Document Comparison
P2PE_Program_Guide_v2.0_r1.2_Mar_2020.pdf
→
PCI-P2PE-Program-Guide-v3.1.pdf
23% similar
71 → 70
Pages
22357 → 23653
Words
233
Content Changes
From Revision History
- June 2012 1.0 Initial release of the PCI P2PE Program Guide
Content Changes
233 content changes. 113 administrative changes (dates, page numbers) hidden.
Added
p. 2
December 2020 3.0 r1.0 Errata revision
- resolved requirements in Appendix G part 3a
- Resolved definition of P2PE Expired Listings
- Other general revisions made for increased consistency and clarity
September 2024 3.1
- General updates throughout document
- Added links to internal section references
- Former P2PE QSA terms have been updated in accordance with new terms in the currently published P2PE Qualification Requirements (QRs) regarding assessor companies and employees
- New terminology added as well as terminology revised
- New Publication references added as well as minor revisions to certain descriptions
- Partial section/structure reordering
- Added section regarding P2PE Technical FAQs
- Added content from published P2PE Technical FAQs where appropriate
- Revised content regarding PTS POI device and HSM expiry
- Added content regarding PTS POI device testing
- Added new Listed P2PE Product Outsourcing Matrix
- New figures regarding listing lifecycle and expiry
- Revisions to Appendices B, C, & D
- Removal of Appendices E, F, & G.
External Change Impact …
Added
p. 5
i. Terminology Throughout this document the following terms have the meanings set forth or referenced below or in the PCI P2PE Glossary of Terms, Abbreviations, and Acronyms (available on the PCI SSC Website), as applicable:
Term Meaning
Accepted, Acceptance: A P2PE Product is deemed to have been “Accepted” (and “Acceptance” is deemed to have occurred, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated) when PCI SSC has:
(i) received the corresponding Validated P2PE Product submission in the Portal, including the completed P-ROV(s), P-AOV, and all other documentation and information as required by the P2PE Standard and P2PE Program Requirements, from the P2PE Assessor Company qualified to perform the P2PE Assessment of the P2PE Product; (ii) received the corresponding P2PE Program fee for the P2PE Product submission; and (iii) confirmed that:
- the P2PE Product submission to the Portal is complete (all applicable documents completed appropriately/sufficiently), and
- the P2PE …
Added
p. 6
A Full Assessment is NOT an:
- Administrative Change, or a
- Delta Change
A New Assessment and a Reassessment both require a Full Assessment.
List of Validated P2PE Products: Refers to the List of Validated P2PE Solutions, List of Validated P2PE Components, and List of Validated P2PE Applications. The List of Validated P2PE Products is the authoritative source of on-going Acceptance by PCI SSC of Validated P2PE Products.
Listed: A Validated P2PE Product has been published on the Website after corresponding Acceptance has occurred, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated. See also: List of Validated P2PE Products, Acceptance
Listing: The information regarding a Validated P2PE Product appearing on the applicable List of Validated P2PE Products after Acceptance has occurred. Listings contain information about Validated P2PE Products, as described in Appendix B, Appendix C, and Appendix D herein.
New Assessment: A Full Assessment of a P2PE Product where that …
Added
p. 7
P2PE Assessor Employee: Refer to the P2PE Qualification Requirements.
P2PE Attestation of Validation (P-AOV): A form for P2PE Assessors and P2PE Vendors to declare the validation status of a P2PE Product to the P2PE Standard and Program Requirements. See also: P-AOV in Related Publications
P2PE Component: A P2PE service that is eligible for validation as a “P2PE Component” (as defined in the P2PE Glossary and herein) intended for use in a P2PE Solution as part of the P2PE Program.
P2PE Component Provider: An entity providing a service on behalf of other P2PE Solution Providers or P2PE Component Providers, intended for use in P2PE Solutions.
P2PE Expired Listings (Expired List / Expired Listings): The Council’s authoritative list of Expired P2PE Products appearing on the Website. Expired P2PE Products are no longer considered Validated P2PE Products.
P2PE Program (Program): The PCI SSC program for Point-to-Point Encryption (P2PE)® whereby an entity can choose to have their P2PE Product …
Added
p. 9
Solution-specific P2PE Application: A Validated P2PE Application included as part of a P2PE Solution assessment for use in that P2PE Solution only that is not separately Listed on the List of Validated P2PE Applications.
Validated P2PE Application: A P2PE Application that has undergone a Full Assessment by a P2PE Application Assessor Company that satisfies the P2PE Standard and Program Requirements, as documented in the corresponding P-ROV(s), AOV, and all other associated supporting material and information. See also: List of Validated P2PE Applications
Validated P2PE Component: A P2PE Component that has undergone a Full Assessment by a P2PE Assessor Company that satisfies the P2PE Standard and P2PE Program, as documented in the corresponding P-ROV(s), AOV, and all other associated supporting material and information. See also: List of Validated P2PE Components
Validated P2PE Product: A Validated P2PE Application, Validated P2PE Component, or Validated P2PE Solution. See also: List of Validated P2PE Products
Validated P2PE Solution: A …
Added
p. 11
ii. Related Publications
This Program Guide shall be used in conjunction with the latest versions of (or successor documents to) the following PCI SSC publications, each as available through the Website. Related Publications are italicized within this document.
Document name Description
Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms (“P2PE Glossary”): The then-current version of (or successor document to) the PCI Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms, as from time to time amended and made available on the Website.
PCI Point-to-Point Encryption Security Requirements and Testing Procedures (“P2PE Standard”): Contains the requisite security requirements and associated test procedures for the assessment and validation of P2PE Products.
PCI Point-to-Point Encryption Technical FAQs for use with PCI P2PE version 3.x (“P2PE Technical FAQs”): Technical FAQs are normative and are an integral and mandatory part of the PCI P2PE Standard and Program. Technical FAQs must be fully considered during …
Added
p. 12
PCI SSC Remote Assessments Guidelines and Procedures: Describes how remote assessment methods may be incorporated into practices for validating environments, solutions, and products to PCI SSC standards.
PCI PIN Transaction Security (PTS) Device Testing and Approval Program Guide (“PTS Program Guide”): Program information for the PTS Program, which includes program information for PTS POI devices and PTS HSMs.
Note: Capitalized terms used but not otherwise defined herein have the meanings set forth in Section i Terminology, in the P2PE Glossary or the P2PE Qualification Requirements (found on the Website), as applicable.
This document, the PCI Point-to-Point Encryption (P2PE)® Program Guide, provides information on the P2PE Program operated and managed by the PCI Security Standards Council, LLC (PCI SSC).
Note: Information regarding the qualification of P2PE Assessor Companies and their employees can be found in the PCI P2PE Qualification Requirements on the Website.
1.1. P2PE Program Overview
A P2PE Vendor may choose to have its P2PE …
Added
p. 14
Figure 1: P2PE Products Overview
1.2. Updates to Documents and Security Requirements
This Program Guide is reviewed regularly and may be modified to reflect continual improvement and quality management of the P2PE Program.
PCI SSC reserves the right to add, change, amend, or withdraw security requirements, test requirements, guidance, training, or other requirements at any time.
PCI SSC may provide interim updates to the PCI community through a variety of means, including required training, e-mail bulletins and newsletters, frequently asked questions (which may include technical/normative FAQs), the Website, and other communication methods.
If change to the P2PE Program is required, PCI SSC endeavors to work closely with stakeholders to help minimize the impact.
1.3. Technical FAQs
The PCI P2PE Technical FAQs provide answers to questions regarding the PCI P2PE Standard and Program. The P2PE Technical FAQs are a separate document from the P2PE Standard and are effective immediately upon publication.
Technical FAQs are normative and …
Added
p. 16
2.1.3. P2PE Component Providers
P2PE Component Providers are entities that provide one or more services that:
- Require a P2PE Assessment for Program purposes, and
- Are performed on behalf of a P2PE Solution Provider or a P2PE Component Provider for use in P2PE Solutions.
These services (and their respective P2PE Component Providers) are described further below.
Only P2PE Components validated by a P2PE Assessor Company and Accepted on an “Individual basis” by PCI SSC are separately Listed on the Website.
“Individual basis” here refers to the requirements for each component service’s individual PCI SSC submission in the Portal:
- including the corresponding P-AOV, P-ROV, and applicable fees
- for each individual component service.
Each P2PE Component requires its own PCI SSC submission. A separate P-ROV must be submitted to PCI SSC for each P2PE Component assessed as part of the Program for it to be Accepted and Listed. If a P2PE Component service described above is assessed …
Added
p. 17
Decryption Management Component Provider is an entity that manages the decryption environment that can support a P2PE solution.
The DMS P-ROV must be used to validate P2PE Components included within Decryption Management Services.
Key Management Services (KMS)
Key Management Services relates to the generation, conveyance, management, and loading of cryptographic keys including the management of associated devices.
Key Injection Facility (KIF) is an entity that performs cryptographic key services for PCI-approved PTS POI devices and HSMs (including, but not limited to, key generation, conveyance, and/or key loading).
Key Loading Component Provider (KLCP) is an entity that manages the cryptographic key loading for PCI-approved PTS POI devices and HSMs that can support a P2PE solution.
Key Management Component Provider (KMCP) is an entity that manages cryptographic key generation and key conveyance for PCI-approved PTS POI devices and HSMs that can support a P2PE Solution.
The KMS P-ROV must be used to validate …
Added
p. 18
2) Have their P2PE Component services reviewed during and as part of each of their customers’ corresponding P2PE Assessments.
Accordingly, a P2PE Solution or P2PE Component can be reviewed via the following scenarios:
1) A P2PE Solution Provider or P2PE Component Provider (or a merchant as a P2PE Solution Provider in the case of a Merchant-Managed Solution (MMS)) can outsource services to Third-Party Service Providers and have the services assessed as part of the overall P2PE Assessment of that P2PE Solution or P2PE Component; and/or
2) A P2PE Solution Provider or P2PE Component Provider (or a merchant as a P2PE Solution Provider in the case of an MMS) can outsource certain P2PE Component services to Listed P2PE Component Providers and report use of those Listed P2PE Component(s) in its P2PE Solution P-ROV or applicable P2PE Component P-ROV.
P2PE Solution Providers (or merchants as P2PE Solution Providers in the case of an …
Added
p. 19
- Maintaining an internal quality assurance process for their P2PE Assessment efforts.
- Staying up to date with PCI SSC statements and guidance, P2PE Technical and General FAQs, industry trends, and best practices.
As indicated above, PCI SSC does not approve P-ROVs from a technical compliance perspective but performs quality assurance to confirm that P-ROVs adequately document the demonstration of compliance.
- Hosts the List of Validated P2PE Products on the Website;
- Hosts the P2PE Expired Listings on the Website;
- Provides required training for and qualifies P2PE Assessor Companies (and their P2PE Assessor Employees), P2PE Application Assessor Companies (and their P2PE Application Assessor Employees), to assess and validate P2PE Products against the P2PE Standard and Program;
- Maintains and updates the P2PE Standard, Program, and related documentation;
- Reviews all P-ROVs (and other related documents) submitted to PCI SSC and related change submissions for compliance with baseline quality standards, including but …
Added
p. 22
A table is included in the associated P2PE Technical FAQs on the Website that provides the current PTS POI device expiry dates and the corresponding Reassessment window for Listed P2PE Products using these devices. The P2PE Technical FAQs also contain information regarding POI v6+ device firmware expiry.
The following information applies to PTS POI v6+ device firmware expiry. Refer to the PTS Program Guide on the Website for additional details.
PTS POI v6+ Firmware Expiry
New Assessments: As per the P2PE Standard, the PTS POI device approval must not be expired. In addition, for PTS POI v6 and later devices, the firmware must not be expired and past its 4-month grace period (i.e., it must not be red status). If at any time prior to Acceptance of the P2PE Product submission, including during the PCI SSC AQM review process, the PTS POI device firmware status turns red, the P2PE Product submission will …
Added
p. 24
With respect to the PTS POI device hardware/firmware (HW/FW) combinations, at least one unique combination of PTS POI device HW and FW (Figure 3, Example #1 below) supported by the P2PE Product must be validated and functionally tested (as determined by the P2PE Standard requirements and associated testing procedures) from each PTS approval that is being associated with the P2PE Product assessment.
Where the FW is not monolithic (Figure 3, Example #2 below), i.e., it is split into separate FW functionality (e.g., OS, SRED, OP), every FW required for the device to function as intended must be validated and functionally tested (as determined by the P2PE Standard requirements and associated testing procedures).
The P2PE Assessor must document in the appropriate P-ROV, for each associated PTS approval, the supported PTS POI device HW/FW(s) combinations that were validated and functionally tested, in addition to all eligible HW and FW from the same PTS approval …
Added
p. 25
Obtaining and maintaining PCI PTS HSM or FIPS 140 device approval is the responsibility of the secure cryptographic device vendor. The P2PE Assessor Company will request evidence of device approvals being in place and current as part of performing a P2PE Assessment, where applicable.
