Document Comparison
P2PE_Qualification_Requirements_v3_0.pdf
→
P2PE_Qualification_%20Requirements%20_v3.1.pdf
80% similar
Pages: 37 → 39
Words: 12799 → 13191
Content changes: 143

Content Changes
143 content changes. 64 administrative changes (dates, page numbers) hidden.
Added
p. 2
• Removed PA-QSA options from the PA-QSA(P2PE) Assessor Qualification.
• Removed SSF Assessment requirements from P2PE Application Assessor Company and P2PE Application Assessor qualification requirements.
• Added requirement that Assessors must be trained on the version of standard(s) to which they are assessing.
• Renamed the PA-QSA(P2PE) to P2PE Application Assessor.
• Renamed the QSA(P2PE) to P2PE Assessor.
• Signature sections have been added to Company and Assessor application forms.
Added
p. 4
Throughout this document, the following terms shall have the following meanings:
P2PE Application Assessor Company A P2PE Assessor Company that:
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers, P2PE Component Providers, and/or P2PE Application Vendors in order to validate that such providers' or vendors' P2PE Solutions, P2PE Components, and/or P2PE Applications adhere to all aspects of the P2PE Standard; and (b) Remains in Good Standing (defined in Section 1.3 of these P2PE Qualification Requirements) or in remediation as a P2PE Application Assessor Company.
P2PE Application Assessor Employee An individual employed by a P2PE Application Assessor Company who has satisfied, and continues to satisfy, all P2PE Application Assessor Requirements.
Added
p. 5
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers and/or P2PE Component Providers in order to validate that such providers' P2PE Solutions and/or P2PE Components adhere to all applicable aspects of the P2PE Standard, and (b) Remains in Good Standing (defined in Section 1.3 of these P2PE Qualification Requirements) or in remediation as a P2PE Assessor Company.
P2PE Assessor Company qualification, alone, does not qualify a company to conduct P2PE Application Assessments. P2PE Application Assessments may only be performed by P2PE Application Assessor Companies.
P2PE Assessor Employee An individual employed by a P2PE Assessor Company who has satisfied, and continues to satisfy, all P2PE Assessor Requirements.
P2PE Assessor Program Refers to PCI SSC's program for qualification of P2PE Assessor Companies, P2PE Assessor Employees, P2PE Application Assessor Companies, and P2PE Application Assessor Employees.
P2PE Assessor Requirements With respect to a given P2PE Assessor Company, P2PE Application Assessor Company, P2PE Assessor Employee …
Added
p. 6
P2PE Product A P2PE Application, P2PE Component, or P2PE Solution.
P2PE Qualification Requirements The then-current version of (or successor document to) the Payment Card Industry (PCI) Qualification Requirements for P2PE Assessors and P2PE Application Assessors, as from time to time amended and made available on the Website.
P2PE Report on Validation (P-ROV) A P2PE Report on Validation completed by a P2PE Assessor Company and (except with respect to Merchant-Managed P2PE Solutions) submitted directly to PCI SSC for review and Acceptance (defined in the P2PE Program Guide).
For a P2PE Solution, P2PE Component, or P2PE Application to be included on the corresponding list of validated solutions, components, or applications on the Website, a corresponding P-ROV must be submitted directly to PCI SSC for review and Acceptance.
QPA Agreement The Qualified PIN Assessor (QPA) Agreement, in the form attached as Appendix A to the QPA Qualification Requirements
QPA Qualification Requirements The then-current version of the Payment …
Added
p. 8
Note: A P2PE Assessor Company that is in remediation as a QSA Company, QPA Company or P2PE Assessor Company but otherwise satisfies all of the requirements specified in (a) through (e) above is permitted to perform P2PE Solution Assessments and P2PE Component Assessments and market itself as a P2PE Assessor Company, subject to the terms of the applicable remediation program.
• P2PE Application Assessor Company: In order to be and remain qualified as a P2PE Application Assessor Company, and accordingly, in order to validate compliance of P2PE Applications in addition to P2PE Solutions and/or P2PE Components with the P2PE Standard, and otherwise participate as a P2PE Application Assessor Company in the P2PE Assessor Program, the assessor company must:
(a) Be in Good Standing as (i) a QSA Company or QPA Company, (ii) a P2PE Assessor Company, and (iii) a SSF Assessor Company, (b) Comply with all requirements applicable to SSF Assessor Companies, …
Added
p. 9
• Secure Software Assessor Program Guide
• Qualified Pin Assessor Qualification Requirements (if applicable)
• Qualified Pin Assessor Program Guide (if applicable)
Note: In addition to the requirements set forth in the P2PE Qualification Requirements, ALL P2PE Assessor Companies must satisfy all QSA Requirements or QPA Requirements, as applicable, and additionally for P2PE Application Assessor Companies, must satisfy all SSF Requirements.
Note: PCI SSC reserves the right to reject any application for any applicant (company or individual) that PCI SSC determines has committed, within three (3) years prior to the application date, any conduct that would have been considered a "Violation" for purposes of the QSA Qualification Requirements or QSA Agreement, if committed by a QSA Company or QSA Employee; or the QPA Qualification Requirements or QPA Agreement, if committed by a QPA Company. The period of ineligibility will be a minimum of one (1) year, as determined by PCI SSC in a reasonable …
Added
p. 13
Also, as described in further detail in the QPA Qualification Requirements, each QPA Company must have executed and submitted the QPA Agreement to qualify as a QPA Company.
• Cryptographic techniques including cryptographic algorithms, key management, and key lifecycle
• Industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and NIST 140-2 Level 3
• Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA)
• Hardware Security Modules (HSMs) operations, policies, and procedures
• POI key-injection systems and techniques including key-loading devices (KLDs) and key-management methods, such as Master/Session or DUKPT
• Physical security techniques for high-security areas
• Relevant PTS Security Requirements (e.g., SRED, SCR, OP)
• POI integration software development, deployment, and updates
• PCI PTS authentication requirements for accessing account data or sensitive services
Added
p. 15
A QSA Company or QPA Company, A P2PE Assessor Company, A SSF Assessor Company, and A P2PE Application Assessor Company
• All other applicable policies and requirements of the applicable PCI SSC program or initiative, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and revocation.
All the above skill sets must be present and fully utilized on every P2PE Application Assessment.
• Cryptographic techniques including cryptographic algorithms, key management, and key lifecycle
• Knowledge of industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and NIST 140-2 Level 3
• Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA)
• Hardware security modules (HSMs) operations, policies, and procedures …
Added
p. 17
• Modern, secure, embedded systems hardware and software architectures
• PCI PTS quality and security management requirements related to POI software development
• POI software authenticity and integrity verification techniques and self-tests
• Attack methodologies through exploitation of logical vulnerabilities
• Application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes
Added
p. 18
A QSA Employee or QPA Employee, A P2PE Assessor Employee, and A Secure Software Assessor
• Each P2PE Application Assessor Employee (or applicant) must fulfill all SSF Qualification Requirements for Secure Software Assessors
Added
p. 21
P2PE Assessor Employees are qualified to perform PCI SSC Assessments only to the version(s) of the PCI SSC Standard(s) for which they have successfully completed training.
