Document Comparison

PCI-P2PE-MMS-ROV-Template_v3_1.pdf PCI-P2PE-MMS-ROV-Template-v3.2.pdf
88% similar
61 → 65 Pages
16943 → 17857 Words
158 Content Changes

From Revision History

  • July 2025 3.2 1.0 This template includes the following updates:

Content Changes

158 content changes. 70 administrative changes (dates, page numbers) hidden.

Added p. 2
- Updates from the PCI P2PE Standard v3.2 - Updates based on stakeholder feedback - Errata updates to section 4
Added p. 9
• Brief description/short answer

• Provide sufficient detail and information to demonstrate a finding of “in place” or “not applicable”

• Don’t include forward-looking statements or project plans in responses

P2PE Assessor Company and Lead Assessor Contact Information Company name: Assessor company credentials: P2PE Assessor P2PE Application Assessor Assessor name: Assessor credentials: P2PE Assessor P2PE Application Assessor Assessor phone number: Assessor e-mail address:

Internal P2PE Assessor Company QA Review Affirm that internal QA was fully performed on the entire P2PE submission.

QA Primary reviewer phone number:

QA Primary reviewer e-mail address:

• Disclose all services offered to the assessed entity by the P2PE Assessor / P2PE Assessor company, including but not limited to whether the assessed entity uses any security-related devices or security-related applications that have been developed or manufactured by the P2PE Assessor company, or to which the P2PE Assessor company owns the rights or that the P2PE Assessor company has configured or manages:
Added p. 22
Note 2: P2PE Applications must be considered Validated. Refer to the P2PE Program Guide for additional details. https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_applications Insert additional rows as needed.

Note 4: The use of wildcards MUST be consistent with the POI device approval listing. https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices
Added p. 30
The entity is expected to retain documentation to show how P2PE scope was determined. The documentation is retained for assessor review and for reference during the entity’s next P2PE scope confirmation activity. For each P2PE assessment, the assessor validates that the scope of the assessment is accurately defined and documented. Describe how the accuracy of the scope for the entire P2PE Merchant-Managed Solution assessment was validated, including:

• Location of critical components within the P2PE decryption environment, such as HSMs and other SCDs, cryptographic key stores, etc., as applicable

• Location of systems performing key-management functions

• Connections into and out of the decryption environment

• Connectivity between the requisite functions of the MMS

• Flows and locations of encrypted account data

• Flows and locations of cleartext account data

• All flows and locations of truncated account data

• Location of critical system components (e.g., HSMs)
Added p. 38
3D Management of P2PE Applications
Added p. 40
All N/A responses require reporting on testing performed (including interviews conducted and documentation reviewed) and must explain how it was determined that the requirement does not apply within the scope of the assessment for the P2PE Product. Note: ‘Not Applicable’ cannot be used by entities that provide only partial aspects of a defined Component Provider service to validate to that Component Provider type. Refer to the “P2PE Applicability of Requirements” in the P2PE Program Guide.

Every requirement denoted as ‘N/A’ in the reporting section below must be documented in this table and vice versa.

List requirements in the order as they appear in the reporting section below. Insert additional rows if needed.

The Assessor may use the reference number throughout the reporting section, rather than providing a narrative for each N/A requirement.

Reference # (optional use) Requirement Document how and why it was determined that the requirement is Not Applicable to the P2PE Product …
Added p. 51
Note: It is imperative that the PIM accurately contains all required information. This is critical for the PTS POI devices and instructions on how to access the PTS POI device HW/FW/Application version information such that it can be verified in the merchant environment against the Validated P2PE Solution details. The PIM must accurately reflect the information required for the merchant, which may warrant separate PIMs for differing merchant environments if the PTS POI devices, instructions, and/or required information differ between merchants.
Added p. 53
• Applicable merchant instructions 3C-1.2.a Examine documented procedures to verify they include:

Documented procedures examined: <Report Findings Here>
Added p. 54
<Report Findings Here> 3D-1.1 All software on PTS POI devices with access to cleartext account data must be validated according to Domain 2 as a P2PE Application.
Added p. 55
• Version number(s) Identify the P2PE Assessor who confirms that the applications match the P2PE Application listing application name and version number(s):

<Report Findings Here> 3D-1.1.b For applications/software intended for use in the solution that are not on the PCI SSC list of Validated P2PE Applications, the application/software must be assessed to P2PE Domain 2. Note: The validated P2PE Application can be submitted independently to be listed as a Validated P2PE Application, or it can be submitted with the P2PE Solution to be listed as part of, and for use only in, the P2PE Solution as a Solution-specific P2PE Application. Refer to the P2PE Program Guide for details.

Identify the P2PE Assessor who confirms that any such application/software has been assessed to P2PE Domain 2:

<Report Findings Here> 3D-1.2 P2PE Applications must only be deployed on eligible PTS POI device types that are:

• Confirmed per 1A-1.1 as a PTS approved device and associated …
Added p. 56
• Confirmed per 1A-1.1 as a PTS-approved device(s) and associated with the P2PE Solution, either by satisfying the applicable requirements as part of this P2PE Solution assessment, or the requirements already being satisfied as part of a Validated P2PE Component being used by the P2PE Solution

• Confirmed per 1A-1.1 as a PTS-approved device(s) and associated with the P2PE Solution, either by satisfying the applicable requirements as part of this P2PE Solution assessment, or the requirements already being satisfied as part of a Validated P2PE Component being used by the P2PE Solution

• Explicitly included in the Validated P2PE Application’s listing Note: If the P2PE Application is not separately Validated and Listed, and is intended to be, it must be done prior to submitting the P2PE Solution. Refer to the PCI P2PE Program Guide for details.

Identify the P2PE Assessor who confirms this requirement is in place:

<Report Findings Here> 3D-1.2.b For applications not …
Modified p. 1
Payment Card Industry (PCI) Point-to-Point Encryption P2PE Merchant-Managed Solution Template for Report on Validation for use with P2PE v3.1 for P2PE Merchant-Managed Solution Assessments
Payment Card Industry (PCI) Point-to-Point Encryption P2PE Merchant-Managed Solution Template for Report on Validation For use with the PCI P2PE Standard v3.2 for P2PE Merchant-Managed Solution Assessments
Modified p. 2
- Updates from v3.0 P2PE Standard references to v3.1. - Revisions made within the Introduction through Section 3 to add clarity and consistency, both within this P-ROV and across all v3.1 P-ROVs as applicable. - Context of “PCI-listed” P2PE Products updated to “Validated”. Includes revision to diagram in Introduction. - Revision to the description for the use of Not Applicable to add clarity and guidance. - Reformatting and restructuring of tables in Sections 2 and 3 with additional guidance. - …
- Updates from v3.0 P2PE Standard references to v3.1 - Revisions made within the Introduction through Section 3 to add clarity and consistency, both within this P-ROV and across all v3.1 P-ROVs as applicable. - Context of “PCI-listed” P2PE Products updated to “Validated”. Includes revision to diagram in Introduction - Revision to the description for the use of Not Applicable to add clarity and guidance - Reformatting and restructuring of tables in Sections 2 and 3 with additional guidance. - …
Modified p. 5
Use of this Reporting Template is mandatory for all P2PE v3.1 Merchant-Managed Solution (MMS) assessments.
Use of this Reporting Template is mandatory for all P2PE v3.2 Merchant-Managed Solution (MMS) assessments.
Modified p. 7
Encryption Management Services (EMS) Merchant-Managed Solution (MMS) Encryption Management CP (EMCP) POI Deployment CP (PDCP) POI Management CP (PMCP) Encryption Management Services relates to the distribution, management, and use of PTS-approved POI devices in a P2PE [Merchant-Managed] Solution. MMS assessments that have not satisfied the entirety of their Encryption Management Services (Domain 1 with Domain 5) via the use of applicable Validated P2PE Component Providers must complete the EMS P-ROV in addition to the MMS Solution P-ROV.
Encryption Management Services (EMS) Merchant-Managed Solution (MMS) Encryption Management CP (EMCP) POI Deployment CP (PDCP) POI Management CP (PMCP) Encryption Management Services relates to the distribution, management, and use of PCI-approved PTS POI devices in a P2PE [Merchant-Managed] Solution. MMS assessments that have not satisfied the entirety of their Encryption Management Services (Domain 1 with Domain 5) via the use of applicable Validated P2PE Component Providers must complete the EMS P-ROV in addition to the MMS Solution P-ROV.
Modified p. 7
P2PE Application P2PE Application Any assessment that utilizes software on the PTS-approved POI devices intended for use in a P2PE [Merchant-Managed] Solution that has the potential to access clear-text account data must complete the P2PE Application P-ROV (one for each application).
P2PE Application P2PE Application Any assessment that utilizes software on the PCI-approved PTS POI devices intended for use in a P2PE [Merchant-Managed] Solution that has the potential to access cleartext account data must complete the P2PE Application P-ROV (one for each application).
Removed p. 8
Note: Checkboxes have been added to the “Summary of Assessment Findings” so that the assessor may double click to check the applicable summary result. Hover over the box you’d like to mark and click once to mark with an ‘x.’ To remove a mark, hover over the box and click again. Mac users may instead need to use the space bar to add the mark.
Modified p. 8
Section 1: Contact Information and Report Date
Section 1: Contact Information and Report Date
Modified p. 8
Section 2: Summary Overview
Section 2: Summary Overview
Modified p. 8
Section 3: Details and Scope of P2PE Assessment
Section 3: Details and Scope of P2PE Assessment
Modified p. 8
Section 4: Findings and Observations This Reporting Template includes tables with Reporting Instructions built in. Details provided should focus on concise quality of detail, rather than lengthy, repeated verbiage.
Section 4: Findings and Observations This Reporting Template includes tables with Reporting Instructions built in. Details provided should focus on concise quality of detail, rather than lengthy, repeated verbiage.
Modified p. 8
P-ROV Summary of Findings This version of the P2PE Reporting Template reflects an ongoing effort to simplify assessor summary reporting. All summary findings for “In Place,” “Not in Place,” and “Not Applicable” are found at the beginning of section 4, “Findings and Observations,” and are only addressed at that high-level. The summary of the overall compliance status is at section 2.8, “Summary of P2PE Assessment Compliance Status.” The following table is a representation when considering which selection to make. Assessors …
P-ROV Summary of Findings All summary findings for “In Place,” “Not in Place,” and “Not Applicable” are found at the beginning of section 4 “Findings and Observations” and are only addressed at that high level. The summary of the overall compliance validation status is at section 2.8 “Summary of P2PE Assessment Compliance Validation Status.” The following table provides guidance for Assessors when considering which selection to make. Assessors must select only one response at the sub-requirement level, and the …
Modified p. 8
Note: ‘Not Applicable’ cannot be used by entities that provide only partial aspects of a defined Component Provider service to validate to that Component Provider type. Refer to the “P2PE Applicability of Requirements” in the P2PE Program Guide.
Note: ‘Not Applicable’ cannot be used by entities that provide only partial aspects of a defined Component Provider service to validate to th Component Provider type. Refer to the “P2PE Applicability of Requirements” in the P2PE Program Guide. Note: Checkboxes have been added to the “Summary of Assessment Findings” so that the Assessor may double-click to check the applicable summary result. Hover over the box to select and single-click to mark with an ‘x.’ To remove a mark, hover over …
Modified p. 9
“Identify the P2PE Assessor who confirms…” Indicates only an affirmative response where further reporting is deemed unnecessary by PCI SSC. The P2PE Assessor’s name or a Not Applicable response are the two appropriate responses here. A Not Applicable response will require brief reporting to explain how this was confirmed via testing.
“Identify the P2PE Assessor who confirms…” Indicates only an affirmative response where further reporting is deemed unnecessary by PCI SSC. The P2PE Assessor’s name or a Not Applicable response are the two appropriate responses here. A Not Applicable response will require brief reporting to explain how this was confirmed via testing.
Modified p. 9
Document name or interviewee reference At section 3.6, “Documentation Reviewed,” and section 3.7, “Individuals Interviewed,” there is a space for a reference number; it is the P2PE Assessor’s choice to use the document name/interviewee job title or the reference number in responses. A listing is sufficient here, no further detail required.
Document name or interviewee reference At section 3.6, “Documentation Reviewed,” and section 3.7, “Individuals Interviewed,” there is a space for a reference number; it is the P2PE Assessor’s choice to use the document name/interviewee job title or the reference number in responses. A listing is sufficient here, no further detail required.
Modified p. 9
Sample reviewed Brief list is expected or sample identifier. Where applicable, it is the P2PE Assessor’s choice to list out each sample within the reporting or to utilize sample identifiers from the sampling summary table.
Sample reviewed Brief list is expected or sample identifier. Where applicable, it is the P2PE Assessor’s choice to list out each sample within the reporting or to utilize sample identifiers from the sampling summary table.
Modified p. 9
Brief description/short answer

• “Describe how…” These responses must be a narrative response that provides explanation as to the observation: both a summary of what was witnessed and how that verified the criteria of the testing procedure.
• “Describe how…” These responses must be a narrative response that provides explanation as to the observation: both a summary of what was witnessed and how that verified the criteria of the testing procedure.
Modified p. 10
Complete all applicable P-ROVs based on the assessment.
Complete all applicable P-ROVs based on the assessment
Modified p. 10
Complete all sections in the order specified, with concise detail.
Complete all sections in the order specified, with concise detail
Modified p. 10
Read and understand the intent of each Requirement and Testing Procedure.
Read and understand the intent of each Requirement and Testing Procedure
Modified p. 10
Provide a response for every Testing Procedure, even if N/A.
Provide a response for every Testing Procedure, even if N/A
Modified p. 10
Provide sufficient detail and information to demonstrate a finding of “in place” or “not applicable.” Describe how a Requirement was verified as the Reporting Instruction directs, not just that it was verified.
Describe how a Requirement was verified as the Reporting Instruction directs, not just that it was verified
Modified p. 10
Ensure all parts of the Testing Procedure are addressed.
Ensure all parts of the Testing Procedure are addressed
Modified p. 10
Ensure the response covers all applicable application and/or system components.
Ensure the response covers all applicable application and/or system components
Modified p. 10
Perform an internal quality assurance review of the P-ROV for clarity, accuracy, and quality.
Perform an internal quality assurance review of the P-ROV for clarity, accuracy, and quality
Modified p. 10
Perform an internal quality assurance review of all submitted P-ROVs and the details within the PCI SSC Portal.
Perform an internal quality assurance review of all submitted P-ROVs and the details within the PCI SSC Portal
Modified p. 10
Provide useful, meaningful diagrams, as directed.
Provide useful, meaningful diagrams, as directed
Modified p. 10
Don’t report items in the “In Place” column unless they have been verified as being “in place.” Don’t include forward-looking statements or project plans in responses.
Don’t report items in the “In Place” column unless they have been verified as being “in place”
Modified p. 10
Don’t simply repeat or echo the Testing Procedure in the response.
Don’t simply repeat or echo the Testing Procedure in the response
Modified p. 10
Don’t copy responses from one Testing Procedure to another.
Don’t copy responses from one Testing Procedure to another
Modified p. 10
Don’t copy responses from previous assessments.
Don’t copy responses from previous assessments
Modified p. 10
Don’t include information irrelevant to the assessment.
Don’t include information irrelevant to the assessment
Modified p. 10
Don’t mark “N/A” without providing an explanation and justification for why it is “N/A”.
Don’t mark “N/A” without providing an explanation and justification for why it is “N/A”
Removed p. 11
P2PE Assessor Company and Lead Assessor Contact Information Company name: Assessor company credentials: QSA (P2PE) PA-QSA (P2PE) Company Servicing Markets for P2PE: (see https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_assessors) Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:

Confirm that internal QA was fully performed on the entire P2PE assessment documentation, per requirements in the relevant program documentation.

(Leave blank if not applicable) QA reviewer phone number: QA reviewer e-mail address:
Modified p. 11
No (If No, this is not in accordance with PCI Program requirements) QA reviewer name: QA reviewer credentials:
Yes (Internal QA on this submission has been performed in accordance with PCI P2PE Program Requirements) QA Primary reviewer name: QA Primary reviewer credentials:
Modified p. 11
Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
Assessor name: Assessor credentials: P2PE Assessor P2PE Application Assessor
Removed p. 12
Disclose all services offered to the assessed entity by the PA-QSA(P2PE) / QSA (P2PE) / P2PE QSA company, including but not limited to whether the assessed entity uses any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights or that the QSA has configured or manages:
Modified p. 12
(From DD-MMM-YYYY To DD-MMM-YYYY) 1.3 Additional Services Provided by PA-QSA(P2PE) / QSA(P2PE) / P2PE QSA Company The current version of the “Qualification Requirements for Point-to-Point Encryption (P2PE)™ Qualified Security Assessors QSA (P2PE) and PA-QSA (P2PE)” (P2PE QSA Qualification Requirements), section “Independence”, specifies requirements for P2PE QSAs around disclosure of such services and/or offerings that could reasonably be viewed to affect independence of assessment. Complete the sections below after review of this portion of the P2PE QSA Qualification Requirements to ensure …
(From DD-MMM-YYYY To DD-MMM-YYYY) 1.3 Additional Services Provided by P2PE Assessor / P2PE Assessor Company The current version of the “Qualification Requirements for Point-to-Point Encryption (P2PE)™ P2PE Assessor and P2PE Application Assessors” (P2PE Qualification Requirements), section “Independence”, specifies requirements for P2PE Assessors around disclosure of such services and/or offerings that could reasonably be viewed to affect independence of assessment. Complete the sections below after review of this portion of the P2PE Qualification Requirements to ensure responses are consistent with documented …
Modified p. 12
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the PA-QSA(P2PE) / QSA(P2PE) / QSA company:
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the P2PE Assessor / P2PE Assessor company:
Modified p. 15
Validated EMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated Listing Reference # PTS Approval #(s) (comma delimited) EMCP PDCP PMCP
Validated EMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated P2PE Listing Reference # PTS Approval #(s) (comma delimited) EMCP PDCP PMCP
Modified p. 17
Validated DMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated Listing Reference # DMCP Decryption Management Services (EMS) Continued Describe how the Validated DMS-related P2PE Component Provider(s) are being used to satisfy applicable DMS P2PE requirements for this MMS assessment. If more than one Validated P2PE Component Provider is being used, clearly distinguish between them in the description.
Validated DMS P2PE Components P2PE Component Provider Name P2PE Component Name Validated Listing Reference # DMCP Decryption Management Services (DMS) Continued Describe how the Validated DMS-related P2PE Component Provider(s) are being used to satisfy applicable DMS P2PE requirements for this MMS assessment. If more than one Validated P2PE Component Provider is being used, clearly distinguish between them in the description.
Modified p. 20
Is the EMS P-ROV being used? Yes (Document EMS-related Third Parties in the EMS P-ROV) No (Document any EMS-related Third Parties below) Is the DMS P-ROV being used? Yes (Document DMS-related Third Parties in the DMS P-ROV) No (Document any DMS-related Third Parties below) Is the KMS P-ROV being used? Yes (Document KMS-related Third Parties in the KMS P-ROV) No (Document any KMS-related Third Parties below) Are there Third-Parties that are otherwise not documented in another P-ROV? Yes (If Yes, …
Is the EMS P-ROV being used? Yes (Document EMS-related Third Parties in the EMS P-ROV) No (Document any EMS-related Third Parties below) Is the DMS P-ROV being used? Yes (Document DMS-related Third Parties in the DMS P-ROV) No (Document any DMS-related Third Parties below) Is the KMS P-ROV being used? Yes (Document KMS-related Third Parties in the KMS P-ROV) No (Document any KMS-related Third Parties below) Are there Third Parties that are otherwise not documented in another P-ROV? Yes (If …
Modified p. 21
Non-payment software is any software/files that does not have the potential to access clear-text account data. (Refer to P2PE Glossary) Any software that does have the potential to access clear-text account data must be assessed to Domain 2; refer to Table 2.4.b.
Non-payment software is any software/files that does not have the potential to access cleartext account data. (Refer to P2PE Glossary) Any software that does have the potential to access cleartext account data must be assessed to Domain 2; refer to Table 2.4.b.
Removed p. 22
Note 2: PCI-listed P2PE Applications must be considered Validated. Refer to the P2PE Program Guide for additional details. https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_applications Insert additional rows as needed.
Modified p. 22
- Included in the POI Device Types supported by a Validated EMCP, or by BOTH a Validated PDCP AND a Validated PMCP, being used in the scope of this Solution assessment, OR, - Be assessed to all unaccounted for Domain 1 and Domain 5 requirements, which will depend on each unique Solution assessment.
- Included in the POI Device Types supported by a Validated EMCP, or by BOTH a Validated PDCP AND a Validated PMCP, being used in the scope of this Solution assessment, OR, - Be assessed to all unaccounted for Domain 1 and Domain 5 requirements, which will depend on each unique Solution assessment Note 1: “P2PE Applications” and “P2PE non-payment software” (refer to P2PE Glossary) do not meet the PTS POI definition of “firmware”, and as such they are not …
Modified p. 24
- Only list each unique PTS Approval # once. - List ALL associated hardware (HW) and firmware (FW) versions supported by the Solution and tested as part of the P2PE assessment. - Ensure all the information below is correct, accurate, and there are no discrepancies between the information listed here and the information present on the POI device’s associated PTS Approval listing. - Do NOT include POI devices (including HW and/or FW) that are ineligible for P2PE (e.g., non-SRED). - …
- Only list each unique PTS Approval # once. - List ALL associated hardware (HW) and firmware (FW) versions supported by the Solution and tested as part of the P2PE assessment. HW and FW versions MUST be consistent between P-ROV(s), P-AOV and the Portal. - Ensure all the information below is correct, accurate, and there are no discrepancies between the information listed here and the information present on the POI device’s associated PTS Approval listing. - Do NOT include POI …
Modified p. 24
Note 1: Be advised there can be POI device approval listings that appear similar/identical on the PCI SSC list of Approved PTS devices, however, they are associated with different major versions of the PTS POI Standard. Be sure the correct listing is being referenced and utilized in the assessment.
Note 1: Be advised there can be POI device approval listings that appear similar/identical on the PCI SSC list of Approved PTS POI devices, however, they are associated with different major versions of the PTS POI Standard. Be sure the correct listing is being referenced and utilized in the assessment.
Modified p. 24
Note 2: Clicking the PTS Approval # on the list of Approved POI Devices will display additional information. Be advised that the designators shown under “Functions Provided” do NOT necessarily apply to every HW and FW version for that PTS approval listing. Ensure that the requisite P2PE requirements are met and satisfied per POI Device Type (refer to the P2PE Glossary) included in the assessment. For each applicable PTS Approval #:
Note 2: Clicking the PTS Approval # on the list of Approved PTS POI Devices will display additional information. Be advised that the designators shown under “Functions Provided” do NOT necessarily apply to every HW and FW version for that PTS approval listing. Ensure that the requisite P2PE requirements are met and satisfied per POI Device Type (refer to the P2PE Glossary) included in the assessment. For each applicable PTS Approval #:
Modified p. 24
- POI Device Types associated with Validated P2PE Applications are only assessed to Domain 2; those POI devices must be accounted for via the use of applicable Validated Components, or otherwise they must be assessed to all applicable Domain 1 and 5 requirements that have not been covered under the assessment scope of the Component Types being used in the scope of this MMS assessment (this will be unique for each assessment). https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices Is the EMS P-ROV being used as …
- POI Device Types associated with Validated P2PE Applications are only assessed to Domain 2; those POI devices must be accounted for via the use of applicable Validated Components, or otherwise they must be assessed to all applicable Domain 1 and 5 requirements that have not been covered under the assessment scope of the Component Types being used in the scope of this MMS assessment (this will be unique for each assessment).
Modified p. 25 → 26
PTS Approval # (One unique # per row) Make / Mfr. Model Name / Number Hardware (HW) #(s) Tested Firmware (FW) #(s) Tested For each PTS Approval #, denote the manner that the PTS-approved POI Device Types were assessed to all applicable requirements in Domains 1 and 5:
PTS Approval # (One unique # per row) PTS Version # Make / Mfr. Model Name / Number Hardware (HW) #(s) Tested Firmware (FW) #(s) Tested For each PTS Approval #, denote the manner that the PCI-approved PTS POI Device Types were assessed to all applicable requirements in Domains 1 and 5:
Modified p. 26 → 27
Note 1: PTS-approved POI Device information must be entered in Table 2.5. Do not enter it here.
Note 1: PCI-approved PTS POI Device information must be entered in Table 2.5. Do not enter it here.
Modified p. 26 → 27
Is the EMS P-ROV being used? Yes (Document EMS-related SCDs in the EMS P-ROV) No (Document any EMS-related SCDs below) Is the DMS P-ROV being used? Yes (Document DMS-related SCDs in the DMS P-ROV) No (Document any DMS-related SCDs below) Is the KMS P-ROV being used? Yes (Document KMS-related SCDs in the KMS P-ROV) No (Document any KMS-related SCDs below) Are there SCDs that are otherwise not documented in another P-ROV? Yes (If Yes, provide details below) No (If No, …
Is the EMS P-ROV being used? Yes (Document EMS-related SCDs in the EMS P-ROV) No (Document any EMS-related SCDs below) Is the DMS P-ROV being used? Yes (Document DMS-related SCDs in the DMS P-ROV) No (Document any DMS-related SCDs below) Is the KMS P-ROV being used? Yes (Document KMS-related SCDs in the KMS P-ROV) No (Document any KMS-related SCDs below) Are there SCDs that are otherwise not documented in another P-ROV? Yes (If Yes, provide details below) No (If No, …
Modified p. 27 → 28
Note 2: While non-payment software is not permitted to have access to clear-text account data, it might still be involved in supporting additional encryption implementations. Non-payment software detailed below must be able to be cross-referenced to Table 2.4.a in the EMS P-ROV.
Note 2: While non-payment software is not permitted to have access to cleartext account data, it might still be involved in supporting additional encryption implementations. Non-payment software detailed below must be able to be cross-referenced to Table 2.4.a in the EMS P-ROV.
Modified p. 30 → 31
Locations of critical facilities, including the MMS’ decryption environment, key-injection and loading facilities, etc.
Locations of critical facilities, including the MMS’ decryption environment, key-injection and loading facilities, etc.
Modified p. 30 → 31
Location of critical components within the P2PE decryption environment, such as HSMs and other SCDs, cryptographic key stores, etc., as applicable Location of systems performing key-management functions Connections into and out of the decryption environment Connectivity between the requisite functions of the MMS Other necessary components, as applicable to the MMS Provide any additional information below that is not adequately captured within the diagram(s). Otherwise, check No Additional Details. No Additional Details <Additional Details, as needed> <Insert Solution diagram(s) here>
Other necessary components, as applicable to the MMS Provide any additional information below that is not adequately captured within the diagram(s). Otherwise, check No Additional Details. No Additional Details <Additional Details, as needed> <Insert Solution diagram(s) here>
Modified p. 31 → 32
Flows and locations of encrypted account data Flows and locations of clear-text account data All flows and locations of truncated account data Location of critical system components (e.g., HSMs) All entities the MMS connects to for payment transmission or processing, including processors/acquirers Note: The diagram should identify where merchant entities fit into the data flow, without attempting to identify individual merchants. For example, encrypted account data could be illustrated as flowing between an icon that represents all merchant customers and …
All entities the MMS connects to for payment transmission or processing, including processors/acquirers Note: The diagram should identify where merchant entities fit into the data flow, without attempting to identify individual merchants. For example, encrypted account data could be illustrated as flowing between an icon that represents all merchant customers and an icon that represents the solution provider’s decryption environment. Document if any intermediate proxies exist between merchant customers and the decryption environment.
Modified p. 32 → 33
Key Generation Key Distribution / Loading / Injection onto POI devices Other Key Distribution / Loading / Injection activities Key Storage Key Usage Key Archiving (if applicable) Any other relevant information
Key Distribution / Loading / Injection onto POI devices Other Key Distribution / Loading / Injection activities Key Archiving (if applicable) Any other relevant information
Modified p. 34 → 35
There is no need to duplicate documents that appear in other P-ROVs included unless they are relevant to the Solution Management Controls.
There is no need to duplicate documents that appear in other P-ROVs included unless they are relevant to the Solution Management Controls. Please ensure the latest PIM template has been used.
Modified p. 34 → 35
P2PE Instruction Manual (PIM) Reference # (optional use) Document Name (Title of the PIM) Version Number of the PIM Document Date (latest version date) P2PE Application Implementation Guide(s) (IG) Reference # (optional use) Document Name (Title of the IG) Version Number of the IG Document date (latest version date) Which P2PE Application is addressed? (must align with Table 2.4.b) All other documentation reviewed for this P2PE Assessment Reference # (optional use) Document Name (including version, if applicable) Document date (latest …
P2PE Instruction Manual (PIM) Reference # (optional use) Document Name (Title of the PIM) Version Number of the PIM Document Date (latest version date, DD-MMM-YYYY) P2PE Application Implementation Guide(s) (IG) Reference # (optional use) Document Name (Title of the IG) Version Number of the IG Document date (latest version date, DD-MMM-YYYY) Which P2PE Application is addressed? (must align with Table 2.4.b) All other documentation reviewed for this P2PE Assessment Reference # (optional use) Document Name (including version, if applicable) Document …
Modified p. 37 → 38
P2PE Merchant-Managed Solution

• Summary of Findings P2PE Validation Requirements Summary of Findings (check one for EVERY row) In Place N/A Not in Place 3A P2PE solution management 3A-1 The solution provider maintains documentation detailing the P2PE solution architecture and data flows.
P2PE Merchant-Managed Solution

• Summary of Findings P2PE Validation Requirements Summary of Findings (check one for EVERY row) In Place N/A Not in 3A P2PE solution management 3A-1 The solution provider maintains documentation detailing the P2PE solution architecture and data flows.
Modified p. 39 → 41
• Identification of P2PE controls covered by each third-party service provider 3A-1.1.a Interview relevant personnel and review documentation to verify that procedures exist for maintaining documentation that describes and/or illustrates the architecture of the overall P2PE solution.
• Identification of P2PE controls covered by each third-party service provider 3A-1.1.a Interview relevant personnel and examine documentation to verify that procedures exist for maintaining documentation that describes and/or illustrates the architecture of the overall P2PE solution.
Modified p. 39 → 41
Documented procedures reviewed: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.1.b Interview relevant personnel and review documentation that describes and/or illustrates the architecture of the overall P2PE solution to verify that the document is current.
Documented procedures examined: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.1.b Interview relevant personnel and examine documentation that describes and/or illustrates the architecture of the overall P2PE solution to verify that the document is current.
Modified p. 39 → 41
Documented procedures reviewed: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.1.c Interview relevant personnel and review documentation that describes and/or illustrates the architecture of the overall P2PE solution to verify that the document:
Documented procedures examined: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here> 3A-1.1.c Interview relevant personnel and examine documentation that describes and/or illustrates the architecture of the overall P2PE solution to verify that the document:
Modified p. 39 → 41
• Identifies all P2PE controls covered by each third-party service provider Documented procedures reviewed: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here>
• Identifies all P2PE controls covered by each third-party service provider Documented procedures examined: <Report Findings Here> Relevant personnel interviewed: <Report Findings Here>
Removed p. 40
3A-1.2 Examine the data-flow diagram and interview personnel to verify the diagram:

• Is kept current and updated as needed upon changes to the environment.
Modified p. 40 → 42
Shows all account data flows across systems and networks from the point the card data is captured through to the point the card data exits the decryption environment.
All account data flows across systems and networks from the point the card data is captured by the PTS POI devices through to the point the card data exits the decryption environment
Modified p. 40 → 42
Data-flow diagram reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-1.3 Where there is a legal or regulatory obligation in a region for merchants to print full PAN on merchant receipts, it is allowable for the merchant to have access to full PAN for this purpose but the solution provider must document specifics about the legal or regulatory obligation including at least the following:
Documentation examined: <Report Findings Here> 3A-1.3 If there is a legal or regulatory obligation in a region for merchants to print full PAN on merchant receipts, it is allowable for the merchant to have access to full PAN for this purpose but the solution provider must document specifics about the legal or regulatory obligation including at least the following:
Modified p. 40 → 42
• To which region/country it applies Note that Domain 1 (at 1B-1.1.1) and Domain 2 (at 2A-3.1.2) also include requirements that must be met for any POI device and any P2PE application, respectively, that facilitates merchant printing of full PAN where there is a legal or regulatory obligation to do so.
Note: Domain 2 (at 2A-3.1.2) also include requirements that must be met for any PTS POI device and any P2PE application, respectively, that facilitates merchant printing of full PAN where there is a legal or regulatory obligation to do so.
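Review bot: the revised note on p. 42 no longer reads grammatically once the Domain 1 (1B-1.1.1) reference is dropped: "Domain 2 (at 2A-3.1.2) also include requirements ... for any PTS POI device and any P2PE application, respectively" leaves "respectively" pairing with nothing and the verb disagreeing with its subject. Suggest "Note: Domain 2 (at 2A-3.1.2) also includes requirements that must be met for any PTS POI device and any P2PE application that facilitates merchant printing of full PAN where there is a legal or regulatory obligation to do so."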
Modified p. 40 → 43
• To which region/country it applies Documented solution provider’s procedures reviewed:
• To which region/country it applies Documented solution provider’s procedures examined:
Removed p. 41
Responsible solution provider personnel interviewed:

<Report Findings Here> OR Describe how independent review verified that the exception to facilitate merchants’ access to full PANs is based on a legal/regulatory obligation and not solely for convenience:

Documented procedures reviewed: <Report Findings Here>
Modified p. 41 → 43
<Report Findings Here> 3A-2.1 Where P2PE component providers are used, a methodology must be implemented to manage and monitor status reporting from P2PE component providers, including:
<Report Findings Here> 3A-1.3.b TESTING PROCEDURE REMOVED 3A-2.1 If P2PE component providers are used, a methodology must be implemented to manage and monitor status reporting from P2PE component providers, including:
Modified p. 41 → 43
• Ensuring reports are received from all P2PE component providers as specified in the “Component Providers ONLY: Report Status to Solution Providers” sections of Domains 1, 5, and/or 6 (as applicable to the component provider).
• Ensuring reports are received from all P2PE component providers as specified in the “Component Providers ONLY: Report Status to Solution Providers” sections of Domains 1, 5, and/or 6 (as applicable to the component provider)
Modified p. 41 → 43
• Confirming reports include at least the details specified in the “Component Providers ONLY: Report Status to Solution Providers” sections of Domains 1, 5, and/or 6 (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider.
• Confirming reports include at least the details specified in the “Component Providers ONLY: Report Status to Solution Providers” sections of Domains 1, 5, and/or 6 (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider
Modified p. 41 → 43
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider.
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider Documented procedures examined: <Report Findings Here>
Removed p. 42
• Changes in overall solution architecture 3A-2.2.a Interview responsible personnel and review documentation to verify the solution provider has a formal process for ensuring P2PE controls are maintained when changes to the P2PE solution occur, including procedures for addressing the following:
Modified p. 42 → 44
• Changes in overall solution architecture Documented procedures reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here>
• Changes in overall solution architecture Documented procedures examined: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here>
Modified p. 43 → 45
Sample of changes reviewed: <Report Findings Here> 3A-3.1 Processes must be implemented to respond to notifications from merchants, component providers, and other third parties about any suspicious activity, and provide immediate notification to all applicable parties of suspicious activity including but not limited to:
Sample of changes examined: <Report Findings Here> 3A-3.1 Processes must be implemented to respond to notifications from merchants, component providers, and other third parties about any suspicious activity, and provide immediate notification to all applicable parties of suspicious activity including but not limited to:
Modified p. 43 → 45
• Encryption/decryption failures Documented procedures reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here>
• Encryption/decryption failures Documented procedures examined: <Report Findings Here> Personnel interviewed: <Report Findings Here>
Removed p. 44
3A-3.2.1 Examine documented procedures and interview personnel to verify the POI devices must not be re-enabled until it is confirmed that either:

Documented procedures reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here>
Modified p. 44 → 46
3A-3.2 Review documented procedures and interview responsible personnel to verify that upon detection of any suspicious activity defined at 3A-3.1, POI devices are immediately removed, shut down, or taken offline.
3A-3.2 Examine documented procedures and interview responsible personnel to verify that upon detection of any suspicious activity defined at 3A-3.1, PTS POI devices are immediately removed, shut down, or taken offline.
Modified p. 44 → 46
Documented procedures reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-3.2.1 The POI device must not be re-enabled until it is confirmed that either:
Documented procedures examined: <Report Findings Here> Personnel interviewed: <Report Findings Here> 3A-3.2.1 The PTS POI device must not be re-enabled until it is confirmed that either:
Modified p. 44 → 46
• The merchant has provided written notification (signed by a merchant executive officer) formally requesting stopping of P2PE encryption services, according to the solution provider’s procedures (as defined in Requirement 3A-4.1).
• The merchant has provided written notification (signed by a merchant executive officer) formally requesting stopping of P2PE encryption services, according to the solution provider’s procedures (as defined in Requirement 3A-4.1) 3A-3.2.1 Examine documented procedures and interview personnel to verify the PTS POI devices must not be re-enabled until it is confirmed that either:
Modified p. 44 → 46
• The merchant has provided written notification (signed by a merchant executive officer) requesting stopping of P2PE encryption services, according to the solution provider’s procedures (as defined in Requirement 3A-4.1).
• The merchant has provided written notification (signed by a merchant executive officer) requesting stopping of P2PE encryption services, according to the solution provider’s procedures (as defined in Requirement 3A-4.1) Documented procedures examined: <Report Findings Here> Personnel interviewed: <Report Findings Here>
Modified p. 45 → 47
• Details of whether any account data was transmitted from the POI device(s) during the time that encryption was malfunctioning or disabled Documented procedures reviewed: <Report Findings Here> Related records reviewed: <Report Findings Here> Personnel interviewed: <Report Findings Here>
• Details of whether any account data was transmitted from the POI device(s) during the time that encryption was malfunctioning or disabled Documented procedures examined: <Report Findings Here> Related records examined: <Report Findings Here> Personnel interviewed: <Report Findings Here>
Modified p. 46 → 48
Documented incident-response plans reviewed:
Documented incident-response plans examined:
Modified p. 46 → 48
• Updating the solution and/or controls to prevent cause from recurring 3A-3.5.a Interview responsible personnel and review documentation to verify the solution provider has a formal process for any P2PE control failures, including procedures for addressing the following:
• Updating the solution and/or controls to prevent cause from recurring 3A-3.5.a Interview responsible personnel and examine documentation to verify the solution provider has a formal process for any P2PE control failures, including procedures for addressing the following:
Modified p. 46 → 48
• Implementing controls to prevent cause from recurring Responsible personnel interviewed: <Report Findings Here> Documentation reviewed: <Report Findings Here>
• Implementing controls to prevent cause from recurring Responsible personnel interviewed: <Report Findings Here> Documentation examined: <Report Findings Here>
Modified p. 47 → 49
Sample of P2PE control failures: <Report Findings Here> Supporting document reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> 3B-1.1 Solution provider must have formal agreements in place with all third parties that perform P2PE functions on behalf of the solution provider, including:
Sample of P2PE control failures: <Report Findings Here> Supporting document examined: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> 3B-1.1 If the solution Provider uses third parties that perform P2PE functions on behalf of the Solution Provider, formal agreements must be in place that include:
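Review bot: the rewritten 3B-1.1 requirement capitalizes the term inconsistently within one sentence ("If the solution Provider uses third parties that perform P2PE functions on behalf of the Solution Provider"), while every other occurrence in the template uses lower-case "solution provider"; suggest normalizing both instances to "solution provider".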
Modified p. 48 → 50
• Agreement to provide reports to solution provider as required in the “Component providers ONLY: report status to solution providers” section of the applicable P2PE Domain Documented procedures reviewed: <Report Findings Here> 3B-1.1.b If the solution provider utilizes any third parties, examine the business agreements and verify the elements delineated in 3B-1.1.a are present and adequately accounted for.
• Agreement to provide reports to solution provider as required in the “Component providers ONLY: report status to solution providers” section of the applicable P2PE Domain Documented procedures examined: <Report Findings Here> 3B-1.1.b If the solution provider utilizes any third parties, interview personnel and observe processes to verify the elements delineated in 3B-1.1.a are present and adequately accounted for.
Removed p. 49
• Evidence of adherence to PCI’s process for P2PE Designated Changes to Solutions 3B-1.2 Verify formal agreements established for all third parties managing SCDs on behalf of the solution provider require:

• Evidence of adherence to PCI’s process for P2PE Designated Changes to Solutions Identify the P2PE Assessor who confirms that the business agreements for third parties managing SCDs on behalf of the solution provider were reviewed and verified to require all elements at 3B-1.2:
Modified p. 49 → 51
• Notification of any changes that require a Designated Change per the P2PE Program Guide
• Notification of any changes that require a Delta Change per the P2PE Program Guide
Modified p. 49 → 51
• Notification of any changes that require a Designated Change per the P2PE Program Guide
• Notification of any changes that require a Delta Change per the P2PE Program Guide
Modified p. 49 → 51
• Updated list of any dependencies included in the Designated Change (e.g., POI devices, P2PE applications, , and/or HSMs) used in the solution
• Updated list of any dependencies included in the Delta Change (e.g., POI devices, P2PE Applications, and/or HSMs) used in the solution 3B-1.2 Examine documentation for all third parties managing SCDs on behalf of the solution provider and verify the following is required:
Modified p. 49 → 51
• Updated list of any dependencies included in the Designated Change (e.g., POI devices, P2PE applications, and/or HSMs) used in the solution
• Updated list of any dependencies included in the Delta Change (e.g., PTS POI devices, P2PE Applications, and/or HSMs) used in the solution Identify the P2PE Assessor who confirms that the business agreements for third parties managing SCDs on behalf of the solution provider were reviewed and verified to require all elements at 3B-1.2:
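Review bot: the two revised dependency lists on p. 51 use different terminology for the same item: the first reads "(e.g., POI devices, P2PE Applications, and/or HSMs)" and the second "(e.g., PTS POI devices, P2PE Applications, and/or HSMs)". Since the other v3.2 changes in this section standardize on "PTS POI devices", the first occurrence should be aligned to match.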
Removed p. 50
<Report Findings Here> 3C-1.1.f Examine the PIM to verify that all P2PE non-payment software specified in the PIM were assessed as part of this P2PE solution assessment (per Requirement 1C-2).

Identify the P2PE Assessor who confirms that all P2PE non-payment software specified in the PIM were assessed as part of this P2PE solution assessment (per Requirement 1C-2):

<Report Findings Here> 3C-1.1.g Configure each POI device type, settings, etc. in accordance with all instructions in the PIM and confirm the following:

• The PIM provides accurate instructions.

• The PIM instructions facilitate a securely installed P2PE solution.

Describe how it was confirmed that by configuring each POI device type, settings, etc. in accordance with all instructions in the PIM, the PIM provides accurate instructions and those instructions facilitate a securely installed P2PE solution:
Modified p. 50 → 52
<Report Findings Here> 3C-1.1.d Examine the PIM to verify that all devices specified in the PIM are PCI-approved POI devices that were assessed as part of this P2PE solution assessment.
<Report Findings Here> 3C-1.1.d Examine the PIM to verify that all devices specified in the PIM are eligible PCI-approved PTS POI devices that were assessed as part of this P2PE solution assessment.
Modified p. 50 → 52
Identify the P2PE Assessor who confirms that all devices specified in the PIM are PCI-approved POI devices that were assessed as part of this P2PE solution assessment:
Identify the P2PE Assessor who confirms that all devices specified in the PIM are PCI-approved PTS POI devices that were assessed as part of this P2PE solution assessment:
Modified p. 50 → 52
• All P2PE applications specified in the PIM are assessed for this solution (per Domain 1).
• All P2PE applications specified in the PIM are assessed for this solution.
Modified p. 50 → 52
• All P2PE applications specified in the PIM are either PCI-listed P2PE applications or assessed to Domain 2 as part of this P2PE solution assessment.
• All P2PE applications specified in the PIM are either PCI-listed P2PE Applications or assessed to Domain 2 as part of this P2PE solution assessment (Solution-specific P2PE Applications) Identify the P2PE Assessor who confirms that all P2PE applications specified in the PIM are assessed for this solution and that all P2PE applications specified in the PIM are either PCI-listed P2PE applications or assessed to Domain 2 as part of this P2PE solution assessment:
Modified p. 50 → 53
Identify the P2PE Assessor who confirms that all P2PE applications specified in the PIM are assessed for this solution (per Domain 1) and that all P2PE applications specified in the PIM are either PCI-listed P2PE applications or assessed to Domain 2 as part of this P2PE solution assessment:
Identify the P2PE Assessor who confirms that all P2PE non-payment software specified in the PIM has been assessed as part of this P2PE solution assessment (per Requirement 1C-2):
Removed p. 51
<Report Findings Here> 3C-1.1.f Examine the PIM to verify that all P2PE non-payment software specified in the PIM were assessed as part of this P2PE solution assessment (per Requirement 1C-2).

Identify the P2PE Assessor who confirms that all P2PE non-payment software specified in the PIM were assessed as part of this P2PE solution assessment (per Requirement 1C-2):

<Report Findings Here> 3C-1.1.g Configure each POI device type, settings, etc. in accordance with all instructions in the PIM and confirm the following:

• The PIM provides accurate instructions.

• The PIM instructions facilitate a securely installed P2PE solution.

Describe how it was confirmed that by configuring each POI device type, settings, etc. in accordance with all instructions in the PIM, the PIM provides accurate instructions and those instructions facilitate a securely installed P2PE solution:

3C-1.1.e Examine the PIM to verify the following:

• All P2PE applications specified in the PIM are assessed for this solution (per Domain 1).

• All …
Modified p. 51 → 53
• Any changes to the P2PE solution (including additions or removals of POI device types, P2PE applications, and/or P2PE non-payment software), and
• Any changes to the P2PE solution (including additions or removals of PTS POI device types, P2PE applications, and/or P2PE non-payment software), and
Modified p. 51 → 53
• Any changes to the requirements in this document.
• Any changes to the requirements in this document
Modified p. 51 → 53
<Report Findings Here> 3C-1.2 Review P2PE Instruction Manual (PIM) at least annually and upon changes to the solution or the P2PE requirements. Update PIM as needed to keep the documentation current with:
<Report Findings Here> 3C-1.1.g REMOVED 3C-1.2 Review P2PE Instruction Manual (PIM) at least annually and upon changes to the solution or the P2PE requirements. Update the PIM as needed to keep the documentation current with:
Removed p. 52
Documented procedures reviewed: <Report Findings Here> 3C-1.2.b Observe processes for reviewing and updating the PIM, and interview responsible personnel to verify:
Modified p. 52 → 53
- Any changes to the P2PE solution (including additions or removals of POI device types, P2PE applications, and/or P2PE non-payment software), and - Any changes to the P2PE requirements.
- Any changes to the P2PE solution (including additions or removals of PTS POI device types, P2PE applications, and/or P2PE non-payment software), and - Any changes to the P2PE requirements - Applicable merchant instructions.
Modified p. 52 → 54
• PIM is reviewed at least annually and upon changes to the solution or changes to the PCI P2PE requirements.
• PIM is reviewed at least annually and upon changes to the solution or changes to the PCI P2PE requirements
Modified p. 52 → 54
- Any changes to the P2PE solution (including additions or removals of POI device types, P2PE applications, and/or P2PE non-payment software), and - Any changes to the P2PE requirements.
- Any changes to the P2PE solution (including additions or removals of POI device types, P2PE applications, and/or P2PE non-payment software), and - Any changes to the P2PE requirements Responsible personnel interviewed: <Report Findings Here> Describe how processes for reviewing and updating the PIM verified that the PIM is updated at least annually, upon changes to the solution or changes to the PCI P2PE requirements, and as needed to keep the document current with any changes to the P2PE solution …
Modified p. 52 → 54
Documented procedures reviewed: <Report Findings Here> 3C-1.2.1.b Observe processes for reviewing and updating the PIM, and interview responsible personnel to verify PIM updates are communicated to affected merchants and an updated PIM is provided to merchants as needed.
Documented procedures examined: <Report Findings Here> 3C-1.2.1.b Observe processes for reviewing and updating the PIM, and interview responsible personnel to verify PIM updates are communicated to affected merchants and an updated PIM is provided to merchants as needed.
Modified p. 53 → 56
MM-A-1.1.a Interview responsible personnel and review documentation to verify that procedures exist for maintaining documentation that describes/illustrates the architecture of the merchant-managed P2PE solution, including the flow of data and cryptographic key exchanges, and interconnectivity between all systems within the encryption environment, the merchant decryption environment, and any other CDEs.
<Report Findings Here> APPENDIX A MM-A-1.1 Current documentation must be maintained that describes, or illustrates, the architecture of the merchant-managed P2PE solution, including the flow of data and cryptographic key exchanges, and interconnectivity between all systems within the encryption environment, the merchant decryption environment, and any other CDEs.
Modified p. 53 → 57
Documented procedures reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-A-1.1.b Interview responsible personnel and review merchant documentation that describes/illustrates the architecture of the merchant-managed P2PE solution, including the flow of data and cryptographic key exchanges, and interconnectivity between all systems within the encryption environment, the merchant decryption environment, and any other CDEs to verify that the document is kept current.
Documented procedures examined: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-A-1.1.b Interview responsible personnel and examine merchant documentation that describes/illustrates the architecture of the merchant-managed P2PE solution, including the flow of data and cryptographic key exchanges, and interconnectivity between all systems within the encryption environment, the merchant decryption environment, and any other CDEs to verify that the document is kept current.
Modified p. 53 → 57
Merchant documentation reviewed: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-A-1.2 Decryption systems must reside on a network that is dedicated to decryption operations.
Merchant documentation examined: <Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-A-1.2 Decryption systems must reside on a network that is dedicated to decryption operations.
Modified p. 53 → 57
Network diagram(s) reviewed: <Report Findings Here> MM-A-1.2.b Inspect network and system configurations to verify that decryption systems are located on a network that is dedicated to decryption operations.
Network diagram(s) examined: <Report Findings Here> MM-A-1.2.b Examine network and system configurations to verify that decryption systems are located on a network that is dedicated to decryption operations.
Modified p. 54 → 58
• Services, protocols, daemons, etc. necessary for performing and/or supporting decryption operations must be documented and justified.
• Services, protocols, daemons, etc. necessary for performing and/or supporting decryption operations must be documented and justified
Modified p. 54 → 58
• Functions not required for performing or supporting decryption operations must be disabled or isolated (e.g., using logical partitions) from decryption operations.
• Functions not required for performing or supporting decryption operations must be disabled or isolated (e.g., using logical partitions) from decryption operations
Modified p. 54 → 58
MM-A-1.3.a Inspect network and system configuration settings to verify that only necessary services, protocols, daemons, etc. are enabled, and any functions not required for performing or supporting decryption operations are disabled or isolated from decryption operations.
MM-A-1.3.a Examine network and system configuration settings to verify that only necessary services, protocols, daemons, etc. are enabled, and any functions not required for performing or supporting decryption operations are disabled or isolated from decryption operations.
Modified p. 54 → 58
<Report Findings Here> MM-A-1.3.b Review the documented record of services, protocols, daemons, etc. that are required by the decryption systems and verify that each service includes justification.
<Report Findings Here> MM-A-1.3.b Examine the documented record of services, protocols, daemons, etc. that are required by the decryption systems and verify that each service includes justification.
Modified p. 54 → 58
Documented record of services, protocols, daemons, etc. reviewed:
Documented record of services, protocols, daemons, etc. examined:
Modified p. 55 → 59
• Be dedicated to supporting the decryption environment.
• Be dedicated to supporting the decryption environment
Modified p. 55 → 59
<Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-A-1.4.b Review system configurations and observe processes to verify that systems providing authentication services to system components within the decryption environment reside within the decryption environment and are dedicated to supporting the decryption environment.
<Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-A-1.4.b Examine system configurations and observe processes to verify that systems providing authentication services to system components within the decryption environment reside within the decryption environment and are dedicated to supporting the decryption environment.
Modified p. 56 → 60
MM-A-1.6 Review system configurations and observe processes to verify that all remote access features on all systems within the merchant decryption environment are permanently disabled and/or otherwise prevented from being used.
MM-A-1.6 Examine system configurations and observe processes to verify that all remote access features on all systems within the merchant decryption environment are permanently disabled and/or otherwise prevented from being used.
Modified p. 56 → 60
MM-A-1.7.a Review configurations of all devices and systems in the merchant decryption environment to confirm none of the systems store account data.
MM-A-1.7.a Examine configurations of all devices and systems in the merchant decryption environment to confirm none of the systems store account data.
Modified p. 56 → 60
<Report Findings Here> MM-A-1.7.b Review data flows and interview personnel to verify that account data is not stored in the merchant decryption environment.
<Report Findings Here> MM-A-1.7.b Examine data flows and interview personnel to verify that account data is not stored in the merchant decryption environment.
Modified p. 57 → 61
MM-A-2.1 Review documentation and observe network configurations to verify that firewalls are in place between the merchant decryption environment and all other networks.
MM-A-2.1 Examine documentation and observe network configurations to verify that firewalls are in place between the merchant decryption environment and all other networks.
Modified p. 57 → 61
Documentation reviewed: <Report Findings Here> Describe how network configurations verified that firewalls are in place between the merchant decryption environment and all other networks:
Documentation examined: <Report Findings Here> Describe how network configurations verified that firewalls are in place between the merchant decryption environment and all other networks:
Modified p. 57 → 61
MM-A-2.1.2.a Review firewall configuration standards to verify that inbound and outbound traffic necessary for performing and/or supporting decryption operations is identified and documented.
MM-A-2.1.2.a Examine firewall configuration standards to verify that inbound and outbound traffic necessary for performing and/or supporting decryption operations is identified and documented.
Modified p. 57 → 61
Firewall configuration standards reviewed:
Firewall configuration standards examined:
Removed p. 58
MM-A-2.3.a Review document policies and procedures to verify that wireless connections to the decryption environment are prohibited.
Modified p. 58 → 62
<Report Findings Here> MM-A-2.2 Inbound and outbound traffic between the merchant CDE and the encryption environment must be restricted to approved POI devices located within the encryption environment.
<Report Findings Here> MM-A-2.2 Inbound and outbound traffic between the merchant CDE and the encryption environment must be restricted to PCI-approved PTS POI devices located within the encryption environment.
Modified p. 58 → 62
MM-A-2.2 Examine network and system configurations to verify that inbound and outbound traffic between the merchant CDE and the encryption environment is restricted to approved POI devices located within the encryption environment.
MM-A-2.2 Examine network and system configurations to verify that inbound and outbound traffic between the merchant CDE and the encryption environment is restricted to PCI-approved PTS POI devices located within the encryption environment.
Modified p. 58 → 62
Describe how network and system configurations verified that inbound and outbound traffic between the merchant CDE and the encryption environment is restricted to approved POI devices located within the encryption environment:
Describe how network and system configurations verified that inbound and outbound traffic between the merchant CDE and the encryption environment is restricted to PCI-approved PTS POI devices located within the encryption environment:
Modified p. 58 → 62
• Wireless connections to the decryption environment are prohibited.
• Wireless connections to the decryption environment are prohibited
Modified p. 58 → 62
• Processes are implemented to detect and immediately (as soon as possible) respond to physical connections (e.g., wireless connections) to the decryption environment.
• Processes are implemented to detect and immediately (as soon as possible) respond to physical connections (e.g., wireless connections) to the decryption environment MM-A-2.3.a Examine document policies and procedures to verify that wireless connections to the decryption environment are prohibited.
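Review bot: "Examine document policies and procedures" in the appended MM-A-2.3.a text should read "documented policies and procedures", matching the wording of MM-B-1.2.a. Note also that MM-A-2.3.a is run onto the end of the bullet here and appears as "Removed p. 58" above, so this hunk records a relocation of that testing procedure rather than a change to its content; it should start a new row, not continue the bullet.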
Removed p. 59
MM-B-1.1.a Review documentation to verify that inbound and outbound traffic necessary for transaction processing and/or terminal management purposes is identified and documented.
Modified p. 59 → 63
• Only traffic that is necessary for transaction processing and/or terminal management purposes.
• Only traffic that is necessary for transaction processing and/or terminal management purposes
Modified p. 59 → 63
• All other traffic between the encryption environment and any other CDE must be specifically denied.
• All other traffic between the encryption environment and any other CDE must be specifically denied MM-B-1.1.a Examine documentation to verify that inbound and outbound traffic necessary for transaction processing and/or terminal management purposes is identified and documented.
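Review bot: MM-B-1.1.a is run onto the end of the "must be specifically denied" bullet here and is the same procedure shown as "Removed p. 59" above, so this is a relocation (plus the "Review" to "Examine" wording change), not a new requirement; the testing procedure should be its own row rather than a continuation of the bullet text.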
Modified p. 59 → 63
Documentation reviewed: <Report Findings Here> MM-B-1.1.b Examine firewall configurations to verify that any traffic between the encryption environment and any other CDE is limited as follows:
Documentation examined: <Report Findings Here> MM-B-1.1.b Examine firewall configurations to verify that any traffic between the encryption environment and any other CDE is limited as follows:
Removed p. 60
• Verify all other traffic between those two networks is specifically denied (e.g., by using an explicit “deny all” or an implicit deny after an allow statement).
Modified p. 60 → 64
• Only traffic that is necessary for transaction processing and/or terminal management purposes.
• Only traffic that is necessary for transaction processing and/or terminal management purposes Verify all other traffic between those two networks is specifically denied (e.g., by using an explicit “deny all” or an implicit deny after an allow statement).
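Review bot: "Verify all other traffic between those two networks is specifically denied ..." is appended to the first bullet without punctuation and is the same text shown as "Removed p. 60" above; it should remain a separate bullet under MM-B-1.1.b so that the two checks (necessary traffic only; all other traffic denied) stay distinct.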
Modified p. 60 → 64
<Report Findings Here> MM-B-1.1.c Observe traffic between the encryption environment and any other CDE to verify the traffic is limited to systems directly related to supporting P2PE transactions, transaction processing, and/or terminal-management functions.
<Report Findings Here> MM-B-1.1.c Observe traffic between the encryption environment and any other CDE to verify the traffic is limited to systems directly related to supporting P2PE transactions, transaction processing, and/or terminal- management functions.
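Review bot: "terminal- management" in the new text has a stray space inside the hyphenated term; it should read "terminal-management" as in the previous version.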
Modified p. 60 → 64
<Report Findings Here> MM-B-1.2 Processes must be implemented to prevent clear-text account data from being transmitted from the CDE back to the encryption environment.
<Report Findings Here> MM-B-1.2 Processes must be implemented to prevent cleartext account data from being transmitted from the CDE back to the encryption environment.
Modified p. 60 → 64
MM-B-1.2.a Review documented policies and procedures for the CDE to verify that the transmission of clear-text account data from the CDE back to the encryption environment is prohibited.
MM-B-1.2.a Examine documented policies and procedures for the CDE to verify that the transmission of cleartext account data from the CDE back to the encryption environment is prohibited.
Modified p. 60 → 64
Documented policies and procedures for the CDE. reviewed:
Documented policies and procedures for the CDE examined:
Modified p. 60 → 64
<Report Findings Here> MM-B-1.2.b Observe processes and interview personnel to verify clear-text account data is prevented from being transmitted from the CDE back to the encryption environment.
<Report Findings Here> MM-B-1.2.b Observe processes and interview personnel to verify cleartext account data is prevented from being transmitted from the CDE back to the encryption environment.
Modified p. 60 → 64
<Report Findings Here> MM-B-1.2.c Using forensic techniques, observe traffic between the encryption environment and the CDE to verify clear-text account data is not transmitted from the CDE back to the encryption environment.
<Report Findings Here> MM-B-1.2.c Test using forensic techniques, observe traffic between the encryption environment and the CDE to verify cleartext account data is not transmitted from the CDE back to the encryption environment.
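Review bot: "Test using forensic techniques, observe traffic between ..." runs two imperatives together and does not parse. If the intent is to lead with a verb as the other procedures do (Examine, Observe), "Test, using forensic techniques, traffic between the encryption environment and the CDE to verify ..." keeps that convention; otherwise the previous wording "Using forensic techniques, observe traffic ..." was grammatical.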
Modified p. 60 → 64
Forensic techniques used: <Report Findings Here> Describe how the observed traffic between the encryption environment and the CDE verified that clear-text account data is not transmitted from the CDE back to the encryption environment:
Forensic techniques used: <Report Findings Here> Describe how the observed traffic between the encryption environment and the CDE verified that cleartext account data is not transmitted from the CDE back to the encryption environment:
Modified p. 61 → 65
<Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-C-1.1.b For a sample of system components in the CDE and the decryption environment, review system configurations and access-control lists to verify that encryption environment personnel do not have access to any system components in the decryption environment or the CDE.
<Report Findings Here> Responsible personnel interviewed: <Report Findings Here> MM-C-1.1.b For a sample of system components in the CDE and the decryption environment, examine system configurations and access-control lists to verify that encryption environment personnel do not have access to any system components in the decryption environment or the CDE.
Modified p. 61 → 65
<Report Findings Here> Describe how the observed traffic between the encryption environment and the CDE verified that clear-text account data is not transmitted from the CDE back to the encryption environment:
<Report Findings Here> Describe how the observed traffic between the encryption environment and the CDE verified that cleartext account data is not transmitted from the CDE back to the encryption environment: