Document Comparison

P2PE_RT_Solution_v3.0.pdf PCI-P2PE-SOL-ROV-Template_v3_1.pdf
57% similar
40 → 53 Pages
9949 → 13821 Words
111 Content Changes

From Revision History

  • December 2019 P2PE v3.0 Revision 1.0 This template is for submitting P2PE Reports on Validation for P2PE Solutions
  • September 2021 P2PE v3.1 1.0 This template includes the following updates:

Content Changes

111 content changes. 65 administrative changes (dates, page numbers) hidden.

Added p. 2
• Updates from v3.0 P2PE Standard references to v3.1.

• Revisions made within the Introduction through Section 3 to add clarity and consistency, both within this P-ROV and across all v3.1 P-ROVs as applicable.

• Context of “PCI-listed” P2PE Products updated to “Validated”. Includes revision to diagram in Introduction.

• Revision to the description for the use of Not Applicable to add clarity and guidance.

• Reformatting and restructuring of tables in Sections 2 and 3 with additional guidance.

• Certain tables/context were modified into new tables (e.g., 2.4.x)

• Table numbering in sections 1 through 3 modified as needed to better align across all v3.1 P-ROVs.

• Repurposed cryptographic key information into new table 3.9.

• New table in section 4 to document all requirements determined to be Not Applicable.

• Updates to section 4 to align with the updates from the P2PE v3.1 Standard, in addition to errata.

• Added check boxes to section 4 to each individual …
Added p. 7
P-ROV Name: Encryption Management Services (EMS)
Used for the Following Assessments: Solution (SP); Encryption Management CP (EMCP); POI Deployment CP (PDCP); POI Management CP (PMCP)
Purpose: Encryption Management Services relates to the distribution, management, and use of PTS-approved POI devices in a P2PE Solution. Solution assessments that have not satisfied the entirety of their Encryption Management Services (Domain 1 with Domain 5) via the use of applicable Validated P2PE Component Providers must complete the EMS P-ROV in addition to the Solution P-ROV. Component Provider assessments for an EMCP, PDCP, or a PMCP must complete the EMS P-ROV.

P-ROV Name: P2PE Application
Used for the Following Assessments: P2PE Application
Purpose: Any assessment that utilizes software on the PTS-approved POI devices intended for use in a P2PE Solution that has the potential to access clear-text account data must complete a P2PE Application P-ROV (one for each application).

P-ROV Name: Decryption Management Services (DMS)
Used for the Following Assessments: Solution (SP); Decryption Management CP (DMCP)
Purpose: Decryption Management Services relates to the management of a decryption environment, including …
Added p. 15
Are Validated EMS CPs being used to help satisfy requirements of this Solution assessment?
  No (If No, complete an EMS P-ROV and leave the remainder of this Encryption Management Services section blank)
  Yes (If Yes, complete the remainder of this EMS table)
Is an EMS P-ROV still required to account for any remaining EMS-related requirements based on the full scope of the assessment? (E.g., where only a PMCP or a PDCP is being used, or otherwise where the Solution is providing functionality/services that are not covered by the Validated EMS P2PE Components being used.)
  Yes (If Yes, complete an EMS P-ROV)
  No (If No, ensure all applicable EMS requirements as they relate to the full scope of the Solution are satisfied through the use of Validated EMS CPs below)
Document all Validated Encryption Management Services (EMS) Component Providers (CPs) being used to help satisfy requirements for the Solution assessment. For …
Added p. 16
<EMS CPs Description>
Added p. 17
Are Validated DMS CPs being used to help satisfy requirements of this Solution assessment?
  No (If No, complete a DMS P-ROV and leave the remainder of this Decryption Management Services section blank)
  Yes (If Yes, complete the remainder of this DMS table)
Is a DMS P-ROV still required to account for any remaining DMS-related requirements based on the full scope of the assessment? (E.g., where the Solution is providing functionality/services that are not covered by the Validated DMS P2PE Components being used, such as an additional decryption environment)
  Yes (If Yes, complete a DMS P-ROV)
  No (If No, ensure all applicable DMS requirements as they relate to the full scope of the Solution are satisfied through the use of Validated DMS CPs below)
Document all Validated Decryption Management Services (DMS) Component Providers (CPs) being used to help satisfy requirements for the Solution assessment. Note: The use of multiple CPs …
Added p. 18
<DMS CP(s) Description>
Added p. 19
It may be possible, depending on the scope of the Solution assessment, that a KMS P-ROV is not required even when no KMS CPs are being used. This is because a Solution does not assess to Domain 5 in isolation. It is assessed to Domain 5 in the context of Domain 1 (EMS) and Domain 4 (DMS). The assessor must accurately identify the full scope of the Solution assessment as per Table 3.1.

Note: Remote Key Distribution (RKD) requirements are additional requirements to an assessment. It is not possible to assess the RKD requirements in isolation. Refer to the “P2PE Applicability of Requirements” in the P2PE Program Guide.

Are Validated KMS CPs being used to help satisfy requirements of this Solution assessment?
  Yes (If Yes, complete the remainder of this KMS table)
Is a KMS P-ROV still required to account for any remaining KMS-related requirements based on the scope of the assessment? …
Added p. 20
<KMS CP(s) Description>
Added p. 21
Note: If the EMS, DMS, and/or KMS P-ROVs are being used as part of this assessment, document the use of Third Parties relative to those services (requirements) in their respective P-ROVs. There is no need to duplicate information regarding Third Parties from those P-ROVs here. However, ensure information is not excluded here where it is not being documented in another P-ROV (e.g., when no other P-ROVs are being used as part of the Solution assessment and/or when there is information unique to the Solution that is otherwise not captured in another P-ROV). Insert additional rows as necessary.

Is the EMS P-ROV being used?
  Yes (Document EMS-related Third Parties in the EMS P-ROV)
  No (Document any EMS-related Third Parties below)
Is the DMS P-ROV being used?
  Yes (Document DMS-related Third Parties in the DMS P-ROV)
  No (Document any DMS-related Third Parties below)
Is the KMS P-ROV being used?
  Yes (Document KMS-related Third …
Added p. 23
ONLY list the PTS Approval #s from each Validated P2PE Application in use that are actually supported by the Solution under assessment.

Each PTS Approval # here must be in Table 2.5 - i.e., all POI Device Types associated with a Validated P2PE Application must have been assessed to all applicable requirements in Domains 1 and 5. As POI Device Types associated with Validated P2PE Applications are only assessed to Domain 2, each POI Device Type supported by a Validated P2PE Application listed here must be:

• Included in the POI Device Types supported by a Validated EMCP, or by BOTH a Validated PDCP AND a Validated PMCP, being used in the scope of this Solution assessment, OR,

• Be assessed to all unaccounted for Domain 1 and Domain 5 requirements, which will depend on each unique Solution assessment.

Note 1: “P2PE Applications” and “P2PE non-payment software” (refer to P2PE Glossary) do not meet …
Added p. 24
Are any non-Validated P2PE Applications included in the scope of the Solution assessment where the Solution Provider is choosing not to separately list the application?

  No (If No, leave remainder of this table blank)
  If Yes, is the EMS P-ROV being used as part of this Solution assessment?
    Yes (If Yes, document ALL non-Validated P2PE Applications in the EMS P-ROV and leave the remainder of this table blank)
    No (If No, document ALL non-Validated P2PE Applications below)
Application Name | Application Version # | P2PE Application P-ROV Completed (one per application) | PTS Approval #(s) (comma delimited)

• Only list each unique PTS Approval # once.

• List ALL associated hardware (HW) and firmware (FW) versions supported by the Solution and tested as part of the P2PE assessment.

• Ensure all the information below is correct, accurate, and there are no discrepancies between the information listed here and the information present on the POI device’s associated PTS …
Added p. 27
Note 1: PTS-approved POI Device information must be entered in Table 2.5. Do not enter it here.

Note 2: If the EMS, DMS, and/or KMS P-ROVs are being used as part of this assessment, document the use of SCDs relative to those services in their respective P-ROVs. There is no need to duplicate information regarding SCDs from those P-ROVs here. However, ensure information is not excluded here where it is not being documented in another P-ROV (e.g., when no other P-ROVs are being used as part of the Solution assessment).

Insert additional rows as necessary.

Is the EMS P-ROV being used?
  Yes (Document EMS-related SCDs in the EMS P-ROV)
  No (Document any EMS-related SCDs below)
Is the DMS P-ROV being used?
  Yes (Document DMS-related SCDs in the DMS P-ROV)
  No (Document any DMS-related SCDs below)
Is the KMS P-ROV being used?
  Yes (Document KMS-related SCDs in the KMS P-ROV)
  No (Document any KMS-related …
Added p. 28
Note 2: While non-payment software is not permitted to have access to clear-text account data, it might still be involved in supporting additional encryption implementations. Non-payment software detailed below must be able to be cross-referenced to Table 2.4.a in the EMS P-ROV.

  Yes (If Yes, provide details below)
  No (If No, leave details blank)
Complete the following information for ONLY the relevant POI devices, P2PE Applications and/or non-payment software that is involved in supporting additional encryption implementations.

PTS Approval # (One unique # per row) | POI Device Firmware (comma delimited) | P2PE Application Listing Reference # | Non-Payment Software Details (Name, version#)

Describe the additional account data encryption implementations and the involvement of the POI device firmware, P2PE Application, and/or non-payment software as detailed above. Where there is more than one implementation, clearly describe each implementation along with the applicable entity (e.g., acquirer / solution provider) managing it.
Added p. 30
Describe how the accuracy of the scope for the entire P2PE Solution assessment was validated, including:

  • Location of critical components within the P2PE decryption environment, such as the Host System, HSMs and other SCDs, cryptographic key stores, etc., as applicable
  • Location of systems performing key-management functions
  • Connections into and out of the decryption environment
  • Connectivity between the requisite functions of the Solution
  • Other necessary components, as applicable to the Solution

Provide any additional information below that is not adequately captured within the diagram(s). Otherwise, check No Additional Details.
  No Additional Details
  <Additional Details, as needed>
<Insert Solution diagram(s) here>

Provide any additional information below that is not adequately captured within the diagram(s). Otherwise, check No Additional Details.
  No Additional Details
  <Additional Details, as needed>
<Insert diagram(s) of Solution Data Flows here>

  • Key Generation
  • Key Distribution / Loading / Injection onto POI devices
  • Other Key Distribution / Loading / Injection activities
  • Key Storage
  • Key …
Added p. 36
Reference # (optional use) | Interviewee’s Name | Job Title | Company | Summary of Topics Covered (brief summary)

3.8 (Table not currently used)

Note: There is no need to duplicate Key Matrix information in Table 3.9 from other P-ROVs here. However, ensure all key types not documented in other P-ROVs are documented here.

  • Key ID: Retain generic ID or use specific IDs from assessment.
  • Key Type: E.g., DEK, MFK, BDK, KEK, IEK, PEK, MAC, Public, Private, etc.
  • Algorithm: E.g., TDEA, AES, RSA, DSA, etc.
  • Key Mgmt: E.g., DUKPT, MK/SK, Fixed, One-time use, etc.
  • Key Length: Full length (include parity bits as applicable)
  • Key Storage: Smartcard, SCD, HSMs, Components, etc.
  • Key Destruction: List destruction methods for each storage method.
  • Key Distribution: E.g., Courier, Remote, etc.

ID | Key Type | Algorithm | Key Mgmt | Key Length (bits)
Fill out all the information below for each key type
Key_1 Description & Purpose:

Copy the entire table below as needed and paste a …
Added p. 39
All N/A responses require reporting on testing performed (including interviews conducted and documentation reviewed) and must explain how it was determined that the requirement does not apply within the scope of the assessment for the P2PE Product. Note: ‘Not Applicable’ cannot be used by entities that provide only partial aspects of a defined Component Provider service to validate to that Component Provider type. Refer to the “P2PE Applicability of Requirements” in the P2PE Program Guide.

Every requirement denoted as ‘N/A’ in the reporting section below must be documented in this table and vice versa.

List requirements in the order as they appear in the reporting section below. Insert additional rows if needed.

Requirement Document how it was determined that the requirement is Not Applicable to the P2PE Product under assessment

• Identifies all P2PE controls covered by each third-party service provider.
Added p. 43
Following up with the component provider to resolve any questions or changes in expected performance of the component provider.
Added p. 51
<Report Findings Here> 3C-1.1.e Examine the PIM to verify the following:
Modified p. 1
Payment Card Industry (PCI) Point-to-Point Encryption P2PE Solution Template for Report on Validation for use with P2PE v3.0 for P2PE Solution Assessments
Payment Card Industry (PCI) Point-to-Point Encryption P2PE Solution Template for Report on Validation for use with P2PE v3.1 for P2PE Solution Assessments
Removed p. 5
Solution assessments, at a minimum, must complete this P-ROV template. For every function that is not outsourced to a PCI-listed component provider, EACH applicable P-ROV must be completed and submitted in addition to this P-ROV as per the following diagram and table:
Modified p. 5
Note: There is a separate P-ROV for Merchant-managed Solution (MMS) assessments. This Reporting Template provides reporting instructions and the template form for QSA (P2PE) and QSA (PA-P2PE) assessors to provide a more consistent level of reporting.
Note: There is a separate P-ROV for Merchant-Managed Solution (MMS) assessments.
Modified p. 5
Use of this Reporting Template is mandatory for all P2PE v3.0 Solution assessments.
Use of this Reporting Template is mandatory for all P2PE v3.1 Solution assessments.
Removed p. 6
SP = Solution Provider; CP = Component Provider

P-ROV Name | Used for the Following Assessments | Purpose

P-ROV Name: Solution
Used for the Following Assessments: Solution (SP)
Purpose: The Solution P-ROV is mandatory for all P2PE Solution assessments, at a minimum. Additional P-ROVs (below) may be required.

Note: A separate Merchant-Managed Solution P-ROV is used as part of MMS assessments.

P-ROV Name: Encryption Management Services (EMS)
Used for the Following Assessments: Solution (SP); Encryption Management CP (EMCP); POI Deployment CP (PDCP); POI Management CP (PMCP)
Purpose: Encryption Management Services relates to the distribution, management, and use of POI devices in a P2PE Solution.

Solution assessments that do not outsource the entirety of their Encryption Management Services to PCI-Listed Component Providers, either to an EMCP or to BOTH a PDCP AND a PMCP, must complete this P-ROV in addition to the Solution P-ROV.

Component Provider assessments for an EMCP, PDCP, or a PMCP must complete this P-ROV.

P-ROV Name: P2PE Application
Used for the Following Assessments: P2PE Application
Purpose: Any assessment that utilizes software on the POI devices intended for use …
Removed p. 7
Solution assessments that have not satisfied the key management services requirements (Domain 5) either through the use of PCI-listed Component Providers and/or through the assessment of their Encryption Management Services and/or Decryption Management Services must complete the KMS P-ROV. E.g., if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service that has not already been assessed as part of the inclusion of a PCI-listed Component Provider, then the Solution assessment must include the use of the KMS P-ROV.

Component Provider assessments for a KIF, KMCP, KLCP, or a CA/RA must complete this P-ROV.
Modified p. 7 → 5
• modified to increase/decrease the number of rows, or to change column width. Additional appendices may be
• modified to increase/decrease the number of rows, as necessary. Additional appendices may be
Modified p. 7 → 5
A P2PE compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The P-ROV is effectively a summary of evidence derived from the assessor’s work papers to describe how the assessor performed the validation activities and how …
A P2PE compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file lists, interview notes, documentation excerpts, references, screenshots, and other evidence collected during the course of the assessment. The P-ROV is effectively a summary of evidence derived from the assessor’s work papers to describe how the assessor performed the validation activities and how …
Modified p. 8
Section 1: Contact Information and Report Date
Section 1: Contact Information and Report Date
Modified p. 8
Section 2: Summary Overview
Section 2: Summary Overview
Modified p. 8
Section 3: Details and Scope of P2PE Assessment
Section 3: Details and Scope of P2PE Assessment
Modified p. 8
Section 4: Findings and Observations This Reporting Template includes tables with Reporting Instructions built in. Details provided should focus on concise quality of detail, rather than lengthy, repeated verbiage.
Section 4: Findings and Observations This Reporting Template includes tables with Reporting Instructions. Details provided should focus on concise quality of detail, rather than lengthy, repeated verbiage.
Removed p. 9
Response When to use this Response:

(Not Applicable) The requirement does not apply to the P2PE Product.
Modified p. 9 → 8
In Place The expected testing has been performed, and all elements of the requirement have been met as stated. This may be a mix of In Place and Not Applicable responses, but no Not in Place response. Requirements fulfilled by other P2PE Components or Third Parties should be In Place, unless the requirement does not apply.
RESPONSE | WHEN TO USE THIS RESPONSE
In Place The expected testing has been performed, and all elements of the requirement have been met as stated. Requirements fulfilled by other P2PE Components or Third Parties should be In Place, unless the requirement does not apply.
Modified p. 9 → 8
All Not Applicable responses require reporting on testing performed (including interviews conducted and documentation reviewed) and must explain how it was determined that the requirement does not apply. There is no need to repeat lengthy responses where related requirements are not applicable.
All N/A responses require reporting on testing performed (including interviews conducted and documentation reviewed) and must explain how it was determined that the requirement does not apply within the scope of the assessment for the P2PE Product.
Modified p. 9 → 8
Note: Checkboxes have been added to the “Summary of Assessment Findings” so that the assessor may double click to check the applicable summary result. Hover over the box you’d like to mark and click once to mark with an ‘x.’ To remove a mark, hover over the box and click again. Mac users may instead need to use the space bar to add the mark
Note: Checkboxes have been added to the “Summary of Assessment Findings” so that the assessor may double click to check the applicable summary result. Hover over the box you’d like to mark and click once to mark with an ‘x.’ To remove a mark, hover over the box and click again. Mac users may instead need to use the space bar to add the mark.
Removed p. 10
• Brief description/short answer
Modified p. 10 → 9
“Identify the P2PE Assessor who confirms…” Indicates only an affirmative response where further reporting is deemed unnecessary by PCI SSC. The P2PE Assessor’s name or a Not Applicable response are the two appropriate responses here. A Not Applicable response will require brief reporting to explain how this was confirmed via testing.
“Identify the P2PE Assessor who confirms…” Indicates only an affirmative response where further reporting is deemed unnecessary by PCI SSC. The P2PE Assessor’s name or a Not Applicable response are the two appropriate responses here. A Not Applicable response will require brief reporting to explain how this was confirmed via testing.
Modified p. 10 → 9
Document name or interviewee reference At 3.6, “Documentation Reviewed,” and 3.7, “Individuals Interviewed,” there is a space for a reference number and it is the P2PE Assessor’s choice to use the document name/interviewee job title or the reference number in responses. A listing is sufficient here, no further detail required.
Document name or interviewee reference At section 3.6, “Documentation Reviewed,” and section 3.7, “Individuals Interviewed,” there is a space for a reference number; it is the P2PE Assessor’s choice to use the document name/interviewee job title or the reference number in responses. A listing is sufficient here, no further detail is required.
Modified p. 10 → 9
Sample reviewed Brief list is expected or sample identifier. Again, where applicable, it is the P2PE Assessor’s choice to list out each sample within reporting or to utilize sample identifiers from the sampling summary table.
Sample reviewed Brief list is expected or sample identifier. Where applicable, it is the P2PE Assessor’s choice to list out each sample within the reporting or to utilize sample identifiers from the sampling summary table.
Modified p. 10 → 9
• “Describe how…” These are the only reporting instructions that will stretch across half of the table; the above are all a quarter-table’s width to serve as a visual indicator of detail expected in response. These responses must be a narrative response that provides explanation as to the observation: both a summary of what was witnessed and how that verified the criteria of the testing procedure.
Brief description/short answer

• “Describe how…” These responses must be a narrative response that provides explanation as to the observation: both a summary of what was witnessed and how that verified the criteria of the testing procedure.
Removed p. 11
• Describe how a Requirement was verified as the Reporting Instruction directs, not just that it was verified.

• Don’t include forward-looking statements or project plans in responses.
Modified p. 11 → 10
Complete all applicable P-ROVs based on the assessment.
Complete all applicable P-ROVs based on the assessment type.
Modified p. 11 → 10
Read and understand the intent of each Requirement and Testing Procedure.
Read and understand the intent of each Requirement and Testing Procedure.
Modified p. 11 → 10
Provide a response for every Testing Procedure, even if N/A.
Provide a response for every Testing Procedure, even if N/A.
Modified p. 11 → 10
Provide sufficient detail and information to demonstrate a finding of “in place” or “not applicable.”
Provide sufficient detail and information to demonstrate a finding of “in place” or “not applicable.” Describe how a Requirement was verified as the Reporting Instruction directs, not just that it was verified.
Modified p. 11 → 10
Ensure all parts of the Testing Procedure are addressed.
Ensure all parts of the Testing Procedure are addressed.
Modified p. 11 → 10
Ensure the response covers all applicable application and/or system components.
Ensure the response covers all applicable application and/or system components.
Modified p. 11 → 10
Perform an internal quality assurance review of the P-ROV for clarity, accuracy, and quality.
Perform an internal quality assurance review of the P-ROV for clarity, accuracy, and quality.
Modified p. 11 → 10
Perform an internal quality assurance review of all submitted P-ROVs and the details within the PCI SSC Portal.
Perform an internal quality assurance review of all submitted P-ROVs and the details within the PCI SSC Portal.
Modified p. 11 → 10
Provide useful, meaningful diagrams, as directed.
Provide useful, meaningful diagrams, as directed.
Modified p. 11 → 10
Don’t report items in the “In Place” column unless they have been verified as being “in place.”
Don’t report items in the “In Place” column unless they have been verified as being “in place.” Don’t include forward-looking statements or project plans in responses.
Modified p. 11 → 10
Don’t simply repeat or echo the Testing Procedure in the response.
Don’t simply repeat or echo the Testing Procedure in the response.
Modified p. 11 → 10
Don’t copy responses from one Testing Procedure to another.
Don’t copy responses from one Testing Procedure to another.
Modified p. 11 → 10
Don’t copy responses from previous assessments.
Don’t copy responses from previous assessments.
Modified p. 11 → 10
Don’t include information irrelevant to the assessment.
Don’t include information irrelevant to the assessment.
Modified p. 12 → 11
1. Contact Information and Report Date 1.1 Contact Information P2PE Solution Provider contact information Company name: Company URL:
1. Contact Information and Report Date 1.1 Contact Information Solution Provider Contact Information Company name: Company URL:
Modified p. 12 → 11
P2PE Company and Lead Assessor contact information Company name: Assessor company credentials: QSA (P2PE) PA-QSA (P2PE) Company Servicing Markets for P2PE: (see https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_assessors) Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
P2PE Assessor Company and Lead Assessor Contact Information Company name: Assessor company credentials: QSA (P2PE) PA-QSA (P2PE) Company Servicing Markets for P2PE: (see https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_assessors) Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
Modified p. 12 → 11
Confirm that internal QA was fully performed on the entire P2PE submission, per requirements in relevant program documentation.
Confirm that internal QA was fully performed on the entire P2PE submission, per requirements in the relevant program documentation.
Modified p. 12 → 11
No (if no, this is not in accordance with PCI Program requirements) QA reviewer name: Assessor credentials:
No (If No, this is not in accordance with PCI Program requirements) QA reviewer name: QA reviewer credentials:
Modified p. 12 → 11
(Leave blank if not applicable) QA reviewer phone number: Assessor e-mail address:
(Leave blank if not applicable) QA reviewer phone number: QA reviewer e-mail address:
Modified p. 12 → 11
P2PE additional Assessor contact information (add additional rows as needed) Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
Assessor name: Assessor credentials: QSA (P2PE) PA-QSA (P2PE) Assessor phone number: Assessor e-mail address:
Modified p. 13 → 12
Additional services provided by PA-QSA(P2PE)/QSA (P2PE)/QSA company The P2PE QSA (P2PE) and PA-QSA (P2PE) Qualification Requirements v2.1, Section 2.2 “Independence” specifies requirements for QSAs around disclosure of such services and/or offerings that could reasonably be viewed to affect independence of assessment. Complete the sections below after review of this portion of the Validation Requirements, to ensure responses are consistent with documented obligations.
(From DD-MMM-YYYY To DD-MMM-YYYY) 1.3 Additional Services Provided by PA-QSA(P2PE) / QSA(P2PE) / P2PE QSA Company The current version of the “Qualification Requirements for Point-to-Point Encryption (P2PE)™ Qualified Security Assessors QSA (P2PE) and PA-QSA (P2PE)” (P2PE QSA Qualification Requirements), section “Independence”, specifies requirements for P2PE QSAs around disclosure of such services and/or offerings that could reasonably be viewed to affect independence of assessment. Complete the sections below after review of this portion of the P2PE QSA Qualification Requirements to ensure …
Modified p. 13 → 12
Disclose all services offered to the assessed entity by the PA- QSA(P2PE)/QSA (P2PE)/QSA company, including but not limited to whether the assessed entity uses any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights or that the QSA has configured or manages:
Disclose all services offered to the assessed entity by the PA-QSA(P2PE) / QSA(P2PE) / P2PE QSA company, including but not limited to whether the assessed entity uses any security-related devices or security-related applications that have been developed or manufactured by the QSA, or to which the QSA owns the rights or that the QSA has configured or manages:
Modified p. 13 → 12
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the PA-QSA(P2PE)/QSA (P2PE)/QSA company:
Describe efforts made to ensure no conflict of interest resulted from the above mentioned services provided by the PA-QSA(P2PE) / QSA (P2PE) / P2PE QSA company:
Removed p. 14
2. Summary Overview 2.1 P2PE Submission Details P2PE Solution name (and version if applicable):
Modified p. 14 → 13
Is the submission already listed on the PCI SSC List of Validated P2PE Solutions? Yes (if yes, provide ref #) No
2. Summary Overview 2.1 P2PE Solution Details Solution Name: Is the Solution currently (or was it previously) listed on the PCI SSC List of Validated P2PE Solutions? Yes (If Yes, provide listing reference #):
Modified p. 14 → 13
PCI SSC Ref # Description of P2PE Solution provider (e.g., payment gateway, acquirer, multi-acquirer payment processor, etc.):
No (If No, the solution has never been listed) Description of the Solution Provider (e.g., payment gateway, acquirer, multi-acquirer payment processor, etc.):
Modified p. 14 → 13
Description of Solution will typically be used:
Description of how the Solution will typically be used:
Removed p. 15
PCI-Listed Components | Additional P-ROV included in submission | Included as a Listed Component | Component Provider Name | Component Name | PCI SSC Reference # | Comments

If the Solution does not use a PCI-listed EMCP, or only uses either a PDCP or a PMCP, then the Encryption Management Services (EMS) P-ROV must be completed for all applicable requirements and submitted in addition to this Solution P-ROV.

  • Encryption Management Component Provider (EMCP): Additional P-ROV included Yes / No; Listed Component Yes / No
  • POI Deployment Component Provider (PDCP): Additional P-ROV included Yes / No; Listed Component Yes / No
  • POI Management Component Provider (PMCP): Additional P-ROV included Yes / No; Listed Component Yes / No

If the Solution uses applications that can access clear-text account data that are not PCI-listed P2PE Applications, then the P2PE Application P-ROV must be completed and submitted in addition to this Solution P-ROV for each P2PE Application.

  • P2PE Application: Additional P-ROV included Yes / No; Listed Component Yes / No (Please include Applications in Table 2.3 below)

If the Solution does not use a PCI-listed Decryption Management Component Provider, then …
Removed p. 16
Entity Name: Role/Function: Entity Location(s): Other Details, if needed:
Removed p. 16
Note: If the Solution uses applications that can access clear-text account data that are not PCI-listed P2PE Applications, then the P2PE Application P-ROV must be completed and submitted in addition to this Solution P-ROV for each P2PE Application that is not already listed.

Application Vendor Name: | Application Name: | Application Version #: | PCI SSC Reference #

Model Name/Number: | Hardware #: | Firmware #(s):

Any additional Applications on POI devices (add rows as needed to report all applications): Application Name: | Version # | CHD Access*? (see note below)
* Note: A P2PE Application P-ROV must be submitted and accepted by PCI SSC for all applications with access to clear-text account data and will be identified by the PCI SSC Reference # at Table 2.3 above (unless being assessed as part of the submitted Solution, whereby a P2PE Application P-ROV must be included).

Tables 2.3 and 2.4 MUST correspond to the P2PE Applications and PTS POI …
Removed p. 18
Model Name/Number | OP (PTS Listing Y/N; P2PE Y/N) | ICCR (PTS Listing Y/N; P2PE Y/N) | MSR (PTS Listing Y/N; P2PE Y/N) | Contactless (PTS Listing Y/N; P2PE Y/N)
(empty device rows with Y/N check boxes follow)

Note: If there is a different response for PTS Listing compared to P2PE Functionality for account-data-capture interfaces provided with the POI device, this will need to be addressed (including at applicable Domain 1 testing procedures) to ensure such functionality is specifically disabled or configured to prevent their use in a P2PE Solution.

External communication methods (for all POI device types supported) Report in each column whether the device configurations for …
Removed p. 20
• P2PE Solution Management: Yes / No / N/A
• Encryption Management Services: Encryption Management (Yes/No/N/A); POI Deployment (Yes/No/N/A); POI Management (Yes/No/N/A)
• P2PE Application: Yes / No / N/A
• Decryption Management Services: Decryption Management (Yes/No/N/A)
• Key Management Services: Key Injection Facility (Yes/No/N/A); Key Management (Yes/No/N/A); Key Loading (Yes/No/N/A); Certification Authority / Registration Authority (Yes/No/N/A)
Removed p. 21
• Location of critical components within the P2PE decryption environment, such as the Host System, HSMs and other SCDs, cryptographic key stores, etc., as applicable

• Location of systems performing key-management functions

• Connections into and out of the decryption environment

• Other necessary components, as applicable to the particular solution

<Insert P2PE Solution network diagram(s)>
Modified p. 21 → 30
3. Details and Scope of P2PE Assessment
3.1 Scoping Details
Describe how the P2PE assessor validated the accuracy of the P2PE scope for the assessment, including:
3. Details and Scope of P2PE Assessment
3.1 Scoping Details
Complete this table as it applies to the entire Solution, even where EMS, DMS, KMS and/or P2PE Application P-ROVs are being used as part of this assessment.
Modified p. 21 → 30
Describe the methods or processes used to identify all elements in scope of the P2PE assessment:
The methods or processes used to identify all elements in scope of the P2PE assessment:
Modified p. 21 → 30
Describe how the P2PE assessor confirmed that the scope of the assessment is accurate and covers all components and facilities for the P2PE Solution:
How the scope of the assessment was confirmed to be accurate and to cover all components and facilities for the Solution:
Modified p. 21 → 31
Locations of critical facilities, including the solution provider’s decryption environment, key-injection and loading facilities, etc.
Locations of critical facilities, including the solution provider’s decryption environment, key-injection and loading facilities, etc.
Removed p. 22
• Flows and locations of encrypted account data

• Flows and locations of clear-text account data

• Location of critical system components (e.g., HSMs, Host System)

• All entities the Solution connects to for payment transmission or processing, including processors/acquirers.

<Insert P2PE Solution data-flow diagram(s)>
Modified p. 22 → 32
Note: The diagram should identify where merchant entities fit into the data flow, without attempting to identify individual merchants. For example, encrypted account data could be illustrated as flowing between an icon that represents all merchant customers and an icon that represents the solution provider’s decryption environment.
• Flows and locations of encrypted account data

• Flows and locations of clear-text account data

• All flows and locations of truncated account data

• Location of critical system components (e.g., HSMs, Host System)

• All entities to which the Solution connects for payment transmission or processing, including processors/acquirers

Note: The diagram should identify where merchant entities fit into the data flow, without attempting to identify individual merchants. For example, encrypted account data could be illustrated as flowing between an icon that represents all …
Removed p. 23
• Key Distribution / Loading / Injection onto POI devices

• Other Key Distribution / Loading / Injection activities

• Key Archiving (if applicable)