A Listed (not Expired) P2PE Product may undergo a Reassessment up to but not exceeding three years past the expiry date of any PCI-listed HSMs already included in the corresponding Listed P2PE Product. This will be checked as part of the Reassessment and submittal process to PCI SSC. As the Reassessment (provided it results in an updated P2PE Listing) has the potential to be valid for three years, this will allow P2PE Product Vendors to continue to use the expired HSMs for up to a total of six years after any associated PCI PTS HSM listings have expired, depending on their reassessment date.
A table is included in …
Added
p. 27
3.7. Remote Assessments
P2PE Assessors are expected to perform onsite assessments for P2PE Products, where applicable. While onsite assessments continue to be the expected method for PCI SSC assessments, the use of remote assessment methods may provide a suitable alternative in legitimate scenarios where an onsite assessment is not feasible. Refer to the PCI SSC Remote Assessments Guidelines and Procedures for details of remote assessment procedures and methods that may be used when an onsite assessment cannot be performed.
If remote assessment methods are used in place of an onsite assessment, the P2PE Assessor must complete the Addendum for ROC/ROV: Remote Assessments, as provided in Appendix A of the PCI SSC Remote Assessment Guidelines and Procedures document, for submission to PCI SSC along with the applicable P-ROV(s).
3.8. New Assessments and Reassessments using Expired P2PE Products
New Assessments and Reassessments of P2PE Products will not be Accepted if they use Expired …
Added
p. 29
4. Overview of the Validation Processes
The following sections provide a general overview of the validation processes for P2PE Products.
Refer to Section 4.2 for information regarding validation of Merchant-managed Solutions (MMS).
Refer to Section 2.1.4 to understand options for validating Third-Party Service Providers.
P2PE Application Assessments may only be performed by P2PE Application Assessor Companies.
1) The P2PE Vendor selects a P2PE Assessor Company from PCI SSC’s list of PCI Point-to-Point Encryption (P2PE)® Assessors on the Website and negotiates the cost and other terms of the assessor engagement directly with the P2PE Assessor Company.
3) Refer to Section 2.1.4 Third-Party Service Providers in this document to understand options for validating P2PE Component functions and services provided by Third-Party Service Providers. The P2PE Assessor Company then assesses the P2PE Product, including its security functions and features, using the appropriate P-ROV(s), to determine whether it complies with the P2PE Standard and Program Requirements.
5) PCI SSC issues …
Added
p. 32
Refer to Section 2.1.4 to understand options for validating Third-Party Service Providers.
P2PE Application Assessments may only be performed by P2PE Application Assessor Companies.
Added
p. 32
The P2PE Assessment process for P2PE Solutions managed by the merchant that uses that P2PE Solution (each a “Merchant-Managed P2PE Solution” or “MMS”) is initiated by the applicable merchant. The Website has all the associated documents needed to navigate the assessment process for MMS. The following is a high-level overview of the process:
1) The merchant selects a P2PE Assessor Company from PCI SSC’s list of PCI Point-to-Point Encryption (P2PE)® Assessors on the Website and negotiates the cost and other terms of the assessor engagement directly with the P2PE Assessor Company.
4) If the P2PE Assessor Company determines that the MMS is in accordance with the P2PE Standard and Program Requirements, the P2PE Assessor Company prepares and submits to the merchant a corresponding P2PE Merchant-Managed Solution P-ROV (and all additional P-ROVs as required for the P2PE Assessment) attesting to compliance and setting forth the results and observations of the P2PE Assessor …
Added
p. 33
4.4. P2PE Product Validation Required Documentation
The P2PE Vendor and P2PE Assessor work together to account for all P2PE Assessment-related materials (such as, but not limited to, P-ROVs, P-AOV, the P2PE Instruction Manual (PIM), P2PE Application Implementation Guide (IG), the Vendor Release Agreement (VRA), and all other materials related to the P2PE Product assessment and participation in the P2PE Program). The P2PE Vendor does not submit any documentation directly to PCI SSC as part of a P2PE Assessment.
The scope of the P2PE Product assessment and validation effort. The use of Listed P2PE Components and/or Listed P2PE Applications can reduce the scope.
The greater the scope of the P2PE Product assessment (which usually requires additional P-ROVs to be used), the longer the review time of the P2PE Product submission.
Added
p. 34
4.6. P2PE Assessor Information
By definition, a P2PE Application Assessor Company is also a P2PE Assessor Company.
PCI SSC qualifies and provides required training for P2PE Assessor Companies and P2PE Application Assessor Companies to assess and validate P2PE Products to the P2PE Standard and Program Requirements.
To perform P2PE Solution Assessments and/or P2PE Component Assessments, a P2PE Assessor Company must have been qualified by PCI SSC and remain in Good Standing (as defined in the QSA or QPA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a QSA or QPA Company and P2PE Assessor Company.
To perform P2PE Application Assessments, a P2PE Assessor Company must have been additionally qualified by PCI SSC and remain in Good Standing (as defined in the QSA or QPA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a P2PE Assessor Company and a P2PE Application Assessor Company.
All recognized …
Added
p. 37
Delta Change submissions to add Expired P2PE Products will not be Accepted. If at any time prior to Acceptance of the Delta Change submission, including during the PCI SSC AQM review process, a P2PE Product being added as part of the Delta Change is expired or expires, the Delta Change submission will be rejected. Delta Changes to add P2PE Components/Applications to an existing Listed P2PE Solution or Listed P2PE Component without further assessment require the P2PE Component/Application being added to be on the List of Validated P2PE Components or the List of Validated P2PE Applications, respectively.
The Change Impact Template on the Website must be used for Delta Changes.
Delta Changes are security-impacting changes (not Administrative Changes) made to a Listed P2PE Product as defined and accounted for in the Change Impact Template that affect a Listing element as defined in Appendix B, Appendix C, and Appendix D. Generally, Delta Changes include, …
Added
p. 38
1) Amend the Listed P2PE Product details on the corresponding List of Validated P2PE Products on the Website accordingly based on the Delta Change submission; and 2) Sign and return a copy of the corresponding P-AOV to both the P2PE Vendor and the P2PE Assessor Company. A Delta Change does not change the Listed P2PE Product’s Annual Revalidation date or its Reassessment date.
5.2.2. P2PE Application Changes and Version Numbers
All P2PE Application changes must result in a new application version number; however, whether this affects the version number specified within the P2PE Product Listing on the Website depends on the nature of the change and the Vendor’s validated versioning methodology. The use of wildcards may be permitted for managing the versioning methodology for non-security-impacting changes only.
Only those P2PE Applications that have had the P2PE Vendor’s wildcard versioning methodology validated to P2PE v3.x by a P2PE Application Assessor Company are eligible …
Added
p. 41
As a Listed P2PE Product approaches its 3-year Reassessment date, PCI SSC will provide a courtesy notification to the P2PE Vendor via email of the pending expiration. However, it is the sole responsibility of the P2PE Vendor to initiate a Reassessment of their P2PE Product regardless of any such courtesy reminder(s). The P2PE Vendor can choose to perform a Reassessment; otherwise, the P2PE Product will become an Expired P2PE Product and move to the P2PE Expired Listings as described below.
Figure 8: Reassessment Timeline & Listing Expiry
6.2.1. Listing Expiry
A Listed P2PE Product for which a new Acceptance based on a Full Assessment has not occurred on or before the Listed P2PE Product’s applicable Reassessment date will immediately appear in Orange for up to 90 consecutive calendar days, and in Red thereafter for up to 90 additional consecutive calendar days.
If a new Acceptance has not occurred within 180 consecutive …
Added
p. 45
• regardless of whether the P2PE Application being assessed is intended to be Listed on the List of Validated P2PE Applications or is not intended to be Listed and is only being validated and submitted as part of an overall P2PE Solution Assessment. If any aspect of a P2PE Product is different from that which was validated by the P2PE Assessor Company qualified to assess the specific P2PE Product, and Accepted by PCI SSC
POI Device Key Loading Supported Denotes Local Key Injection and/or Remote Key Distribution being supported by the P2PE Product as determined and validated as part of the P2PE Product Assessment. The “Remote Key” distribution requirements are additional requirements that apply to any entity implementing remote key distribution using asymmetric techniques for the distribution of keys to PCI-approved PTS POI devices for use in connection with account-data encryption.
Key Types Supported Denotes Symmetric and/or Asymmetric key types …
Added
p. 47
While a P2PE Solution may include third-party services (including services potentially eligible for being Listed as a P2PE Component) those third-party services are not identified within the P2PE Solution’s Listing or on the List of Validated P2PE Components. Any use of such a service in another P2PE Product would require either an independent Listing as a P2PE Component, if eligible, or an assessment as part of each P2PE Product where the third-party services are used.
Note: A P2PE Solution may include P2PE Applications that were validated as part of the Solution assessment that are not separately Listed on the List of Validated P2PE Applications (referred to as a ‘Solution-specific P2PE Application’).
P2PE Applications in this case are denoted on the P2PE Solution Listing; however, they do not have an associated Reference Number or an independent Reassessment Date. The P2PE Application name and its validated version(s) will be displayed under the associated P2PE …
Added
p. 48
Reassessment Date The 3-year date from the last date of Acceptance based on a Full Assessment by which time the P2PE Solution Provider can choose to undergo and submit another Full Assessment of the P2PE Solution to the P2PE Standard and Program Requirements to, provided Acceptance occurs, maintain their Listing.
POI Device Key Loading Supported Denotes Local Key Injection and/or Remote Key Distribution being supported by the P2PE Product as determined and validated as part of the P2PE Product Assessment. The “Remote Key” distribution requirements are additional requirements that apply to any entity implementing remote key distribution using asymmetric techniques for the distribution of keys to PCI-approved PTS POI devices for use in connection with account-data encryption.
Key Types Supported Denotes Symmetric and/or Asymmetric key types being supported as a result of the assessment and validation of the P2PE Product. The requisite set of requirements in the P2PE Standard must …
Added
p. 49
Note: A Listed P2PE Component that undergoes a Reassessment to the same major version of the P2PE Standard that is subsequently Accepted and Listed will retain the existing Reference Number.
A Listed P2PE Component that undergoes a Reassessment to a new major version of the P2PE Standard that is subsequently Accepted and Listed will result in an updated (new) Reference Number.
Added
p. 50
Note: Certain Component Types can outsource to other predefined Listed Component types. Refer to the Outsourcing Matrix in Section 3.1.
• PCI-Approved PTS POI Devices Supported This section identifies PCI-approved PTS POI devices, including the PTS POI device hardware and firmware versions, validated for use with this P2PE Component and will include relevant PCI PTS reference numbers and expiry dates of the PTS approval. A Website link to the associated PTS Approval on the PCI List of Approved PIN Transaction Security (PTS) Devices is included for each device supported.
• PCI-Approved PTS HSMs Supported This section identifies PCI-approved PTS HSM devices validated for use with this P2PE Component and will include the relevant PCI PTS reference numbers and expiry dates of the PCI PTS approval. A Website link to the associated PTS Approval on the PCI List of Approved PIN Transaction Security (PTS) Devices is included for each device supported.
• FIPS 140 …
Added
p. 51
Reassessment Date The 3-year date from the last date of Acceptance based on a Full Assessment by which time the P2PE Component Provider can choose to undergo and submit another Full Assessment of the P2PE Component to the P2PE Standard and Program Requirements to, provided Acceptance occurs, maintain their Listing.
Note: The P2PE Application Name cannot contain any variables or special characters.
Represents the validated application version. The format of the version number:
Note: A Listed P2PE Application that undergoes a Reassessment that is subsequently Accepted and Listed on the Website results in a new Reference Number.
P2PE Application Identifier 3 digits This value uniquely identifies the P2PE Application of the P2PE Application Vendor.
P2PE Application Details Details specific to the P2PE Application consisting of underlying dependencies that include the following:
Added
p. 53
P2PE Standard Version The version of the P2PE Standard used to validate the P2PE Application.
P2PE Application Assessor Company The qualified P2PE Application Assessor Company that performed the validation and determined that the P2PE Application is in accordance with the P2PE Standard and Program Requirements.
Annual Revalidation Date The date by which the P2PE Application Vendor must satisfy the Annual Revalidation process, which occurs at the 12- and 24-month mark from the last date of Acceptance based on a Full Assessment.
Reassessment Date The 3-year date from the last date of Acceptance based on a Full Assessment by which time the P2PE Application Vendor can choose to undergo and submit another Full Assessment of the P2PE Application to the P2PE Standard and Program Requirements to, provided Acceptance occurs, maintain their Listing.
• The specific details of how wildcards are used in the versioning methodology.
a) Wildcard elements may only be used for non-security-impacting changes, which …
Added
p. 56
Table 2: P-ROV Templates
P-ROV Name (Abbreviated) / Used for the Following Assessments / Purpose
Template for Report on Validation for use with P2PE v3.1 for P2PE Solution Assessments / P2PE Solution / Validation of a P2PE Solution requires, at a minimum, a P2PE Solution P-ROV. Additional P-ROVs (below) may be required for Validating a P2PE Solution depending on whether Listed P2PE Components and/or P2PE Applications are included.
Note: A separate Merchant-Managed Solution P-ROV is used as part of validating MMS.
Template for Report on Validation for use with P2PE v3.1 for P2PE Encryption Management Services Assessments P2PE Solution (as needed) Encryption Management POI Deployment POI Management “Encryption Management Services” relates to the distribution, management, and use of PCI-approved PTS POI devices in a P2PE Solution.
