Document Comparison

P2PE_Program_Guide_v3.0.pdf PCI-SSC_P2PE_Program_Guide_v3.0r1.0.pdf
82% similar
82 → 86 Pages
23894 → 25784 Words
264 Content Changes

From Revision History

  • June 2012 1.0 Initial release of the PCI P2PE Program Guide

Content Changes

264 content changes. 107 administrative changes (dates, page numbers) hidden.

Added p. 2
December 2020 3.0 r1.0 Errata revision

• Resolved requirements in Appendix G part 3a

• Resolved definition of P2PE Expired Listings

• Other general revisions made for increased consistency and clarity
Added p. 5
Note: Capitalized terms used but not otherwise defined herein have the meanings set forth in Section 1.4 below or in the P2PE Glossary, as applicable.

PCI Data Security Standard Qualification Requirements For Qualified Security Assessors (QSA) (or "QSA Qualification Requirements") The QSA Qualification Requirements are a baseline set of requirements that describe the necessary qualifications for security companies and their employees to be qualified by PCI SSC to perform PCI DSS Assessments.

Expired P2PE Product A P2PE Product (P2PE Solution, P2PE Component, or P2PE Application) listed on the P2PE Expired Listings that is no longer considered a Validated P2PE Product.

List of Validated P2PE Products Refers to the List of Validated P2PE Solutions, List of Validated P2PE Components, and the List of Validated P2PE Applications.

Note: At the time of this publication, Participating Payment Brands include PCI SSC’s Founding Members and Strategic Members.

PCI DSS Assessment The onsite review of an entity by a QSA …
Added p. 11
Validated P2PE Product A Validated P2PE Application, Validated P2PE Component, or Validated P2PE Solution.

A P-ROV using the required P-ROV template specifically for P2PE Solutions (a “Solution P-ROV”), in addition to any applicable P2PE Component P-ROV(s) and/or P2PE Application P-ROV(s), must be submitted to PCI SSC for each P2PE Solution to be validated (except for Merchant-Managed P2PE Solutions, which are not Listed by PCI SSC). Refer to Table 6.1, “P-ROVs to be used for P2PE v3 Assessments”.
Added p. 16
However, a P2PE Solution Provider (or a merchant acting as its own P2PE Solution Provider in the case of a Merchant-Managed Solution) or P2PE Component Provider may choose to outsource certain services that are part of the applicable P2PE Solution or P2PE Component to Third-Party Service Providers who perform these functions on behalf of the P2PE Solution Provider or the P2PE Component Provider.
Added p. 20
1) The P2PE Vendor selects a P2PE Assessor Company from PCI SSC’s List of P2PE Qualified Security Assessor Companies and negotiates the cost and any associated P2PE Assessor Company confidentiality and non-disclosure agreements with the P2PE Assessor Company.
Added p. 26
For additional details, refer to Appendix J, “PCI-Approved HSM Expiry Flowchart.” SCDs (continued) Existing PCI P2PE approvals of Validated P2PE Products with expired PCI-approved POI devices may be revalidated and reassessed for up to, but not exceeding, five years past the PCI-approved POI device expiry dates (as appearing on the PCI SSC List of Approved PTS Devices) used in the corresponding P2PE Product. A PCI-approved POI device may not be used in a Listed P2PE Product more than five years past the corresponding PCI-approved POI device expiry date. A Validated P2PE Product will be delisted if all of its associated POI device types have exceeded the five-year window (as shown in the table below).
Added p. 27
For applicable P2PE Component Assessments, if a P2PE Application is not already on the List of Validated P2PE Applications, both the applicable P2PE Component P-ROV and the P2PE Application P-ROV(s), (one for each P2PE Application), must be submitted to PCI SSC. The P2PE Application P-ROV(s) must undergo PCI SSC review (and Acceptance, where the P2PE Application is being submitted to be Listed on the List of Validated P2PE Applications) prior to the PCI SSC review and Acceptance of the P2PE Component. This applies for each P2PE Component in which the P2PE Application(s) is used.

Can be assessed by either a QSA (P2PE) or a PA-QSA(P2PE).

Note: Specific P2PE Components can be used as part of other specific P2PE Component Assessments. Refer to Table 6.1, “P-ROVs to be used for P2PE v3 Assessments”.

For P2PE Solution Assessments or P2PE Component Assessments (that use another P2PE Component):

• If a P2PE Component is currently listed on …
Added p. 33
Note: Within each three year cycle, a Listed P2PE Product is required to have one Full Assessment (either as part of a new Listing or a renewal of an existing Listing) and two subsequent, sequential Annual Revalidations, each based on the applicable anniversary of the Listing’s initial Acceptance date. The first Annual Revalidation is required one calendar year after the last Full Assessment, and the second Annual Revalidation is required one calendar year after the first Annual Revalidation date, provided the P2PE Vendor satisfies all applicable Program requirements for the first Annual Revalidation. After the second Annual Revalidation, a Full Assessment is required to renew the Listing and start the 3 year cycle again. Refer to section 5.3, “Renewing Listed P2PE Products”.

If the updated and complete P-AOV is received by PCI SSC within this initial 90-day period, PCI SSC will, upon Acceptance, remove the Orange status from the P2PE Product …
Added p. 34
Once a Listed P2PE Product is in Red, a Full Assessment (including applicable fees) is required to return the P2PE Product’s Listing to good standing.

If a P2PE Product’s Listing has been in a Red status for more than 90 consecutive calendar days (over 180 days overdue in satisfying the Annual Revalidation requirements in the Program), it becomes an Expired P2PE Product, is no longer considered a Validated P2PE Product, and will be moved to the P2PE Expired Listings.
Added p. 35
Submit P-AOV to P2PE Assessor Company.

P2PE ASSESSOR COMPANY:

Submit updated P2PE Application Implementation Guide and/or PIM to PCI SSC for review, as applicable.

Submit P-AOV to PCI SSC for review.

Submit new VRA to PCI SSC, if applicable.

Submit P-AOV to PCI SSC in accordance with Section 5.1, “Annual Revalidation of P2PE Products.”

Submit P-AOV to P2PE Assessor Company.

P2PE ASSESSOR COMPANY:

Submit updated P2PE Application Implementation Guide and/or PIM to PCI SSC for review, as applicable.

Submit P-AOV to PCI SSC for review.

Submit new VRA to PCI SSC, if applicable.

• Name and reference number of the Validated P2PE Listing

• Description of the change

• Description of why the change is necessary

It is recommended that the P2PE Vendor submit the change analysis to the same P2PE Assessor Company used for the last Full Assessment of the P2PE Product.

1) The P2PE Assessor Company must notify the P2PE Vendor that it agrees; 2) If applicable, the P2PE Vendor modifies the P2PE …
Added p. 39
6) The P2PE Vendor prepares and signs the corresponding P-AOV and sends it to the P2PE Assessor Company; 7) The P2PE Assessor signs its concurrence on the P-AOV and forwards it along with the completed P2PE Change Impact Template, the P2PE Solution’s updated P2PE Instruction Manual or Implementation Guide, (as applicable), VRA (as applicable), and the red-lined P-ROV(s) to PCI SSC; 8) PCI SSC will then issue an invoice to the P2PE Vendor for the applicable change fee; and 9) Upon payment of the invoice, PCI SSC will review the Delta Change submission for quality assurance purposes and consistency.

Following successful PCI SSC quality assurance review of the change, PCI SSC will:
Added p. 40
New Validation: If the P2PE Vendor wishes the Listed P2PE Product to remain on the corresponding List of Validated P2PE Products on the Website, the P2PE Vendor must contact a P2PE Assessor Company to perform a Full Assessment of the P2PE Product against the P2PE Standard and Program, resulting in a new Acceptance, on or before the Listed P2PE Product’s applicable Reassessment date. This reassessment must follow the same process as an initial P2PE Assessment of the applicable P2PE Product.

Expiry: A Listed P2PE Product for which a new Acceptance has not occurred on or before the Listed P2PE Product’s applicable Reassessment date will immediately appear in Orange for up to 90 consecutive calendar days, and in Red thereafter for up to 90 additional consecutive calendar days. If a new Acceptance has not occurred within 180 days following the Listed P2PE Product’s applicable Reassessment date, the P2PE Product will become an …
Added p. 49
PCI-approved HSMs Supported FIPS 140 Validated HSMs Supported P2PE Applications Supported P2PE Components Supported PCI-approved POI Devices Supported P2PE Solution Details: Detail PCI-approved HSMs Supported
Added p. 50
FIPS 140 Validated HSMs Supported This section identifies FIPS 140 validated HSMs for use with this P2PE Solution, including the NIST Cryptographic Module Validation Program (CMVP) certificate number and sunset date. A website link will be provided to the appropriate entry in the NIST CMVP database of validated cryptographic modules.

A P2PE Solution may include P2PE Applications that were evaluated as part of the Solution Assessment that are not separately Listed on the List of Validated P2PE Applications. P2PE Applications in this case are not denoted on the P2PE Solution Listing. Any use of such an application in another P2PE Product would require either independent listing as a Listed P2PE Application, if eligible, or assessment as part of each P2PE Product the application is part of.

PCI-Approved POI Devices Supported This section identifies PCI-approved POI devices validated for use with this P2PE Solution and will include relevant PCI PTS reference numbers and …
Added p. 51
Note: Listed P2PE Solutions are valid for a period of three years from their initial Acceptance Date.

• PCI-approved HSMs Supported

PCI-Approved HSMs Supported This section identifies PCI-approved HSM devices validated for use with this P2PE Solution, including the HSM expiry date and a website link to the corresponding PCI PTS-approval on the List of Approved PIN Transaction Security Devices.