Agreement Type (check one): QSA or QPA Agreement Date:
PCI SSC Officer Signature Date
iv. "Program Requirements" means all requirements and obligations of Company pursuant to this Addendum, each other agreement entered into between Company and PCI SSC, and any and all other applicable policies, procedures, requirements, standards, or obligations imposed, mandated, provided for, or otherwise established by PCI SSC from time to time in connection with any PCI SSC program in which Company is a participant, including but not limited to all QSA Requirements or QPA Requirements (as applicable), all P2PE Assessor Requirements, all P2PE Application Assessor Requirements (if Company has been qualified as a P2PE Application Assessor Company), and all policies, procedures, requirements, standards, or obligations of applicable PCI SSC training programs, quality …
Added
p. 25
ii. "PCI PIN Report on Compliance," "PIN ROC," and "PIN Attestation of Compliance" shall, where applicable, include (without limitation) the terms "P2PE Report of Validation," "P-ROV," and "P2PE Attestation of Validation," respectively, as those terms are used in the P2PE Qualification Requirements.
iii. "Services" shall include (without limitation) the P2PE Services.
iv. "QPA Company clients" shall include (without limitation) P2PE Customers.
A.3.2 P2PE Services (a) Subject to the terms and conditions of this Addendum and the Agreement, for P2PE Assessor Program purposes, PCI SSC hereby approves Company to: (i) while Company is in Good Standing (or in compliance with the terms of remediation) as a P2PE Assessor Company, conduct P2PE Solution Assessments and/or P2PE Component Assessments for P2PE Customers solely in order to validate compliance of P2PE Solutions and/or P2PE Components with the P2PE Standard and (ii) while Company is in Good Standing (or in compliance with the terms of remediation) as …
Added
p. 29
Section 1 - Applicant QSA Company or QPA Company (the "Company") Information
Company Name:
Company Signature
Company Officer Name: Job Title:
Company's Officer Signature Date
Added
p. 30
3.1.1.a Assessment Clients
Provide a description of clients and dates for two previous PCI DSS Assessments performed by the Company in its capacity as a QSA Company, or two previous PIN Assessments performed by the Company in its capacity as a QPA Company. Note: Only Assessments performed by the applicant P2PE Assessor Company are eligible to meet this requirement; Assessments performed by a QSA Employee or QPA Employee for another QSA Company or QPA Company will not be considered toward this requirement.
3.1.1.b Knowledge
Knowledge of cryptographic techniques including cryptographic algorithms, key management, and key lifecycle:
Describe the Company's expertise and direct responsibility for implementing, operating, and/or assessing cryptographic systems and/or key-management functions. For example, implementing and managing key-management functions, or performing lab evaluations of cryptographic systems against NIST, ANSI, or ISO standards.
Added
p. 31
Total time: Years Months
Knowledge of relevant PTS Security Requirements (e.g., SRED, SCR, OP):
Total time: Years Months
Knowledge of modern, secure embedded systems hardware and software architectures:
Added
p. 32
Describe the Company's expertise exploiting vulnerabilities. For example, methods employed to exploit vulnerabilities, penetration tests performed at the application layer, and use of arbitrary code during testing.
Added
p. 34
3.1.2.d Company acknowledgements The Company acknowledges and agrees that all of the above skill sets will be present and fully utilized on every P2PE Assessment.
The Company acknowledges and agrees that in order to perform or manage any P2PE Application Assessment it must be qualified by PCI SSC as, and in Good Standing or in compliance with remediation as, a QSA Company or QPA company, as applicable, a P2PE Assessor Company, a Secure Software Assessor Company, and a P2PE Application Assessor Company
P2PE Assessor Employee Candidate Information
Employee ("Candidate") Name:
Candidate Signature Date
Each applicant P2PE Assessor Employee must complete the following:
Total time: Years Months
Knowledge of relevant PTS Security Requirements (e.g., SRED, SCR, OP):
Added
p. 39
P2PE Application Assessor Company
Removed
p. 4
P2PE Assessor Employee A QSA (P2PE) Employee or PA-QSA (P2PE) Employee.
P2PE Assessor Requirements The QSA (P2PE) Requirements and/or PA-QSA (P2PE) Requirements, as applicable.
Modified
p. 4
Please note that the existence of the P2PE Standard does not constitute a recommendation from the Council, nor does it obligate merchants, service providers, or financial institutions to purchase or deploy P2PE Solutions. As with all other PCI SSC standards, any mandates, regulations, or rules regarding compliance with any of the foregoing are provided by the participating payment brands.
Please note that the existence of the P2PE Standard does not constitute a recommendation from PCI SSC, nor does it obligate merchants, service providers, or financial institutions to purchase or deploy P2PE Solutions. As with all other PCI SSC standards, any mandates, regulations, or rules regarding compliance with any of the foregoing are provided by the participating payment brands.
Modified
p. 4
P2PE Application Assessment Assessment of a P2PE Application against applicable P2PE Requirements in order to validate compliance with the P2PE Standard as part of the P2PE Program.
P2PE Application Assessment Assessment of a P2PE Application against applicable requirements of the P2PE Standard in order to validate compliance with the P2PE Standard as part of the P2PE Assessor Program.
Modified
p. 4 → 5
P2PE Assessor Addendum The Addendum to Qualified Security Assessor (QSA) Agreement for P2PE Assessor Companies in the form attached as Appendix A to the P2PE Qualification Requirements.
P2PE Assessor Addendum The P2PE Assessor Addendum is the form attached as Appendix A to the P2PE Qualification Requirements.
Modified
p. 4 → 5
P2PE Assessor Company A company qualified by PCI SSC as either a QSA (P2PE) Company or a PA-QSA (P2PE) Company.
P2PE Assessor Company A Qualified Security Assessor (QSA) Company or Qualified PIN Assessor (QPA) Company that:
Removed
p. 5
P2PE Qualification Requirements The then-current version of (or successor document to) the Payment Card Industry (PCI) Qualification Requirements For Point-to-Point Encryption (P2PE) Qualified Security Assessors
• QSA (P2PE) and PA-QSA (P2PE), as from time to time amended and made available on the Website.
P2PE Report on Validation (P-ROV) A "P2PE Report on Validation" completed by a P2PE Assessor Company and (except with respect to Merchant Managed P2PE Solutions) submitted directly to PCI SSC for review and Acceptance (defined in the P2PE Program Guide).
For a P2PE Solution, P2PE Component, or P2PE Application to be included on the corresponding list of validated solutions, components, or applications on the Website, a corresponding P-ROV must be submitted directly to PCI SSC for review and Acceptance.
PA-QSA Addendum The Addendum to Qualified Security Assessor (QSA) Agreement for Payment Application QSAs in the form attached as Appendix A to the PA-QSA Qualification Requirements.
Modified
p. 5 → 6
P2PE Glossary The then-current version of (or successor document to) the PCI Point-to- Point Encryption Glossary of Terms, Abbreviations, and Acronyms, as from time to time amended and made available on the Website.
P2PE Glossary The then-current version of (or successor document to) the PCI Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms, as from time to time amended and made available on the Website.
Modified
p. 5 → 6
P2PE Solution A combination of secure devices, applications, and processes that encrypt cardholder data from a PCI SSC-approved point-of-interaction (POI) device through to decryption and is eligible for validation and Acceptance as part of the P2PE Program.
P2PE Solution A combination of secure devices, applications, and processes that encrypt cardholder data from a PCI SSC-approved point-of-interaction (POI) device through to decryption and is eligible for validation and Acceptance as part of the P2PE Assessor Program.
Removed
p. 6
PA-QSA Qualification Requirements The Payment Card Industry (PCI) Qualification Requirements for Payment Application Qualified Security Assessors (PA-QSA) (or successor document), as from time to time amended and made available on the Website.
PA-QSA (P2PE) Company A Payment Application-Qualified Security Assessor (PA-QSA) Company that:
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers, P2PE Component Providers, and/or P2PE Application Vendors in order to validate that such providers' or vendors' P2PE Solutions, P2PE Components, and/or P2PE Applications adhere to all aspects of the P2PE Standard, including but not limited to validation that payment applications, when incorporated into or used as part of a P2PE Solution, adhere to all applicable P2PE requirements; and (b) Remains in Good Standing (defined in Section 1.2 of the P2PE Qualification Requirements) or in remediation as a PA-QSA (P2PE) Company.
PA-QSA (P2PE) Employee An individual employed by a PA-QSA (P2PE) Company who has satisfied, and continues to …
Removed
p. 7
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers and/or P2PE Component Providers in order to validate that such providers' P2PE Solutions and/or P2PE Components adhere to all applicable aspects of the P2PE Standard, and (b) Remains in Good Standing (defined in Section 1.2 of the P2PE Qualification Requirements) or in remediation as a QSA (P2PE) Company.
QSA (P2PE) Company qualification, alone, does not qualify a company to conduct P2PE Application Assessments. P2PE Application Assessments may only be performed by PA-QSA (P2PE) Companies.
QSA (P2PE) Employee An individual employed by a QSA (P2PE) Company who has satisfied, and continues to satisfy, all QSA (P2PE) Requirements (defined in the P2PE Qualification Requirements) applicable to employees of QSA (P2PE) Companies who will conduct P2PE Application Assessments, as described in further detail herein.
QSA (P2PE) Requirements The requirements and obligations generally applicable to all QSA (P2PE) Companies as provided for in the …
Modified
p. 7
Secure Software Assessor An individual who is employed by an SSF Assessor Company and satisfies and continues to satisfy all SSF Requirements applicable to individuals who are qualified by PCI SSC to conduct Secure Software Assessments.
Secure Software Assessor An individual who is employed by an SSF Assessor Company and satisfies, and continues to satisfy, all SSF Requirements applicable to individuals who are qualified by PCI SSC to conduct Secure Software Assessments.
Modified
p. 7
Software Security Framework (SSF) The PCI Software Security Framework, as managed and operated by PCI SSC.
Software Security Framework (SSF) The PCI SSC Software Security Framework, more fully described in the SSF Qualification Requirements and related PCI SSC publications.
Removed
p. 8
Together, the QSA Requirements and QSA (P2PE) Requirements
• and for PA-QSA (P2PE) Companies, the PA-QSA (P2PE) Requirements and PA-QSA Requirements (as defined in the PA-QSA Qualification Requirements) or SSF Requirements applicable to Secure Software Assessors
• are intended to serve as a qualification baseline and provide a transparent process for P2PE Assessor Company and P2PE Assessor Employee qualification and re-qualification for P2PE Assessor Program purposes.
All P2PE Assessor Companies appear on the P2PE Assessor List. If a company is not so identified, its work product as a P2PE Assessor Company is not recognized by PCI SSC.
• QSA (P2PE) Company: In order to be and remain qualified as a QSA (P2PE) Company, and accordingly, in order to validate compliance of P2PE Solutions and P2PE Components with the P2PE Standard and otherwise participate as a QSA (P2PE) Company in the P2PE Assessor Program, the assessor company must:
(a) Be in Good Standing as a QSA …
Modified
p. 8 → 7
Each company (and employee thereof) wishing to participate in the P2PE Assessor Program must satisfy all applicable P2PE Assessor Requirements prior to applying to the Program.
Each company (and employee thereof) wishing to participate in the P2PE Assessor Program must satisfy all applicable P2PE Assessor Requirements and, if applicable, P2PE Application Assessor Requirements, prior to applying to the Program.
Modified
p. 8
A company satisfying all the above requirements is considered to be in "Good Standing" as a P2PE Assessor Company and, while it is in such Good Standing, may market itself as a P2PE Assessor Company.
Modified
p. 8
Note: A QSA (P2PE) Company that is in remediation as a QSA Company or QSA (P2PE) Company but otherwise satisfies all of the requirements specified in (a) through (e) above is permitted to perform P2PE Solution Assessments and P2PE Component Assessments and market itself as a QSA (P2PE) Company, subject to the terms of the applicable remediation program.
Note: A P2PE Application Assessor Company that is in remediation as a QSA Company, QPA Company, SSF Assessor Company, P2PE Assessor Company, or P2PE Application Assessor Company but otherwise satisfies all of the requirements specified in (a) through (c) above is permitted to perform P2PE Solution Assessments, P2PE Component Assessments, and P2PE Application Assessments and market itself as a P2PE Application Assessment Company, subject to the terms of the applicable remediation program.
Removed
p. 9
• PA-QSA (P2PE) Company: In order to be and remain qualified as a PA-QSA (P2PE) Company, and accordingly, in order to validate compliance of P2PE Applications with the P2PE Standard and otherwise participate as a PA-QSA (P2PE) Company in the P2PE Assessor Program, the assessor company must:
(a) Be in Good Standing as (i) a QSA Company, (ii) a QSA (P2PE) Company, and (iii) a SSF Assessor Company (or, solely for purposes of satisfying this clause (iii) through October 28, 2022, as a PA-QSA Company), (b) Comply with all requirements applicable to PA-QSA Companies or SSF Assessor Companies, as applicable, (including but not limited to payment of all applicable fees and satisfaction of all applicable staffing, training, and examination requirements), and (c) Not have had its PA-QSA (P2PE) Company qualification revoked, suspended or terminated.
Note: A PA-QSA (P2PE) Company that is in remediation as a QSA Company, PA-QSA Company, SSF Assessor Company, …
Removed
p. 9
Note: In addition to the requirements set forth in the P2PE Qualification Requirements, ALL P2PE Assessor Companies must satisfy all requirements of the QSA Qualification Requirements, and for PA-QSA (P2PE) Companies, all requirements of the PA-QSA or SSF Qualification Requirements.
Modified
p. 9 → 8
A PA-QSA (P2PE) Company satisfying all of the requirements specified in (a) through (c) above is considered to be in "Good Standing" as a PA-QSA (P2PE) Company and, while it is in such Good Standing, may market itself as a PA-QSA (P2PE) Company.
A company satisfying all of the requirements specified in (a) through (c) above is considered to be in "Good Standing" as a P2PE Application Assessor Company and, while it is in such Good Standing, may market itself as a P2PE Application Assessor Company.
Modified
p. 9
Section 3: P2PE Assessor Company and Employee Capability Requirements reviews the information and documentation necessary to demonstrate the QSA (P2PE) Company and/or PA-QSA (P2PE) Company's service expertise, as well as that of its employees.
Section 3: P2PE Assessor Company and Employee Capability Requirements reviews the information and documentation necessary to demonstrate the P2PE Assessor Company and/or P2PE Application Assessor Company's service expertise, as well as that of its employees.
Modified
p. 10 → 9
• PA-QSA Qualification Requirements
• SSF Qualification Requirements
Modified
p. 10
• Application and Appendix C: P2PE Assessor Employee
• Application,” and Appendix C, “P2PE Assessor Employee
Modified
p. 10
• Application. All application materials and the signed P2PE Assessor Addendum must be submitted in English. The P2PE Assessor Addendum is binding in English even if it was translated and reviewed in another language. All other documentation provided to PCI SSC by the applicant P2PE Assessor Company at any time in a language other than English must be accompanied by a certified English translation (examples include application materials, P-ROVs, and any other materials provided to PCI SSC).
• Application.” All application materials and the signed P2PE Assessor Addendum must be submitted in English. The P2PE Assessor Addendum is binding in English even if it was translated and reviewed in another language. All other documentation provided to PCI SSC by the applicant P2PE Assessor Company or P2PE Application Assessor Company at any time in a language other than English must be accompanied by a certified English translation (examples include application materials, P-ROVs, and any other materials provided to …
Modified
p. 13
Once qualified as a QSA Company, there are various other agreements that a QSA Company must execute and submit to PCI SSC, depending on the PCI SSC Programs in which the QSA Company wishes to participate.
Once qualified as a QSA Company or QPA Company, there are various other agreements that a QSA Company or QPA Company must execute and submit to PCI SSC, depending on the PCI SSC Programs in which the QSA Company or QPA Company wish to participate.
