Document Comparison

PCI-P2PE-SOL-ROV-Template_v3_1.pdf PCI-P2PE-SOL-ROV-Template-v3.2.pdf
87% similar
53 → 57 Pages
13821 → 14927 Words
148 Content Changes

Content Changes

148 content changes. 60 administrative changes (dates, page numbers) hidden.

Added p. 2
July 2025 3.2 1.0 This template includes the following updates:

• Updates from the PCI P2PE Standard v3.2

• Updates based on stakeholder feedback

• Errata updates to section 4
Added p. 7
Note: A separate Merchant-Managed Solution P-ROV is used as part of validating MMS.

Validation of P2PE Component services provided by an EMCP, PDCP, or a PMCP must use this P-ROV.

This applies for both P2PE Applications intended to be Listed, as well as P2PE Applications that are not intended to be Listed and are assessed only as part of, and allowed for use in, a specific P2PE Solution (Solution-specific P2PE Applications).

Note: Validation of a P2PE Application must be performed by a qualified P2PE Application Assessor Company.

Validation of P2PE Solutions that do not outsource the entirety of their Decryption Management Services to a Listed DMCP must include this P-ROV in addition to a Solution P-ROV.

Validation of P2PE Component services provided by a DMCP must use this P-ROV.

Validation of a P2PE Solution that has not satisfied the key management services requirements (Domain 5) either using Listed P2PE Component Providers and/or through the assessment …
Added p. 9
• Brief description/short answer

• Provide sufficient detail and information to demonstrate a finding of “in place” or “not applicable”

• Don’t include forward-looking statements or project plans in responses

P2PE Assessor Company and Lead Assessor Contact Information

Company name:

Assessor company credentials: P2PE Assessor / P2PE Application Assessor

Assessor name:

Assessor credentials: P2PE Assessor / P2PE Application Assessor

Assessor phone number:

Assessor e-mail address:

QA Primary reviewer credentials:

QA Primary reviewer phone number:

QA Primary reviewer e-mail address:

(From DD-MMM-YYYY To DD-MMM-YYYY)

1.3 Additional Services Provided by P2PE Assessor / P2PE Assessor Company

The current version of the PCI Qualification Requirements For Point-to-Point Encryption (P2PE)® P2PE Assessors and P2PE Application Assessors (“P2PE Assessor Qualification Requirements”), section “Independence,” specifies requirements for P2PE Assessors around disclosure of such services and/or offerings that could reasonably be viewed to affect assessor independence. Complete the sections below after reviewing this portion of the P2PE Assessor Qualification Requirements to ensure responses are consistent with …
Added p. 30
The entity is expected to retain documentation to show how P2PE scope was determined. The documentation is retained for assessor review and for reference during the entity’s next P2PE scope confirmation activity. For each P2PE assessment, the assessor validates that the scope of the assessment is accurately defined and documented.

• Location of critical components within the P2PE decryption environment, such as the Host System, HSMs and other SCDs, cryptographic key stores, etc., as applicable

• Location of systems performing key-management functions

• Connections into and out of the decryption environment

• Connectivity between the requisite functions of the Solution

• Flows and locations of encrypted account data

• Flows and locations of cleartext account data

• All flows and locations of truncated account data

• Location of critical system components (e.g., HSMs, Host System)
Added p. 35
Please ensure the latest PIM template has been used.
Added p. 39
3D Management of P2PE Applications

3D-1 All software with access to cleartext account data (P2PE Applications) is validated to P2PE Domain 2 and is only deployed on/to eligible PCI-approved PTS POI devices with SRED.

The Assessor may use the reference number throughout the reporting section, rather than providing a narrative for each N/A requirement.

3A-1.2 Examine the documentation and interview personnel (as needed) to verify (for each intended solution implementation, if they differ, e.g., across different merchant environments):

• All documentation is kept current and updated as needed upon changes to the environment and/or solution

Documentation examined: <Report Findings Here>

Personnel interviewed: <Report Findings Here>

3A-1.2.1 Cleartext account data must not be disclosed to any component or device outside of the PCI-approved PTS POI devices within the merchant environment until it is securely decrypted in the decryption environment.

3A-1.2.1 Examine documentation (for each intended solution implementation, if they differ, e.g., across different merchant environments) …
Added p. 45
• Changes in overall solution architecture 3A-2.2.a Interview responsible personnel and examine documentation to verify the solution provider has a formal process for ensuring P2PE controls are maintained when changes to the P2PE solution occur, including procedures for addressing the following:
Added p. 52
Note: It is imperative that the PIM accurately contains all required information. This is critical for the PTS POI devices and instructions on how to access the PTS POI device HW/FW/Application version information such that it can be verified in the merchant environment against the Validated P2PE Solution details. The PIM must accurately reflect the information required for the merchant, which may warrant separate PIMs for differing merchant environments if the PTS POI devices, instructions, and/or required information differ between merchants.

<Report Findings Here>

3C-1.1.g REMOVED

3C-1.2 Review P2PE Instruction Manual (PIM) at least annually and upon changes to the solution or the P2PE requirements. Update PIM as needed to keep the documentation current with:
Added p. 55
<Report Findings Here>

3D-1.1 All software on PTS POI devices with access to cleartext account data must be validated according to Domain 2 as a P2PE Application.

3D-1.1.a For P2PE Applications on the PCI SSC list of Validated P2PE Applications, examine the list and compare with the applications/software intended for use in the solution to verify that the applications match the P2PE Application listing in the following characteristics:

• Version number(s)

Identify the P2PE Assessor who confirms that the applications match the P2PE Application listing application name and version number(s):
Added p. 56
Identify the P2PE Assessor who confirms that any such application/software has been assessed to P2PE Domain 2:

<Report Findings Here>

3D-1.2 P2PE Applications must only be deployed on eligible PTS POI device types that are:

• Confirmed per 1A-1.1 as a PTS approved device and associated with the P2PE Solution, either as a part of the P2PE Solution assessment, or as part of a Validated P2PE Component being used by the P2PE Solution

• Explicitly included in the Domain 2 assessment for that P2PE Application
Added p. 57
• Confirmed per 1A-1.1 as a PTS-approved device(s) and associated with the P2PE Solution, either by satisfying the applicable requirements as part of this P2PE Solution assessment, or the requirements already being satisfied as part of a Validated P2PE Component being used by the P2PE Solution

• Confirmed per 1A-1.1 as a PTS-approved device(s) and associated with the P2PE Solution, either by satisfying the applicable requirements as part of this P2PE Solution assessment, or the requirements already being satisfied as part of a Validated P2PE Component being used by the P2PE Solution

• Explicitly included in the Validated P2PE Application’s listing

Note: If the P2PE Application is not separately Validated and Listed, and is intended to be, it must be done prior to submitting the P2PE Solution. Refer to the PCI P2PE Program Guide for details.