FIPS 140 Validated HSMs Supported This section identifies FIPS 140 validated HSMs for use with this P2PE Component, including the NIST Cryptographic Module Validation Program (CMVP) certificate number and sunset date. A website link will be provided to the appropriate entry in the NIST CMVP database of validated cryptographic modules.

Certain P2PE Components may include P2PE Applications that were evaluated as part of the P2PE Component Assessment that are not separately Listed on the List of Validated P2PE Applications. P2PE Applications in this case are not denoted on the P2PE Component Listing. Any use …
Added p. 54
Note: Listed P2PE Components are valid for a period of three years from their initial Acceptance date.
Added p. 60
Note: The above testing does not have to be performed by the Listed P2PE Solution undergoing the Delta Change if the POI Device Type being added as part of this Delta Change was already tested as part of, and denoted on, a Listed P2PE Component, where the Listed P2PE Component is already denoted in the Solution Details of the Listed P2PE Solution.
Added p. 66
Note: The above testing does not have to be performed by the Listed P2PE Component undergoing the Delta Change if the POI Device Type being added as part of this Delta Change was already tested as part of, and denoted on, a Listed P2PE Component, where that Listed P2PE Component is already denoted in the Component Details of the Listed P2PE Component undergoing the Delta Change.
Added p. 74
• Numbers of digits used for each element

• Format of separators used between elements

• Character set used for each element (consisting of alphabetic, numeric, and/or alphanumeric characters)

The hierarchy of the elements:

• Definition of what each element represents in the version scheme

• Changes that have no impact on the functionality of the application or its dependencies

• Changes that have impact on the application functionality but no impact on security or P2PE Requirements

• Changes that impact any security functionality or P2PE Requirements

Elements of the version number used for non-security-impacting changes must never be used for security-impacting changes.
Modified p. 1
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE)® Program Guide Version 3.0
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE)® Program Guide Version 3.0, Revision 1.0
Modified p. 2
June 2012 1.0 Initial Release of the PCI P2PE Program Guide
June 2012 1.0 Initial release of the PCI P2PE Program Guide
Modified p. 5
A P2PE Solution can be made up of Validated P2PE Applications and Validated P2PE Components (see Figure 1.1) or can be validated as a standalone solution.
A P2PE Solution can be made up of Validated P2PE Applications and Validated P2PE Components (refer to Figure 1.1) or can be validated as a standalone solution.
Modified p. 5
P2PE Applications and P2PE Components (all the boxes in blue in Figure 1.1) can be validated and Listed on the Website on a standalone basis and made available for Validated P2PE Solutions. See Section 2.1.3, “P2PE Component Providers” for details on P2PE Components.
P2PE Applications and P2PE Components (all the boxes in blue in Figure 1.1) can be validated and Listed on the Website on a standalone basis and made available for P2PE Components and P2PE Solutions. Refer to Section 2.1.3, “P2PE Component Providers” for details on P2PE Components.
Modified p. 5
The P2PE requirements and test procedures for validating P2PE Products can be found in the corresponding P-ROV indicated by green text in Figure 1.1. P-ROVs can be found on the Website.
The P2PE requirements and test procedures for validating P2PE Products can be found in the corresponding P2PE Report on Validation (P-ROV) indicated by green text in Figure 1.1. P-ROVs can be found on the Website.
Modified p. 5
For each P2PE Product to be Listed on the Website, Vendors must also submit P2PE Attestations of Validation (P-AOVs), Acceptance fees, Vendor Release Agreements (VRAs), and other supporting documents such as P2PE Application Implementation Guides and Instruction Manuals, as applicable.
For each P2PE Product to be Listed on the Website, Vendors must also submit P2PE Attestations of Validation (P-AOVs), Acceptance fees, Vendor Release Agreements (VRAs), and other supporting documents such as P2PE Application Implementation Guides and Instruction Manuals, as applicable.
Modified p. 5
Once Listed, P2PE Products must be revalidated on an annual basis. See Section 5.1, “Annual Revalidation of P2PE Products,” for further details.
Once Listed, P2PE Products must be revalidated on an annual basis. Refer to Section 5.1, “Annual Revalidation of P2PE Products,” for further details.
Modified p. 5
A complete P2PE Assessment of each Listed P2PE Solution (and its components), P2PE Component, and P2PE Application in accordance with the P2PE Standard (a “Full Assessment”) is required on all P2PE Products every three years based on its Acceptance date.
A complete P2PE Assessment in accordance with the P2PE Standard, Program, and all associated documentation (a “Full Assessment”) is required on all Listed P2PE Products every three years based on the Acceptance date of each Listing.
Modified p. 5
Any changes made to a Listed P2PE Product must be assessed as to the impact of the change on the ability of that P2PE Product to continue to satisfy applicable P2PE Requirements. See Section 5.2, “Changes to P2PE Products,” for further details.
Any changes made to a Listed P2PE Product must be assessed as to the impact of the change on the ability of that P2PE Product to continue to satisfy applicable P2PE Requirements. Refer to Section 5.2, “Changes to P2PE Products,” for further details.
Modified p. 5
For a mapping of the P2PE Requirements to all P2PE Products, refer to the matrix in Appendix I, “P2PE Applicability of Requirements.”
For a mapping of the P2PE Requirements to all P2PE Products, refer to the matrix in Appendix I, “P2PE Applicability of Requirements.”
Modified p. 6
Figure 1.1 P2PE Program Overview 1.2 Related Publications The P2PE Program Guide should be used in conjunction with the latest versions of (or successor documents to) the following PCI SSC publications, each as available through the Website:
Figure 1.1 P2PE Products Overview 1.2 Related Publications The P2PE Program Guide should be used in conjunction with the latest versions of (or successor documents to) the following PCI SSC publications, each as available through the Website:
Modified p. 6
PCI P2PE Report on Validation Reporting Template (“P-ROV Reporting Template”) The P-ROV Reporting Templates are mandatory for completing a P2PE Assessment and include details on how to document the findings of a P2PE Assessment. See Table 6.1 below for specific P-ROV types.
PCI P2PE Report on Validation Reporting Template (“P-ROV Reporting Template”) The P-ROV Reporting Templates are mandatory for completing a P2PE Assessment and include details on how to document the findings of a P2PE Assessment. Refer to Table 6.1 below for specific P-ROV types.
Modified p. 6 → 7
PCI P2PE Attestation of Validation (“P-AOV”) The P-AOV is a form for QSA (P2PE) and/or PA-QSA (P2PE) Companies to attest to the results of a P2PE Assessment, as documented in the P2PE Report on Validation. There are several versions covering P2PE Solutions, P2PE Components, and P2PE Applications.
PCI P2PE Attestation of Validation (“P-AOV”) The P-AOV is a form for QSA (P2PE) and/or PA-QSA (P2PE) Companies to attest to the results of a P2PE Assessment, as documented in the P2PE Report on Validation (P-ROV). There are several versions covering P2PE Solutions, P2PE Components, and P2PE Applications.
Removed p. 7
• Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (PCI DSS)

• Payment Card Industry (PCI) PIN Security Requirements

• Payment Card Industry (PCI) PTS Hardware Security Module (HSM) Security Requirements

• Payment Card Industry (PCI) PTS POI Modular Security Requirements
Modified p. 7
Vendor Release Agreement (“VRA”) The VRA establishes the terms and conditions under which validated P2PE Solutions, P2PE Components, and P2PE Applications are accepted and listed by PCI SSC.
Vendor Release Agreement (“VRA”) The VRA establishes the terms and conditions under which Validated P2PE Solutions, Validated P2PE Components, and Validated P2PE Applications are Accepted and Listed by PCI SSC.
Modified p. 7
Payment Card Industry (PCI) PTS Device Testing and Approval Program Guide 1.3 Updates to Documents and Security Requirements It is necessary to regularly review, update, and improve the security requirements and testing procedures used to evaluate P2PE Products. PCI SSC provides interim updates to the PCI community through a variety of means including required training, e-mail bulletins, frequently asked questions (which may include technical/normative FAQs), and others.
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) Payment Card Industry (PCI) PIN Security Requirements Payment Card Industry (PCI) PTS Hardware Security Module (HSM) Security Requirements Payment Card Industry (PCI) PTS POI Modular Security Requirements Payment Card Industry (PCI) PTS Device Testing and Approval Program Guide 1.3 Updates to Documents and Security Requirements It is necessary to regularly review, update, and improve the security requirements and testing procedures used to evaluate P2PE Products. PCI …
Modified p. 7
PCI SSC reserves the right to change, amend, or withdraw security requirements or testing procedures at any time. If such a change is required, PCI SSC will endeavor to work closely with PCI SSC’s community of Participating Organizations, P2PE Solution Providers, P2PE Component Providers, validated P2PE Application Vendors, and P2PE Assessor Companies to help minimize the impact of any changes.
PCI SSC reserves the right to change, amend, or withdraw security requirements or testing procedures at any time. If such a change is required, PCI SSC will endeavor to work closely with PCI SSC’s community of Participating Organizations, P2PE Solution Providers, P2PE Component Providers, P2PE Application Vendors, and P2PE Assessor Companies to help minimize the impact of any changes.
Removed p. 8
Decryption Management Component A decryption environment that can support a P2PE Solution and is managed by a Decryption Management Component Provider.

Decryption Management Services The P2PE-related services provided by a Decryption Management Component Provider as more fully described in Section 2.1.3.2.

Encryption Management Component The POI devices and any resident P2PE applications and/or P2PE non-payment software that can support a P2PE Solution and is deployed and managed by an Encryption Management Component Provider.

Encryption Management Services The P2PE-related services provided by an Encryption Management Component Provider as more fully described in Section 2.1.3.1.

Key Injection Facility (KIF) Component Key-injection facility (KIF) services managed by a KIF.

Key Loading Component A Key Loading P2PE Component.
Modified p. 8
(i) received the corresponding P-ROV from the P2PE Assessor Company; (ii) received the corresponding fee and all documentation required with respect to that P2PE Product as part of the Program; (iii) confirmed that the P-ROV is correct as to form (all applicable documents completed appropriately/sufficiently), the P2PE Assessor Company properly determined that the P2PE Solution, P2PE Component, or P2PE Application is eligible to be a P2PE Validated Solution, a P2PE Validated Component, or a P2PE Validated Application, the P2PE Assessor …
(i) received the corresponding P-ROV(s) from the P2PE Assessor Company; (ii) received the corresponding fee and all documentation required with respect to that P2PE Product as part of the Program; (iii) confirmed that the P-ROV(s) is correct as to form (all applicable documents completed appropriately/sufficiently), the P2PE Assessor Company properly determined that the P2PE Solution, P2PE Component, or P2PE Application is eligible to be a Validated P2PE Solution, a Validated P2PE Component, or a Validated P2PE Application, the P2PE Assessor …
Modified p. 8
Delta Assessment Partial P2PE Assessment performed against applicable P2PE Requirements when changes to a Listed P2PE Solution, P2PE Application, or P2PE Component are eligible for review under the “Delta Assessment” change-review process described herein.
Delta Assessment Partial P2PE Assessment performed against applicable P2PE Requirements when changes to a Listed P2PE Solution, Listed P2PE Application, or Listed P2PE Component are eligible for review under the “Delta Assessment” change-review process described herein.
Removed p. 9
Key Management Services The P2PE-related services provided by a KIF as more fully described in Section 2.1.3.3.
Modified p. 9 → 8
Listing Refers to the listing and related information regarding a P2PE Product on the applicable list of Validated P2PE Products on the Website.
Listing Refers to the listing and related information regarding a P2PE Product on the applicable List of Validated P2PE Products on the Website.
Modified p. 9
P2PE Component A P2PE service that is eligible for validation as a “P2PE component” (as defined in the P2PE Glossary) as part of the P2PE Program.
P2PE Component A P2PE service that is eligible for validation as a “P2PE Component” (as defined in the P2PE Glossary) as part of the P2PE Program.
Modified p. 9
P2PE Expired Listing (Expired Listing) The list of P2PE Products on the Website that have an expired status for a period of at least 90 days.
P2PE Expired Listings (Expired Listings) The Council’s authoritative list of Expired P2PE Products appearing on the Website.
Removed p. 11
POI Deployment Component The POI devices and any resident P2PE applications and/or P2PE non-payment software that can support a P2PE Solution and is prepared and deployed by a POI Deployment Component Provider.

POI Management Component The POI devices and any resident P2PE applications and/or P2PE non-payment software that can support a P2PE solution and are managed by a POI Management Component Provider once deployed.
Modified p. 11 → 10
Participating Payment Brand A global payment card brand or scheme that is also a limited liability company member of PCI SSC (or affiliate thereof).
Participating Payment Brand A payment card brand that, as of the time in question, is then formally admitted as (or an affiliate of) a member of PCI SSC pursuant to its governing documents.
Modified p. 11
QSA (P2PE) Employee An individual employed by a QSA (P2PE) who has satisfied, and continues to satisfy, all QSA (P2PE) Requirements applicable to employees of QSA (P2PE) Companies who will conduct P2PE Solution Assessments and/or P2PE Component Assessments, as described in further detail herein.
QSA (P2PE) Employee An individual employed by a QSA (P2PE) Company who has satisfied, and continues to satisfy, all QSA (P2PE) Requirements applicable to employees of QSA (P2PE) Companies who will conduct P2PE Solution Assessments and/or P2PE Component Assessments, as described in further detail herein.
Modified p. 12 → 11
Validated P2PE Product A Validated P2PE Application, Validated P2PE Component, or Validated P2PE Solution Validated P2PE Solution A P2PE Solution that has been assessed by a QSA (P2PE) Company or PA-QSA (P2PE) Company to have met all of the requirements of the P2PE Standard and then Accepted by PCI SSC, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated.
Validated P2PE Solution A P2PE Solution that has been assessed by a QSA (P2PE) Company or PA-QSA (P2PE) Company to have met all of the requirements of the P2PE Standard and then Accepted by PCI SSC, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated.
Removed p. 13
• Authorize the P2PE Assessor Company to submit resulting P-ROVs and related information to PCI SSC.

• Directly manage P2PE Solutions for their customers and/or manage corresponding responsibilities.

A P-ROV using the required P-ROV template specifically for P2PE Solutions (a “Solution P-ROV”) (see Table 6.1 below) must be submitted to PCI SSC for each P2PE Solution to be validated (except Merchant-Managed P2PE Solutions).

• Provide corresponding Implementation Guides that describe the secure installation and administration of such applications on the corresponding POI devices.
Modified p. 13
Provide access to their P2PE Products and supporting documentation to a P2PE Assessor Company for validation, and
Provide access to their P2PE Products and supporting documentation to a P2PE Assessor Company for validation, and Authorize the P2PE Assessor Company to submit resulting P-ROVs and related information to PCI SSC.
Modified p. 13
Have overall responsibility for the design and implementation of specific P2PE Solutions, and
Have overall responsibility for the design and implementation of specific P2PE Solutions, and Directly manage P2PE Solutions for their customers and/or manage corresponding responsibilities.
Modified p. 13
Have those applications assessed against the P2PE Standard for secure operation within the applicable POI devices, and
Have those applications assessed against the P2PE Standard for secure operation within the applicable PCI-approved POI device(s), and Provide corresponding Implementation Guides that describe the secure installation and administration of such applications on the corresponding PCI-approved POI devices.
Modified p. 13
For P2PE Applications intended for use in multiple P2PE Solutions, validation and Acceptance as a Validated P2PE Application eliminates the need for the application to be separately assessed for P2PE Program purposes as part of each P2PE Solution in which is it used.
For P2PE Applications intended for use in multiple P2PE Solutions or applicable P2PE Components, validation and Acceptance as a Validated P2PE Application eliminates the need for the application to be separately assessed for P2PE Program purposes as part of each P2PE Solution or P2PE Component in which it is used.
Modified p. 13
A P2PE Application P-ROV (see Table 6.1 below) must be submitted to PCI SSC for each P2PE Application assessed as part of the Program.
A P2PE Application P-ROV (refer to Table 6.1 below) must be submitted to PCI SSC for each P2PE Application assessed as part of the Program.
Removed p. 14
• Key Management Services (KMS)