Modified
p. 13
In order to participate in the P2PE Assessor Program, PCI SSC requires that all related agreements between PCI SSC and the applicant P2PE Assessor Company (including the P2PE Assessor Addendum) be signed by a duly authorized officer of the applicant P2PE Assessor Company, and submitted in unmodified form to PCI SSC via the Portal (see Section 1.5.2) with the completed P2PE Assessor Company application package.
In order to participate in the P2PE Assessor Program, PCI SSC requires that all related agreements between PCI SSC and the applicant P2PE Assessor Company (including the P2PE Assessor Addendum) be signed by a duly authorized officer of the applicant P2PE Assessor Company and submitted in unmodified form to PCI SSC via the Portal (see Section 1.6.2) with the completed P2PE Assessor Company application package.
Removed
p. 14
• Each P2PE Assessor Company (or applicant) must have completed at least two PCI DSS Assessments as a QSA Company. Only PCI DSS Assessments performed by the applicant P2PE Assessor Company are eligible to meet this requirement.
• Cryptographic techniques including cryptographic algorithms, key management, and key
• Industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and NIST 140-2 Level 3
• Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA)
• Hardware Security Modules (HSMs) operations, policies, and procedures
• POI key-injection systems and techniques including key-loading devices (KLDs) and key-management methods, such as Master/Session or DUKPT
• Physical security techniques for high-security areas
• Relevant PTS Security Requirements (e.g., SRED, SCR, OP)
• POI integration software development, deployment, and updates
• PCI PTS authentication requirements for accessing account data or sensitive services
Modified
p. 14
• Each P2PE Assessor Company performing or managing any P2PE Assessment must be qualified by PCI SSC as, and in Good Standing (or in compliance with remediation) as, both a QSA Company and a QSA (P2PE) Company.
• Each P2PE Assessor Company performing or managing any P2PE Assessment must be qualified by PCI SSC as, and in Good Standing (or in compliance with remediation) as, both a QSA Company or QPA Company and a P2PE Assessor Company.
Modified
p. 14
• Each P2PE Assessor Company (or applicant) must fulfill all QSA Qualification Requirements, all QSA (P2PE) Company Requirements, and comply with all terms and provisions of the QSA Agreement, the P2PE Assessor Addendum, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the P2PE Assessor Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and …
• Each P2PE Assessor Company (or applicant) must fulfill all QSA Requirements or QPA Requirements, as applicable, all P2PE Assessor Requirements, and comply with all terms and provisions of the QSA Agreement or QPA Agreement, as applicable, the P2PE Assessor Addendum, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the P2PE Assessor Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection …
Modified
p. 14
• Each P2PE Assessor Company must have at least one year of experience with direct responsibility for implementing, operating, and/or assessing cryptographic systems and/or key management functions. For example, implementing and managing key management functions, or performing lab evaluations of cryptographic systems against NIST, ANSI, or ISO standards.
• Each P2PE Assessor Company must have at least one year of experience with direct responsibility for implementing, operating, and/or assessing cryptographic systems and/or key-management functions. For example, implementing and managing key-management functions, or performing lab evaluations of cryptographic systems against NIST, ANSI, or ISO standards.
Removed
p. 15
• PCI PTS quality and security management requirements related to POI software development
• POI software authenticity and integrity verification techniques and self-tests
• Attack methodologies through exploitation of logical vulnerabilities
• Application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes
All of the above skill sets must be present and fully utilized on every P2PE Assessment.
• a QSA (P2PE) Company
• a PA-QSA (P2PE) Company and (i) a SSF Assessor Company, or (ii) *for purposes of satisfying this requirement until October 28, 2022 only, a PA-QSA Company (as defined in the PA-QSA Qualification Requirements).
(i) all SSF Qualification Requirements, or (ii) *for purposes of satisfying this requirement until October 28, 2022 only, all PA-QSA Requirements (including the laboratory requirements attested to and set forth in Appendix B of the PA-QSA Qualification Requirements); and
• Comply with all of the terms and …
Modified
p. 15
Note: Only PA-QSA (P2PE) Companies may conduct P2PE Application Assessments.
Note: Only P2PE Application Assessor Companies may conduct P2PE Application Assessments.
Modified
p. 15
• Each PA-QSA (P2PE) Company (or applicant) must:
• Each P2PE Application Assessor Company (or applicant) must:
Modified
p. 15
• All of the terms and provisions of the SSF Qualification Requirements and the SSF Assessor Company Agreement (Appendix A to the SSF Qualification Requirements), and
Modified
p. 15
Possess demonstrated competence and knowledge in surrogate PAN-generation techniques such as format-preserving encryption and tokenization.
Removed
p. 16
• Cryptographic techniques including cryptographic algorithms, key management, and key
• Public key infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA)
• Hardware security modules (HSMs) operations, policies, and procedures
*Note: The PA-DSS Program will terminate as of October 28, 2022. As a result, satisfaction of requirements identified in Section 3.1.2 with an asterisk can be used to satisfy the requirements of this Section only until October 28, 2022. After October 28, 2022, satisfaction of the requirements identified above with an asterisk will no longer be sufficient for qualification as a PA-QSA (P2PE) Company.
• Knowledge of industry standards for cryptographic techniques and key management, including but not limited to ISO 11568 and 13491, ANSI X9.24 and X9.97, and NIST 140-2 Level 3
Modified
p. 16
In addition, each P2PE Assessor Employee performing or managing a P2PE Application Assessment must be qualified by PCI SSC as a PA-QSA Employee and a PA-QSA (P2PE) Employee. Only PA-QSA (P2PE) Employees qualified by PCI SSC are permitted to conduct P2PE Application Assessments.
In addition, each P2PE Assessor Employee performing or managing a P2PE Application Assessment must be qualified by PCI SSC as a P2PE Application Assessor Employee. Only P2PE Application Assessor Employees qualified by PCI SSC are permitted to conduct P2PE Application Assessments.
Modified
p. 16
• Performing the applicable P2PE Assessments
• Performing the applicable P2PE Assessments for which they are qualified by PCI SSC
Modified
p. 16
• Verifying that the P2PE Assessor Company's work product addresses all applicable P2PE requirements and testing procedures, and supports the compliance status of the applicable P2PE Solution, P2PE Component, or P2PE Application
• Verifying that the P2PE Assessor Company's work product addresses all applicable requirements and testing procedures of the P2PE Standard and all P2PE Assessor Requirements, and supports the compliance status of the applicable P2PE Solution, P2PE Component, or P2PE Application
Modified
p. 16
• Be a QSA Employee and comply with all applicable QSA Requirements, including fulfillment of all requirements for QSA Employees specified in the QSA Qualification Requirements
• Be a QSA Employee or QPA Employee and comply with all applicable QSA Requirements or QPA Requirements, as applicable, including fulfillment of all requirements for QSA Employees specified in the QSA Qualification Requirements or for QPA Employees specified in the QPA Qualification Requirements, as applicable.
Modified
p. 16
• Have completed at least two PCI DSS Assessments as a QSA Employee
• Have completed at least two PCI DSS Assessments as a QSA Employee, or at least two PCI PIN Assessments as a QPA Employee.