Validation of P2PE Solutions that do not outsource the entirety of their Encryption Management Services to Listed P2PE Component Providers, either to an EMCP or to BOTH a PDCP AND a …
Added
p. 57
Validation of P2PE Solutions that do not outsource the entirety of their Decryption Management Services to a Listed DMCP must include this P-ROV in addition to a Solution P-ROV.
Validation of P2PE Component services provided by a DMCP must use this P-ROV.
Template for Report on Validation for use with P2PE v3.1 for Key Management Services Assessments P2PE Solution (as needed) Key Management Key Loading “Key Management Services” relates to the generation, conveyance, management, and loading of cryptographic keys including the management of associated devices (POI devices, HSMs, etc.).
Validation of a P2PE Solution that has not satisfied the key management services requirements (Domain 5) either using Listed P2PE Component Providers and/or through the assessment of their Encryption Management Services and/or Decryption Management Services must complete the KMS P-ROV. E.g., if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to PCI-approved PTS POI devices for use …
Added
p. 58
P-ROV Preparation and Submission:
The P2PE Assessor Company must complete the applicable P-ROV(s) in accordance with the Program Requirements. If the P2PE Assessor determines there are items that need to be addressed, the P2PE Vendor must address those items, and the P2PE Assessor Company must update the P-ROV(s) prior to submission to PCI SSC. Once the P2PE Assessor Company is satisfied that all documented issues have been resolved by the P2PE Vendor, the P2PE Assessor Company submits the P-ROV(s) and all other required materials to PCI SSC on behalf of the P2PE Vendor. As stated in the P2PE Qualification Requirements and the P2PE Assessor Addendum, P2PE Assessors are required to meet all quality assurance standards set by PCI SSC.
PCI SSC P-ROV Submission Review
Once PCI SSC receives the completed P-ROV(s) and all other required materials and applicable fees, PCI SSC reviews the submission from a quality-assurance perspective and determines whether …
Added
p. 59
P-ROV(s) that have been returned to the P2PE Assessor Company for correction must be resubmitted to PCI SSC within 30 calendar days of the preceding submission (clearly denoting and communicating the cumulative changes within the document(s), including redline as applicable). If resubmitting to PCI SSC within 30 calendar days is not possible, the P2PE Assessor Company must inform PCI SSC of the timeline for response. Lack of response on P-ROV(s) returned to the P2PE Assessor Company for correction may result in the submission being closed. Submissions that have been closed will not be reopened and must be resubmitted as if they are new P-ROV submissions.
Added
p. 60
Notes: Each requirement denoted includes all sub-requirements unless indicated otherwise.
When undergoing a P2PE Assessment, ‘Not Applicable’ cannot be used by entities that provide only partial aspects of a defined P2PE Component Provider service to validate to that P2PE Component Provider type.
Notes for the P2PE Standard Requirement Applicability Matrix:
Added
p. 60
E.g., if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to PCI-approved POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service that has not already been assessed as part of the inclusion of a Listed P2PE Component Provider, then the P2PE Solution assessment must include all applicable key management services requirements (Domain 5).
Added
p. 60
• i.e., they cannot be assessed in isolation
• they must be assessed in addition to all applicable Domain 5 requirements relevant to the assessment. Refer to Domain 5 in the P2PE Standard for more information.
Added
p. 61
P2PE Standard Security Requirements P2PE Requirement Encryption Management Services P2PE Application Decryption Management Key Management Services (or MMS) 1,4,6 POI Deployment4 POI Management4 Encryption Management2,4 Decryption Management4 Key Management4 Key Loading4 KIF3,4 CA/RA5 Remote 1A-1 X X X 1A-2 X X X 1B-1.1 X X X 1B1.2 X X X 1B-2 X X X 1B-3 X X X 1B-4 X X X 1B-5 X X X 1C-1 X X X 1C-2 X X X X 1D-1 X X X 1D-2 X X X X
Added
p. 62
Note: If a hybrid decryption environment is being used, the following requirements (4D) will apply
Added
p. 69
Note: If a hybrid decryption environment is being used, the following additional requirements (5H) will apply
Note: 5I-1 is applicable to Component Providers performing key management services for POI devices and/or HSMs
5I-1 X X X X X X X X X
APPENDIX A
Added
p. 70
** Listed P2PE Solutions and applicable Listed P2PE Components are prohibited from performing a P2PE Reassessment with any expired HSMs that exceed the reassessment date shown relative to the specified PCI PTS HSM Standard version. Note that a successful Reassessment is valid for three years.
*** Listed P2PE Solutions and applicable Listed P2PE Components must have replaced any expired HSMs with current (non-expired) HSMs by the date shown here relative to the specified PCI PTS HSM Standard version.
Figure 9: PCI-Approved PTS HSM Expiry Flowchart
Modified
p. 1
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Program Guide Version 2.0 Revision 1.2
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE)® Program Guide Version 3.1 For Use With the PCI P2PE Standard v3.x
Modified
p. 2
June 2012 1.0 Initial Release of the PCI P2PE Program Guide
June 2012 1.0 Initial release of the PCI P2PE Program Guide
Modified
p. 2
February 2013 1.1 Updated to reflect changes to Domain 2 assessments and changes to the evolving P2PE Program.
February 2013 1.1 Updated to reflect changes to Domain 2 assessments and changes to the evolving P2PE Program
Removed
p. 5
• Program Background (Section 1.1)
• P2PE Initiative and Overview (Section 1.4)
• Program Roles and Responsibilities (Section 2)
• Overview of the Validation Process (Section 3)
• Preparation for the Review (Section 4)
• Managing a Validated P2PE Listing (Section 5)
• Reporting Considerations (Section 6)
• Assessor Quality Management Program (Section 6.3)
1.1 Program Background
In response to requests from merchants and other members of the Payment Card Industry (PCI) for a unified set of point-to-point encryption security requirements, PCI SSC has adopted and maintains the Point-to-Point Encryption Standard (P2PE), the current version of which is available on the PCI SSC Website. When implemented appropriately, a P2PE Solution provides a rigorous defense against data exposure and compromise.
PCI SSC manages the Program, including the development, implementation, and maintenance of validated P2PE Products (P2PE Application, P2PE Component, or P2PE Solution).
Organizations qualified by PCI SSC to validate P2PE Solutions and P2PE Components on behalf of P2PE Vendors are …
Removed
p. 6
Document name / Description
Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms (the “P2PE Glossary”) / Separate glossary for specific use with the P2PE Standard.
PCI Point-to-Point Encryption Solution Requirements and Testing Procedures (“P2PE Standard”) The P2PE Standard lists and defines the specific technical requirements and assessment procedures.
PCI P2PE Report on Validation Reporting Template (“P-ROV Reporting Template”) The P-ROV Reporting Template is mandatory for completing a P2PE Report on Validation and includes detail on how to document the findings of a P2PE Assessment. There are several versions covering P2PE Solutions, P2PE Components, and P2PE Applications.
PCI P2PE Attestation of Validation (“P-AOV”) The P-AOV is a form for QSA (P2PE) and/or PA-QSA (P2PE) Companies to attest to the results of a P2PE Assessment, as documented in the P2PE Report on Validation. There are several versions covering P2PE Solutions, P2PE Components, and P2PE Applications.
PCI Qualification Requirements for Point-to-Point Encryption …
Removed
p. 7
Term Meaning
Accepted, or listed A P2PE Product is deemed to have been “Accepted” or “listed” (and “Acceptance” is deemed to have occurred) when PCI SSC has:
(i) received the corresponding P-ROV from the P2PE Assessor Company; (ii) received the corresponding fee and all documentation required with respect to that P2PE Product as part of the Program; (iii) confirmed that the P-ROV is correct as to form (all applicable documents completed appropriately/sufficiently), the P2PE Assessor Company properly determined that the P2PE Solution, P2PE Component, or P2PE Application is eligible to be a P2PE Validated Solution, a P2PE Validated Component, or a P2PE Validated Application, the P2PE Assessor Company adequately reported the P2PE compliance of the P2PE Solution, P2PE Component, or P2PE Application in accordance with Program requirements, and the detail provided in the P-ROV meets PCI SSC’s reporting requirements; and (iv) listed the P2PE Solution, P2PE Component, or P2PE Application on …
Removed
p. 8
Listing Refers to the listing and related information regarding a P2PE Solution on the List of Validated P2PE Solutions, a P2PE Component on the List of Validated P2PE Components, or a P2PE Application on the List of Validated P2PE Applications.
Merchant-managed Solution (or MMS) A P2PE solution managed by a merchant rather than by a Third-Party Solution Provider. These merchant solutions are typically for large retail organizations who centrally manage the solution on behalf of their own encryption environments.
In a merchant-managed solution, part of the merchant business plays the role of a P2PE solution provider (managing POIs, decryption environment, etc.), and part of the business plays the role of a “merchant” that has no access to clear-text account data, etc.
Merchant-managed solutions are not eligible for PCI listing.
P-AOV A P2PE Program “Attestation of Validation” declaring the P2PE Solution, P2PE Component, or P2PE Application’s validation status against the P2PE Standard.
• The P2PE …
Modified
p. 8 → 6
List of Validated P2PE Applications The Council’s authoritative List of Validated P2PE Applications appearing on the PCI SSC website.
List of Validated P2PE Solutions The Council’s authoritative List of Validated P2PE Solutions appearing on the Website.
Modified
p. 8 → 6
List of Validated P2PE Components The Council’s authoritative List of Validated P2PE Components appearing on the PCI SSC website.
List of Validated P2PE Components The Council’s authoritative List of Validated P2PE Components appearing on the Website.
Modified
p. 8 → 6
List of Validated P2PE Solutions The Council’s authoritative List of Validated P2PE Solutions appearing on the PCI SSC website.
See also: New Assessment, Reassessment
List of Validated P2PE Applications The Council’s authoritative List of Validated P2PE Applications appearing on the Website.
Removed
p. 9
P2PE Assessment A P2PE Solution Assessment, P2PE Component Assessment, or P2PE Application Assessment.
P2PE Assessor Company A company qualified by PCI SSC as either a QSA (P2PE) Company or PA-QSA (P2PE) Company.
P2PE Assessor Employee A QSA (P2PE) Employee or PA-QSA (P2PE) Employee.
P2PE Components A P2PE service (such as encryption management, decryption management, or key injection) that is eligible for validation and Acceptance on a standalone basis as part of the P2PE Program and may be incorporated into and/or referenced as part of a P2PE Solution.
P2PE Component Assessment Assessment of a P2PE Component against applicable P2PE Domains in order to validate compliance with the P2PE Standard as part of the P2PE Program.
P2PE Component Provider Refer to definition in P2PE Glossary.
P2PE Domain or Domain Any of the six control domains of the P2PE Standard, which together represent the core areas where security controls may need to be applied and validated.
P2PE Non-payment Software Refer …
Modified
p. 9 → 6
P2PE Application Refer to definition in P2PE Glossary.
P2PE Application Assessor Company Refer to the P2PE Qualification Requirements.
Modified
p. 9 → 6
P2PE Application Vendor Refer to definition in P2PE Glossary.
P2PE Application Assessor Employee Refer to the P2PE Qualification Requirements.
Modified
p. 9 → 7
P2PE Application Assessment Assessment of a P2PE Application against P2PE Domain 2 in isolation of any point-to-point solution in order to validate compliance with the P2PE Standard as part of the P2PE Program.
P2PE Component Assessment A Full Assessment of a P2PE Component to validate compliance with the P2PE Standard as part of the P2PE Program.
Modified
p. 9 → 7
P2PE Instruction Manual or “PIM” An instruction manual prepared by a P2PE Solution Provider in accordance with the P2PE Standard to instruct its customers and resellers/integrators on secure P2PE Solution implementation, to document secure configuration specifics, and to clearly delineate vendor, reseller/integrator, and customer responsibilities for installing and/or using P2PE Solutions.
See also: P2PE Glossary in the Related Publications section
P2PE Instruction Manual (PIM) An instruction manual prepared by a P2PE Solution Provider using the template provided by PCI SSC in accordance with the P2PE Standard to instruct its customers and resellers/integrators on secure P2PE Solution implementation, to document secure configuration specifics, and to clearly delineate vendor, reseller/integrator, and customer responsibilities for installing and/or using P2PE Solutions.
Modified
p. 9 → 7
P2PE Product A P2PE Application, P2PE Component, or P2PE Solution
See also: PIM in the Related Publications section
P2PE Product A P2PE Application, P2PE Component, or P2PE Solution.
Removed
p. 10
P2PE Solution A combination of secure devices, applications, and processes that encrypt cardholder data from a PCI SSC-approved point-of-interaction (POI) device through to decryption and that is eligible for validation and Acceptance as part of the P2PE Program.
P2PE Solution Provider Refer to definition in P2PE Glossary.
