PCI SSC (per above).
Modified p. 9
The only systems in the merchant environment that store, process or transmit account data are the payment terminals that are part of the validated PCI-listed P2PE solution.
The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices that are approved for use with the validated and PCI-listed P2PE solution.
Modified p. 9
Merchant verifies there is no storage of electronic cardholder data.
Merchant verifies there is no legacy storage of electronic cardholder data in the environment.
Modified p. 9
Any such cardholder data the Merchant might retain is only on paper (for example, paper reports or copies of paper receipts) and is not received electronically, and Merchant has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically, and Merchant has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
Modified p. 12
(b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?

• Review periodic media destruction policies and procedures.
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?

• Review periodic media destruction policies and procedures.