Removed
p. 17
• Physical security techniques for high-security areas
• Relevant PTS Security Requirements (e.g., SRED, SCR, OP)
• PCI PTS quality and security management requirements related to POI software development
• POI software authenticity and integrity verification techniques and self-tests
• Attack methodologies through exploitation of logical vulnerabilities
• POI integration software development, deployment and updates
• Modern, secure, embedded systems hardware and software architectures
• Application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes
Modified
p. 17
• PCI PTS authentication requirements for accessing account data or sensitive services
Possess experience with and substantial knowledge of at least three of the following:
• Possess experience with and substantial knowledge of at least three of the following:
Modified
p. 17
• Attend annual P2PE Assessor Employee training provided by PCI SSC, and legitimately pass, of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a P2PE Assessor Employee fails to pass any exam in connection with such training, the P2PE Assessor Employee must no longer perform or participate in P2PE Assessments until successfully passing all required exams on a future attempt.
of his or her own accord without any unauthorized assistance, all examinations conducted as part of training. If a P2PE Assessor Employee fails to pass any exam in connection with such training, the P2PE Assessor Employee must no longer perform or participate in P2PE Assessments until successfully passing all required exams on a future attempt.
Modified
p. 17
For new P2PE Assessor Employee candidates, there are two training courses and corresponding exams: P2PE Fundamentals and P2PE Assessor. Candidates must achieve a passing grade in the P2PE Fundamentals exam before attempting the P2PE Assessor exam.
Modified
p. 17
For new P2PE Application Assessor Employee candidates, there is an additional required training course and corresponding exam.
Modified
p. 17
• Be employees of the P2PE Assessor Company (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker
In addition:
• Be employees of the P2PE Assessor Company (meaning this work cannot be subcontracted to non-employees) unless PCI SSC has given prior written consent for each subcontracted worker.
Modified
p. 17
• If a P2PE Assessor Company is actively in process with a P2PE Assessment and loses its QSA (P2PE) Company or PA-QSA (P2PE) Company qualification or foundational QSA Company, PA-QSA Company or SSF Assessor Company qualification, it may be required to obtain the services of another QSA (P2PE) Company, PA-QSA (P2PE) Company or SSF Assessor Company (as applicable) to complete the P2PE Assessments and applicable PCI SSC review processes.
• If a P2PE Assessor Company is actively in process with a P2PE Assessment and loses its P2PE Assessor Company or P2PE Application Assessor Company qualification or foundational QSA Company, QPA Company or SSF Assessor Company qualification, it may be required to obtain the services of another P2PE Assessor Company, P2PE Application Assessor Company (as applicable) to complete the P2PE Assessments and applicable PCI SSC review processes.
Modified
p. 17 → 18
• Each PA-QSA(P2PE) Employee must be qualified by PCI SSC as, and in Good Standing (or in compliance with remediation) as:
• Each P2PE Application Assessor Employee must be qualified by PCI SSC as, and in Good Standing (or in compliance with remediation) as:
Removed
p. 18
• Have completed at least the following:
• a QSA (P2PE) Employee. and (i) a Secure Software Assessor, or (ii) *for purposes of satisfying this requirement until October 28, 2022 only, a PA-QSA Employee (as defined in the PA-QSA Qualification Requirements).
(i) two Secure Software Assessments as a Secure Software Assessor, or (ii) either (a) two PA-DSS Assessments as a PA-QSA Employee, or (b) one PA-DSS Assessment as a PA-QSA Employee and one Secure Software Assessment performed as a Secure Software Assessor.
• Each PA-QSA (P2PE) Employee (or applicant) must:
(i) all SSF Qualification Requirements, or (ii) *for purposes of satisfying this requirement until October 28, 2022 only, all PA-QSA Requirements
Modified
p. 18
• Modern, secure, embedded systems hardware and software architectures
• PCI PTS quality and security management requirements related to POI software development
• POI software authenticity and integrity verification techniques and self-tests
• Surrogate PAN-generation techniques, such as format-preserving encryption and tokenization
• Attack methodology through exploitation of logical vulnerabilities
• Application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes
Modified
p. 19
• The P2PE Assessor Company must have implemented a quality assurance program that covers and includes P2PE Assessment reviews, and must have documented such program in the company's quality assurance program manual (further described in the QSA Qualification Requirements), in each case, in a manner equivalent to the corresponding quality assurance requirements specified in the QSA Qualification Requirements.
• The P2PE Assessor Company must have implemented a quality assurance program that covers and includes P2PE Assessment reviews, and must have documented such program in the company's quality assurance program manual (further described in the QSA Qualification Requirements or QPA Qualification Requirements, as applicable), in each case, in a manner equivalent to the corresponding quality assurance requirements specified in the QSA Qualification Requirements or QPA Qualification Requirements, as applicable.
Modified
p. 20
• PCI SSC has issued a corresponding P2PE Attestation of Validation for such P2PE Assessment signed by PCI SSC, to the P2PE Assessor Company, the corresponding P2PE Solution Provider, P2PE Component Provider, or P2PE Application Vendor (as applicable); and
• PCI SSC has issued a corresponding P2PE Attestation of Validation for such P2PE Assessment signed by PCI SSC to the P2PE Assessor Company or P2PE Application Assessor Company, the corresponding P2PE Solution Provider, P2PE Component Provider, or P2PE Application Vendor (as applicable); and
Modified
p. 20
• PCI SSC has included the P2PE Solution, P2PE Component, or P2PE Application (as applicable) on the applicable published list of validated P2PE Solutions, P2PE Components, or P2PE Applications.
• PCI SSC has included the P2PE Solution, P2PE Component, or P2PE Application (as applicable) on the applicable published list of validated P2PE Products.
Modified
p. 21
Only those P2PE Assessor Companies and P2PE Assessor Employees identified on the P2PE Assessor List or in such search tool (as applicable) are authorized by PCI SSC to perform P2PE Solution Assessments and P2PE Component Assessments, and only those identified as PA-QSA (P2PE) Companies or PA-QSA (P2PE) Employees on the P2PE Assessor List or in such search tool (as applicable) are additionally authorized by PCI SSC to perform P2PE Application Assessments.
Only those P2PE Assessor Companies and P2PE Assessor Employees identified on the P2PE Assessor List or in such search tool (as applicable) are authorized by PCI SSC to perform P2PE Solution Assessments and P2PE Component Assessments. Additionally, only those identified as P2PE Application Assessor Companies or P2PE Application Assessor Employees on the P2PE Assessor List or in such search tool (as applicable) are authorized by PCI SSC to perform P2PE Application Assessments.
Modified
p. 21
Companies that fail to meet application requirements will be notified, and will have 30 days to appeal PCI SSC's decision. All appeals must be addressed to the P2PE Program Manager at p2pe@pcisecuritystandards.org.
Companies that fail to meet application requirements will be notified and will have 30 days to appeal PCI SSC's decision. All appeals must be addressed to the P2PE Program Manager at p2pe@pcisecuritystandards.org.
Modified
p. 21
All annual re-qualification fees (specified on the Website, PCI SSC Programs Fee Schedule) must be paid to PCI SSC during the re-qualification process, for both the P2PE Assessor Company and P2PE Assessor Employees.
All annual re-qualification fees (specified on the Website, PCI SSC Programs Fee Schedule) must be paid to PCI SSC during the re-qualification process for both companies and employees.
Modified
p. 23
In consideration of the mutual covenants herein set forth, the adequacy and sufficiency of which is acknowledged, QSA and PCI SSC agree as follows.
In consideration of the mutual covenants herein set forth, the adequacy and sufficiency of which is acknowledged, Company and PCI SSC agree as follows.
Modified
p. 23
SSF Assessor Company Agreement Date (if applicable):
Removed
p. 24
(iv) "Program Requirements" means all requirements and obligations of QSA pursuant to this Addendum, each other agreement entered into between QSA and PCI SSC, and any and all other applicable policies, procedures, requirements, standards, or obligations imposed, mandated, provided for, or otherwise established by PCI SSC from time to time in connection with any PCI SSC program in which QSA is a participant, including but not limited to all QSA Requirements, all QSA (P2PE) Requirements, all PA-QSA (P2PE) Requirements (if QSA has been qualified as a PA-QSA (P2PE)), and all policies, procedures, requirements, standards, or obligations of applicable PCI SSC training programs, quality assurance programs, remediation programs, program guides, and other related PCI Materials, including without limitation those relating to probation, fines, penalties, oversight, remediation, suspension, and/or revocation.