Each P2PE Component requires its own PCI SSC submission. A separate P-ROV is required for each Listed P2PE Component.
Modified p. 14
(a) Require P2PE Assessment for Program purposes, and (b) Are performed on behalf of a P2PE Solution Provider or Component Provider for use in P2PE Solutions. These services (and their respective P2PE Component Providers) include:
(a) Require a P2PE Assessment for Program purposes, and (b) Are performed on behalf of a P2PE Solution Provider or a P2PE Component Provider for use in P2PE Solutions. These services (and their respective P2PE Component Providers) include the following (each as described further below):
Modified p. 14
Encryption Management Services (EMS)
Encryption Management Services (EMS)
Modified p. 14
• POI Management Component Provider (PMCP)
• POI Management Component Provider (PMCP) Decryption Management Services (DMS)
Modified p. 14
• Decryption Management Services (DMS)
• Decryption Management Component Provider (DMCP) Key Management Services (KMS)
Modified p. 14
If a P2PE Component service described above is assessed as part of a P2PE Solution but is not on the List of Validated P2PE Components, the entity providing that component service is not considered a P2PE Component Provider for purposes of that component service and is considered a Third-Party Service Provider with respect to that component service. A Third-Party Service Provider must have its services reviewed during the course of each of its P2PE Solution Provider customers’ P2PE Assessments.
Each P2PE Component requires its own PCI SSC submission. A separate P-ROV must be submitted to PCI SSC for each P2PE Component assessed as part of the Program for it to be Accepted and Listed. If a P2PE Component service described above is assessed as part of a P2PE Solution (or a P2PE Component, as applicable) but is not on the List of Validated P2PE Components, the entity providing that component service is not considered a P2PE Component Provider for …
Removed p. 15
The KMS P-ROV must be submitted in order to validate P2PE Components of the types provided by the above provider types.
Modified p. 15
POI Deployment Component Provider is an entity that prepares and deploys POI devices and any resident P2PE applications and/or P2PE non-payment software that can support a P2PE solution.
POI Deployment Component Provider (PDCP) is an entity that prepares and deploys PCI-approved POI devices and any resident P2PE Applications and/or P2PE Non-payment Software that can support a P2PE Solution.
Modified p. 15
POI Management Component Provider is an entity that maintains the POI devices and any resident P2PE applications and/or P2PE non-payment software, once deployed. that can support a P2PE solution.
POI Management Component Provider (PMCP) is an entity that maintains the PCI-approved POI devices and any resident P2PE Applications and/or P2PE Non-payment Software, once deployed, that can support a P2PE Solution.
Modified p. 15
The EMS P-ROV (see Table 6.1, “P-ROVs to be used for P2PE v3.0 Assessments”) must be submitted in order to validate P2PE Components of the types provided by each of the above providers.
The EMS P-ROV (refer to Table 6.1, “P-ROVs to be used for P2PE v3 Assessments”) must be submitted in order to validate P2PE Components included within Encryption Management Services.
Modified p. 15
Decryption Management Component Provider is an entity that manages the decryption environment that can support a P2PE solution.
Decryption Management Component Provider is an entity that manages the decryption environment that can support a P2PE solution.
Modified p. 15
The DMS P-ROV must be submitted in order to validate P2PE Components of the type provided by the Decryption-Management Component Provider.
The DMS P-ROV (refer to Table 6.1, “P-ROVs to be used for P2PE v3 Assessments”) must be submitted in order to validate P2PE Components included within Decryption Management Services.
Modified p. 15
Key Injection Facility is an entity that performs cryptographic key services for POI devices and HSMs (including, but not limited to, key generation, conveyance, and/or key loading).
Key Injection Facility (KIF) is an entity that performs cryptographic key services for PCI-approved POI devices and HSMs (including, but not limited to, key generation, conveyance, and/or key loading).
Modified p. 15
Key Loading Component Provider is an entity that manages the cryptographic key loading for POI devices and HSMs that can support a P2PE solution.
Key Loading Component Provider (KLCP) is an entity that manages the cryptographic key loading for PCI-approved POI devices and HSMs that can support a P2PE solution.
Modified p. 15
Key Management Component Provider is an entity that manages cryptographic key generation and key conveyance for POI devices and HSMs that can support a P2PE Solution.
Key Management Component Provider (KMCP) is an entity that manages cryptographic key generation and key conveyance for PCI-approved POI devices and HSMs that can support a P2PE Solution.
Modified p. 15
Certification/Registration Authorities (CA/RA) is an entity that signs public keys such as X.509 or other non-X.509 certificates for use in connection with the remote distribution of symmetric keys using asymmetric techniques. A Registration Authority (RA) performs registration services on behalf of a CA to vet requests for certificates that will be issued by the CA.
Certification/Registration Authorities (CA/RA) is an entity that signs public keys such as X.509 or other non-X.509 certificates for use in connection with the remote distribution of symmetric keys using asymmetric techniques. A Registration Authority (RA) performs registration services on behalf of a CA to vet requests for certificates that will be issued by the CA.
Modified p. 15
The KMS P-ROV (see Table 6.1 below) must be submitted in order to validate P2PE Components of the type provided by this provider type.
The KMS P-ROV (refer to Table 6.1, “P-ROVs to be used for P2PE v3 Assessments”) must be submitted in order to validate P2PE Components included within Key Management Services.
Modified p. 15
Listings will indicate whether the P2PE Component Provider offers local or remote key-injection services and will show whether Certification Authority/Registration Authority (CA/RA) services are provided.
Listings will indicate whether the P2PE Component Provider offers local and/or remote key-injection services.
Removed p. 16
1) May be entirely performed and managed by a single P2PE Solution Provider or by a merchant acting as its own P2PE Solution Provider (in the case of a MMS); or
2) Certain services that are part of the applicable P2PE Solution may be outsourced to Third-Party Service Providers who perform these functions on behalf of the P2PE Solution Provider or P2PE Component Provider.
Modified p. 16
1) Undergo a P2PE Assessment of the applicable P2PE Component services and functions against relevant P2PE Requirements, and have their P2PE Assessor submit the applicable P2PE Report of Validation (P-ROV) to PCI SSC for review and Acceptance. Upon Acceptance, the corresponding P2PE Component is Listed on PCI SSC’s List of Validated P2PE Components. Or:
1) Undergo a P2PE Assessment of the applicable P2PE Component services or functions against relevant P2PE Requirements and have their P2PE Assessor submit the applicable P2PE Report of Validation (P-ROV) to PCI SSC for review and Acceptance. Upon Acceptance, the corresponding P2PE Component is Listed on PCI SSC’s List of Validated P2PE Components.
Modified p. 16
Accordingly, a P2PE Solution or P2PE Component can be reviewed via one of the following scenarios:
Accordingly, a P2PE Solution or P2PE Component can be reviewed via the following scenarios:
Modified p. 16
2) A P2PE Solution Provider or P2PE Component Provider (or a merchant as a P2PE Solution Provider in the case of a MMS) can outsource certain P2PE Component service functions to Listed P2PE Component Providers and report use of those PCI-Listed P2PE Component(s) in its P2PE Solution P-ROV.
2) A P2PE Solution Provider or P2PE Component Provider (or a merchant as a P2PE Solution Provider in the case of a MMS) can outsource certain P2PE Component service functions to Listed P2PE Component Providers and report use of those PCI-Listed P2PE Component(s) in its P2PE Solution P-ROV or applicable P2PE Component P-ROV.
Modified p. 16
P2PE Solution Providers (or merchants as P2PE Solution Providers in the case of a MMS) must manage the overall P2PE Solution and any third-party services (and corresponding Third-Party Service Providers) used to perform P2PE Component services or functions on their behalf, whether those Third-Party Service Providers are separately Listed by PCI SSC as P2PE Component Providers or are assessed as part of the P2PE Assessment of the corresponding P2PE Solution or P2PE Component.
P2PE Solution Providers (or merchants as P2PE Solution Providers in the case of a MMS) and P2PE Component Providers must manage the overall P2PE Solution or P2PE Component, respectively, and any third-party services (and corresponding Third-Party Service Providers) used to perform P2PE Component services or functions on their behalf, whether those Third-Party Service Providers are separately Listed by PCI SSC as P2PE Component Providers or are assessed as part of the P2PE Assessment of the corresponding P2PE Solution or P2PE …
Removed p. 17
• Hosts the List of Validated P2PE Solutions, the List of Validated P2PE Components, and the List of Validated P2PE Applications on the Website;