Identify the P2PE Assessor who confirms this requirement is in place:

Identify the P2PE Assessor who confirms this …
Modified p. 1
Payment Card Industry (PCI) Point-to-Point Encryption P2PE Solution Template for Report on Validation for use with P2PE v3.1 for P2PE Solution Assessments
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE)® P2PE Solution Template for Report on Validation For use with the PCI P2PE Standard v3.2 for P2PE Solution Assessments
Modified p. 2
• Updates from v3.0 P2PE Standard references to v3.1.
• Updates from v3.0 P2PE Standard references to v3.1
Modified p. 2
• Revisions made within the Introduction through Section 3 to add clarity and consistency, both within this P-ROV and across all v3.1 P-ROVs as applicable.
• Revisions made within the Introduction through Section 3 to add clarity and consistency, both within this P-ROV and across all v3.1 P-ROVs as applicable
Modified p. 2
• updated to “Validated”. Includes revision to diagram in Introduction.
• updated to “Validated”. Includes revision to diagram in Introduction
Modified p. 2
• Revision to the description for the use of Not Applicable to add clarity and guidance.
• Revision to the description for the use of Not Applicable to add clarity and guidance
Modified p. 2
• Reformatting and restructuring of tables in Sections 2 and 3 with additional guidance.
• Reformatting and restructuring of tables in Sections 2 and 3 with additional guidance
Modified p. 2
• modified as needed to better align across all v3.1 P-ROVs.
• modified as needed to better align across all v3.1 P-ROVs
Modified p. 2
• Repurposed cryptographic key information into new table 3.9.
• Repurposed cryptographic key information into new table 3.9
Modified p. 2
• New table in section 4 to document all requirements determined to be Not Applicable.
• New table in section 4 to document all requirements determined to be Not Applicable
Modified p. 2
• Updates to section 4 to align with the updates from the P2PE v3.1 Standard, in addition to errata.
• Updates to section 4 to align with the updates from the P2PE v3.1 Standard, in addition to errata
Modified p. 2
• Added check boxes to section 4 to each individual requirement to capture In Place, N/A, or Not In Place assessment findings.
• Added check boxes to section 4 to each individual requirement to capture In Place, N/A, or Not In Place assessment findings
Modified p. 5
Use of this Reporting Template is mandatory for all P2PE v3.1 Solution assessments.
Use of this Reporting Template is mandatory for all P2PE v3.2 Solution assessments.
Modified p. 5
A P2PE compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The P-ROV is effectively a summary of evidence derived from the assessor’s work papers to describe how the assessor performed the validation activities and how …
A P2PE assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The P-ROV is effectively a summary of evidence derived from the assessor’s work papers to describe how the assessor performed the validation activities and how the …
Removed p. 7
Solution assessments that have not satisfied the entirety of key management services requirements (Domain 5) either through the use of Validated P2PE Component Providers and/or through the assessment of their Encryption Management Services and/or Decryption Management Services must complete the KMS P-ROV. E.g., if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to POI devices for use in connection with account-data encryption or the operation of an applicable CA/RA. Or if any other relevant key management service that has not already been assessed as part of the inclusion of a Validated P2PE Component Provider and/or as part of the Domain 1 and Domain 4 assessment scope of the Solution assessment, then the Solution assessment must include the use of the KMS P-ROV.
Modified p. 7
Encryption Management Services (EMS) Solution (SP) Encryption Management CP (EMCP) POI Deployment CP (PDCP) POI Management CP (PMCP) Encryption Management Services relates to the distribution, management, and use of PTS-approved POI devices in a P2PE Solution. Solution assessments that have not satisfied the entirety of their Encryption Management Services (Domain 1 with Domain 5) via the use of applicable Validated P2PE Component Providers must complete the EMS P-ROV in addition to the Solution P-ROV. Component Provider assessments for an EMCP, …
Encryption Management Services (EMS) Solution (SP) Encryption Management CP (EMCP) POI Deployment CP (PDCP) POI Management CP (PMCP) “Encryption Management Services” relates to the distribution, management, and use of PCI-approved PTS POI devices in a P2PE Solution. Validation of P2PE Solutions that do not outsource the entirety of their Encryption Management Services to Listed P2PE Component Providers, either to an EMCP or to BOTH a PDCP AND a PMCP, must include this P-ROV in addition to a Solution P-ROV.
Modified p. 7
P2PE Application P2PE Application Any assessment that utilizes software on the PTS-approved POI devices intended for use in a P2PE Solution that has the potential to access clear-text account data must complete a P2PE Application P- ROV (one for each application).
P2PE Application P2PE Application Validation of a P2PE Application (software on the PCI-approved POI device intended for use in a P2PE Solution that has the potential to access cleartext cardholder data) must use this P-ROV.
Modified p. 7
Decryption Management Services (DMS) Solution (SP) Decryption Management CP (DMCP) Decryption Management Services relates to the management of a decryption environment, including applicable account-data decryption devices used to support a P2PE Solution. Solution assessments that have not satisfied the entirety of their Decryption Management Services with applicable Validated P2PE Component Providers must complete the DMS P-ROV in addition to the Solution P-ROV. Component Provider assessments for a DMCP must complete the DMS P-ROV.
Decryption Management Services (DMS) P2PE Solution (SP) Decryption Management CP (DMCP) “Decryption Management Services” relates to the management of a decryption environment, including applicable devices (for example, HSMs) used to support a P2PE Solution.
Modified p. 7
Key Management Services (KMS) Solution (SP) Key Injection Facility (KIF) Key Management CP (KMCP) Key Loading CP (KLCP) Key Management Services relates to the generation, conveyance, management, and loading of cryptographic keys, including the management of associated devices.
Key Management Services (KMS) P2PE Solution (SP) Key Injection Facility (KIF) Key Management CP (KMCP) Key Loading CP (KLCP) “Key Management Services” relates to the generation, conveyance, management, and loading of cryptographic keys including the management of associated devices (POI devices, HSMs, etc.).
Modified p. 7 → 8
Component Provider assessments for a KIF, KMCP, KLCP, or a CA/RA must complete the KMS P-ROV.
Validation of P2PE Component services provided by a KIF, KMCP, KLCP, and a CA/RA must complete this P-ROV.
Modified p. 8
Section 1: Contact Information and Report Date
Section 1: Contact Information and Report Date
Modified p. 8
Section 2: Summary Overview
Section 2: Summary Overview
Modified p. 8
Section 3: Details and Scope of P2PE Assessment
Section 3: Details and Scope of P2PE Assessment
Modified p. 8
Section 4: Findings and Observations This Reporting Template includes tables with Reporting Instructions. Details provided should focus on concise quality of detail, rather than lengthy, repeated verbiage.
Section 4: Findings and Observations This Reporting Template includes tables with Reporting Instructions. Details provided should focus on concise quality of detail, rather than lengthy, repeated verbiage.
Modified p. 8
P-ROV Summary of Findings This version of the P2PE Reporting Template reflects an on-going effort to simplify assessor summary reporting. All summary findings for “In Place,” “Not in Place,” and “Not Applicable” are found at the beginning of section 4 “Findings and Observations” and are only addressed at that high-level. The summary of the overall compliance status is at section 2.8“Summary of P2PE Assessment Compliance Status.” The following table is a representation when considering which selection to make. Assessors must …
P-ROV Summary of Findings All summary findings for “In Place,” “Not in Place,” and “Not Applicable” are found at the beginning of section 4 “Findings and Observations” and are only addressed at that high level. The summary of the overall compliance validation status is at section 2.8 “Summary of P2PE Assessment Compliance Validation Status.” The following table provides guidance for Assessors when considering which selection to make. Assessors must select only one response at the sub-requirement level, and the selected …
Modified p. 8 → 9
Note: Checkboxes have been added to the “Summary of Assessment Findings” so that the assessor may double click to check the applicable summary result. Hover over the box you’d like to mark and click once to mark with an ‘x.’ To remove a mark, hover over the box and click again. Mac users may instead need to use the space bar to add the mark.
Note: Checkboxes have been added to the “Summary of Assessment Findings” so that the Assessor may double-click to check the applicable summary result. Hover over the box to select and single-click to mark with an ‘x.’ To remove a mark, hover over the box and click again. Mac users may instead need to use the space bar to select a box.
Modified p. 9
“Identify the P2PE Assessor who confirms…” Indicates only an affirmative response where further reporting is deemed unnecessary by PCI SSC. The P2PE Assessor’s name or a Not Applicable response are the two appropriate responses here. A Not Applicable response will require brief reporting to explain how this was confirmed via testing.
“Identify the P2PE Assessor who confirms…” Indicates only an affirmative response where further reporting is deemed unnecessary by PCI SSC. The P2PE Assessor’s name or a Not Applicable response are the two appropriate responses here. A Not Applicable response will require brief reporting to explain how this was confirmed via testing.
Modified p. 9
Document name or interviewee reference At section 3.6, “Documentation Reviewed,” and section 3.7, “Individuals Interviewed,” there is a space for a reference number; it is the P2PE Assessor’s choice to use the document name/interviewee job title or the reference number in responses. A listing is sufficient here, no further detail is required.
Document name or interviewee reference At section 3.6, “Documentation Reviewed,” and section 3.7, “Individuals Interviewed,” there is a space for a reference number; it is the P2PE Assessor’s choice to use the document name/interviewee job title or the reference number in responses. A listing is sufficient here, no further detail is required.
Modified p. 9
Sample reviewed Brief list is expected or sample identifier. Where applicable, it is the P2PE Assessor’s choice to list out each sample within the reporting or to utilize sample identifiers from the sampling summary table.
Sample reviewed Brief list is expected or sample identifier. Where applicable, it is the P2PE Assessor’s choice to list out each sample within the reporting or to utilize sample identifiers from the sampling summary table.
Modified p. 9
Brief description/short answer