Modified
p. 24
i. "P2PE Customer" means a P2PE Solution Provider, P2PE Component Provider, or P2PE Application Vendor for which Company provides P2PE Services.
Modified
p. 24
ii. "P2PE Product" means a P2PE Solution, P2PE Component, or P2PE Application with respect to which Company performs a P2PE Assessment.
Modified
p. 24
iii. "P2PE Services" means P2PE Assessments and any and all other services provided by Company to its customers or PCI SSC in connection with this Addendum, the P2PE Qualification Requirements, or participation in the P2PE Assessor Program, other than TSP Services (as defined in and subject to the provisions of Schedule 1 hereto).
Modified
p. 24
(d) The following terms appearing in the Agreement are hereby amended as follows:
(d) The following terms appearing in the Company QSA Agreement are hereby amended as follows:
Modified
p. 24
i. "QSA Requirements" shall include (without limitation) the Program Requirements.
Modified
p. 24
ii. "Report of Compliance," "ROC," and "Attestation of Compliance" shall, where applicable, include (without limitation) the terms "P2PE Report of Validation," "P-ROV," and "P2PE Attestation of Validation," respectively, as those terms are used in the P2PE Qualification Requirements.
Modified
p. 24
iii. "Services" shall include (without limitation) the P2PE Services.
Modified
p. 24
iv. "QSA Company clients" shall include (without limitation) P2PE Customers.
Removed
p. 25
(b) QSA agrees to monitor the Website at least weekly for changes to the Program Requirements and
Modified
p. 25
PCI SSC Standards that are relevant to each PCI SSC Assessment and PCI SSC Program in which QSA participates. QSA will incorporate all such changes into all such PCI SSC Assessments initiated on or after the effective date of such changes. QSA acknowledges that any P-ROV or other report regarding any PCI SSC Assessment that is not conducted in accordance with the relevant Program Requirements and PCI SSC Standards as in effect at the initiation date of such PCI SSC …
(b) Company agrees to monitor the Website at least weekly for changes to the Program Requirements and PCI SSC Standards that are relevant to each PCI SSC Assessment and PCI SSC Program in which Company participates. Company will incorporate all such changes into all such PCI SSC Assessments initiated on or after the effective date of such changes. Company acknowledges that any P-ROV or other report regarding any PCI SSC Assessment that is not conducted in accordance with the relevant …
Modified
p. 25
(c) QSA will include along with each P-ROV submitted to PCI SSC a P2PE Attestation of Validation in the form available through the Website signed by a duly authorized officer of QSA, in which QSA certifies without qualification that (i) in performing the applicable P2PE Assessment, QSA followed the P2PE Standard and P2PE Qualification Requirements without deviation and (b) application of such requirements and procedures did not indicate any conditions of non-compliance with the P2PE Standard other than those expressly …
(c) Company will include along with each P-ROV submitted to PCI SSC a P2PE Attestation of Validation in the form available through the Website signed by a duly authorized officer of Company, in which Company certifies without qualification that (i) in performing the applicable P2PE Assessment, Company followed the P2PE Standard and P2PE Qualification Requirements without deviation and (b) application of such requirements and procedures did not indicate any conditions of non-compliance with the P2PE Standard other than those expressly …
Modified
p. 27
(b) “TSP” means “Token Service Provider”, as further described in the TSP Requirements. A TSP is deemed to be a QSA Company client for purposes of the Agreement and a client and customer of QSA for purposes of the QSA Qualification Requirements and P2PE Qualification Requirements.
(b) “TSP” means “Token Service Provider”, as further described in the TSP Requirements. A TSP is deemed to be a QSA Company client for purposes of the Agreement and a client and customer of Company for purposes of the QSA Qualification Requirements and P2PE Qualification Requirements.
Modified
p. 27
(d) “TSP Requirements” means the then-current version of (or successor document to) the Payment Card Industry (PCI) Token Service Providers Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens), as from time to time amended and made available on the Website. The TSP Requirements are deemed to be a PCI SSC Standard for purposes of the Agreement and QSA Qualification Requirements, and part of the Program Requirements for purposes of the Addendum and P2PE Qualification Requirements.
(d) “TSP Requirements” means the then-current version of (or successor document to) the Payment Card Industry (PCI) Token Service Providers Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens), as from time to time amended and made available on the Website. The TSP Requirements are deemed to be a PCI SSC Standard for purposes of the Agreement and the QSA Qualification Requirements, and part of the Program Requirements for purposes of the Addendum and P2PE …
Modified
p. 27
(e) “TSP Services” means TSP Assessments and any and all other services provided by Company to its clients or customers or PCI SSC in connection with TSP Assessments, this Schedule 1 or the TSP Requirements. The TSP Services are deemed to be part of the Services for purposes of the Agreement.
Modified
p. 27
2. TSP Services. Subject to the terms and conditions of this Schedule 1, the Addendum, and the Agreement, and to QSA’s compliance with all applicable Program Requirements relating to the performance of TSP Assessments:
2. TSP Services. Subject to the terms and conditions of this Schedule 1, the Addendum, and the Agreement, and to Company’s compliance with all applicable Program Requirements relating to the performance of TSP Assessments:
Modified
p. 27
(a) QSA is hereby authorized to conduct TSP Assessments for TSPs solely in order to validate the compliance of the TDE(s) of such TSPs with the TSP Requirements.
(a) Company is hereby authorized to conduct TSP Assessments for TSPs solely in order to validate the compliance of the TDE(s) of such TSPs with the TSP Requirements.
Modified
p. 27
(b) QSA shall perform each TSP Assessment in accordance with the TSP Requirements and applicable Program Requirements, including but not limited to (i) documenting each TSP Assessment in a report using (and in accordance with the instructions for) the corresponding TSP Report on Compliance template available on the Website (each a “TSP Report”) and (ii) preparing each such TSP Report in accordance with applicable Program Requirements and based on evidence obtained by following the TSP Requirements.
(b) Company shall perform each TSP Assessment in accordance with the TSP Requirements and applicable Program Requirements, including but not limited to (i) documenting each TSP Assessment in a report using (and in accordance with the instructions for) the corresponding TSP Report on Compliance template available on the Website (each a “TSP Report”) and (ii) preparing each such TSP Report in accordance with applicable Program Requirements and based on evidence obtained by following the TSP Requirements.
Modified
p. 27
(c) Under no circumstances shall QSA (i) recognize, state, or imply (or permit any of its TSP clients or customers to recognize, state, or imply) that a given TDE is or has been validated under the TSP Requirements when such statement is incorrect or may be misleading or (ii) for purposes of any PCI SSC Program, conduct any TSP Assessment of any TDE of any entity that QSA controls, is controlled by, is under common control with, or in which …
(c) Under no circumstances shall Company (i) recognize, state, or imply (or permit any of its TSP clients or customers to recognize, state, or imply) that a given TDE is or has been validated under the TSP Requirements when such statement is incorrect or may be misleading or (ii) for
Modified
p. 28
3. QSA and PCI SSC each acknowledge and agree that, as of the Schedule Effective Date, PCI SSC does not intend to perform quality assurance reviews of TSP Assessments, “Accept” or require the submission of corresponding TSP Reports to PCI SSC, or “list” or otherwise designate TDEs that have been validated against the TSP Requirements on the Website. Accordingly, as of the Schedule Effective Date, the corresponding provisions of the Addendum, Agreement, QSA Qualification Requirements, P2PE Qualification Requirements, and P2PE …
3. Company and PCI SSC each acknowledge and agree that, as of the Schedule Effective Date, PCI SSC does not intend to perform quality assurance reviews of TSP Assessments, “Accept” or require the submission of corresponding TSP Reports to PCI SSC, or “list” or otherwise designate TDEs that have been validated against the TSP Requirements on the Website. Accordingly, as of the Schedule Effective Date, the corresponding provisions of the Addendum, Agreement, QSA Qualification Requirements, P2PE Qualification Requirements, and P2PE …
Removed
p. 29
In addition to all QSA requirements specified in the QSA Qualification Requirements, each P2PE Assessor Company must meet all P2PE Assessor Requirements applicable to QSA (P2PE) Companies, including but not limited to the requirements set forth in this application. Each applicant P2PE Assessor Company must complete the following:
Modified
p. 29
Primary Contact Name: Job Title:
Primary Contact Name:
Modified
p. 29
Secondary Contact Name: Job Title:
Secondary Contact Name:
Modified
p. 29
The Company acknowledges and agrees that in order to participate as a P2PE Assessor Company in the P2PE Assessor Program, it must satisfy all of the requirements specified in the P2PE Qualification Requirements and supporting documents.
The Company acknowledges and agrees that in order to participate as a P2PE Assessor Company in the P2PE Assessor Program, it must satisfy all applicable P2PE Assessor Requirements, including without limitation, the requirements specified in this application, the P2PE Qualification Requirements and supporting documents, all QSA Requirements or QPA Requirements, as applicable, and if the Company intends to perform P2PE Application Assessments, all applicable P2PE Application Assessor Requirements.
Modified
p. 29 → 30
Note: These sections are intended to draw out specific experience about the company. The company must provide examples (including the timeframe) of how its work experience meets the P2PE Assessor Program requirements. 3.1.1.A Provide a description of clients and dates for two previous PCI DSS Assessments performed by the Company in its capacity as a QSA Company. Note: Only PCI DSS Assessments performed by the applicant P2PE Assessor Company are eligible to meet this requirement; PCI DSS Assessments performed by …
Note: These sections are intended to draw out specific experience about the Company. The Company must provide examples (including the timeframe) of how its work experience meets the P2PE Assessor Program requirements.
Modified
p. 29 → 30
Describe the Company's knowledge and expertise of cryptographic techniques and the Company's role (e.g., implementation, developer, management, etc.). For example, the types of cryptography, such as hashing, symmetric, asymmetric; the algorithms, such as Diffie-Hellman, elliptic curve, DES, Blowfish, MD5; key-management implementations or assessments including descriptions of how keys are stored, access privileges, expected incident response when/if keys were compromised; and lifecycle management (rotation, destruction, revocation).
Modified
p. 30
Total time: Years Months Knowledge of Public Key Infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA): Describe the Company's expertise with digital certificates. For example, obtaining, generating, and deploying digital certificates, methods to protect or store digital certificates, certificate revocation, etc.
Total time: Years Months Knowledge of Public Key Infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA):
Modified
p. 30
Total time: Years Months Knowledge of Hardware Security Modules (HSMs) operations, policies, and procedures: Describe the Company's expertise with HSMs. For example, HSM configuration, deployment, use, and developing related policies/procedures.
Total time: Years Months Knowledge of Hardware Security Modules (HSMs) operations, policies, and procedures:
Modified
p. 30 → 31
Describe the Company's expertise with key injection. For example, types of keys loaded, KLDs, key-management methods, etc.
Modified
p. 30 → 31
Describe the Company's expertise with physically securing systems and rooms such as badge systems, entry logs, man-traps, physical keys, etc.
Modified
p. 30 → 31
Describe the Company's expertise with SRED, SCR, and/or OP including the type(s) of devices configured to or tested against the Standard.
Modified
p. 30 → 31
Total time: Years Months POI integration software development, deployment, and updates: Describe any software and related functionality that the Company has experience developing. For example, language(s) used, software deployment, POI integration, platforms, databases, and operating systems with which the Company has expertise, etc.
Total time: Years Months POI integration software development, deployment, and updates:
Modified
p. 30 → 31
PCI PTS authentication requirements for accessing account data or sensitive services: Describe the Company's knowledge or expertise with verifying PTS device authentication. For example, data or services with which the Company has knowledge or expertise testing to ensure that PTS authentication requirements were met.
PCI PTS authentication requirements for accessing account data or sensitive services:
Removed
p. 31
Total time: Years Months Knowledge of POI software authenticity and integrity verification techniques and self-tests: Describe the Company's knowledge or expertise with tools and techniques to validate the authenticity of POI software. For example, how POI software integrity is verified and how self-testing of a device is observed.
PCI SSC as, and in Good Standing or in compliance with remediation as, both a QSA Company and a QSA (P2PE) Company.
Modified
p. 31
Total time: Years Months Knowledge of PCI PTS quality and security management requirements related to POI software development: Describe the Company's knowledge or expertise with POI software development quality assurance measures. For example, managing security during POI software development.
Total time: Years Months Knowledge of PCI PTS quality and security management requirements related to POI software development:
Modified
p. 31 → 32
Total time: Years Months Knowledge of attack methodologies through exploitation of logical vulnerabilities: Describe the Company's expertise with various attack methods and vulnerability exploitation.
Total time: Years Months Knowledge of attack methodologies through exploitation of logical vulnerabilities:
Modified
p. 31 → 32
Total time: Years Months Knowledge of application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes: Describe the Company's expertise exploiting vulnerabilities. For example, methods employed to exploit vulnerabilities, penetration tests performed at the application layer and use of arbitrary code during testing.
Total time: Years Months Knowledge of application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes:
Modified
p. 31 → 32
Total time: Years Months 3.1.1.C Company acknowledgements The Company acknowledges and agrees that all of the above skill sets will be present and fully utilized on every P2PE Assessment.
Total time: Years Months 3.1.1.c Company acknowledgements The Company acknowledges and agrees that all of the above skill sets will be present and fully utilized on every P2PE Assessment.
Modified
p. 31 → 32
The Company acknowledges and agrees that in order to perform or manage any P2PE Assessment it must be qualified by
The Company acknowledges and agrees that in order to perform or manage any P2PE Assessment it must be qualified by PCI SSC as, and in Good Standing or in compliance with remediation as, both a QSA Company or QPA company, as applicable and a P2PE Assessor Company.
Modified
p. 31 → 32
The Company acknowledges and agrees that it must fulfill all QSA Qualification Requirements, all QSA (P2PE) Company Requirements, and comply with all terms and provisions of the QSA Agreement, the P2PE Assessor Addendum, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the P2PE Assessor Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements in connection with PCI SSC's quality assurance initiatives, remediation, and …
The Company acknowledges and agrees that it must fulfill all QSA Qualification Requirements or QPA Qualification Requirements, as applicable, all P2PE Assessor Requirements, and comply with all terms and provisions of the QSA Agreement or QPA Agreement, as applicable, the P2PE Assessor Addendum, any other agreements executed with PCI SSC, and all other applicable policies and requirements of the P2PE Assessor Program, as mandated or imposed by PCI SSC from time to time, including but not limited to all requirements …
Removed
p. 32
• A requirement that all P2PE Assessor Employees must adhere to the P2PE Standard and all applicable P2PE Assessor Requirements
P2PE Assessor Addendum signed: Yes No 3.1.2 Additional Deliverables for PA-QSA (P2PE) Companies 3.1.2.A Description of clients and dates for two previous PCI PA-DSS Assessments or Secure Software Assessments (or one of each) performed by the Company in its capacity as a PA-QSA Company or SSF Assessor Company. Note: Assessments performed by a current Assessor Employee for another Assessor Company will not be considered toward this requirement.
Removed
p. 32
3.1.2.B Description of the Company's relevant areas of specialization in understanding:
Modified
p. 32 → 33
• Evidence-retention policy and procedures including physical, electronic, and procedural safeguards consistent with industry-accepted standards for the retention of sensitive and confidential information obtained during the course of P2PE Assessments (consistent with Sections 4.4 and 4.5 of QSA Qualification Requirements) Where a P2PE Assessment is undertaken for the purposes of listing a P2PE Product on the Website, the Company acknowledges and agrees (by signing the P2PE Assessor Addendum) that it will not (and will ensure that its P2PE Assessor Employees …
• A requirement that all P2PE Assessor Employees must adhere to the P2PE Standard and all applicable P2PE Requirements
• Evidence-retention policy and procedures including physical, electronic, and procedural safeguards consistent with industry-accepted standards for the retention of sensitive and confidential information obtained during the course of P2PE Assessments (consistent with Sections 4.4 and 4.5 of the QSA Qualification Requirements or the QPA Qualification Requirements, as applicable) Where a P2PE Assessment is undertaken for the purpose of listing a P2PE Product …
Modified
p. 32 → 34
Total time: Years Months 3.1.2.C Attestation that all of the above skill sets will be present and fully utilized on every P2PE Application Assessment:
Total time: Years Months 3.1.2.b Attestation that all of the above skill sets will be present and fully utilized on every P2PE Application Assessment:
Modified
p. 32 → 34
3.1.2.c Two client references from relevant security engagements within the last 12 months:
Removed
p. 34
Employee ("Candidate") Name: Job Title:
Modified
p. 34 → 35
In addition to all requirements applicable to QSA Employees pursuant to the QSA Qualification Requirements, each P2PE Assessor Employee must meet all requirements applicable to QSA (P2PE) Employees pursuant to the P2PE Qualification Requirements, including but not limited to the requirements set forth in this application. Each applicant P2PE Assessor Employee must complete the following:
In addition to satisfying all requirements applicable to QSA Employees or QPA Employees pursuant to the QSA Qualification Requirements or QPA Qualification Requirements, as applicable, the undersigned Candidate acknowledges and agrees that each P2PE Assessor Employee must meet all requirements applicable to P2PE Assessor Employees pursuant to the P2PE Qualification Requirements, including but not limited to the requirements set forth in this application, and in the case of a P2PE Application Assessor Employee, all requirements applicable to P2PE Application Assessor …
Modified
p. 34 → 35
• include dates for each:
3.2.1.a Provide a description of clients and duties performed for two previous PCI DSS Assessments or PIN Assessments performed by the Candidate
• include dates for each:
• include dates for each:
Modified
p. 34 → 36
Describe the types of cryptography the Candidate has used, such as hashing, symmetric, asymmetric, and algorithms used such as Diffie-Hellman, elliptic curve, DES, Blowfish, MD5.
Modified
p. 34 → 36
Describe the Candidate's knowledge of implementing key management, for example, key storage, access control, incident response in the event of compromise, and lifecycle management (rotation, destruction, revocation).
Modified
p. 34 → 36
From (date): To (date): Total time: Years Months 3.2.1.C Provide examples of work or a description of the Candidate's knowledge and experience with cryptography and key management with a minimum of one year (total) in at least four of the following disciplines:
From (date): To (date): Total time: Years Months 3.2.1.c Provide examples of work or a description of the Candidate's knowledge and experience with cryptography and key management with a minimum of one year (total) in at least four of the following disciplines:
Modified
p. 35 → 36
Total time: Years Months Knowledge of Public Key Infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA): Describe the Candidate's experience with digital certificates. For example, obtaining, generating, and deploying digital certificates, methods to protect or store digital certificates, certificate revocation, etc.
Total time: Years Months Knowledge of Public Key Infrastructure (PKI) and the role and operations of a Certification Authority (CA) and Registration Authority (RA):
Modified
p. 35 → 36
Total time: Years Months Knowledge of Hardware Security Modules (HSMs) operations, policies, and procedures: Describe the Candidate's experience with HSMs. For example, HSM configuration, deployment, use, and developing related policies and procedures.
Total time: Years Months Knowledge of Hardware Security Modules (HSMs) operations, policies, and procedures:
Modified
p. 35 → 37
Describe the Candidate's experience with key injection. For example, types of keys loaded, KLDs, key management methods, etc.
Modified
p. 35 → 37
Describe the Candidate's experience with physically securing systems and rooms. For example, badge systems, entry logs, man-traps, physical keys, etc.
Modified
p. 35 → 37
Describe the Candidate's experience with SRED, SCR, and/or OP including the type(s) of devices configured to or tested against the Standard.
Modified
p. 35 → 37
PCI PTS authentication requirements for accessing account data or sensitive services: Describe the Candidate's experience with verifying PTS device authentication. For example, data or services with which the Candidate has knowledge and experience testing to ensure that PTS authentication requirements were met.
PCI PTS authentication requirements for accessing account data or sensitive services:
Removed
p. 36
Total time: Years Months Knowledge of POI software authenticity and integrity verification techniques and self-tests: Describe the Candidate's knowledge and experience with tools and techniques to validate the authenticity of POI software. For example, how POI software integrity is verified and how self-testing of a device is observed.
Removed
p. 36
Description of work/specific duties performed:
Description of work/specific duties performed:
Description of work/specific duties performed:
Modified
p. 36 → 37
Knowledge of modern, secure embedded systems hardware and software architectures: Describe the Candidate's knowledge and experience with secure embedded systems architectures. For example, operating systems configured, functionality of software written or installed, hardware implemented, etc.
Knowledge of modern, secure embedded systems hardware and software architectures:
Modified
p. 36 → 37
Total time: Years Months Knowledge of PCI PTS quality and security management requirements related to POI software development: Describe the Candidate's knowledge and experience with POI software development quality assurance measures. For example, managing security during POI software development.
Total time: Years Months Knowledge of PCI PTS quality and security management requirements related to POI software development:
Modified
p. 36 → 38
Total time: Years Months Knowledge of attack methodologies through exploitation of logical vulnerabilities: Describe the Candidate's knowledge and experience with various attack methods and vulnerability exploitation.
Total time: Years Months Knowledge of attack methodologies through exploitation of logical vulnerabilities:
Modified
p. 36 → 38
Total time: Years Months Knowledge of application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes: Describe the Candidate's knowledge and experience with application-layer penetration testing. For example, tools and methods employed to exploit vulnerabilities and use of arbitrary code during testing.
Total time: Years Months Knowledge of application penetration testing methodologies, to include use of forensic tools/methods, ability to exploit vulnerabilities, and ability to execute arbitrary code to test processes:
Modified
p. 36 → 38
Total time: Years Months 3.2.1.D A current copy of the Candidate's resume or Curriculum Vitae Paste text into the field provided below or transmit the file separately from this form.
Total time: Years Months 3.2.1.d A current copy of the Candidate's resume or Curriculum Vitae Paste text into the field provided below or transmit the file separately from this form.
Modified
p. 36 → 38
Describe any knowledge or experience the Candidate has with surrogate PANs generation techniques, including the Candidate's role and specifics about the techniques implemented or reviewed.
Removed
p. 37
PA-QSA (P2PE) Company
Modified
p. 37 → 39
Domain     QSA (P2PE)   PA-QSA (P2PE)
Domain 1   Yes          Yes
Domain 2   No           Yes
Domain 3   Yes          Yes
Domain 4   Yes          Yes
Domain 5   Yes          Yes

Domain     P2PE Assessor Company   P2PE Application Assessor Company
Domain 1   Yes                     Yes
Domain 2   No                      Yes
Domain 3   Yes                     Yes
Domain 4   Yes                     Yes
Domain 5   Yes                     Yes