PA-QSA (P2PE) Company A Payment Application Qualified Security Assessor (PA-QSA) Company that:
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers, P2PE Component Providers, and/or P2PE Application Vendors in order to validate that such providers’ or vendors’ P2PE Solutions, P2PE Components, and/or P2PE Applications adhere to all aspects of the P2PE Standard, including but not limited to, validation that payment applications, when incorporated into or used as part of a P2PE Solution, adhere to all P2PE Domain 2 requirements; and (b) Remains in Good Standing (defined in Section 1.3 of the P2PE Qualification Requirements) or in remediation as a PA-QSA (P2PE) …
Modified
p. 10 → 8
P2PE Solution Assessment Assessment of a P2PE Solution against applicable P2PE Domains in order to validate compliance with the P2PE Standard as part of the P2PE Program.
See also: P-ROV in the Related Publications section
P2PE Solution Assessment A Full Assessment of a P2PE Solution to validate compliance with the P2PE Standard as part of the P2PE Program.
Modified
p. 10 → 8
P2PE Standard The then-current version of (or successor document(s) to) the Payment Card Industry (PCI) Point-to-Point Encryption Solution Requirements and Testing Procedures, any and all appendices, exhibits, schedules, and attachments to the foregoing and all materials incorporated therein, in each case, as from time to time amended and made available on the Website.
P2PE Standard The then-current version of (or successor document(s) to) the Payment Card Industry (PCI) Point-to-Point Encryption Security Requirements and Testing Procedures, any and all appendices, exhibits, schedules, and attachments to the foregoing and all materials incorporated therein, in each case, as from time to time amended and made available on the Website.
Modified
p. 10 → 8
P2PE Vendor A P2PE Solution Provider, or P2PE Component Provider, or P2PE Application Vendor.
See also: P2PE Standard in the Related Publications section
P2PE Vendor A P2PE Solution Provider, P2PE Component Provider, or P2PE Application Vendor.
Removed
p. 11
PCI-approved POI device Refer to definition in P2PE Glossary.
QSA (P2PE) Company A Qualified Security Assessor (QSA) Company that:
(a) Is qualified by PCI SSC to provide services to P2PE Solution Providers and/or P2PE Component Providers in order to validate that such providers’ P2PE Solutions and/or P2PE Components adhere to all applicable aspects of the P2PE Standard, and (b) Remains in Good Standing (defined in Section 1.3 of the P2PE Qualification Requirements) or in remediation as a QSA (P2PE) Company.
QSA (P2PE) Company qualification, alone, does not qualify a company to conduct P2PE Application Assessments. P2PE Application Assessments may only be performed by PA-QSA (P2PE) Companies.
QSA (P2PE) Employee An individual employed by a QSA (P2PE) who has satisfied, and continues to satisfy, all QSA (P2PE) Requirements applicable to employees of QSA (P2PE) Companies who will conduct P2PE Solution Assessments and/or P2PE Component Assessments, as described in further detail herein.
Secure Cryptographic Device (SCD) Refer …
Modified
p. 11 → 8
Participating Payment Brand A global payment card brand or scheme that is also a limited liability company member of PCI SSC (or affiliate thereof).
Participating Payment Brand A payment card brand that, as of the time in question, is then formally admitted as (or an affiliate of) a member of PCI SSC pursuant to its governing documents.
Modified
p. 11 → 9
Third-Party Service Provider An entity that provides a service or function on behalf of a P2PE Solution Provider, which is incorporated into and/or referenced by the applicable P2PE Solution, such as a payment gateway or data center.
Third-Party Service Provider An entity that provides a service or function on behalf of a P2PE Solution Provider or P2PE Component Provider, which is incorporated into and/or referenced by the applicable P2PE Solution or P2PE Component.
Modified
p. 11 → 9
A Third-Party Service Provider is only considered a P2PE Component Provider for eligible P2PE Component services if the applicable service is separately PCI-listed on the List of Validated P2PE Components. A Third-Party Service Provider that is not also a PCI-listed P2PE Component Provider for those services must have its services reviewed during the course of each of its solution-provider customers’ P2PE Assessments.
A Third-Party Service Provider is only considered a P2PE Component Provider for eligible P2PE Component services if the applicable service is separately Listed on the List of Validated P2PE Components. A Third-Party Service Provider that is not also a Listed P2PE Component Provider for those services must have its services reviewed during the course of each of its P2PE Solution Provider or P2PE Component Provider customers’ P2PE Assessments.
Removed
p. 12
Validated P2PE Component A P2PE Component that has been assessed and validated by a QSA (P2PE) Company to be in scope for the P2PE Program and to have met all necessary P2PE Requirements and then Accepted by PCI SSC, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated.
Validated P2PE Product A Validated P2PE Application, Validated P2PE Component, or Validated P2PE Solution.
Validated P2PE Solution A P2PE Solution that has been assessed by a QSA (P2PE) Company or PA-QSA (P2PE) Company to be in scope for the P2PE Program and to have met all of the requirements of the P2PE Standard and then Accepted by PCI SSC, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated.
Versioning Methodology Refer to definition in P2PE Glossary.
Wildcard Refer to definition in P2PE Glossary.
Removed
p. 12
Stakeholders in the payments value chain benefit from the P2PE Standard in a variety of ways, including the following:
• Customers benefit from a broader selection of validated P2PE Solutions, the possibility of implementing Validated P2PE Solutions to reduce the scope of PCI DSS assessments, and assurance from using P2PE Products validated by a QSA (P2PE) and/or PA-QSA (P2PE) Companies to be P2PE Standard compliant.
Modified
p. 12 → 9
Vendor Release Agreement (or VRA) The then-current and applicable form of release agreement that PCI SSC:
See also: List of Validated P2PE Solutions
Vendor Release Agreement (VRA) The then-current and applicable form of vendor release agreement that PCI SSC:
Modified
p. 12 → 9
(a) Requires to be executed by P2PE Solution Providers, P2PE Component Providers and/or P2PE Application Vendors (as applicable) in connection with the P2PE Assessor Program, and (b) Makes available on the Website.
(a) Requires to be executed by P2PE Vendors in accordance with the Program Requirements, and (b) Is available on the Website.
Modified
p. 12 → 9
Website The then-current PCI SSC Website (and its accompanying web pages), which is currently available at www.pcisecuritystandards.org.
See also: VRA in the Related Publications section
Website The then-current PCI SSC Website (and its accompanying web pages), which is currently available at www.pcisecuritystandards.org.
Removed
p. 13
• P2PE Solution Providers benefit from a broader selection and recognition of P2PE Components and P2PE Applications.
• P2PE Solutions validated and listed by the Council are currently recognized by all Participating Payment Brands.
Note: each brand independently develops and manages its own compliance programs and decisions regarding recognition of P2PE Products.
For more information regarding PCI SSC, see the Website.
Removed
p. 14
• P2PE security requirements and assessment procedures
• Quality assurance processes for P2PE Assessor Companies
P2PE Solution Providers may choose to have their P2PE Solutions validated for compliance with the P2PE Standard in accordance with this P2PE Program Guide in order to have those solutions included in the List of Validated P2PE Solutions on the PCI SSC website.
There are six control Domains for validation of P2PE Solutions. These Domains represent the core areas where security controls need to be applied and validated in order for the P2PE Solution to be listed on the PCI SSC website, as follows:
Domain Name Description
Domain 1: Encryption Device and Application Management The secure management of the PCI-approved POI devices and the resident software.
Domain 2: Application Security The secure development of payment applications designed to have access to clear-text account data intended solely for installation on PCI-approved POI devices.
Domain 3: P2PE Solution Management Overall management of …
Modified
p. 14 → 13
The P2PE Program Guide is intended for P2PE Assessor Companies and P2PE Vendors of P2PE Products (P2PE Solutions, P2PE Components, and P2PE Applications).
Modified
p. 14 → 13
Note: PCI SSC reserves the right to require revalidation due to changes to the P2PE Standard and/or due to specifically identified vulnerabilities in listed P2PE Solutions.
Note: PCI SSC reserves the right to require revalidation due to changes to the P2PE Standard and/or due to specifically identified vulnerabilities in Listed P2PE Products.
Removed
p. 15
P2PE Solution Providers have overall responsibility for ensuring that their P2PE Solutions satisfy all applicable requirements of the P2PE Standard.
Removed
p. 15
Where a P2PE Application is to be used in a P2PE Solution, the vendor may optionally seek to have that application validated and Accepted as a Validated P2PE Application, and accordingly listed on the List of Validated P2PE Applications. P2PE Applications must be assessed by a PA-QSA (P2PE) Company. For P2PE Applications intended for use in multiple P2PE Solutions, validation and Acceptance as a Validated P2PE Application eliminates the need for the application to be separately reviewed as part of each P2PE Solution in which it is used.
Removed
p. 15
• Encryption-management services: Assessed per Domains 1 and 6 including Annex A as applicable.
• Decryption-management services: Assessed per Domains 5 and 6 including Annex A as applicable.
• Key-Injection Facility services: Assessed per Annex B of Domain 6 including Annex A as applicable.
• Certification Authority/Registration Authority services: Assessed per Domain 6 and Annex A Part A2 (in addition to Annex A Part A1, as applicable).
Removed
p. 16
If a component service described above is assessed as part of a P2PE Solution but is not on the List of Validated P2PE Components, the entity is not considered a P2PE Component Provider for purposes of that component and is simply referred to as a Third-Party Service Provider with respect to that component. A Third-Party Service Provider must have its services reviewed during the course of each of its solution provider customers’ P2PE Assessments.
Removed
p. 16
Specific requirements for Decryption-management Entities are set out in Domains 5 and 6 (including Annex A as applicable) of the P2PE Standard. The requirements in Domains 5 and 6 apply to all Decryption-management Entities whether the entity is a P2PE Component Provider, a P2PE Solution Provider, or a Third-Party Service Provider performing functions on behalf of a P2PE Solution Provider.
Removed
p. 16
Specific requirements for KIFs are set out in Annex B of Domain 6 (including Annex A) of the P2PE Standard. The requirements apply to all KIFs, whether the entity is a P2PE Component Provider, a P2PE Solution Provider, or a Third-Party Service Provider performing functions on behalf of a P2PE Solution Provider.
Modified
p. 16
P2PE Assessor Companies are qualified to perform P2PE Assessments of P2PE Components for consideration of Acceptance by PCI SSC and subsequent inclusion on the List of Validated P2PE Components.
Removed
p. 17
Refer to Section 2.1.3, “P2PE Component Providers,” to understand how to address Third-Party Service Providers whose services may be eligible for consideration as a P2PE Component. Without such applicable services being separately PCI-listed on the List of Validated P2PE Components, those services (such as KIF, CA/RA, etc.) are not considered P2PE Components but simply a third-party service provider with respect to the P2PE Solution it is used within.
Removed
p. 17
• Maintains a centralized repository for all P-ROVs for P2PE Products listed on the Website;
• Hosts the List of Validated P2PE Solutions, the List of Validated P2PE Components, and the List of Validated P2PE Applications on the Website;
• Provides required training for and qualifies QSA (P2PE) and PA-QSA (P2PE) Companies and Employees to assess and validate P2PE Products for P2PE compliance;
• Maintains and updates the P2PE Standard and related documentation according to a standards lifecycle management process; and
• Reviews all P-ROVs submitted to PCI SSC and related change submissions for compliance with baseline quality standards, including but not limited to, confirmation that:
Modified
p. 17 → 19
PCI SSC is the standards body that maintains the PCI SSC standards including the PCI DSS, P2PE Standard, PTS Standard, and PA-DSS. In relation to the P2PE Standard, PCI SSC:
PCI SSC is the standards body that maintains the PCI SSC standards. In relation to the P2PE Standard, PCI SSC:
Modified
p. 17 → 19
• Submissions (including P-ROVs, updates and Interim Self Assessments/Annual Revalidations) are correct as to form;
• Submissions (including P-ROVs, Change Impact Submissions, and Annual Revalidations) are correct as to form;
Modified
p. 17 → 19
• QSA (P2PE) and PA-QSA (P2PE) Companies properly determine whether candidate P2PE Products meet baseline eligibility criteria for validation under the P2PE Program (PCI SSC reserves the right to reject or de-list any P2PE Solution, P2PE Component, and/or P2PE Application determined to be ineligible for the P2PE Program);
• The P2PE Assessor Company determines whether P2PE Products are eligible for validation under the P2PE Program (PCI SSC reserves the right to reject or remove the applicable Listing of any Validated P2PE Product determined to be ineligible for the P2PE Program);
Modified
p. 17 → 19
• QSA (P2PE) and PA-QSA (P2PE) Companies adequately report the P2PE compliance of candidate Products in their associated submissions; and
• The P2PE Assessor Company adequately report the P2PE compliance of P2PE Products in their associated submissions; and
Modified
p. 17 → 19
As part of the PCI SSC quality assurance (QA) process, PCI SSC assesses whether overall, QSA (P2PE) and PA-QSA (P2PE) Company operations appear to conform to PCI SSC’s quality assurance and qualification requirements.
As part of the PCI SSC quality assurance (QA) process, PCI SSC assesses whether overall, a P2PE Assessor Company’s operations appear to conform to PCI SSC’s quality assurance and qualification requirements. (Refer to Section 4.6 P2PE Assessor Information.)