• “Describe how…” These responses must be a narrative response that provides explanation as to the observation: both a summary of what was witnessed and how that verified the criteria of the testing procedure.
• “Describe how…” These responses must be a narrative response that provides explanation as to the observation: both a summary of what was witnessed and how that verified the criteria of the testing procedure.
Modified p. 10
Complete all applicable P-ROVs based on the assessment type.
Complete all applicable P-ROVs based on the assessment type
Modified p. 10
Read and understand the intent of each Requirement and Testing Procedure.
Read and understand the intent of each Requirement and Testing Procedure
Modified p. 10
Provide a response for every Testing Procedure, even if N/A.
Provide a response for every Testing Procedure, even if N/A
Modified p. 10
Provide sufficient detail and information to demonstrate a finding of “in place” or “not applicable.” Describe how a Requirement was verified as the Reporting Instruction directs, not just that it was verified.
Describe how a Requirement was verified as the Reporting Instruction directs, not just that it was verified
Modified p. 10
Ensure all parts of the Testing Procedure are addressed.
Ensure all parts of the Testing Procedure are addressed
Modified p. 10
Ensure the response covers all applicable application and/or system components.
Ensure the response covers all applicable application and/or system components
Modified p. 10
Perform an internal quality assurance review of the P-ROV for clarity, accuracy, and quality.
Perform an internal quality assurance review of the P-ROV for clarity, accuracy, and quality
Modified p. 10
Perform an internal quality assurance review of all submitted P-ROVs and the details within the PCI SSC Portal.
Perform an internal quality assurance review of all submitted P-ROVs and the details within the PCI SSC Portal
Modified p. 10
Provide useful, meaningful diagrams, as directed.
Provide useful, meaningful diagrams, as directed
Modified p. 10
Don’t report items in the “In Place” column unless they have been verified as being “in place.” Don’t include forward-looking statements or project plans in responses.
Don’t report items in the “In Place” column unless they have been verified as being “in place”
Modified p. 10
Don’t simply repeat or echo the Testing Procedure in the response.
Don’t simply repeat or echo the Testing Procedure in the response
Modified p. 10
Don’t copy responses from one Testing Procedure to another.
Don’t copy responses from one Testing Procedure to another
Modified p. 10
Don’t copy responses from previous assessments.
Don’t copy responses from previous assessments
Modified p. 10
Don’t include information irrelevant to the assessment.
Don’t include information irrelevant to the assessment
Modified p. 10
Don’t mark “N/A” without providing an explanation and justification for why it is “N/A”.
Don’t mark “N/A” without providing an explanation and justification for why it is “N/A”
Removed p. 11
P2PE Assessor Company and Lead Assessor Contact Information

Company name:

Assessor company credentials: QSA (P2PE) / PA-QSA (P2PE)

Company Servicing Markets for P2PE: (see https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_assessors)

Assessor name:

Assessor credentials: QSA (P2PE) / PA-QSA (P2PE)

Assessor phone number:

Assessor e-mail address:

(Leave blank if not applicable)

QA reviewer phone number:

QA reviewer e-mail address:
Modified p. 11
Confirm that internal QA was fully performed on the entire P2PE submission, per requirements in the relevant program documentation.
Internal P2PE Assessor Company QA Review Affirm that internal QA was fully performed on the entire P2PE submission.
Modified p. 11
No (If No, this is not in accordance with PCI Program requirements) QA reviewer name: QA reviewer credentials:
Yes (Internal QA on this submission has been performed in accordance with PCI P2PE Program Requirements) QA Primary reviewer name:
Modified p. 11
Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
Assessor name: Assessor credentials: P2PE Assessor P2PE Application Assessor
Removed p. 12
(From DD-MMM-YYYY To DD-MMM-YYYY)

1.3 Additional Services Provided by PA-QSA(P2PE) / QSA(P2PE) / P2PE QSA Company

The current version of the “Qualification Requirements for Point-to-Point Encryption (P2PE)™ Qualified Security Assessors: QSA (P2PE) and PA-QSA (P2PE)” (P2PE QSA Qualification Requirements), section “Independence”, specifies requirements for P2PE QSAs around disclosure of such services and/or offerings that could reasonably be viewed to affect independence of assessment. Complete the sections below after review of this portion of the P2PE QSA Qualification Requirements to ensure responses are consistent with documented obligations.

Disclose all services offered to the assessed entity by the PA-QSA(P2PE) / QSA(P2PE) / P2PE QSA company, including but not limited to whether the assessed entity uses any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights or that the QSA has configured or manages:
Modified p. 12
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the PA-QSA(P2PE) / QSA (P2PE) / P2PE QSA company:
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the P2PE Assessor / P2PE Assessor company:
Modified p. 15
Are Validated EMS CPs being used to help satisfy requirements of this Solution assessment? No (If No, complete an EMS P-ROV and leave the remainder of this Encryption Management Services section blank) Yes (If Yes, complete the remainder of this EMS table) Is an EMS P-ROV still required to account for any remaining EMS-related requirements based on the full scope of the assessment? (E.g., where only a PMCP or a PDCP is being used, or otherwise where the Solution is …
Are Validated EMS CPs being used to help satisfy requirements of this Solution assessment? No (If No, complete an EMS P-ROV and leave the remainder of this Encryption Management Services section blank) Yes (If Yes, complete the remainder of this EMS table) Is an EMS P-ROV still required to account for any remaining EMS-related requirements based on the full scope of the assessment? (E.g., where only a PMCP or a PDCP is being used, or otherwise where the Solution is …
Modified p. 15
Validated EMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated Listing Reference # PTS Approval #(s) (comma delimited) EMCP PDCP PMCP
Validated EMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated P2PE Listing Reference # PTS Approval #(s) (comma delimited) EMCP PDCP PMCP
Modified p. 17
Validated DMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated Listing Reference # DMCP
Validated DMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated P2PE Listing Reference # DMCP
Modified p. 19
It may be possible, depending on the scope of the Solution assessment, that a KMS P-ROV is not required even when there aren’t any KMS CPs being used. This is because a Solution does not assess to Domain 5 in isolation. It is assessed to Domain 5 in the context of Domain 1(EMS) and Domain 4(DMS). The assessor must accurately identify the full scope of the Solution assessment as per Table 3.1.
It may be possible, depending on the scope of the Solution assessment, that a KMS P-ROV is not required even when there aren’t any KMS CPs being used. This is because a Solution does not assess to Domain 5 in isolation. The Solution is assessed to Domain 5 in the context of Domain 1 (EMS) and Domain 4 (DMS). The assessor must accurately identify the full scope of the Solution assessment as per Table 3.1.
Modified p. 19
Validated KMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated Listing Reference # KIF KMCP KLCP CA/RA
Validated KMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated P2PE Listing Reference # KIF KMCP KLCP CA/RA
Modified p. 22
Non-payment software is any software/files that does not have the potential to access clear-text account data. (Refer to P2PE Glossary) Any software that does have the potential to access clear-text account data must be assessed to Domain 2; refer to Table 2.4.b.
Non-payment software is any software/files that does not have the potential to access cleartext account data. (Refer to P2PE Glossary) Any software that does have the potential to access cleartext account data must be assessed to Domain 2; refer to Table 2.4.b.
Modified p. 22
Note: “P2PE Applications” and “P2PE non-payment software” (refer to P2PE Glossary) do not meet the PTS POI definition of “firmware”, and as such they are not reviewed as part of the POI device’s PTS POI assessment (i.e., they cannot be excluded from the scope of a P2PE assessment). Therefore, any software intended for use in a P2PE solution that does not meet the PTS POI definition of "firmware" must be assessed in accordance with the PCI P2PE Standard and is …
Note: “P2PE Applications” and “P2PE Non-payment Software” (refer to P2PE Glossary) do not meet the PTS POI definition of “firmware,” and as such, they are not reviewed as part of the POI device’s PTS POI assessment (i.e., they cannot be excluded from the scope of a P2PE assessment). Therefore, any software intended for use in a P2PE Solution that does not meet the PTS POI definition of "firmware" must be assessed in accordance with the P2PE Standard and is subject …
Modified p. 22
Is non-payment software in scope for this Solution assessment? Yes (If Yes, assess and document ALL non-payment software in the EMS P-ROV) No
Is Non-payment Software in scope for this Solution assessment? Yes (If Yes, assess and document ALL Non-payment Software in the EMS P-ROV) No
Modified p. 23
• Included in the POI Device Types supported by a Validated EMCP, or by BOTH a Validated PDCP AND a Validated PMCP, being used in the scope of this Solution assessment, OR,
• Included in the POI Device Types supported by a Validated EMCP, or by both a Validated PDCP and a Validated PMCP, being used in the scope of this Solution assessment, OR,
Modified p. 23
• Be assessed to all unaccounted for Domain 1 and Domain 5 requirements, which will depend on each unique Solution assessment.
• Be assessed to all unaccounted-for Domain 1 and Domain 5 requirements, which will depend on each unique Solution assessment.
Modified p. 23
Note 1: “P2PE Applications” and “P2PE non-payment software” (refer to P2PE Glossary) do not meet the PTS POI definition of “firmware”, and as such they are not reviewed as part of the POI device’s PTS POI assessment (i.e., they cannot be excluded from the scope of a P2PE assessment). Therefore, any software intended for use in a P2PE solution that does not meet the PTS POI definition of "firmware" must be assessed in accordance with the PCI P2PE Standard and …