<Insert applicable diagram(s) showing all key-management processes>
Description of Cryptographic Keys used in P2PE Solution
Provide a brief description of all types of cryptographic keys used in the solution, as follows:
Modified p. 23 → 37
Key type / description | Purpose/function of the key
Key_2 Description & Purpose:
Removed p. 24
P2PE Assessor’s Lab | Solution Provider’s Lab
Address of the lab environment used for this assessment:

Describe the lab environment used for this assessment:

List of all facilities INCLUDED in this Solution assessment: Description and purpose of facility included in assessment | Address of facility

List of facilities used in P2PE Solution that were EXCLUDED from this Solution assessment*: Description and purpose of facility excluded from assessment | Address of facility | Explanation why the facility was excluded from the assessment | Details of any separate assessments performed for the facility, including how the other assessment was verified to cover all components in scope for this Solution

* Note: Does not include merchant locations.
Removed p. 25
Reference # (optional use) | Document Name (Title of the IG) | Version Number of the IG | Document date (latest version date) | Which P2PE Application is addressed? (Must align with Section 2.3)
All other documentation reviewed for this P2PE Assessment:
Modified p. 25 → 35
Note: If the PIM or P2PE Application Implementation Guide consists of more than one document, the brief description below should explain the purpose of each document it includes, such as if it is for different POI devices, for different functions, etc.
Note: If the PIM or P2PE Application Implementation Guide consists of more than one document, the brief description below should explain the purpose of each document it includes, e.g., if it is for different POI Device Types, different functions, different uses of the Solution (e.g., for different customer types), etc.
Modified p. 25 → 35
P2PE Instruction Manual (PIM): Reference # (optional use) | Document Name (Title of the PIM) | Version Number of the PIM | Document date (latest version date) | Which P2PE Application is addressed? (Must align with Section 2.3)
P2PE Application Implementation Guide(s) (IG):
P2PE Instruction Manual (PIM): Reference # (optional use) | Document Name (Title of the PIM) | Version Number of the PIM | Document Date (latest version date)
P2PE Application Implementation Guide(s) (IG): Reference # (optional use) | Document Name (Title of the IG) | Version Number of the IG | Document Date (latest version date) | Which P2PE Application is addressed? (must align with Table 2.4.b)
All other documentation reviewed for this P2PE Assessment: Reference # (optional use) | Document Name (including version, if applicable) | Document Date (latest …
Removed p. 26
Reference # (optional use) | Interviewee’s Name | Company | Job Title
3.8 Device Samples for P2PE Assessment
Complete for all sampled devices in the P2PE assessment, including for every POI device type at Section 2.5 above and every other SCD type at Section 2.6 above.

Note: Use of the “Sample Reference #” is optional, but if not used here, all of the sample’s serial numbers or other identifiers in the third column will need to be included in the reporting findings.

There is no need to duplicate devices that appear in other P-ROVs included unless they are relevant to the Solution Management Controls.

Sample Ref #: (optional) | Sample Size | Serial Numbers of Tested Devices/Other Identifiers | Sampling Rationale
Removed p. 27
4. Findings and Observations
Where functions are marked as “Additional P-ROV included in submission” in Table 2.2 Summary of Components Consumed by Solution, please ensure the relevant P-ROVs are included with the submission.
Modified p. 27 → 38
Reference Appendix I: P2PE Applicability of Requirements in the P2PE v3.0 Program Guide.
Reference Appendix I: P2PE Applicability of Requirements in the latest P2PE v3.x Program Guide.
Modified p. 28 → 38
3A-4 If the solution provider allows a merchant to stop P2PE encryption of account data, the solution provider manages the related process for merchants
3B Third-party management
3B-1 The solution provider facilitates and maintains formal agreements with all third parties contracted to perform P2PE functions on behalf of the solution provider.
3B Third-party management
3B-1 The solution provider facilitates and maintains formal agreements with all third parties contracted to perform P2PE functions on behalf of the solution provider.
Modified p. 29 → 40
• Identifies all components of the overall solution managed by the solution provider
• Identifies all components of the overall solution managed by the solution provider.
Modified p. 29 → 40
• Identifies all components of the overall solution that have been outsourced to third-party solution providers
• Identifies all components of the overall solution that have been outsourced to third-party solution providers.
Modified p. 31 → 43
• Ensuring reports are received from all P2PE component providers as specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider)
• Ensuring reports are received from all P2PE component providers as specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider).
Modified p. 31 → 43
• Ensuring reports are received from all P2PE component providers as specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider)
• Ensuring reports are received from all P2PE component providers as specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider).
Modified p. 31 → 43
• Confirming reports include at least the details specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider
• Confirming reports include at least the details specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider.
Modified p. 31 → 43
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider
Documented procedures reviewed: <Report Findings Here>
Responsible personnel interviewed: <Report Findings Here>
Describe the processes observed that verified that the solution provider has implemented a methodology for managing and monitoring status reporting from P2PE component providers, including processes for:
Documented procedures reviewed: <Report Findings Here>
Responsible personnel interviewed: <Report Findings Here>
Describe the processes observed that verified that the solution provider has implemented a methodology for managing and monitoring status reporting from P2PE component providers, including processes for:
Modified p. 31 → 43
• Confirming reports include at least the details specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider
• Confirming reports include at least the details specified in the “Component providers ONLY: report status to solution providers” sections of this Standard (as applicable to the component provider), and any additional details as agreed between a component provider and the solution provider.
Modified p. 31 → 43
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider
<Report Findings Here>
3A-2.2 Processes must be implemented to ensure P2PE controls are maintained when changes to the P2PE solution occur including, but not limited to:
• Following up with the component provider to resolve any questions or changes in expected performance of the component provider.
Modified p. 31 → 44
• Changes in overall solution architecture
Documented procedures reviewed: <Report Findings Here>
Responsible personnel interviewed: <Report Findings Here>
• Changes in overall solution architecture
Documented procedures reviewed: <Report Findings Here>
Responsible personnel interviewed: <Report Findings Here>
3A-2.2.b For a sample of changes, verify changes were documented and the solution updated accordingly.
Removed p. 32
Sample of changes reviewed: <Report Findings Here>
3A-3.1 Processes must be implemented to respond to notifications from merchants, component providers, and other third parties about any suspicious activity, and provide immediate notification to all applicable parties of suspicious activity including but not limited to:
Modified p. 32 → 45
• Encryption/decryption failures
Note: “Immediate” means promptly or as soon as possible.
Note: “Immediate” means promptly or as soon as possible.
Removed p. 33
• The issue has been resolved and P2PE encryption functionality is restored and re-enabled, or

• The issue has been resolved and P2PE encryption functionality is restored and re-enabled, or

• The merchant has provided written notification (signed by a merchant executive officer) formally requesting stopping of P2PE encryption services, according to the solution provider’s procedures (as defined in Requirement 3A-4.1).

• The merchant has provided written notification (signed by a merchant executive officer) requesting stopping of P2PE encryption services, according to the solution provider’s procedures (as defined in Requirement 3A-4.1).
Modified p. 33 → 46
3A-3.2.1 Examine documented procedures and interview personnel to verify the POI devices must not be re-enabled until it is confirmed that either:
3A-3.2.1 Examine documented procedures and interview personnel to verify the POI devices must not be re-enabled until it is confirmed that the issue has been resolved and P2PE encryption functionality is restored and re-enabled.
Modified p. 33 → 46
• Details of whether any account data was transmitted from the POI device(s) during the time that encryption was malfunctioning or disabled
• Details of whether any account data was transmitted from the POI device(s) during the time that encryption was malfunctioning or disabled
3A-3.3 Examine documented procedures and related records, and interview personnel to verify they maintain records of all suspicious activity, including the following details:
Modified p. 34 → 46
• Details of whether any account data was transmitted from the POI device(s) during the time that encryption was malfunctioning or disabled
Documented procedures reviewed: <Report Findings Here>
Related records reviewed: <Report Findings Here>
Personnel interviewed: <Report Findings Here>
3A-3.4 Procedures must incorporate any applicable incident response procedures defined by the PCI payment brands, including timeframes for reporting incidents.
• Details of whether any account data was transmitted from the POI device(s) during the time that encryption was malfunctioning or disabled
Documented procedures reviewed: <Report Findings Here>
Related records reviewed: <Report Findings Here>
Personnel interviewed: <Report Findings Here>
Modified p. 34 → 47
• Updating the solution and/or controls to prevent cause from recurring
• Updating the solution and/or controls to prevent cause from recurring
3A-3.5.a Interview responsible personnel and review documentation to verify the solution provider has a formal process for any P2PE control failures, including procedures for addressing the following:
Modified p. 35 → 47
• Implementing controls to prevent cause from recurring
Responsible personnel interviewed: <Report Findings Here>
Documentation reviewed: <Report Findings Here>
3A-3.5.b For a sample of P2PE control failures, interview personnel and review supporting documentation to verify that:
• Implementing controls to prevent cause from recurring
Responsible personnel interviewed: <Report Findings Here>
Documentation reviewed: <Report Findings Here>
Modified p. 36 → 49
• All functions each third party is responsible for
• All functions for which each third party is responsible
Modified p. 36 → 50
• Evidence of adherence to PCI’s process for P2PE Designated Changes to Solutions
• Evidence of adherence to PCI’s process for P2PE Designated Changes to Solutions
3B-1.2 Verify formal agreements established for all third parties managing SCDs on behalf of the solution provider require:
Modified p. 37 → 51
<Report Findings Here>
3C-1.1.d Examine the PIM to verify that all devices specified in the PIM are PCI-approved POI devices that were assessed as part of this P2PE solution assessment.
<Report Findings Here>
3C-1.1.d Examine the PIM to verify that all devices specified in the PIM are PCI-approved POI devices that were assessed as part of this P2PE solution assessment.
Removed p. 39
• All P2PE applications specified in the PIM are assessed for this solution (per Domain 1).

• All P2PE applications specified in the PIM are either PCI-listed P2PE applications or assessed to Domain 2 as part of this P2PE solution assessment.

Identify the P2PE Assessor who confirms that all P2PE applications specified in the PIM are assessed for this solution (per Domain 1) and that all P2PE applications specified in the PIM are either PCI-listed P2PE applications or assessed to Domain 2 as part of this P2PE solution assessment:

<Report Findings Here>
3C-1.1.f Examine the PIM to verify that all P2PE non-payment software specified in the PIM were assessed as part of this P2PE solution assessment (per Requirement 1C-2).

Identify the P2PE Assessor who confirms that all P2PE non-payment software specified in the PIM were assessed as part of this P2PE solution assessment (per Requirement 1C-2):

<Report Findings Here>
3C-1.1.g Configure each POI device type, …
Removed p. 40
<Report Findings Here>
3C-1.2.1 Communicate PIM updates to affected merchants, and provide merchants with an updated PIM as needed.