Removed
p. 18
Note: PCI SSC does not assess or validate P2PE Solutions, P2PE Components, and/or P2PE Applications for P2PE compliance; assessment and validation is the role of the QSA (P2PE) and/or PA-QSA (P2PE) Company, as applicable. Listing of a P2PE Solution, P2PE Component, and/or P2PE Application on the List of Validated P2PE Solutions, List of Validated P2PE Components, and/or List of Validated P2PE Applications signifies only that the applicable P2PE Assessor Company has determined that the application complies with the P2PE Standard, that the P2PE Assessor Company has submitted a corresponding P-ROV to PCI SSC, and that the P-ROV, as submitted to PCI SSC, has satisfied all requirements of the PCI SSC for P-ROVs as of the time of PCI SSC's review.
Removed
p. 18
• QSA (P2PE): QSA (P2PE) Companies are QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions and P2PE Components. QSA (P2PE) Companies are not qualified by PCI SSC to perform P2PE Application Assessments.
• PA-QSA (P2PE): PA-QSA (P2PE) Companies are PA-QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions, P2PE Components, and P2PE Applications.
• Not all QSA Companies are PA-QSA Companies; there are additional qualification requirements that must be met for a QSA Company to become a PA-QSA Company.
• Not all QSA Companies are QSA (P2PE) Companies; there are additional qualification requirements that must be met for a QSA Company to become a QSA (P2PE) Company.
• Not all PA-QSA Companies are PA-QSA (P2PE) Companies; there are additional qualification requirements that must be met for a PA-QSA Company to become a PA-QSA (P2PE) Company.
• Performing assessments of P2PE Solutions …
Removed
p. 19
• Implementing Validated P2PE Solutions in compliance with:
a) All applicable requirements in this document; and
b) The P2PE Instruction Manual.
• Configuring P2PE Solutions (where configuration options are provided) according to the validated processes provided by the P2PE Solution Provider, as documented in the P2PE Instruction Manual.
• Servicing POI devices used in a P2PE Solution (for example, troubleshooting, delivering remote updates, and providing remote support) according to the validated processes in the P2PE Instruction Manual.
• Ensuring that customers are provided (either directly from the Vendor or from the reseller or integrator) with a current copy of the P2PE Instruction Manual.
Integrators and Resellers do not submit P2PE Solutions for P2PE Solution Assessments. Only a P2PE Solution Provider may submit a P2PE Solution for a P2PE Solution Assessment.
Removed
p. 19
PCI Qualified Integrators and Resellers (QIRs) are trained by the Council in PCI DSS and PA-DSS in order to help ensure that they securely implement Payment Applications. However, the QIR Program does not apply to the P2PE Program at this time.
• Use of Validated P2PE Solutions, coordinating with their acquirers to determine which solutions and devices to implement.
• Ensuring, if the merchant has other non-P2PE payment channels, that the P2PE environment is adequately segmented (isolated) from any non-P2PE payment channels.
• Removing any legacy cardholder data or systems from the P2PE environment.
• Ensuring that their payment environments are validated against applicable PCI DSS requirements in accordance with applicable payment card brand requirements.
Modified
p. 19 → 20
Adhering to the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
Modified
p. 20
Note: Device evaluation by a PCI-recognized Laboratory is a separate process from the validation of a P2PE Solution Assessment; the P2PE Solution Assessment validates whether or not a given P2PE Solution (which may include multiple POI devices) is in compliance with the P2PE Standard.
Note: Device evaluation by a PCI-recognized Laboratory is a separate process from the validation that occurs as part of a P2PE Assessment; the P2PE Assessment validates if a given P2PE Product (which may include multiple POI/HSM/KLD devices) is in compliance with the P2PE Standard.
Removed
p. 21
1) The P2PE Vendor selects a P2PE Assessor Company from the Council’s List of P2PE Qualified Security Assessor Companies and negotiates the cost and any associated P2PE Assessor Company confidentiality and non-disclosure agreements with the P2PE Assessor Company.
Modified
p. 21 → 29
2) The P2PE Vendor then provides to the P2PE Assessor Company access to the Solution, Component, or Application to be assessed, POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for P2PE Solutions, and all associated manuals and other required documentation, including but not limited to the P2PE Vendor’s signed Vendor Release Agreement.
2) The P2PE Vendor then provides to the P2PE Assessor Company its executed VRA and access to the applicable P2PE Product to be assessed, PTS POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for P2PE Solutions, and all associated manuals and other required documentation.
Removed
p. 22
Note: If the P2PE Solution being assessed includes a P2PE Component and/or P2PE Application intended for PCI SSC Listing (but not yet Listed), each such P2PE Product must be individually submitted to PCI SSC via the Portal (including the corresponding P-AOV, P-ROV, and applicable fees) to achieve PCI SSC Listing for each P2PE Product. This submission must be Accepted by PCI SSC before review of the P2PE Solution can occur, though all can be submitted to PCI SSC and invoiced at the same time. The review of the paid P2PE Solution will remain on hold until the Listing of any related pending P2PE Component and/or P2PE Application.
Note: Only one P2PE Component service can be included in each submission to PCI SSC for Listing, even if an entity conducts more than one component service and they were assessed together. As noted above, this may not require separate assessments, but each such …
Modified
p. 22 → 29
4) If the P2PE Assessor Company determines that the Solution, Component, or Application is in compliance with the P2PE Standard, the P2PE Assessor Company submits a corresponding P-ROV to PCI SSC, attesting to compliance and setting forth the results, opinions, and conclusions of the P2PE Assessor Company on all test procedures along with the P2PE Vendor’s signed VRA and the corresponding P-AOV.
4) If the P2PE Assessor Company determines that the P2PE Product is in compliance with the P2PE Standard and Program Requirements, the P2PE Assessor Company submits the corresponding P-ROV(s) to PCI SSC, attesting to compliance and setting forth the results and observations of the P2PE Assessor Company on all test procedures, along with the P2PE Vendor’s signed VRA and the corresponding P-AOV. Refer to Appendix A for more details on Acceptance.
Modified
p. 22 → 29
The illustrations and descriptions on the following pages explain in further detail processes for the P2PE Program:
The diagrams on the following pages explain in further detail the processes for the P2PE Program:
Modified
p. 22 → 32
3) The P2PE Assessor Company then assesses the Solution, Component, or Application, including its security functions and features, to determine whether it complies with the P2PE Standard.
3) The P2PE Assessor Company assesses the MMS, including its security functions and features, to determine whether the MMS is in accordance with the P2PE Standard and Program Requirements.
Modified
p. 24 → 31
Figure 1: P2PE Product Assessment for Products Intended for PCI SSC Listing
Figure 5: P2PE Product Submission and PCI SSC Review
Modified
p. 25 → 30
Figure 2: P2PE Product Submission and PCI SSC Review
Figure 4: P2PE Product Validation Overview
Removed
p. 26
1) The Merchant selects a P2PE Assessor Company from the Council’s List of P2PE Qualified Security Assessor Companies and negotiates the cost and any associated P2PE Assessor Company confidentiality and non-disclosure agreements with the P2PE Assessor Company.
3) The P2PE Assessor Company then assesses the MMS, including its security functions and features, to determine whether the MMS complies with the P2PE Standard.
Refer to the sections “P2PE Solutions and Use of Third Parties and/or P2PE Component Providers” and “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the P2PE Standard to understand options for validating Third-Party Service Providers, P2PE Component Providers, and P2PE Applications.
4) If the P2PE Assessor Company determines that the MMS is in compliance with the P2PE Standard, the P2PE Assessor Company prepares and submits to the Merchant a corresponding Solution P-ROV attesting to compliance and setting forth the results, opinions and conclusions of the …
Modified
p. 26 → 32
2) The Merchant then provides to the P2PE Assessor Company access to the MMS to be assessed, POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for MMS, and all associated manuals and other required documentation.
2) The merchant provides the P2PE Assessor Company access to the MMS to be assessed, PCI-approved PTS POI Device Types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for the MMS, and all associated manuals and other required documentation.
Removed
p. 27
Note: Applications used within P2PE Solutions may or may not be eligible for PA-DSS validation. PA-DSS and P2PE are distinct PCI SSC standards with different requirements; validation against one of these standards does not guarantee or provide automatic validation against the other standard.
Note: A PA-DSS assessment is not required or necessary for a P2PE Application or Non-payment Software to be used in a P2PE Solution.
The following table should be used to determine requirements and eligibility, along with the relevant reference sections of the P2PE Standard:
Element: SCDs
Program Guidance: Validated P2PE Solutions require the use of various types of SCDs. To assist in evaluating these device types for use in a P2PE Solution:
• Refer to “Definition of Secure Cryptographic Devices (SCDs) to be used in P2PE Solutions” in the Introduction section of the P2PE Standard for requirements for these devices;
• Use the “SCD Domain Applicability” matrix in the Introduction section …
Modified
p. 28 → 25
Refer to the definition of P2PE Application in the P2PE Glossary.
Modified
p. 28 → 25
Must undergo validation per all applicable P2PE Application Requirements by a P2PE Application Assessor Company, with the option to be:
Modified
p. 28 → 26
Refer to information regarding P2PE Non-payment Software in the P2PE Standard.
Modified
p. 28 → 26
Refer to the definition of P2PE Non-payment Software in the P2PE Glossary.
Modified
p. 28 → 26
Not eligible to be Listed by PCI SSC.
Removed
p. 29
• Refer to “P2PE Solutions and Use of Third Parties and/or P2PE Component Providers” in the Introduction section of the P2PE Standard.
Independent PCI SSC listing of Third-Party Service Provider component services depends on eligibility and is optional. However, such independent listing is required for a given component service to be recognized as a Validated P2PE Component that can be used in multiple P2PE Solutions without the need for full P2PE Assessment of those services each time it is used with a different P2PE Solution.
• If a P2PE Component is currently listed on the List of Validated P2PE Components, the Component P-ROV has already been Accepted by PCI SSC. As a result, only the applicable Testing Procedures must be assessed and evidenced in the Solution P-ROV for each Validated P2PE Component included in the applicable P2PE Solution
• If a P2PE Component is not already on the List of Validated P2PE Components …
Modified
p. 29 → 25
Refer to information regarding SCDs in the P2PE Standard.
Modified
p. 29 → 27
If independent listing is not being pursued for a P2PE Component, this is instead considered a Third-Party Service Provider’s service offering and it is only an element of the specific Validated P2PE Solution within which it is assessed.
If independent listing is not being pursued for a P2PE Component, this is instead considered a Third-Party Service Provider’s service offering, and it is only an element of the specific P2PE Solution or P2PE Component within which it is assessed.
Removed
p. 30
Note: The process for developing and validating P2PE Solutions (including responsibilities for implementing requirements and validating compliance with each Domain) is defined within the P2PE Standard.
• Determine/assess the Solution’s, Component’s, or Application’s readiness to comply with P2PE:
• Perform a gap analysis between the Solution’s, Component’s, or Application’s security functionality and the P2PE Standard;
• Correct any gaps; and
• If desired, the P2PE Assessor Company may perform a pre-assessment or gap analysis of a P2PE Solution, Component, or Application. If the P2PE Assessor Company notes deficiencies that would prevent a compliant result, the P2PE Assessor Company will provide a list of P2PE features to be addressed before the formal review process begins.
• P2PE Solution Providers are responsible for ensuring that the various components and applications (including those provided by Third-Party Service Providers, P2PE Application Vendors, and/or P2PE Component Providers) used as part of their P2PE Solutions are all compliant with all applicable requirements of …
Modified
p. 30 → 32
Prior to commencing a P2PE review with a P2PE Assessor Company, all parties involved are encouraged to take the following preparatory actions:
Prior to commencing a P2PE Assessment with a P2PE Assessor Company, all parties involved are encouraged to take the following preparatory actions:
Modified
p. 30 → 32
Review the requirements of the P2PE Standard and all related documentation located at the Website, including the P2PE Technical FAQs.
Modified
p. 30 → 33
For P2PE Solution Assessments, determine whether the P2PE Solution Provider’s P2PE Instruction Manual (PIM) meets P2PE Standard requirements and correct any gaps.
Modified
p. 30 → 33
Whether the P2PE Application’s Implementation Guide and/or the P2PE Solution’s P2PE Instruction Manual meets all P2PE Standard requirements at the start of the assessment:
Modified
p. 30 → 33
The degree that the P2PE Product satisfies the P2PE Standard and Program Requirements at the start of the P2PE Assessment:
Modified
p. 30 → 33
Corrections to the P2PE Product to remediate gaps will delay validation.
Modified
p. 30 → 33
For P2PE Solutions and P2PE Components that use P2PE Applications and/or P2PE Components:
Modified
p. 30 → 33
Those that are being Listed on the Website separately must be Listed before the P2PE Solution or the P2PE Component can be reviewed and Accepted.
Removed
p. 31
• Whether the P2PE Application’s Implementation Guide and/or P2PE Implementation Manual meets all P2PE Requirements at the start of the Assessment
PCI SSC qualifies and provides required training for P2PE Assessor Companies (QSA (P2PE) and PA-QSA (P2PE)) to assess and validate P2PE Products for adherence to the P2PE Standard. In order to perform P2PE Solution Assessments and/or P2PE Component Assessments, a P2PE Assessor Company must have been qualified by PCI SSC and remain in Good Standing (as defined in the QSA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a QSA Company and QSA (P2PE) Company. In order to perform P2PE Application Assessments, a P2PE Assessor Company must have been additionally qualified by PCI SSC and remain in Good Standing (as defined in the QSA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a PA-QSA Company and PA-QSA (P2PE) Company. …
Modified
p. 31 → 33
Extensive rewrites will delay validation.
Modified
p. 31 → 33
Prompt payment of the P2PE Program fees due to PCI SSC for the P2PE Product submission.
Modified
p. 31 → 33
PCI SSC will not commence review of the P-ROV(s) for the P2PE Products until the applicable fee has been paid.
Modified
p. 31 → 33
Quality of the P2PE Assessor Company's submission to PCI SSC:
Modified
p. 31 → 33
• Incomplete submissions or those containing errors (for example, missing or unsigned documents, incomplete or inconsistent submissions) will result in delays in the review process.
• Submissions that are incomplete or contain errors (for example, missing or unsigned documents, incomplete or inconsistent submissions) will result in delays in the review process.
Modified
p. 31 → 33
• If PCI SSC reviews the P-ROV more than once, providing comments back to the P2PE Assessor Company to address each time, this will increase the length of time for the review process.
• If PCI SSC reviews the P-ROV(s) more than once, providing comments back to the P2PE Assessor Company to address each time will increase the length of time for the review process.
Modified
p. 31 → 33
Any P2PE Assessment timeframes provided by a P2PE Assessor Company should be considered estimates, since they may be based on the assumption that the P2PE Product is able to successfully meet all P2PE requirements quickly. If problems are found during the review or acceptance processes, discussions between the P2PE Assessor Company, the P2PE Vendor, and/or PCI SSC may be required. Such discussions may significantly impact review times and cause delays and/or may even cause the review to end prematurely (for …
Any P2PE Assessment timeframes provided by a P2PE Assessor Company should be considered estimates, since they may be based on the assumption that the P2PE Product is able to successfully satisfy all P2PE Standard and Program Requirements quickly. If issues are found during review or
Modified
p. 31 → 34
The P2PE Assessor Company must prepare each P-ROV based on evidence obtained by following the P2PE Standard and Program Requirements.
Removed
p. 32
• Review of P2PE Solution design, response to questions via e-mail or phone, and participation in conference calls to clarify requirements
• Guidance on preparing the P2PE Instruction Manual and/or P2PE Application Implementation Guide
• Pre-assessment (gap analysis) services prior to beginning formal P2PE Assessment
• Guidance for bringing the Solution, Component, or Application into compliance with the P2PE Standard if gaps or areas of non-compliance are noted during the assessment
Note: When arranging for non-P2PE Assessment services with a P2PE Assessor Company, care should be taken by both the P2PE Assessor Company and its customer to ensure that the P2PE Assessor Company satisfies all independence requirements as set forth in the QSA Qualification Requirements (for example, that a P2PE Assessor Employee does not assess its own work product as part of the actual P2PE Assessment). Conflicts of interest may result in the P-ROV being rejected by PCI SSC.
Removed
p. 32
• Covers confidentiality issues;
• Covers the P2PE Vendor’s agreement to P2PE Program requirements, policies and procedures;
Modified
p. 32 → 25
Refer to the information regarding P2PE Applications in the P2PE Standard.
Removed
p. 33
• Gives permission to the P2PE Vendor’s P2PE Assessor Company to release P-ROVs and related materials to PCI SSC for review; and
• Requires P2PE Vendors to adopt and comply with industry standard Vulnerability Handling Policies.
For PCI SSC review of a P-ROV to take place:
• The P2PE Assessor Company must provide to PCI SSC the P2PE Vendor’s signed copy of the then-current VRA, along with the initial P-ROV submitted to PCI SSC in connection with that P2PE Assessment.
Removed
p. 33
There are no annual recurring PCI SSC fees associated with the Acceptance of a P2PE Product. There are, however, PCI SSC fees associated with P2PE Vendor delays in annual revalidation of P2PE Validated Products. Please see the Website for more information.
Modified
p. 33 → 35
If PCI SSC does have a copy of the P2PE Vendor’s signed, then-current VRA on file, the P2PE Assessor Company is not required to re-submit the same VRA to PCI SSC at that time.
Modified
p. 33 → 35
The Portal is also used by the Council to track all communications relating to a particular submission.
The Portal is also used by PCI SSC to track all communications relating to a submission.
Modified
p. 33 → 42
Note: The P2PE Vendor pays all P2PE Assessment-related fees directly to the P2PE Assessor Company. (These fees are negotiated between the P2PE Vendor and the P2PE Assessor Company.)
Modified
p. 33 → 42
PCI SSC will bill the P2PE Vendor for all P2PE Acceptance Fees and the P2PE Vendor will pay these fees directly to PCI SSC.
PCI SSC will invoice the P2PE Vendor for all associated Program Fees for a submission and the P2PE Vendor is required to pay these fees directly to PCI SSC.
Modified
p. 33 → 42
7. Program Fees
Program Fees are denoted in the Programs Fee Schedule on the Website. Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.
Removed
p. 34
c) The PCI SSC has been advised of any change that necessitates a change to the listing on the Website, in accordance with this Program Guide.
• On the Interim Assessment Due Date, the corresponding List will be updated to show the P2PE Listing in Orange for a period of 90 days.
PCI SSC will, upon receipt of the updated P2PE Attestation of Validation: (i) review the submission for completeness; (ii) once completeness is established, update the List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications with the new Interim Assessment Due Date; and (iii) sign and return a copy of the updated P2PE Attestation of Validation to the P2PE Vendor.
Modified
p. 34 → 39
As part of this annual process, P2PE Vendors are required to confirm whether any changes have been made to the P2PE Solution, P2PE Component, or P2PE Application, and that:
As part of this annual process, P2PE Vendors are required to submit the applicable P-AOV to the PCI SSC P2PE Program Manager and confirm, in part, that:
Modified
p. 34 → 39
a) Changes have been applied in a way that is consistent with the P2PE Standard;
a) Changes have been applied to the Listed P2PE Product in a way that is consistent with the P2PE Standard and Program Requirements;
Modified
p. 34 → 39
b) The P2PE Solution, P2PE Component, or P2PE Application continues to meet the requirements of the P2PE Standard;
b) The Listed P2PE Product continues to meet the requirements of the P2PE Standard and Program Requirements;
Modified
p. 34 → 39
The P2PE Vendor is required to give consideration to the impact of external threats and whether updates to the P2PE Solution, P2PE Component, or P2PE Application are necessary to address changes to the external threat environment. The updated P-AOV should be submitted via email to the P2PE Program Manager. If an updated P-AOV is not submitted in a timely manner, the P2PE Listing will be subject to early administrative expiry, as follows:
Note: The P2PE Vendor is required to consider the impact of external threats and whether updates to the Listed P2PE Product are necessary to address changes to the external threat environment.
Modified
p. 34 → 40
If the updated and complete P-AOV is received by PCI SSC within this initial 90-day period, PCI SSC will, upon Acceptance, remove the Orange status from the P2PE Product Listing.
Modified
p. 34 → 40
6.1.2. Secondary Administrative Expiry Period
If the updated and complete P-AOV is not received and Accepted by PCI SSC within the 90-day initial Administrative Expiry period, the corresponding P2PE Product Listing will be updated to show the P2PE Product’s Annual Revalidation date in Red for a period up to 90 consecutive calendar days.
Modified
p. 34 → 40
Once a Listed P2PE Product is in this secondary Administrative Expiry period (Red), a Full Assessment (including applicable Program fees) is required to relist the P2PE Product and avoid Expiry.
Removed
p. 35
Table 5.2.a: Changes to P2PE Listings for Solutions and Components
Change Type: Designated
Description: Designated Changes to P2PE Solutions or P2PE Components are limited to the following:
• Add/Remove P2PE Component;
• Add/Remove PCI-approved POI Device Type;
• Add/Remove P2PE Application.
See Section 5.2.2, “Designated Changes for P2PE Solutions and P2PE Components,” for details.
Change Type: Interim
Description: Interim Changes are not reported in detail but are addressed by the P2PE Vendor during the Annual Revalidation process via the Interim Self-Assessment. These changes will include:
• Any change that impacts compliance with the requirements of the P2PE Standard for a P2PE Solution or P2PE Component, but is not considered a “Designated Change.”
• Any other change that does not impact compliance with the requirements of the P2PE standard for a given P2PE Product.
Change Type: Administrative
Description: Changes made to a listed P2PE Solution or P2PE Component that have no impact on the compliance of the P2PE Listing with any requirements of the P2PE …
Modified
p. 35 → 36
5.1. Administrative Changes to Listed P2PE Products
Removed
p. 36
Table 5.2.b
Changes to P2PE Listings for Applications
Change Type: Delta (low impact)
Description: Delta Changes are applicable only to P2PE Applications and are limited to the following:
• Changes where less than half of the P2PE Application’s functionality is affected; and
• Changes where less than half of the Domain 2 Requirements/sub-Requirements are affected; and
• Changes where less than half the P2PE Application’s code-base is changed.
See Section 5.2.4, “Delta Changes for P2PE Applications,” for details.
Change Type: No Impact
Description: No Impact Changes are not reported in detail, but are addressed by the P2PE Vendor during the Annual Revalidation process.
• Any other change that does not impact compliance with the requirements of the P2PE standard for a given P2PE Product.
Change Type: Administrative
Description: Changes made to a P2PE Application that have no impact on the compliance of the P2PE Listing with any requirements of the P2PE Standard, but where the List of Validated P2PE Applications is updated to reflect the …
Removed
p. 36
See Section 5.3, “Change Documentation,” for specifics on the below:
The P2PE Vendor prepares a Vendor Change Analysis (for example, using the corresponding P2PE Change Impact Template in the Appendices) and submits it to the P2PE Assessor Company for review, along with the updated P2PE Application Implementation Guide or P2PE Implementation Manual. The change analysis must contain the following information at a minimum:
Administrative Changes are only permissible to already-listed P2PE Solutions, P2PE Components, and P2PE Applications that have not expired.
Removed
p. 36
• Description of why the change is necessary It is recommended that the P2PE Vendor submit the Vendor Change Analysis to the same P2PE Assessor Company used for the original P2PE Solution Assessment.
Modified
p. 36 → 25
- Independently Listed on the List of Validated P2PE Applications
Removed
p. 37
1) The P2PE Assessor Company must notify the P2PE Vendor that they agree;
2) The P2PE Vendor prepares and signs the corresponding P-AOV, and sends it to the P2PE Assessor Company;
3) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual and/or P2PE Application Implementation Guide and/or completes a new VRA;
4) The P2PE Assessor Company completes the corresponding P2PE Change Impact Template in the Appendix;
5) The P2PE Assessor signs their concurrence on the P-AOV and forwards it, along with the corresponding P2PE Change Impact report, to PCI SSC;
6) PCI SSC will then issue an invoice to the P2PE vendor for the applicable change fee; and
7) Upon payment of the invoice, PCI SSC will review the Administrative Change submission for quality assurance purposes.
If the P2PE Assessor Company does not agree with the P2PE Vendor that the change as documented in the Vendor Change Analysis is eligible as …
Removed
p. 37
• Add/remove a validated POI device; or
• Add/remove a validated P2PE Application; or
• Add/remove a validated P2PE Component used in a P2PE Solution.
Designated Changes result in an amendment to a P2PE Solution or P2PE Component as currently listed on the corresponding List on the Website.
See Section 5.3, “Change Documentation,” for specifics on the below.
Modified
p. 37 → 36
Following successful PCI SSC quality assurance review of the change, PCI SSC will:
Following successful PCI SSC quality assurance review of the Administrative Change, PCI SSC will:
Modified
p. 37 → 36
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any P2PE Change Impact document if it determines that a change described therein and purported to be an Administrative Change by the P2PE Assessor Company or P2PE Vendor is ineligible for treatment as an Administrative Change.
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any P2PE Change Impact submission if it determines that a change described therein and purported to be an Administrative Change by the P2PE Assessor Company and/or P2PE Vendor is ineligible for an Administrative Change.
Removed
p. 38
• Name and reference number of the Validated P2PE Listing
• Description of why the change is necessary It is recommended that the P2PE Vendor submit the Vendor Change Analysis to the same P2PE Assessor Company used for the original assessment.
If the P2PE Assessor Company agrees that the change as documented by the P2PE Vendor is eligible as a Designated Change:
1) The P2PE Assessor Company must notify the P2PE Vendor that they agree;
2) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual and/or completes a new VRA and submits this to the P2PE Assessor Company;
3) The P2PE Assessor Company must perform an assessment of the requirements of the P2PE Standard that are affected by the change. Details of the tests that must be performed are available within the “Designated Changes” sections of the corresponding P2PE Change Impact Template in the Appendices.
4) The P2PE Assessor Company completes the corresponding …
Modified
p. 38
Following successful PCI SSC quality assurance review of the change, PCI SSC will:
Following successful PCI SSC quality assurance review of the Delta Change, PCI SSC will:
Removed
p. 39
• Changes where less than half of the P2PE Application’s functionality is affected; and
See Section 5.3, “Change Documentation,” for specifics on the below.