Note 1: “P2PE Applications” and “P2PE Non-payment Software” (refer to P2PE Glossary) do not meet the PTS POI definition of “firmware,” and as such, they are not reviewed as part of the POI device’s PTS POI assessment (i.e., they cannot be excluded from the scope of a P2PE assessment). Therefore, any software intended for use in a P2PE solution that does not meet the PTS POI definition of "firmware" must be assessed in accordance with the P2PE Standard and is …
Modified p. 24
Note: “P2PE Applications” and “P2PE non-payment software” (refer to P2PE Glossary) do not meet the PTS POI definition of “firmware”, and as such they are not reviewed as part of the POI device’s PTS POI assessment (i.e., they cannot be excluded from the scope of a P2PE assessment). Therefore, any software intended for use in a P2PE solution that does not meet the PTS POI definition of "firmware" must be assessed in accordance with the PCI P2PE Standard and is …
Note: “P2PE Applications” and “P2PE non-payment software” (refer to P2PE Glossary) do not meet the PTS POI definition of “firmware”, and as such they are not reviewed as part of the POI device’s PTS POI assessment (i.e., they cannot be excluded from the scope of a P2PE assessment). Therefore, any software intended for use in a P2PE solution that does not meet the PTS POI definition of "firmware" must be assessed in accordance with the P2PE Standard and is subject …
Removed p. 25
Note 1: Be advised there can be POI device approval listings that appear similar/identical on the PCI SSC list of Approved PTS devices, however, they are associated with different major versions of the PTS POI Standard. Be sure the correct listing is being referenced and utilized in the assessment.
Modified p. 25
• Only list each unique PTS Approval # once.
• Only list each unique PTS Approval # once
Modified p. 25
• List ALL associated hardware (HW) and firmware (FW) versions supported by the Solution and tested as part of the P2PE assessment.
• List ALL associated hardware (HW) and firmware (FW) versions supported by the Solution and tested as part of the P2PE assessment. HW and FW versions MUST be consistent between P-ROV(s), P-AOV and the Portal
Modified p. 25
• Ensure all the information below is correct, accurate, and there are no discrepancies between the information listed here and the information present on the POI device’s associated PTS Approval listing.
• Ensure all the information below is correct, accurate, and there are no discrepancies between the information listed here and the information present on the POI device’s associated PTS Approval listing
Modified p. 25
• Do NOT include POI devices (including HW and/or FW) that are ineligible for P2PE (e.g., non-SRED).
• Do NOT include POI devices (including HW and/or FW) that are ineligible for P2PE (e.g., non-SRED)
Modified p. 25
• Do NOT include HW and/or FW on the POI device listing that was NOT tested as part of the P2PE assessment.
• Do NOT include HW and/or FW on the POI device listing that was NOT tested as part of the P2PE assessment Note 1: Be advised there can be POI device approval listings that appear similar/identical on the PCI SSC list of Approved PTS POI devices, however, they are associated with different major versions of the PTS POI Standard. Be sure the correct listing is being referenced and utilized in the assessment.
Modified p. 25
Note 2: Clicking the PTS Approval # on the list of Approved POI Devices will display additional information. Be advised that the designators shown under “Functions Provided” do NOT necessarily apply to every HW and FW version for that PTS approval listing. Ensure that the requisite P2PE requirements are met and satisfied per POI Device Type (refer to the P2PE Glossary) included in the assessment. For each applicable PTS Approval #:
Note 2: Clicking the PTS Approval # on the list of Approved PTS POI Devices will display additional information. Be advised that the designators shown under “Functions Provided” do NOT necessarily apply to every HW and FW version for that PTS approval listing. Ensure that the requisite P2PE requirements are met and satisfied per POI Device Type (refer to the P2PE Glossary) included in the assessment. For each applicable PTS Approval #:
Modified p. 25
• Do NOT infer every HW and/or FW listed is SRED approved.
• Do NOT infer every HW and/or FW listed is SRED approved
Modified p. 25
• Do NOT infer the account data capture or communication interface designators apply to every HW and/or FW listed.
• Do NOT infer the account data capture or communication interface designators apply to every HW and/or FW listed Note 3: POI Device Types (including those supported by a Validated P2PE Applications from Table 2.4.b and non-Validated P2PE Applications in Table 2.4.c) must be assessed to all applicable requirements in Domains 1 and Domain 5. The scope of the assessment for POI devices will be unique for each P2PE Solution assessment.
Modified p. 25
- POI Device Types associated with Validated PDCPs and PMCPs are only assessed to a subset of applicable Domain 1 and Domain 5 requirements. Therefore: o Only a POI Device Type that is supported by an EMCP or BOTH a Validated PDCP and a PMCP, as listed in Table 2.2, is excluded from requiring any additional assessment. OR, o Each POI Device Type must be assessed to all applicable requirements in Domains 1 and 5 that were not covered under …
- POI Device Types associated with Validated PDCPs and PMCPs are only assessed to a subset of applicable Domain 1 and Domain 5 requirements. Therefore: o Only a POI Device Type that is supported by an EMCP or BOTH a Validated PDCP and a PMCP, as listed in Table 2.2, is excluded from requiring any additional assessment. OR, o Each POI Device Type must be assessed to all applicable requirements in Domains 1 and 5 that were not covered under …
Modified p. 25
- POI Device Types associated with Validated P2PE Applications are only assessed to Domain 2

• those POI devices must be accounted for via the use of applicable Validated Components, or otherwise they must be assessed to all applicable Domain 1 and 5 requirements that have not been covered under the assessment scope of the Component Types being used in the scope of this Solution assessment (this will be unique for each assessment). https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices Is the EMS P-ROV being used as …
- POI Device Types associated with Validated P2PE Applications are only assessed to Domain 2

• those POI devices must be accounted for via the use of applicable Validated Components, or otherwise they must be assessed to all applicable Domain 1 and 5 requirements that have not been covered under the assessment scope of the Component Types being used in the scope of this Solution assessment (this will be unique for each assessment) Note 4: The use of wildcards MUST be …
Modified p. 26
PTS Approval # (One unique # per row) Make / Mfr. Model Name / Number Hardware (HW) #(s) Tested Firmware (FW) #(s) Tested For each PTS Approval #, denote the manner that the PTS-approved POI Device Types were assessed to all applicable requirements in Domains 1 and 5:
PTS Approval # (One unique # per row) PTS Version # Make / Mfr. Model Name / Number Hardware (HW) #(s) Tested Firmware (FW) #(s) Tested For each PTS Approval #, denote the manner that the PCI-approved PTS POI Device Types were assessed to all applicable requirements in Domains 1 and 5:
Modified p. 27
Note 1: PTS-approved POI Device information must be entered in Table 2.5. Do not enter it here.
Note 1: PCI-approved PTS POI Device information must be entered in Table 2.5. Do not enter it here.
Modified p. 27
Is the EMS P-ROV being used? Yes (Document EMS-related SCDs in the EMS P-ROV) No (Document any EMS-related SCDs below) Is the DMS P-ROV being used? Yes (Document DMS-related SCDs in the DMS P-ROV) No (Document any DMS-related SCDs below) Is the KMS P-ROV being used? Yes (Document KMS-related SCDs in the KMS P-ROV) No (Document any KMS-related SCDs below) Are there SCDs that are otherwise not documented in another P-ROV? Yes (If Yes, provide details below) No (If No, …
Is the EMS P-ROV being used? Yes (Document EMS-related SCDs in the EMS P-ROV) No (Document any EMS-related SCDs below) Is the DMS P-ROV being used? Yes (Document DMS-related SCDs in the DMS P-ROV) No (Document any DMS-related SCDs below) Is the KMS P-ROV being used? Yes (Document KMS-related SCDs in the KMS P-ROV) No (Document any KMS-related SCDs below) Are there SCDs that are otherwise not documented in another P-ROV? Yes (If Yes, provide details below) No (If No, …
Modified p. 28
Note 2: While non-payment software is not permitted to have access to clear-text account data, it might still be involved in supporting additional encryption implementations. Non-payment software detailed below must be able to be cross-referenced to Table 2.4.a in the EMS P-ROV.
Note 2: While non-payment software is not permitted to have access to cleartext account data, it might still be involved in supporting additional encryption implementations. Non-payment software detailed below must be able to be cross-referenced to Table 2.4.a in the EMS P-ROV.
Modified p. 31
Locations of critical facilities, including the solution provider’s decryption environment, key-injection and loading facilities, etc.
Locations of critical facilities, including the solution provider’s decryption environment, key-injection and loading facilities, etc.
Modified p. 31
Location of critical components within the P2PE decryption environment, such as the Host System, HSMs and other SCDs, cryptographic key stores, etc., as applicable Location of systems performing key-management functions Connections into and out of the decryption environment Connectivity between the requisite functions of the Solution Other necessary components, as applicable to the Solution Provide any additional information below that is not adequately captured within the diagram(s). Otherwise, check No Additional Details. No Additional Details <Additional Details, as needed> <Insert …
Other necessary components, as applicable to the Solution Provide any additional information below that is not adequately captured within the diagram(s). Otherwise, check No Additional Details. No Additional Details <Additional Details, as needed> <Insert Solution diagram(s) here>
Modified p. 32
Flows and locations of encrypted account data Flows and locations of clear-text account data All flows and locations of truncated account data Location of critical system components (e.g., HSMs, Host System) All entities to which the Solution connects for payment transmission or processing, including processors/acquirers Note: The diagram should identify where merchant entities fit into the data flow, without attempting to identify individual merchants. For example, encrypted account data could be illustrated as flowing between an icon that represents all …
All entities to which the Solution connects for payment transmission or processing, including processors/acquirers Note: The diagram should identify where merchant entities fit into the data flow, without attempting to identify individual merchants. For example, encrypted account data could be illustrated as flowing between an icon that represents all merchant customers and an icon that represents the solution provider’s decryption environment. Document if any intermediate proxies exist between merchant customers and the decryption environment.
Modified p. 33
Key Generation Key Distribution / Loading / Injection onto POI devices Other Key Distribution / Loading / Injection activities Key Storage Key Usage Key Archiving (if applicable) Any other relevant information
Key Distribution / Loading / Injection onto POI devices Other Key Distribution / Loading / Injection activities Key Archiving (if applicable) Any other relevant information
Modified p. 35
P2PE Instruction Manual (PIM) Reference # (optional use) Document Name (Title of the PIM) Version Number of the PIM Document Date (latest version date) P2PE Application Implementation Guide(s) (IG) Reference # (optional use) Document Name (Title of the IG) Version Number of the IG Document Date (latest version date) Which P2PE Application is addressed? (must align with Table 2.4.b) All other documentation reviewed for this P2PE Assessment Reference # (optional use) Document Name (including version, if applicable) Document Date (latest …
P2PE Instruction Manual (PIM) Reference # (optional use) Document Name (Title of the PIM) Version Number of the PIM Document Date (latest version date, DD- MMM-YYYY) P2PE Application Implementation Guide(s) (IG) Reference # (optional use) Document Name (Title of the IG) Version Number of the IG Document Date (latest version date, DD-MMM-YYYY) Which P2PE Application is addressed? (must align with Table 2.4.b) All other documentation reviewed for this P2PE Assessment Reference # (optional use) Document Name (including version, if applicable) …
Modified p. 39 → 40
Requirement Document how it was determined that the requirement is Not Applicable to the P2PE Product under assessment
Reference # (optional use) Requirement Document how and why it was determined that the requirement is Not Applicable to the P2PE Product under assessment
Modified p. 40 → 41
• Identification of P2PE controls covered by each third-party service provider 3A-1.1.a Interview relevant personnel and review documentation to verify that procedures exist for maintaining documentation that describes and/or illustrates the architecture of the overall P2PE solution.
• Identification of P2PE controls covered by each third-party service provider 3A-1.1.a Interview relevant personnel and examine documentation to verify that procedures exist for maintaining documentation that describes and/or illustrates the architecture of the overall P2PE solution.
Modified p. 40 → 41
Documented procedures reviewed: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.1.b Interview relevant personnel and review documentation that describes and/or illustrates the architecture of the overall P2PE solution to verify that the document is current.
Documented procedures examined: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.1.b Interview relevant personnel and examine documentation that describes and/or illustrates the architecture of the overall P2PE solution to verify that the document is current.
Modified p. 40 → 41
Documented procedures reviewed: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.1.c Interview relevant personnel and review documentation that describes and/or illustrates the architecture of the overall P2PE solution to verify that the document:
Documented procedures examined: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.1.c Interview relevant personnel and examine documentation that describes and/or illustrates the architecture of the overall P2PE solution to verify that the document:
Modified p. 40 → 41
Documented procedures reviewed: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here>
Documented procedures examined: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here>
Removed p. 41
3A-1.2 Examine the data-flow diagram and interview personnel to verify the diagram:

• Is kept current and updated as needed upon changes to the environment.
Modified p. 41 → 42
Shows all account data flows across systems and networks from the point the card data is captured through to the point the card data exits the decryption environment.
All account data flows across systems and networks from the point the card data is captured by the PTS POI devices through to the point the card data exits the decryption environment
Modified p. 41 → 42
Data-flow diagram reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-1.3 Where there is a legal or regulatory obligation in a region for merchants to print full PAN on merchant receipts, it is allowable for the merchant to have access to full PAN for this purpose but the solution provider must document specifics about the legal or regulatory obligation including at least the following:
Documentation examined: <Report Findings Here> 3A-1.3 If there is a legal or regulatory obligation in a region for merchants to print full PAN on merchant receipts, it is allowable for the merchant to have access to full PAN for this purpose but the solution provider must document specifics about the legal or regulatory obligation including at least the following:
Modified p. 41 → 42
• To which region/country it applies Note that Domain 1 (at 1B-1.1.1) and Domain 2 (at 2A-3.1.2) also include requirements that must be met for any POI device and any P2PE application, respectively, that facilitates merchant printing of full PAN where there is a legal or regulatory obligation to do so.
Note: Domain 2 (at 2A-3.1.2) also includes requirements that must be met for any PTS POI device and any P2PE application, respectively, that facilitates merchant printing of full PAN where there is a legal or regulatory obligation to do so.
Modified p. 41 → 43
• To which region/country it applies Documented solution provider’s procedures reviewed:
• To which region/country it applies Documented solution provider’s procedures examined:
Removed p. 42
Responsible solution provider personnel interviewed:

<Report Findings Here> OR Describe how independent review verified that the exception to facilitate merchants’ access to full PANs is based on a legal/regulatory obligation and not solely for convenience:
Modified p. 42 → 43
<Report Findings Here>
<Report Findings Here> 3A-1.3.b TESTING PROCEDURE REMOVED
Removed p. 43
3A-2.1 Where component providers are used, interview responsible personnel, review documentation, and observe processes to verify the solution provider has implemented a methodology for managing and monitoring status reporting from P2PE component providers, including processes for:

Documented procedures reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> Describe the processes observed that verified that the solution provider has implemented a methodology for managing and monitoring status reporting from P2PE component providers, including processes for:
Modified p. 43 → 44
• Ensuring reports are received from all P2PE component providers as specified in the “Component Providers ONLY: Report Status to Solution Providers” sections of Domains 1, 5, and/or 6 (as applicable to the component provider).
• Ensuring reports are received from all P2PE component providers as specified in the “Component Providers ONLY: Report Status to Solution Providers” sections of Domains 1, 5, and/or 6 (as applicable to the component provider)
Modified p. 43 → 44
• Confirming reports include at least the details specified in the “Component Providers ONLY: Report Status to Solution Providers” sections of Domains 1, 5, and/or 6 (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider.
• Confirming reports include at least the details specified in the “Component Providers ONLY: Report Status to Solution Providers” sections of Domains 1, 5, and/or 6 (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider
Modified p. 43 → 44
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider.
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider 3A-2.1 Interview responsible personnel, examine documentation, and observe processes to verify the solution provider has implemented a methodology for managing and monitoring status reporting from P2PE component providers, including processes for:
Modified p. 43 → 44
• Ensuring reports are received from all P2PE component providers as specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider).
• Ensuring reports are received from all P2PE component providers as specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider)
Modified p. 43 → 44
• Ensuring reports are received from all P2PE component providers as specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider).
• Ensuring reports are received from all P2PE component providers as specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider)
Modified p. 43 → 44
• Confirming reports include at least the details specified in the “Component providers ONLY: report status to solution providers” sections of this. Standard (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider.
• Confirming reports include at least the details specified in the “Component providers ONLY: report status to solution providers” sections of this. Standard (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider
Modified p. 43 → 44
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider.
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider Documented procedures examined: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> Describe the processes observed that verified that the solution provider has implemented a methodology for managing and monitoring status reporting from P2PE component providers, including processes for:
Modified p. 43 → 44
• Confirming reports include at least the details specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider.
• Confirming reports include at least the details specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider Following up with the component provider to resolve any questions or changes in expected performance of the component provider.
Removed p. 44
• Changes in overall solution architecture 3A-2.2.a Interview responsible personnel and review documentation to verify the solution provider has a formal process for ensuring P2PE controls are maintained when changes to the P2PE solution occur, including procedures for addressing the following:
Modified p. 44 → 45
• Changes in overall solution architecture Documented procedures reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> 3A-2.2.b For a sample of changes, verify changes were documented and the solution updated accordingly.
• Changes in overall solution architecture Documented procedures examined: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> 3A-2.2.b For a sample of changes, examine the changes to verify they were documented and the solution updated accordingly.
Modified p. 44 → 45
Sample of changes reviewed: <Report Findings Here>
Sample of changes examined: <Report Findings Here>
Modified p. 45 → 46
• Encryption/decryption failures Documented procedures reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-3.2 Upon detection of any suspicious activity defined at 3A-3.1, the POI device must be immediately removed, shut down, or taken offline until the integrity of the device is verified and the P2PE encryption mechanism is restored.
• Encryption/decryption failures Documented procedures examined: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-3.2 Upon detection of any suspicious activity defined at 3A-3.1, the PTS POI device must be immediately removed, shut down, or taken offline until the integrity of the device is verified and the P2PE encryption mechanism is restored.
Modified p. 45 → 46
3A-3.2 Review documented procedures and interview responsible personnel to verify that upon detection of any suspicious activity defined at 3A-3.1, POI devices are immediately removed, shut down, or taken offline.
3A-3.2 Examine documented procedures and interview responsible personnel to verify that upon detection of any suspicious activity defined at 3A-3.1, PTS POI devices are immediately removed, shut down, or taken offline.
Modified p. 45 → 46
Documented procedures reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here>
Documented procedures examined: <Report Findings Here> Personnel interviewed: <Report Findings Here>
Modified p. 46 → 47
3A-3.2.1 Examine documented procedures and interview personnel to verify the POI devices must not be re-enabled until it is confirmed that the issue has been resolved and P2PE encryption functionality is restored and re-enabled.
3A-3.2.1 Examine documented procedures and interview personnel to verify the PTS POI devices must not be re-enabled until it is confirmed that the issue has been resolved and P2PE encryption functionality is restored and re-enabled.
Modified p. 46 → 47
Documented procedures reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-3.3 The solution provider must maintain a record, at minimum of one year, of all suspicious activity, to include the following:
Documented procedures examined: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-3.3 The solution provider must maintain a record, at minimum of one year, of all suspicious activity, to include the following:
Modified p. 46 → 47
• Details of whether any account data was transmitted from the POI device(s) during the time that encryption was malfunctioning or disabled Documented procedures reviewed: <Report Findings Here> Related records reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here>
• Details of whether any account data was transmitted from the POI device(s) during the time that encryption was malfunctioning or disabled Documented procedures examined: <Report Findings Here> Related records examined: <Report Findings Here> Personnel interviewed: <Report Findings Here>
Modified p. 47 → 48
Documented incident-response plans reviewed:
Documented incident-response plans examined:
Modified p. 47 → 48
• Updating the solution and/or controls to prevent cause from recurring 3A-3.5.a Interview responsible personnel and review documentation to verify the solution provider has a formal process for any P2PE control failures, including procedures for addressing the following:
• Updating the solution and/or controls to prevent cause from recurring 3A-3.5.a Interview responsible personnel and examine documentation to verify the solution provider has a formal process for any P2PE control failures, including procedures for addressing the following:
Modified p. 47 → 48
• Implementing controls to prevent cause from recurring Responsible personnel interviewed: <Report Findings Here> Documentation reviewed: <Report Findings Here>
• Implementing controls to prevent cause from recurring Responsible personnel interviewed: <Report Findings Here> Documentation examined: <Report Findings Here>
Modified p. 48 → 49
Sample of P2PE control failures: <Report Findings Here> Supporting document reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> 3B-1.1 Solution provider must have formal agreements in place with all third parties that perform P2PE functions on behalf of the solution provider, including:
Sample of P2PE control failures: <Report Findings Here> Supporting document examined: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> 3B-1.1 If the solution Provider uses third parties that perform P2PE functions on behalf of the Solution Provider, formal agreements must be in place that include:
Modified p. 48 → 49
• Agreement to provide reports to solution provider as required in the “Component Providers ONLY: Report Status to Solution Providers” section of the applicable P2PE Domain.
• Agreement to provide reports to solution provider as required in the “Component Providers ONLY: Report Status to Solution Providers” section of the applicable P2PE Domain
Modified p. 49 → 50
• Agreement to provide reports to solution provider as required in the “Component providers ONLY: report status to solution providers” section of the applicable P2PE Domain Documented procedures reviewed: <Report Findings Here> 3B-1.1.b If the solution provider utilizes any third parties, examine the business agreements and verify the elements delineated in 3B-1.1.a are present and adequately accounted for.
• Agreement to provide reports to solution provider as required in the “Component providers ONLY: report status to solution providers” section of the applicable P2PE Domain Documented procedures examined: <Report Findings Here> 3B-1.1.b If the solution provider utilizes any third parties, interview personnel and observe processes to verify the elements delineated in 3B-1.1.a are present and adequately accounted for.
Removed p. 50
• Evidence of adherence to PCI’s process for P2PE Designated Changes to Solutions 3B-1.2 Verify formal agreements established for all third parties managing SCDs on behalf of the solution provider require:

• Evidence of adherence to PCI’s process for P2PE Designated Changes to Solutions Identify the P2PE Assessor who confirms that the business agreements for third parties managing SCDs on behalf of the solution provider were reviewed and verified to require all elements at 3B-1.2:
Modified p. 50 → 51
• Notification of any changes that require a Designated Change per the P2PE Program Guide
• Notification of any changes that require a Delta Change per the P2PE Program Guide
Modified p. 50 → 51
• Notification of any changes that require a Designated Change per the P2PE Program Guide
• Notification of any changes that require a Delta Change per the P2PE Program Guide
Modified p. 50 → 51
• Updated list of any dependencies included in the Designated Change (e.g., POI devices, P2PE applications, , and/or HSMs) used in the solution
• Updated list of any dependencies included in the Delta Change (e.g., POI devices, P2PE Applications, and/or HSMs) used in the solution 3B-1.2 Examine documentation for all third parties managing SCDs on behalf of the solution provider and verify the following is required:
Modified p. 50 → 51
• Updated list of any dependencies included in the Designated Change (e.g., POI devices, P2PE applications, and/or HSMs) used in the solution
• Updated list of any dependencies included in the Delta Change (e.g., PTS POI devices, P2PE Applications, and/or HSMs) used in the solution Identify the P2PE Assessor who confirms that the business agreements for third parties managing SCDs on behalf of the solution provider were reviewed and verified to require all elements at 3B-1.2:
Removed p. 51
<Report Findings Here> 3C-1.1.f Examine the PIM to verify that all P2PE non-payment software specified in the PIM were assessed as part of this P2PE solution assessment (per Requirement 1C-2).

<Report Findings Here> 3C-1.1.g Configure each POI device type, settings, etc. in accordance with all instructions in the PIM and confirm the following:

• The PIM provides accurate instructions.

• The PIM instructions facilitate a securely installed P2PE solution.

Describe how it was confirmed that by configuring each POI device type, settings, etc. in accordance with all instructions in the PIM, the PIM provides accurate instructions and those instructions facilitate a securely installed P2PE solution:
Modified p. 51 → 52
<Report Findings Here> 3C-1.1.d Examine the PIM to verify that all devices specified in the PIM are PCI- approved POI devices that were assessed as part of this P2PE solution assessment.
<Report Findings Here> 3C-1.1.d Examine the PIM to verify that all devices specified in the PIM are eligible PCI-approved PTS POI devices that were assessed as part of this P2PE solution assessment.
Modified p. 51 → 52
Identify the P2PE Assessor who confirms that all devices specified in the PIM are PCI-approved POI devices that were assessed as part of this P2PE solution assessment:
Identify the P2PE Assessor who confirms that all devices specified in the PIM are PCI-approved PTS POI devices that were assessed as part of this P2PE solution assessment:
Modified p. 51 → 53
<Report Findings Here> 3C-1.1.e Examine the PIM to verify the following:
<Report Findings Here> 3C-1.1.f Examine the PIM to verify that all P2PE non-payment software specified in the PIM has been assessed as part of this P2PE solution assessment (per Requirement 1C-2).
Modified p. 51 → 53
• All P2PE applications specified in the PIM are assessed for this solution (per Domain 1).
• All P2PE applications specified in the PIM are assessed for this solution .
Modified p. 51 → 53
• All P2PE applications specified in the PIM are either PCI-listed P2PE applications or assessed to Domain 2 as part of this P2PE solution assessment.
• All P2PE applications specified in the PIM are either PCI-listed P2PE Applications or assessed to Domain 2 as part of this P2PE solution assessment (Solution-specific P2PE Applications).
Modified p. 51 → 53
Identify the P2PE Assessor who confirms that all P2PE applications specified in the PIM are assessed for this solution (per Domain 1) and that all P2PE applications specified in the PIM are either PCI-listed P2PE applications or assessed to Domain 2 as part of this P2PE solution assessment:
Identify the P2PE Assessor who confirms that all P2PE non-payment software specified in the PIM has been assessed as part of this P2PE solution assessment (per Requirement 1C-2):
Modified p. 51 → 53
Identify the P2PE Assessor who confirms that all P2PE non-payment software specified in the PIM were assessed as part of this P2PE solution assessment (per Requirement 1C-2):
Identify the P2PE Assessor who confirms that all P2PE applications specified in the PIM are assessed for this solution and that all P2PE applications specified in the PIM are either PCI-listed P2PE applications or assessed to Domain 2 as part of this P2PE solution assessment:
Removed p. 52
Documented procedures reviewed: <Report Findings Here>
3C-1.2.b Observe processes for reviewing and updating the PIM, and interview responsible personnel to verify:
Modified p. 52 → 53
• Any changes to the P2PE solution (including additions or removals of POI device types, P2PE applications, and/or P2PE non-payment software), and
• Any changes to the P2PE solution (including additions or removals of PTS POI device types, P2PE applications, and/or P2PE non-payment software), and
Modified p. 52 → 53
• Any changes to the requirements in this document.
• Any changes to the requirements in this document
Modified p. 52 → 53
3C-1.2.a Examine documented procedures to verify they include:
• Applicable merchant instructions 3C-1.2.a Examine documented procedures to verify they include:
Modified p. 52 → 53
- Any changes to the P2PE solution (including additions or removals of POI device types, P2PE applications, and/or P2PE non-payment software), and - Any changes to the P2PE requirements.
- Any changes to the P2PE solution (including additions or removals of PTS POI device types, P2PE applications, and/or P2PE non-payment software), and - Any changes to the P2PE requirements - Applicable merchant instructions Documented procedures examined: <Report Findings Here>
Modified p. 53 → 55
Documented procedures reviewed: <Report Findings Here>
3C-1.2.1.b Observe processes for reviewing and updating the PIM, and interview responsible personnel to verify PIM updates are communicated to affected merchants and an updated PIM is provided to merchants as needed.
Documented procedures examined: <Report Findings Here>
3C-1.2.1.b Observe processes for reviewing and updating the PIM, and interview responsible personnel to verify PIM updates are communicated to affected merchants and an updated PIM is provided to merchants as needed.