Removed
p. 39
Only those P2PE applications that have had the P2PE Vendor’s wildcard versioning methodology assessed to P2PE v2 by a PA-QSA (P2PE) Assessor Company are eligible for wildcard usage and listing on the Website with wildcards. Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC; therefore, any such changes will not result in an update to the P2PE Application listing on the Website. See Appendix H, “P2PE Application Software Version Methodology,” for additional information regarding the use of wildcards.
Removed
p. 39
• Changes where less than half of the Domain 2 Requirements/sub-Requirements are affected; and
• Changes where less than half the P2PE Application’s code-base is changed.
Since the number of possible P2PE Application changes and their impact cannot be determined in advance, the type of assessment required must be considered on a per-case basis. P2PE Application Vendors are encouraged to contact the P2PE Assessor Company that performed the last full validation of the P2PE Application for guidance. The P2PE Assessor Company engaged by the P2PE Vendor for this purpose then determines whether a full P2PE Application Assessment or Delta Assessment of the P2PE Application is required, based on the degree to which the changes impact the security and/or P2PE-related functions of the P2PE Application, the impact to P2PE Requirements, and/or the scope of the changes being made.
The P2PE Application Vendor prepares a Vendor Change Analysis (for example, using the corresponding P2PE Change …
Modified
p. 39 → 38
Note: Wildcards may only be substituted for elements of the version number that represent non-security-impacting changes; the use of wildcards for any change that has an impact on security or any P2PE Requirements is prohibited.
Note: Wildcards may only be substituted for elements of the version number that represent non-security-impacting changes. The use of wildcards for any change that has an impact on security, or any P2PE Standard requirement, is prohibited.
Removed
p. 40
If the P2PE Assessor Company agrees that the change as documented by the P2PE Application Vendor is eligible as a Delta Change:
1) The P2PE Assessor Company must notify the P2PE Application Vendor that they agree;
2) The P2PE Application Vendor modifies the P2PE Application Implementation Guide and/or completes a new VRA (if applicable) and sends it to the P2PE Assessor Company;
3) The P2PE Assessor Company performs a Delta Assessment of the P2PE Application for the P2PE Requirements affected by the changes;
4) The P2PE Assessor Company tests the P2PE Application’s affected functionality;
5) The P2PE Assessor Company completes the appropriate P2PE Change Impact Template in the Appendices, providing the detail of the changes to the P2PE Application, and must produce a red-lined P-ROV and document the testing completed per PCI SSC requirements;
6) The P2PE Application Vendor prepares and signs the corresponding P-AOV and sends it to the P2PE …
Modified
p. 40 → 38
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any P2PE Change Impact document if it determines that a change described therein and purported to be a Delta Change by the P2PE Assessor Company or P2PE Application Vendor is ineligible for treatment as a Delta Change.
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any Change Impact submission if it determines that a change described therein and purported to be a Delta Change by the P2PE Assessor Company and/or P2PE Vendor is ineligible for a Delta Change.
Removed
p. 41
Assuming the above defined criteria for a delta assessment is met, examples of low-impact changes to a Validated P2PE application that could be included in a delta assessment may include, but are not limited to:
• Addition of a POI device type to be supported by the P2PE Application
• Discontinuing support of a POI device currently supported by the P2PE Application
• Inclusion of updates or patches
• Recompilation of unchanged code-base
5.3 Change Documentation
* If applicable
** Note: The P2PE Change Impact - P2PE Solutions and P2PE Components documents in the Appendix are mandatory for the P2PE Assessor Company for submitting Administrative and Designated Changes to PCI SSC on behalf of P2PE Solution Providers and P2PE Component Service Providers.
*** Note: The P2PE Change Impact - P2PE Applications document in the Appendix is mandatory for the P2PE Assessor Company for submitting Administrative and Delta Changes to PCI SSC on behalf of the P2PE Application …
Removed
p. 41
• P2PE Change Impact document** Implementation Guide *
• P2PE Change Impact document***
• P2PE Implementation
• P2PE Change Impact document **
• Red-lined P-ROV Implementation Guide *
Removed
p. 42
• New Validation: If the P2PE Vendor wishes the P2PE Product listing to remain on the corresponding P2PE Product list on the Website, the P2PE Vendor must contact a P2PE Assessor Company to have the P2PE Product fully re-evaluated against the then-current version of the P2PE Standard, resulting in a new Acceptance, on or before the applicable Reassessment Date. This reassessment must follow the same process as an initial P2PE Assessment of the applicable P2PE Product.
• Expiry: Listings of P2PE Products for which a new Acceptance has not occurred on or before the applicable expiration date/reassessment date, will appear in Orange for the first 90 days, and in Red thereafter.
Removed
p. 42
For any change affecting the listing of a validated P2PE Solution, P2PE Component, or P2PE Application, the applicable fee will be invoiced and must be received by PCI SSC for the changes to be Accepted and added to the corresponding P2PE List. Upon Acceptance, PCI SSC will sign and return a copy of the P-AOV to both the P2PE Vendor and the P2PE Assessor Company.
There is no PCI SSC fee associated with the processing of Interim Self-Assessments.
All P2PE Program fees are posted on the Website. Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.
The P2PE Vendor pays all P2PE Assessment-related fees directly to the P2PE Assessor. (These fees are negotiated between the P2PE Vendor and the P2PE Assessor Company.)
PCI SSC will invoice the P2PE Vendor for all Validation Maintenance Fees, and the P2PE Vendor will pay these fees directly to PCI SSC.
A …
Removed
p. 43
• The name, PCI SSC approval number, and any other relevant identifiers of each of the P2PE Vendor’s P2PE Product(s) affected by the Security Issue;
• A description of the general nature of the Security Issue;
• Assurance that the P2PE Vendor is following its Vulnerability Handling Policies.
• Notify Participating Payment Brands that a Security Issue has occurred.
• Request a copy of the latest version of the P2PE Vendor’s Vulnerability Handling Policies.
• Communicate with the P2PE Vendor about the Security Issue and, where possible and permitted, share information relating to the Security Issue.
• Support the P2PE Vendor’s efforts to mitigate or prevent further Security Issues.
• Support the P2PE Vendor’s efforts to correct any Security Issues.
• Work with the P2PE Vendor to communicate and cooperate with appropriate law enforcement agencies to help mitigate or prevent further Security Issues.
Modified
p. 43
• The name, PCI SSC approval (Reference) number, and any other relevant identifiers of each of the P2PE Vendor’s P2PE Product(s) affected by the Security Issue;
• A description of the general nature of the Security Issue;
• The P2PE Vendor’s good-faith assessment, to its knowledge at the time, as to the scope and severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS or other industry-accepted standard scoring); and
• Assurance that the P2PE Vendor is …
Modified
p. 43 → 44
PCI SSC reserves the right to suspend, withdraw, revoke, cancel or place conditions upon its Acceptance of (and accordingly, remove from the List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications) any P2PE Product in accordance with the VRA, in instances including but not limited to, if PCI SSC reasonably determines that (a) the P2PE Product does not provide sufficient protection against current threats and conform to the requirements of the P2PE Program, …
PCI SSC reserves the right to suspend, withdraw, revoke, cancel or place conditions upon its Acceptance of (and accordingly, remove from the List of Validated P2PE Products) any P2PE Product in accordance with the VRA, in instances including but not limited to, if PCI SSC reasonably determines that (a) the P2PE Product does not provide sufficient protection against current threats and conform to the requirements of the P2PE Program, (b) the continued Acceptance of the P2PE Product represents a significant …
Removed
p. 44
When the P-ROV has all items in place, and where the P2PE Vendor seeks to have the P2PE Product listed on the Website, the P2PE Assessor Company submits the P-ROV and all other required materials to PCI SSC. If the P-ROV does not have all items in place, the P2PE Vendor must address those items, and the P2PE Assessor must update the P-ROV prior to submission to PCI SSC. Once the P2PE Assessor Company is satisfied that all documented issues have been resolved by the P2PE Vendor, the P2PE Assessor Company submits the P-ROV and all other required materials to PCI SSC.
All P-ROVs and other materials submitted to PCI SSC must be in English or with certified English translation.
Once PCI SSC receives the P-ROV and all other required materials and applicable fees, PCI SSC reviews the submission from a quality assurance perspective and determines whether it is acceptable. Subsequent iterations …
Removed
p. 45
There must be consistency between the information in documents submitted for review via the Portal and the “Details” fields within the Portal. Common errors in submissions include inconsistent application names or contact information and incomplete or inconsistent documentation. Incomplete or inconsistent submissions may result in a significant delay in the processing of requests for listing and/or may be rejected by PCI SSC.
Removed
p. 45
PCI SSC’s Assessor Quality Management Team (“AQM”) reviews each P-ROV submission after the invoice for the P2PE Acceptance Fee has been paid by the P2PE Vendor. Administrative review will be performed in “pre-screening” to ensure that the submission is complete; then an AQM Analyst will review the submission in its entirety. The AQM Analyst will review the P2PE submission first to determine whether the candidate P2PE Product is eligible for validation as described in the P2PE Program Guide. If there is a question as to eligibility, the AQM Analyst will contact the P2PE Assessor Company for additional information. If the P2PE submission is determined to be ineligible for validation under the P2PE Program, the P-ROV will be rejected. The P2PE Assessor Company will receive a letter of rejection with optional instructions for appealing this rejection.
Removed
p. 46
QSA Company audits are provided for in the QSA Qualification Requirements, and P2PE Assessor Companies are subject to audits of their work as P2PE Assessor Companies under the QSA Qualification Requirements at any time. This may include, but not be limited to, review of completed reports, work papers, and onsite visits with P2PE Assessor Companies to audit internal QA programs, at the expense of the P2PE Assessor Company. Refer to the QSA Qualification Requirements for information on PCI SSC’s audit process.
Removed
p. 46
Note: These status designations are not necessarily progressive: Any P2PE Assessor Company’s status may be revoked or its P2PE Assessor Addendum (defined in the P2PE Qualification Requirements) terminated in accordance with the P2PE Assessor Addendum; and accordingly, if warranted, a P2PE Assessor Company may move directly from “In Good Standing” to “Revocation.” Nonetheless, in the absence of severe quality concerns, P2PE Assessor Companies with quality issues are generally first addressed through the Remediation process in order to promote improved performance.
Removed
p. 47
If a P2PE Solution, P2PE Component, or P2PE Application included on the List of Validated Solutions, List of Validated Components, or List of Validated Applications is compromised due to P2PE Assessor Company and/or Employee error, that P2PE Assessor Company and/or Employee may immediately be placed into Remediation or its P2PE qualification status revoked.
The P2PE Assessor Company and/or P2PE Assessor Employee may appeal the Revocation but, unless otherwise approved by PCI SSC in writing in each instance, will not be permitted to perform P2PE Assessments, process P-ROVs, or otherwise participate in the P2PE Program. The P2PE Assessor Company and/or P2PE Assessor Employee may reapply at a later date of two years after revocation, so long as it has demonstrated to PCI SSC's satisfaction that it meets all applicable QSA, P2PE Assessor, and, if applicable, PA-QSA requirements, as documented in the relevant PCI SSC program documents.
Modified
p. 48 → 45
• the Alternate Product should not be considered Accepted by PCI SSC, nor promoted as Accepted by PCI SSC.
• even if the different P2PE Product (the “Alternate Product”) conforms to the basic product description of the Accepted P2PE Product
• the Alternate Product should not be considered Accepted by PCI SSC, nor promoted as Accepted by PCI SSC.
Modified
p. 48 → 45
When granted, PCI SSC Acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC’s goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the P2PE Solution Provider or the functionality, quality, or performance of the P2PE Product or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include …
When granted, PCI SSC Acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC’s goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the P2PE Vendor or the functionality, quality, or performance of the Validated P2PE Product or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include …
Removed
p. 49
• Solution Details P2PE Solution Identifier: Detail
• Solution Details Clicking on this link brings up a list of details specific to this Solution consisting of the following fields (fields are explained in detail below):
• P2PE Components Solution Details: Detail
• PTS Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Solution and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link
Modified
p. 49 → 46
P2PE Solution Identifier P2PE Solution Identifiers refers to a subset of fields in the listing below the “Company” entry used by PCI SSC to denote relevant information for each Validated P2PE Solution, consisting of the following fields (fields are explained in detail below):
P2PE Solution Information The following fields in the Listing provide relevant information for each Validated P2PE Solution, consisting of the following:
Modified
p. 49 → 46
P2PE Solution Name The P2PE Solution Name is provided by the P2PE Solution Provider and is the name by which the P2PE Solution is known.
Modified
p. 49 → 46
PCI SSC assigns the Reference number once the Validated P2PE Solution is posted to the Website; this number is unique per P2PE Solution Provider and will remain the same for the life of the listing.
PCI SSC assigns the Reference Number once the Validated P2PE Solution is Accepted, which uniquely identifies the Listed P2PE Solution.
Modified
p. 49 → 46
Field: Year of listing; Format: 4 digits + hyphen
Field: Solution Provider #; Format: 5 digits + period (assigned alphabetically initially, then as received)
Field: Individual Solution Number #; Format: 3 digits
Field: Year of Listing; Format: 4 digits + hyphen
Field: P2PE Solution Provider Identifier; Format: 5 digits + period. This value uniquely identifies the P2PE Solution Provider.
Modified
p. 49 → 50
• PTS Devices Supported
• P2PE Components Supported
Modified
p. 49 → 52
An example reference number is 2015-XXXXX.XXX consisting of the following:
An example reference number format is 2024-xxxxx.yyy, consisting of the following:
Modified
p. 49 → 52
P2PE Application Name
Removed
p. 50
While a P2PE Solution may include applications that were evaluated per relevant requirements in the P2PE Standard, those are not listed within the P2PE Solution or within the List of Validated P2PE Applications. Any use of such an application in another P2PE Product would require either independent listing as a P2PE Application, if eligible, or assessment as part of each P2PE Solution the application is part of.
While a P2PE Solution may include third-party services (including services potentially eligible for Listing as a P2PE Component, such as CA/RA or KIF), those are not listed within the P2PE Solution or within the List of Validated P2PE Components. Any use of such a component in another P2PE Product would require either independent listing as a P2PE Component, if eligible, or assessment as part of each P2PE Solution the application is part of.
P2PE Version “P2PE Version” is used by PCI SSC to denote the …
Modified
p. 50 → 47
• P2PE Applications Supported This section identifies the P2PE Applications validated for use with this P2PE Solution and listed on the List of Validated P2PE Applications, and will include the expiry date of the P2PE Application’s approval.
• P2PE Applications Supported This section identifies the P2PE Applications validated for use with the P2PE Solution, including the P2PE Application’s Reassessment date.
Modified
p. 50 → 47
P2PE Assessor This entry denotes the name of the qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is compliant with the P2PE Standard.
P2PE Assessor Company The qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is in accordance with the P2PE Standard and Program Requirements.
Modified
p. 50
This section identifies the P2PE Components validated for use with this P2PE Component including the Reassessment Date of the P2PE Component.
Removed
p. 51
This entry denotes the P2PE Component Provider for the Validated P2PE Component.
• Component Details P2PE Component Identifier: Detail
Modified
p. 51 → 46
An example reference number is 2015-XXXXX.XXX consisting of the following:
An example reference number format is 2024-xxxxx.yyy consisting of the following, in order:
Modified
p. 51 → 49
P2PE Component Identifiers P2PE Component Identifier refers to a subset of fields in the listing below the “Company” entry used by PCI SSC to denote relevant information for each Validated P2PE Component, consisting of the following fields (fields are explained in detail below):
P2PE Component Information The following fields in the Listing provide relevant information for each Validated P2PE Component, consisting of the following:
Modified
p. 51 → 49
P2PE Component Name The P2PE Component Name is provided by the P2PE Component Provider and is the name by which the P2PE Component Provider’s services are known.
Modified
p. 51 → 49
PCI SSC assigns the Reference number once the Validated P2PE Component is posted to the Website; this number is unique per P2PE Component Provider and will remain the same for the life of the listing.
PCI SSC assigns the Reference Number once the Validated P2PE Component is Accepted, which uniquely identifies the Listed P2PE Component.
Modified
p. 51 → 52
P2PE Application Version Number
Modified
p. 51 → 52
Field: Format
Year of listing: 4 digits + hyphen
Component Provider #: 5 digits + period (assigned alphabetically initially, then as received)
Individual Component Number #: 3 digits
Field: Format
Year of Listing: 4 digits + hyphen
P2PE Application Vendor Identifier: 5 digits + period (this value uniquely identifies the P2PE Application Vendor)
Removed
p. 52
• PTS Devices Supported
• P2PE Application(s) Supported
Component Details: Detail
• PTS Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Component and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
• P2PE Components This section identifies the P2PE Components validated for use with this P2PE Component and listed on the List of Validated P2PE Components, and will include the expiry date of the P2PE Component’s approval.
P2PE Version “P2PE Version” is used by PCI SSC to denote the standard, and the specific version thereof, used to assess the compliance of a Validated P2PE Component.
Reassessment Date The Reassessment Date for Validated P2PE Component …
Modified
p. 52 → 50
Note: Not all component detail categories will apply to every P2PE Component type. For example, Decryption Environments do not have associated P2PE Applications.
Modified
p. 52 → 50
• P2PE Applications Supported This section identifies the P2PE Applications validated for use with this P2PE Component and listed on the List of Validated P2PE Applications, and will include the expiry date of the P2PE Application’s approval.
• P2PE Applications Supported This section identifies the P2PE Applications validated for use with the P2PE Component including the P2PE Application’s Reassessment date.
Modified
p. 52 → 50
While a P2PE Component may include third-party services (including those offering services potentially eligible for Listing as a P2PE Component, such as CA/RA or KIF), those are not listed within the P2PE Component or within the List of Validated P2PE Components. Any use of such a component in another P2PE Product would require either independent listing as a P2PE Component, if eligible, or assessment as part of each P2PE Solution the application is part of.
While a P2PE Component may include third-party services (including those offering services potentially eligible for being Listed as a Validated P2PE Component), those third-party services are not identified within the P2PE Component’s Listing or on the List of Validated P2PE Components. Any use of such a service in another P2PE Product would require either an independent Listing as a P2PE Component, if eligible, or assessment as part of each P2PE Product of which the P2PE Component is a part.
Modified
p. 52 → 50
P2PE Assessor This entry denotes the name of qualified P2PE Assessor Company that performed the validation and determined that the P2PE Component is compliant with the P2PE Standard.
P2PE Assessor Company The qualified P2PE Assessor Company that performed the validation and determined that the P2PE Component is in accordance with the P2PE Standard and Program Requirements.
Removed
p. 54
• P2PE Application Name
• P2PE Application Version #
• Application Details P2PE Application Identifier: Detail
• P2PE Application Version # P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment. The format of the version number:
• Is set by the vendor,
• May consist of a combination of alphanumeric characters and
Field: Format
Year of listing: 4 digits + hyphen
Application Vendor #: 5 digits + period (assigned alphabetically initially, then as received)
Application Vendor App #: 3 digits (assigned as received)
Minor version: 3 alpha characters (assigned as received)
Modified
p. 54 → 49
An example reference number is 2015-XXXXX.XXX.AAA, consisting of the following:
An example reference number format is 2024-xxxxx.yyy consisting of the following, in order:
Modified
p. 54 → 52
P2PE Application Identifiers P2PE Application Identifiers refers to a subset of fields in the listing below the Company entry used by PCI SSC to denote relevant information for each Validated P2PE Application, consisting of the following fields (fields are explained in detail below):
P2PE Application Information The following fields in the Listing provide relevant information for each Validated P2PE Application, consisting of the following:
Modified
p. 54 → 52
The P2PE Application Name is provided by the Application Vendor and is the name by which the application is known.
Modified
p. 54 → 52
Is set by the P2PE Application Vendor, in accordance with Program Requirements; May consist of a combination of alphanumeric characters; and Must be consistent with the P2PE Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Modified
p. 54 → 52
Note: Refer to Appendix E for details about content to include in the P2PE Application P-ROV and P2PE Application Implementation Guide for the Application Vendor’s versioning methods.
Modified
p. 54 → 52
PCI SSC assigns the Reference number once the Validated P2PE Application is posted to the Website; this number is unique per Application Vendor and will remain the same for the life of the listing.
PCI SSC assigns the Reference Number once the Validated P2PE Application is Accepted, which uniquely identifies the Listed P2PE Application.
Removed
p. 55
• Application Details Clicking on this link brings up a list of details specific to this Component consisting of the following fields (fields are explained in detail below):
• PTS Devices Supported Application Details: Detail
• PTS Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
P2PE Version “P2PE Version” is used by PCI SSC to denote the standard, and the specific version thereof, used to assess the compliance of a Validated P2PE Application.
P2PE Assessor This entry denotes the name of qualified PA-QSA (P2PE) Assessor Company that performed the validation and determined …
• PTS Devices Supported Application Details: Detail
• PTS Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
P2PE Version “P2PE Version” is used by PCI SSC to denote the standard, and the specific version thereof, used to assess the compliance of a Validated P2PE Application.
P2PE Assessor This entry denotes the name of qualified PA-QSA (P2PE) Assessor Company that performed the validation and determined …
Removed
p. 56
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.
Part 1. P2PE Listing Details, Contact Information, and Change Type P2PE Listing Details P2PE Solution Name Validated Listing Reference # Type of Change (Please check) Administrative (Complete Part 2) Delta (Complete Part 3) Submission Date P2PE Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone QSA (P2PE) Contact Information Contact Name Title/Role Contact E-mail Contact Phone
Removed
p. 57
Add/Remove POI Device Type (Complete Part 3a) Add Remove Add/Remove P2PE Application (Complete Part 3b) Add Remove Application Version Number:
Add/Remove P2PE Component (Complete Part 3c) Add Remove Description of changes to the P2PE Solution or P2PE Component:
Description of how Designated Change impacts the P2PE Solution’s functionality Additional details, as applicable
Removed
p. 59
P2PE Requirements (including all testing procedures) All of 1D-1
Removed
p. 60
Perform a red-lined P-ROV review for the added P2PE Component using the table below as a minimum set of testing procedures.
P2PE Requirements (including all testing procedures) All of 3A-1 3A-2 (as applicable) All of 3B-1 3C-1 (as applicable)
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.
Removed
p. 61
Part 1. P2PE Listing Details, Contact Information, and Change type P2PE Listing Details P2PE Component Provider Type of P2PE Component (select only one) SSC Listing Number KIF CA/RA Encryption Mgmt. Decryption Mgmt.
Type of Change (Please check) Administrative (Complete Part 2) Delta (Complete Part 3) Submission Date P2PE Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone QSA (P2PE) Contact Information Contact Name Title/Role Contact E-mail Contact Phone
Removed
p. 62
Add/Remove POI Device Type (Complete Part 3a) Add Remove Add/Remove P2PE Application * (Complete Part 3b) Add Remove Version Number of the Application:
Add/Remove P2PE Component (Complete Part 3c) Add Remove Description of changes to the P2PE Component:
Description of real or potential impact to the P2PE Solution(s) it is used in Additional details, as applicable
Removed
p. 64
P2PE Requirements (including all testing procedures) All of 1D-1
Removed
p. 65
Perform a red-lined P-ROV review for the added P2PE Component using the table below as a minimum set of testing procedures.
P2PE Requirements (including all testing procedures) All of 3A-1 3A-2 (as applicable) All of 3B-1 3C-1 (as applicable)
Removed
p. 66
The P2PE Application Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change (see Table 5.2.b, Changes to P2PE Listings for Applications). The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.
Part 1. P2PE Application Details, Contact Information, and Change type P2PE Application Details P2PE Application Name Validated Listing Reference # P2PE Application Version #: Revised P2PE Application Version (if applicable) Type of Change (Please check) Administrative (Complete Part 2) Delta (Complete Part 3) Submission Date P2PE Application Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone PA-QSA (P2PE) Contact Information Contact Name Title/Role Contact E-mail Contact Phone
Removed
p. 68
Delta Change
• Change Summary Add/Remove POI Device Type (Complete Part 3a) Add Remove Not Applicable Additional details, as applicable:
Change Number Detailed description of the Description of why the change is necessary Description of how P2PE functionality is impacted Description of how P2PE Domain 2 Requirements/sub- Requirements are impacted
Modified
p. 70 → 54
E.1 Version Number Format The format of the application version number is set by the P2PE Application Vendor and may be comprised of several elements. The versioning methodology and the P2PE Application Implementation Guide must fully describe the format of the application version number including the following:
Modified
p. 70 → 54
• The hierarchy of the elements
• The hierarchy of the elements:
Modified
p. 70 → 54
• The definition of elements that indicate any use of wildcards
• The definition of elements that indicate any use of wildcards.
Modified
p. 70 → 54
E.2 Version Number Usage All changes to the P2PE Application must result in a new application version number. However, whether this affects the version number listed on the Website depends on the nature of the change and the P2PE Application Vendor’s published versioning methodology (refer to Section E.3, “Wildcards” below). All changes that impact security functionality and/or any P2PE Standard requirements must result in a change to the version number listed on the Website; wildcards are not permitted for changes …
Modified
p. 70 → 54
• Types of changes made to the application •e.g., major release, minor release, maintenance release, wildcard, etc.
• Types of changes made to the application •for example, major release, minor release, maintenance release, wildcard, etc.
Modified
p. 71 → 55
• Changes that have impact on the application functionality but no impact on security or P2PE Requirements
• Changes that have impact on the application functionality but no impact on security or P2PE Standard requirements
Modified
p. 71 → 55
• Changes that impact any security functionality or P2PE Requirement Elements of the version number used for non-security-impacting changes must never be used for security-impacting changes.
• Changes that impact any security functionality or P2PE Standard requirements Elements of the version number used for non-security-impacting changes must never be used for security-impacting changes.
Modified
p. 71 → 55
E.3 Wildcards A “wildcard” element is a variable character that may be substituted for a defined subset of possible characters in an application versioning scheme. In the context of P2PE Applications, wildcards can optionally be used to represent non-security-impacting changes between each version represented by the wildcard element. A wildcard is the only variable element of the P2PE Application Vendor’s version scheme. Use of a wildcard element in the versioning scheme is optional and is not required in order for …