• Maintains and updates the P2PE Standard and related documentation; and
Modified p. 17
Provides required training for and qualifies QSA (P2PE) and PA-QSA (P2PE) Companies and Employees to assess and validate P2PE Products against the P2PE Standard;
Hosts the List of Validated P2PE Solutions, the List of Validated P2PE Components, and the List of Validated P2PE Applications on the Website; Hosts the P2PE Expired Listings on the Website; Provides required training for and qualifies QSA (P2PE) and PA-QSA (P2PE) Companies and Employees to assess and validate P2PE Products against the P2PE Standard; Maintains and updates the P2PE Standard and related documentation; and
Modified p. 17
Note: PCI SSC does not assess or validate P2PE Products for P2PE compliance; assessment and validation is the role of the QSA (P2PE) and/or PA-QSA (P2PE) Company, as applicable. Listing of a P2PE Solution, P2PE Component, and/or P2PE Application on the List of Validated P2PE Solutions, List of Validated P2PE Components, and/or List of Validated P2PE Applications signifies only that the applicable P2PE Assessor Company has determined that the P2PE Product complies with the P2PE Standard, that the P2PE Assessor …
Note: PCI SSC does not assess or validate P2PE Products for P2PE compliance; assessment and validation is the role of the QSA (P2PE) and/or PA-QSA (P2PE) Company, as applicable. Listing of a P2PE Solution, P2PE Component, and/or P2PE Application on the List of Validated P2PE Solutions, List of Validated P2PE Components, and/or List of Validated P2PE Applications signifies only that the applicable P2PE Assessor Company has determined that the P2PE Product complies with the P2PE Standard, that the P2PE Assessor …
Modified p. 18
QSA (P2PE): QSA (P2PE) Companies are QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions and P2PE Components. QSA (P2PE) Companies are not qualified by PCI SSC to perform P2PE Application Assessments.
QSA (P2PE): QSA (P2PE) Companies are QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions and P2PE Components. QSA (P2PE) Companies are not qualified by PCI SSC to perform P2PE Application Assessments.
Modified p. 18
PA-QSA (P2PE): PA-QSA (P2PE) Companies are PA-QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions, P2PE Components, and P2PE Applications.
PA-QSA (P2PE): PA-QSA (P2PE) Companies are PA-QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions, P2PE Components, and P2PE Applications.
Modified p. 18
Performing P2PE Assessments of P2PE Solutions and P2PE Components (and P2PE Applications for PA-QSA (P2PE) Assessor Companies) in accordance with the P2PE Standard and the P2PE Qualification Requirements.
Performing P2PE Assessments of P2PE Solutions and P2PE Components (and P2PE Applications for PA-QSA (P2PE) Assessor Companies) in accordance with the P2PE Standard, the P2PE Program, and the P2PE Qualification Requirements.
Modified p. 18
Determining the scope of their P2PE Assessments and applicability of the P2PE Standard to each of those P2PE Assessments.
Determining the scope of their P2PE Assessments and applicability of the P2PE Standard to each of those P2PE Assessments.
Modified p. 18
Assessing the compliance of P2PE Solutions and P2PE Components (and P2PE Application for PA-QSA (P2PE) Assessor Companies) against the P2PE Standard.
Assessing the compliance of P2PE Solutions and P2PE Components (and P2PE Applications for PA-QSA (P2PE) Assessor Companies) against the P2PE Standard.
Modified p. 18
Documenting each P2PE Assessment in a P-ROV using the applicable P2PE P-ROV Reporting Templates.
Documenting each P2PE Assessment using the applicable P-ROV Reporting Templates. Refer to Table 6.1, “P-ROVs to be used for P2PE v3 Assessments”.
Modified p. 18
Submitting the applicable P-ROV(s) and/or any change submission to PCI SSC, along with the applicable P-AOV signed by both the P2PE Assessor Company and P2PE Vendor.
Submitting the applicable P-ROV(s) and/or any change submission to PCI SSC, along with the applicable P-AOV signed by both the P2PE Assessor Company and P2PE Vendor.
Modified p. 18
Maintaining an internal quality assurance process for their P2PE Assessment efforts.
Maintaining an internal quality assurance process for their P2PE Assessment efforts.
Modified p. 18
Staying up to date with PCI SSC statements and guidance, P2PE Technical and General FAQs, industry trends, and best practices.
Staying up to date with PCI SSC statements and guidance, P2PE Technical and General FAQs, industry trends, and best practices.
Modified p. 18
Determining which solutions and devices to implement.
Determining which solutions and devices to implement.
Modified p. 18
Adhering to the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
Adhering to the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
Modified p. 20
1) The P2PE Vendor selects a P2PE Assessor Company from PCI SSC’s List of P2PE Qualified Security Assessor Companies and negotiates the cost and any associated P2PE Assessor Company confidentiality and non-disclosure agreements with the P2PE Assessor Company 2) The P2PE Vendor then provides to the P2PE Assessor Company its executed VRA and access to the applicable P2PE Solution, P2PE Component(s), and/or P2PE Application(s) to be assessed, POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for …
2) The P2PE Vendor then provides to the P2PE Assessor Company its executed VRA and access to the applicable P2PE Solution, P2PE Component(s), and/or P2PE Application(s) to be assessed, POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for P2PE Solutions, and all associated manuals and other required documentation.
Modified p. 20
4) If the P2PE Assessor Company determines that the P2PE Solution, P2PE Component(s), and/or P2PE Application is in compliance with the P2PE Standard, the P2PE Assessor Company submits the corresponding P-ROV(s) to PCI SSC, attesting to compliance and setting forth the results, opinions, and conclusions of the P2PE Assessor Company on all test procedures along with the P2PE Vendor’s signed VRA and the corresponding P-AOV. See Appendix A, “P2PE Products and Acceptance,” for more details on Acceptance.
4) If the P2PE Assessor Company determines that the P2PE Solution, P2PE Component(s), and/or P2PE Application is in compliance with the P2PE Standard, the P2PE Assessor Company submits the corresponding P-ROV(s) to PCI SSC, attesting to compliance and setting forth the results, opinions, and conclusions of the P2PE Assessor Company on all test procedures along with the P2PE Vendor’s signed VRA and the corresponding P-AOV. Refer to Appendix A, “P2PE Products and Acceptance,” for more details on Acceptance.
Modified p. 20
6) Once the above process is complete for the submitted P2PE Solution, P2PE Component(s), and/or P2PE Application(s), PCI SSC signs the corresponding P-AOV and adds the P2PE Solution, P2PE Component(s), and/or P2PE Application(s) to the corresponding list of Validated P2PE Products on the Website.
6) Once the above process is complete for the submitted P2PE Solution, P2PE Component(s), and/or P2PE Application(s), PCI SSC signs the corresponding P-AOV and adds the P2PE Solution, P2PE Component(s), and/or P2PE Application(s) to the corresponding List of Validated P2PE Products on the Website.
Modified p. 21
Process Illustration P2PE Assessment for P2PE Products Intended for v3 PCI SSC Listing Figure 1 P2PE Product Submission and PCI SSC Review Figure 2
Process Illustration P2PE Assessment of P2PE Products Intended for PCI SSC Listing Figure 1 P2PE Product Submission and PCI SSC Review Figure 2
Modified p. 22
Figure 1: P2PE Assessment for Products Intended for v3 PCI SSC Listing
Figure 1: P2PE Assessment of P2PE Products Intended for PCI SSC Listing
Modified p. 24
2) The Merchant provides the P2PE Assessor Company access to the MMS to be assessed, POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for MMS, and all associated manuals and other required documentation.
2) The Merchant provides the P2PE Assessor Company access to the MMS to be assessed, PCI-approved POI Device Types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for MMS, and all associated manuals and other required documentation.
Modified p. 24
4) If the P2PE Assessor Company determines that the MMS is in compliance with the P2PE Standard, the P2PE Assessor Company prepares and submits to the Merchant a corresponding Merchant-Managed P2PE Solution P-ROV attesting to compliance and setting forth the results, opinions and conclusions of the P2PE Assessor Company on all test procedures.
4) If the P2PE Assessor Company determines that the MMS is in compliance with the P2PE Standard, the P2PE Assessor Company prepares and submits to the Merchant a corresponding P2PE Merchant-Managed Solution P-ROV attesting to compliance and setting forth the results, opinions and conclusions of the P2PE Assessor Company on all test procedures.
Modified p. 24
Note: Merchant-Managed P2PE Solutions are not eligible for listing on the Website, and the corresponding P-ROV is not submitted to PCI SSC. A Merchant-Managed P2PE Solution may utilize Third-Party Service Providers, Validated P2PE Applications, and/or Validated P2PE Components.
Note: Merchant-Managed P2PE Solutions are not eligible for listing on the Website, and the corresponding P-ROV(s) is not submitted to PCI SSC. A Merchant-Managed P2PE Solution may utilize Third-Party Service Providers, Validated P2PE Applications, and/or Validated P2PE Components.
Modified p. 25
Possible Element Program Guidance SCDs Validated P2PE Solutions and P2PE Components require the use of various types of Secure Cryptographic Devices (SCDs). To assist in evaluating these device types for use in a P2PE Solution, note the following:
Table 4.1 Program Guidance Possible Element Program Guidance SCDs Validated P2PE Solutions and P2PE Components require the use of various types of Secure Cryptographic Devices (SCDs). To assist in evaluating these device types for use in a P2PE Solution, note the following:
Modified p. 25
Refer to “Definition of Secure Cryptographic Devices (SCDs) to be used in P2PE Solutions” in the Introduction section of the P2PE Standard for requirements for these devices.
Refer to “Definition of Secure Cryptographic Devices (SCDs) to be used in P2PE Solutions” in the P2PE Standard.
Modified p. 25
Obtaining and maintaining PTS or FIPS 140 device approval is the responsibility of the secure cryptographic device vendor. P2PE Assessors will request evidence of device approvals being in place and current as part of performing a P2PE Assessment.
Obtaining and maintaining PCI PTS HSM or FIPS 140 device approval is the responsibility of the secure cryptographic device vendor. P2PE Assessors will request evidence of device approvals being in place and current as part of performing a P2PE Assessment.
Modified p. 25
An existing P2PE Program approval of a Listed P2PE Solution or P2PE Component may be reassessed up to but not exceeding three years past the expiry date of any PCI-listed HSMs already included in the corresponding P2PE Solution or P2PE Component approval. This will be checked as part of the reassessment and submittal process to PCI SSC. As the reassessment (provided it results in an updated P2PE listing) is valid for three years, this will allow vendors to continue …
An existing P2PE Program approval of a Listed P2PE Solution or a Listed P2PE Component may be reassessed up to but not exceeding three years past the expiry date of any PCI-listed HSMs already included in the corresponding P2PE Solution or P2PE Component approval. This will be checked as part of the reassessment and submittal process to PCI SSC. As the reassessment (provided it results in an updated P2PE listing) is valid for three years, this will allow vendors to …
Modified p. 25
The following table provides the current PTS HSM expiry dates and the corresponding reassessment window for P2PE Solutions and applicable P2PE Components using these devices:
The following table provides the current PCI PTS HSM expiry dates and the corresponding reassessment window for P2PE Solutions and applicable P2PE Components using these devices:
Removed p. 26
For additional detail, refer to Appendix J, “PCI-Listed PTS HSM Expiry Flowchart.” SCDs (continued)

• Existing PCI P2PE approvals of Validated P2PE Products with expired PTS POI devices may be revalidated and reassessed for up to, but not exceeding, five years past the PTS POI device expiry dates (as appearing on the PCI SSC List of Approved PTS Devices) used in the corresponding P2PE Product. A POI device may not be used in a Listed P2PE Solution more than five years past the corresponding PTS POI device expiry date. A Validated P2PE Solution will be delisted if all of its associated POI device types have exceeded the five-year window (as shown in the table below).
Modified p. 26
The following table provides the current POI device expiry dates and the corresponding revalidation/reassessment window for P2PE Solutions using these devices.
The following table provides the current PCI-approved POI device expiry dates and the corresponding revalidation/reassessment window for P2PE Products using these devices
Modified p. 26
PCI PTS POI version | PTS POI Expiry Date | P2PE Revalidation/Reassessment End-date for Expired POI Devices*
1.x | EXPIRED 2014 | N/A (v1.x devices are not P2PE eligible)
2.x | EXPIRED April 2017 | 29 April 2022
3.x | 30 April 2020 | 29 April 2025
4.x | 30 April 2023 | 29 April 2028
5.x | 30 April 2026 | 29 April 2031
* There may be regional variations; check with the respective payment brands to determine any variances in the dates shown above.
PCI PTS POI | PCI-approved POI Expiry Date | P2PE Revalidation/Reassessment End-date for Expired POI Devices*
1.x | EXPIRED 2014 | N/A (v1.x devices are not P2PE eligible)
2.x | EXPIRED April 2017 | 29 April 2022
3.x | 30 April 2021 | 29 April 2026
4.x | 30 April 2023 | 29 April 2028
5.x | 30 April 2026 | 29 April 2031
* There may be regional variations; please check with the respective payment brands to determine any variances in the dates shown above.
Modified p. 26
Device vendors wishing to obtain PTS approval should consult the Website for further information. Obtaining PTS approval does not replace or supersede any payment card brand-specific device-approval processes.
Device vendors wishing to obtain PCI approval should consult the Website for further information. Obtaining PCI approval does not replace or supersede any payment card brand-specific device-approval processes.
Removed p. 27
• Independently Listed on the List of Validated P2PE Applications

• Refer to definition in P2PE Glossary.

• Assessed only per designated P2PE Requirements by a P2PE Assessor Company.
Modified p. 27
Refer to definition in P2PE Glossary.
P2PE Non-payment Refer to the definition in the P2PE Glossary.
Modified p. 27
Refer to “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the Introduction section of the P2PE Standard.
Refer to the “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” section of the P2PE Standard.
Modified p. 27
Refer to “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the Introduction section of the P2PE Standard.
Refer to the “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” section of the P2PE Standard.
Modified p. 27
Must undergo validation per all applicable P2PE Application Requirements by a PA-QSA (P2PE), and will be either:
Must undergo validation per all applicable P2PE Application Requirements by a PA-QSA (P2PE), and will be either:
Modified p. 27
Not Listed on the List of Validated P2PE Applications and therefore only considered an element of the specific Validated P2PE Solution or P2PE Component for which it has been submitted.
Independently Listed on the List of Validated P2PE Applications Not Listed on the List of Validated P2PE Applications and therefore only considered an element of the specific Validated P2PE Solution or Validated P2PE Component for which it has been submitted.
Modified p. 27
If a P2PE Application is currently Listed on the List of Validated P2PE Applications and was assessed against the same major version of the P2PE Standard, additional testing/assessment against the P2PE Application P-ROV is not required as part of the P2PE Assessment of the applicable P2PE Solution.
If a P2PE Application is currently Listed on the List of Validated P2PE Applications and was assessed against the same major version of the P2PE Standard, additional testing/assessment against the P2PE Application P-ROV is not required as part of the P2PE Assessment of the applicable P2PE Solution or P2PE Component.
Modified p. 27
• If a P2PE Application is not already on the List of Validated P2PE Applications, both the Solution P-ROV (including Component P-ROVs, if applicable) and the P2PE Application P-ROV must be submitted before the P2PE Solution can be assessed. This applies for each P2PE Solution in which the P2PE Application is used.
For P2PE Solution Assessments, if a P2PE Application is not already on the List of Validated P2PE Applications, both the P2PE Solution P-ROV (including P2PE Component P-ROVs, if applicable) and the P2PE Application P-ROV(s) (one for each P2PE Application), must be submitted to PCI SSC. The P2PE Application P-ROV(s) must undergo PCI SSC review (and Acceptance, where the P2PE Application is being submitted to be Listed on the List of Validated P2PE Applications) prior to the PCI SSC review and …
Modified p. 27
Not eligible for PCI-listing by PCI SSC.
Not eligible for PCI-listing by PCI SSC.
Removed p. 28
If a P2PE Component is currently listed on the List of Validated P2PE Components, the Component P-ROV has already been Accepted by PCI SSC. As a result, only the P2PE Components that the P2PE Solution or P2PE Component uses will need to be identified in the Solution P-ROV and no assessment of that currently listed P2PE Component is needed as part of the P2PE Solution or P2PE Component assessment.

• If a P2PE Component is not already on the List of Validated P2PE Components but is being added to the List of Validated P2PE Components, the applicable Component P-ROV must be submitted and Accepted before the P2PE Solution or P2PE Component P-ROV can be Accepted.
Modified p. 28
If independent listing is not being pursued for a P2PE Component, this is instead considered a Third-Party Service Provider’s service offering and it is only an element of the specific P2PE Solution or P2PE Component within which it is assessed.
If independent listing is not being pursued for a P2PE Component, this is instead considered a Third-Party Service Provider’s service offering and it is only an element of the specific P2PE Solution or P2PE Component within which it is assessed.
Removed p. 29
Note: The process for developing and validating P2PE Products, including responsibilities for implementing requirements and validating compliance with each Requirement, is defined within the P2PE Standard.

• Determine whether the P2PE Solution Provider’s P2PE Instruction Manual meets P2PE Standard requirements and correct any gaps.
Modified p. 29
Review the requirements of both the PCI DSS and the P2PE Standard and all related documentation located at the Website.
Review the requirements of both the PCI DSS and the P2PE Standard and all related documentation located at the Website.
Modified p. 29
Determine/assess the P2PE Solution’s, P2PE Component’s, or P2PE Application’s readiness to comply with the P2PE Standard: Select the appropriate P-ROV(s) based on the type of P2PE Assessment.
Determine/assess the P2PE Solution’s, P2PE Component’s, or P2PE Application’s readiness to comply with the P2PE Standard: Select the appropriate P-ROV(s) based on the type of P2PE Assessment. Refer to Table 6.1, “P-ROVs to be used for P2PE v3 Assessments.” Determine whether the P2PE Application Vendor’s Implementation Guide meets P2PE Standard requirements and correct any gaps.
Modified p. 29
Determine whether the P2PE Application Vendor’s Implementation Guide meets P2PE Standard requirements and correct any gaps.
Determine whether the P2PE Solution Provider’s P2PE Instruction Manual (PIM) meets P2PE Standard requirements and correct any gaps.
Modified p. 29
How close the P2PE Product is compliant with the P2PE Standard at the start of the P2PE Assessment: Corrections to the P2PE Product to achieve compliance will delay validation.
How close the P2PE Product is compliant with the P2PE Standard at the start of the P2PE Assessment: Corrections to the P2PE Product to achieve compliance will delay validation.
Modified p. 29
For P2PE Solutions and P2PE Components that use P2PE Applications and/or P2PE Components: Those that are being Listed on the Website separately must be Listed before the P2PE Solution can be reviewed.
For P2PE Solutions and P2PE Components that use P2PE Applications and/or P2PE Components: Those that are being Listed on the Website separately must be Listed before the P2PE Solution or the P2PE Component can be reviewed and Accepted.
Modified p. 29
Whether the P2PE Application’s Implementation Guide and/or P2PE Instruction Manual meets all P2PE Requirements at the start of the Assessment: Extensive rewrites will delay validation.
Whether the P2PE Application’s Implementation Guide and/or the P2PE Solution’s P2PE Instruction Manual meets all P2PE Requirements at the start of the Assessment: Extensive rewrites will delay validation.
Modified p. 29
Prompt payment of the fees due to PCI SSC
Prompt payment of the fees due to PCI SSC
Modified p. 29
PCI SSC will not commence review of the P-ROV until the applicable fee has been paid.
PCI SSC will not commence review of the P-ROV(s) for the P2PE Products until the applicable fee has been paid.
Removed p. 30
• Quality of the P2PE Assessor Company's submission to PCI SSC

• The P2PE Assessor Company must prepare each P-ROV based on evidence obtained by following the P2PE Standard.
Modified p. 30
PCI SSC qualifies and provides required training for P2PE Assessor Companies (QSA (P2PE) and PA-QSA (P2PE)) to assess and validate P2PE Products to the P2PE Standard. In order to perform P2PE Solution Assessments and/or P2PE Component Assessments, a P2PE Assessor Company must have been qualified by PCI SSC and remain in Good Standing (as defined in the QSA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a QSA Company and QSA (P2PE) Company. In …
PCI SSC qualifies and provides required training for P2PE Assessor Companies (QSA (P2PE) and PA-QSA (P2PE)) to assess and validate P2PE Products to the P2PE Standard. In order to perform P2PE Solution Assessments and/or P2PE Component Assessments, a P2PE Assessor Company must have been qualified by PCI SSC and remain in Good Standing (as defined in the QSA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a QSA Company and QSA (P2PE) Company. In …
Modified p. 30
For each P2PE Assessment, the resulting P2PE Assessor report must follow the P2PE Report on Validation (P-ROV) template and instructions, as outlined in the corresponding P2PE P-ROV Reporting Template.
For each P2PE Assessment, the resulting P2PE Assessor report must follow the P2PE Report on Validation (P-ROV) template and instructions, as outlined in the corresponding P-ROV Reporting Template. Refer to Table 6.1, “P-ROVs to be used for P2PE v3 Assessments.” The P2PE Assessor Company must prepare each P-ROV based on evidence obtained by following the P2PE Standard.
Modified p. 30
Prior to submitting to PCI SSC, the P2PE Assessor Company must perform a review of all documents to ensure they are consistent and meet PCI SSC’s requirements and quality standards.
Prior to submitting to PCI SSC, the P2PE Assessor Company must perform a review of all documents to ensure they are consistent and meet PCI SSC’s requirements and quality standards.
Modified p. 30
Each P-ROV submitted to PCI SSC must be accompanied by a corresponding P2PE Attestation on Validation (P-AOV) in the form available through the Website, signed by a duly authorized officer of the P2PE Assessor Company, that summarizes whether the entity is in compliance or is not in compliance with PCI P2PE and any related findings, as well as the P2PE Application Implementation Guide (as applicable) and P2PE Instruction Manual.
Each P2PE Product (including all applicable P-ROVs) submitted to PCI SSC for Acceptance and Listing must be accompanied by a corresponding P2PE Attestation on Validation (P-AOV) in the form available through the Website, signed by a duly authorized officer of the P2PE Assessor Company, that summarizes whether the entity is in compliance or is not in compliance with the P2PE Standard and any related findings, as well as the P2PE Application Implementation Guide (as applicable) and P2PE Instruction Manual.
Modified p. 31
Covers confidentiality issues; Covers the P2PE Vendor’s agreement to P2PE Program requirements, policies and procedures; Gives permission to the P2PE Vendor’s P2PE Assessor Company to release P-ROVs and related materials to PCI SSC for review; and Requires P2PE Vendors to adopt and comply with industry standard Vulnerability Handling Policies.
Covers confidentiality issues; Covers the P2PE Vendor’s agreement to P2PE Program requirements, policies and procedures; Gives permission to the P2PE Vendor’s P2PE Assessor Company to release P-ROVs and related materials to PCI SSC for review; and Requires P2PE Vendors to adopt and comply with industry standard Vulnerability Handling Policies.
Modified p. 31
If PCI SSC does not already have the P2PE Vendor’s signed copy of the then-current VRA, the P2PE Assessor Company must provide the P2PE Vendor’s signed copy of the then-current VRA to PCI SSC, along with the P-ROV(s) submission.
If PCI SSC does not already have the P2PE Vendor’s signed copy of the then-current VRA, the P2PE Assessor Company must provide the P2PE Vendor’s signed copy of the then-current VRA to PCI SSC, along with the P-ROV(s) submission.
Modified p. 31
If PCI SSC does already have the P2PE Vendor’s signed copy of the then-current VRA, the P2PE Assessor is not required to re-submit the same VRA to PCI SSC at that time.
If PCI SSC does already have the P2PE Vendor’s signed copy of the then-current VRA, the P2PE Assessor is not required to re-submit the same VRA to PCI SSC at that time.
Modified p. 32
There are no annual recurring PCI SSC fees associated with the Acceptance of a P2PE Product. There are, however, PCI SSC fees associated with P2PE Vendor delays in annual revalidation of P2PE Validated Products. See the Website for more information.
There are no annual recurring PCI SSC fees associated with the Acceptance of a P2PE Product. There are, however, PCI SSC fees associated with P2PE Vendor delays in annual revalidation of Validated P2PE Products. Refer to the P2PE Program fees on the Website for more information.
Removed p. 33
• If the updated and complete P-AOV is received within this 90-day period, PCI SSC will update the corresponding Listing’s Reassessment Date with the new date and remove the Orange status.

• If the updated and complete P-AOV is not received within this 90-day period, the corresponding Listing’s Reassessment Date will be updated to show the date in Red.

• Once in Red, a Full Assessment (including applicable fees) is required to return the P2PE Product’s Listing to good standing.

• If a P2PE Product’s Listing has been in a Red status for more than 90 days, the P2PE Product will be moved to the P2PE Expired Listing.

• PCI SSC will, following receipt of the updated P2PE Attestation of Validation: (i) review the submission for completeness; and (ii) if completeness is established, sign and return a copy of the updated P2PE Attestation of Validation to the P2PE Vendor.”
Modified p. 33
Note: P2PE v3 Products require a Full Assessment every three years based on the date of the P2PE Product’s Acceptance.
Note: Listed P2PE Products require a Full Assessment every three years based on the date of the P2PE Product’s initial Acceptance. Refer to section 5.3, “Renewing Listed P2PE Products”.
Modified p. 33
Annually, based on the date of the applicable P2PE Product’s Acceptance, the P2PE Vendor is required to submit an updated P2PE Attestation of Validation for that P2PE Product, covering the time since the last submission for that P2PE Product (i.e., initial P-ROV submission or annual update per this Section) was accepted and listed by PCI SSC (each an “Annual Revalidation”)
Annually, based on the date of the applicable P2PE Product’s Acceptance, the P2PE Vendor is required to submit an updated P2PE Attestation of Validation (P-AOV) for that P2PE Product, covering the time since the last submission for that P2PE Product (i.e., initial P-ROV(s) submission or annual update per this Section) was Accepted and Listed by PCI SSC (each an “Annual Revalidation”).
Modified p. 33
PCI SSC will generally send a courtesy reminder e-mail to the P2PE Vendor’s contact (as identified in the applicable P-AOV) within 90 days prior to the relevant revalidation/reassessment date, but it is the sole responsibility of the P2PE Vendor to maintain the listing regardless of any such courtesy reminder(s).
PCI SSC will generally send a courtesy reminder e-mail to the P2PE Vendor’s contact (as identified in the applicable P-AOV) within 90 days prior to the relevant Annual Revalidation/Reassessment date, but it is the sole responsibility of the P2PE Vendor to maintain the listing regardless of any such courtesy reminder(s).
Modified p. 33
c) POI devices or HSMs that are part of the P2PE Product continue to be acceptable for use in a P2PE Product. See Table 4.1, “Program Guidance,” for SCDs regarding expired POI devices and HSMs.
c) POI devices or HSMs that are part of the P2PE Product continue to be acceptable for use in a P2PE Product. Refer to Table 4.1, “Program Guidance,” for SCDs regarding expired POI devices and HSMs.
Modified p. 33
The P2PE Vendor is required to give consideration to the impact of external threats and whether updates to the P2PE Product are necessary to address changes to the external threat environment. The updated P-AOV should be submitted via e-mail to the P2PE Program Manager. If an updated P-AOV is not submitted in a timely manner, the P2PE Product will be subject to early administrative expiry, as follows:
The P2PE Vendor is required to give consideration to the impact of external threats and whether updates to the P2PE Product are necessary to address changes to the external threat environment. The updated P-AOV should be submitted via e-mail to the PCI SSC P2PE Program Manager. If an updated P-AOV is not submitted and Accepted by PCI SSC on or before the P2PE Product’s current Annual Revalidation Date, the P2PE Product will be subject to early administrative expiry, as follows:
Modified p. 33
The corresponding Listing will be updated to show the P2PE Product’s Reassessment Date in Orange for a period of 90 days.
The corresponding P2PE Product Listing will be updated to show the P2PE Product’s Annual Revalidation date in Orange for a period up to 90 consecutive calendar days unless the Annual Revalidation requirements of the Program are satisfied.
Removed p. 34
• Add/Remove a P2PE Component;

• Add/Remove a PCI-approved POI device Type;

• Add/Remove a PCI SSC listed or FIPS-approved HSM;

• Add/Remove a P2PE Application; and

• Pay fee to PCI SSC.

• Submit P-AOV to PCI SSC in accordance with Section 5.1, “Annual Revalidation.”

1 Combining former Designated and Delta change categories

2 Combining former Interim and No Impact change categories
Modified p. 34 → 35
Table 5.2

• Changes to P2PE Listed Products Change Type Description Action by Vendor/Assessor Delta1 1. Impacts the corresponding P2PE Product Listing; and
Table 5.2

• Changes to Listed P2PE Products Change Type Description Action by Vendor/Assessor Delta 1. Impacts the corresponding P2PE Product Listing; and
Modified p. 34 → 35
2. Is not an “Administrative” change (described below).
2. Is not an “Administrative” change or a “No Impact” change (described below).
Modified p. 34 → 35
P2PE Application changes where fewer than half the applicable Requirements/Sub-Requirements are affected. Note: P2PE Application changes where at least half of the applicable Requirements/Sub-Requirements are affected require a full P2PE Assessment.
Add/Remove a P2PE Component; Add/Remove a PCI-approved POI Device Type; Add/Remove a PCI SSC listed or FIPS-approved HSM; Add/Remove a P2PE Application; and P2PE Application changes where fewer than half the applicable Requirements/Sub-Requirements are affected. Note: P2PE Application changes where at least half of the applicable Requirements/Sub-Requirements are affected require a full P2PE Assessment.
Modified p. 34 → 35
See Section 5.2.2, “Delta Changes for P2PE Products” for details.
Refer to Section 5.2.2, “Delta Changes for P2PE Products” for details.
Modified p. 34 → 35
Complete change analysis and submit to P2PE Assessor Company for review.
Complete change analysis (for example, using the applicable Change Impact Template in the Appendices) and submit to P2PE Assessor Company for review.
Modified p. 34 → 35
Submit Change Impact Template (See Appendices) to PCI SSC for review.
Submit applicable Change Impact Template (refer to Appendices) to PCI SSC for review.
Modified p. 34 → 35
Submit updated P2PE Application Implementation Guide or P2PE Instruction Manual to P2PE Assessor Company for review, if applicable.
Submit updated P2PE Application Implementation Guide and/or PIM to P2PE Assessor Company for review, as applicable.
Modified p. 34 → 35
Submit red-lined P-ROV to PCI SSC for review, if applicable.
Submit red-lined P-ROV(s) to PCI SSC for review.
Modified p. 34 → 35
Submit new VRA to P2PE Assessor Company, if applicable.
Submit new VRA to P2PE Assessor Company, if applicable.
Modified p. 34 → 35
No Impact2 1. Does not impact the P2PE Product’s compliance with any of the P2PE Requirements; and
No Impact 1. Does not impact the P2PE Product’s compliance with any of the P2PE Requirements; and
Modified p. 34 → 35
Not reported at the time of the change.
Not reported at the time of the change.
Modified p. 34 → 35
Addressed by P2PE Vendor during the Annual Revalidation Process.
Addressed by P2PE Vendor during the Annual Revalidation Process.
Removed p. 35
• Pay fee to PCI SSC.

• Corporate identity changes

• P2PE Product name changes

• Name and reference number of the Validated P2PE Listing

• Description of the change
Modified p. 35 → 36
Listing detail changes such as “Regions Served” (P2PE Solutions only) See Section 5.2.1, “Administrative Changes for P2PE Listings,” for details.
Corporate identity changes P2PE Product name changes Listing detail changes such as “Regions Served” (P2PE Solutions only) Refer to Section 5.2.1, “Administrative Changes for P2PE Listings,” for details.
Modified p. 35 → 36
Complete change analysis and submit to P2PE Assessor Company for review.
Complete change analysis (for example, using applicable Change Impact Template from Appendices) and submit to P2PE Assessor Company for review.
Modified p. 35 → 36
• Complete P2PE Change Impact Template (See Appendices) and submit to P2PE Assessor Company for review.
Submit applicable Change Impact Template (refer to Appendices herein) to PCI SSC for review.
Modified p. 35 → 36
Submit updated P2PE Application Implementation Guide or P2PE Instruction Manual to P2PE Assessor Company for review, if applicable.
Submit updated P2PE Application Implementation Guide and/or PIM to P2PE Assessor Company for review, if applicable.
Modified p. 35 → 36
Submit new VRA to P2PE Assessor Company, if applicable
Submit new VRA to P2PE Assessor Company, if applicable Pay fee to PCI SSC.
Modified p. 35 → 37
The P2PE Vendor prepares a change analysis (for example, using the corresponding P2PE Change Impact Template) and submits it to the P2PE Assessor Company for review, along with the updated P2PE Application Implementation Guide or P2PE Instruction Manual. The change analysis must contain the following information at a minimum:
The P2PE Vendor prepares a change analysis (for example, using the corresponding P2PE Change Impact Template located in the Appendices herein) and submits it to the P2PE Assessor Company for review, along with the updated P2PE Application Implementation Guide and/or P2PE Instruction Manual (PIM), as applicable. The change analysis must contain the following information at a minimum:
Modified p. 35 → 37
Description of why the change is necessary It is recommended that the P2PE Vendor submit the change analysis to the same P2PE Assessor Company used for the last full P2PE Solution Assessment.
Name and reference number of the Validated P2PE Listing Description of the change Description of why the change is necessary It is recommended that the P2PE Vendor submit the change analysis to the same P2PE Assessor Company used for the last Full Assessment of the P2PE Product.
Modified p. 35 → 37
1) The P2PE Assessor Company must notify the P2PE Vendor that it agrees; 2) The P2PE Vendor prepares and signs the corresponding P-AOV, and sends it to the P2PE Assessor Company; 3) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual and/or P2PE Application Implementation Guide and/or completes a new VRA; 4) The P2PE Assessor Company completes the corresponding P2PE Change Impact Template in the Appendix;
1) The P2PE Assessor Company must notify the P2PE Vendor that it agrees; 2) The P2PE Vendor prepares and signs the corresponding P-AOV, and sends it to the P2PE Assessor Company; 3) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual and/or P2PE Application Implementation Guide and/or completes a new VRA; 4) The P2PE Assessor Company completes the corresponding P2PE Change Impact Template in the Appendix; 5) The P2PE Assessor signs their concurrence on the P-AOV and submits it …
Removed p. 36
• Name and reference number of the Validated P2PE Listing

• Description of the change
Removed p. 36
• Add/remove a PCI-approved POI device; or

• Add/remove a PCI SSC listed and/or FIPS-approved HSM; or

• Add/remove a validated P2PE Application; or

• Add/remove a validated P2PE Component; or

• Description of why the change is necessary
Modified p. 36 → 37
1) Amend the corresponding List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications on the Website accordingly with the new information; and 2) Sign and return a copy of the corresponding P2PE Attestation of Validation to both the P2PE Vendor and the P2PE Assessor Company. The Revalidation date of the updated listing will be the same as that of the parent listing.
1) Amend the corresponding List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications on the Website accordingly with the new information; and 2) Sign and return a copy of the corresponding P2PE Attestation of Validation to both the P2PE Vendor and the P2PE Assessor Company. An Administrative change does not change the Listed P2PE Product’s Annual Revalidation date or its Reassessment date.
Modified p. 36 → 38
Address changes to P2PE Application changes where fewer than half of the applicable Requirements/sub-Requirements are affected.
Add/remove a PCI-approved POI Device Type; or Add/remove a PCI SSC listed and/or FIPS-approved HSM; or Add/remove a P2PE Application; or Add/remove a P2PE Component; or Address changes to P2PE Application changes where fewer than half of the applicable Requirements/sub-Requirements are affected.
Modified p. 36 → 38
The P2PE Vendor prepares a change analysis (for example, using the corresponding P2PE Change Impact Template) and submits it to the P2PE Assessor Company for review, along with the updated P2PE Instruction Manual or P2PE Application Implementation Guide, as applicable. The change analysis must contain the following information at a minimum:
The P2PE Vendor prepares a change analysis (for example, using the corresponding P2PE Change Impact Template located in the Appendices herein) and submits it to the P2PE Assessor Company for review, along with the updated P2PE Instruction Manual (PIM) and/or P2PE Application Implementation Guide, as applicable. The change analysis must contain the following information at a minimum:
Removed p. 37
1) The P2PE Assessor Company must notify the P2PE Vendor that it agrees; 2) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual or P2PE Application Implementation Guide and/or completes a new VRA and submits this to the P2PE Assessor Company; 3) The P2PE Assessor Company must perform an assessment of the requirements of the P2PE Standard that are affected by the change. Details of the tests that must be performed are available within the “Delta Changes” sections of the corresponding P2PE Change Impact Template; 4) The P2PE Assessor Company completes the corresponding P2PE Change Impact Template and must produce a red-lined P-ROV and document the testing completed per PCI SSC requirements. For any changes to P2PE Applications where fewer than half of the security requirements have been impacted, the Change Impact Template for P2PE Applications must be completed.

5) The P2PE Vendor prepares and signs the corresponding P-AOV and …
Modified p. 37 → 39
1) Amend the corresponding Listing of Validated P2PE Solutions. P2PE Applications or P2PE Components on the Website accordingly with the new information; and 2) Sign and return a copy of the corresponding P2PE Attestation of Validation to both the P2PE Vendor and the P2PE Assessor Company. The Revalidation date of the updated listing will be the same as that of the parent listing.
1) Amend the corresponding List of Validated P2PE Solutions, List of Validated P2PE Applications, or List of Validated P2PE Components on the Website accordingly with the new information; and 2) Sign and return a copy of the corresponding P2PE Attestation of Validation to both the P2PE Vendor and the P2PE Assessor Company. A Delta change does not change the Listed P2PE Product’s Annual Revalidation date or its Reassessment date.
Removed p. 38
• New Validation: If the P2PE Vendor wishes the P2PE Product listing to remain on the corresponding P2PE Product list on the Website, the P2PE Vendor must contact a P2PE Assessor Company to perform a Full Assessment of the P2PE Product against the P2PE Standard, resulting in a new Acceptance, on or before the applicable Reassessment Date. This reassessment must follow the same process as an initial P2PE Assessment of the applicable P2PE Product.

• Expiry: Listings of P2PE Products for which a new Acceptance has not occurred on or before the applicable expiration date/reassessment date will appear in Orange for the first 90 days, and in Red thereafter. If the P2PE Product remains in a Red status on the listing for 90 days, the P2PE Product will be moved to the P2PE Expired Listing.
Modified p. 38 → 39
Only those P2PE applications that have had the P2PE Vendor’s wildcard versioning methodology assessed to P2PE v3 by a PA-QSA (P2PE) Assessor Company are eligible for wildcard usage and listing on the Website with wildcards. Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC; therefore, any such changes will not result in an update to the P2PE Application listing on the Website. See Appendix H, “P2PE Application Software Version Methodology,” for additional …
Only those P2PE applications that have had the P2PE Vendor’s wildcard versioning methodology assessed to P2PE v3 by a PA-QSA (P2PE) Assessor Company are eligible for wildcard usage and listing on the Website with wildcards. Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC; therefore, any such changes will not result in an update to the P2PE Application listing on the Website. Refer to Appendix H, “P2PE Application Software Versioning Methodology,” for …
Removed p. 39
• The name, PCI SSC approval number, and any other relevant identifiers of each of the P2PE Vendor’s P2PE Product(s) affected by the Security Issue;

• A description of the general nature of the Security Issue;
Modified p. 39 → 40
A parent P2PE listing must already exist on the corresponding List and not yet have expired in order to have a change Accepted and Listed.
A P2PE Product must be on the List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications in order to have a change Accepted and Listed.
Modified p. 39 → 41
The P2PE Vendor’s good-faith assessment, to its knowledge at the time, as to the scope and severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS or other industry-accepted standard scoring); and
The name, PCI SSC approval number, and any other relevant identifiers of each of the P2PE Vendor’s P2PE Product(s) affected by the Security Issue; A description of the general nature of the Security Issue; The P2PE Vendor’s good-faith assessment, to its knowledge at the time, as to the scope and severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS or other industry-accepted standard scoring); and Assurance that the P2PE Vendor is following its Vulnerability Handling Policies.
Modified p. 39 → 41
• Assurance that the P2PE Vendor is following its Vulnerability Handling Policies.
Request a copy of the latest version of the P2PE Vendor’s Vulnerability Handling Policies.
Removed p. 40
• Request a copy of the latest version of the P2PE Vendor’s Vulnerability Handling Policies.
Modified p. 40 → 41
Notify Participating Payment Brands that a Security Issue has occurred.
Notify Participating Payment Brands that a Security Issue has occurred.
Modified p. 40 → 41
Communicate with the P2PE Vendor about the Security Issue and, where possible and permitted, share information relating to the Security Issue.
Communicate with the P2PE Vendor about the Security Issue and, where possible and permitted, share information relating to the Security Issue.
Modified p. 40 → 41
Support the P2PE Vendor’s efforts to mitigate or prevent further Security Issues.
Support the P2PE Vendor’s efforts to mitigate or prevent further Security Issues.
Modified p. 40 → 41
Support the P2PE Vendor’s efforts to correct any Security Issues.
Support the P2PE Vendor’s efforts to correct any Security Issues.
Modified p. 40 → 41
Work with the P2PE Vendor to communicate and cooperate with appropriate law enforcement agencies to help mitigate or prevent further Security Issues.
Work with the P2PE Vendor to communicate and cooperate with appropriate law enforcement agencies to help mitigate or prevent further Security Issues.
Removed p. 41
• Limited issues may simply require updating the P-ROV(s) to reflect adequate documentation to support the P2PE Assessor Company’s decisions; whereas
Modified p. 42 → 43
Table 6.1: P-ROVs to be used for P2PE v3.0 Assessments P-ROV Name Used for the Following Assessments Purpose Solution P2PE Solution The Solution P-ROV is mandatory for all P2PE Assessments of P2PE Solutions. Additional P-ROVs (below) may be required.
Table 6.1: P-ROVs to be used for P2PE v3 Assessments P-ROV Name Used for the Following Assessments Purpose Solution P2PE Solution The Solution P-ROV is mandatory for all P2PE Assessments of P2PE Solutions. Additional P-ROVs (below) may be required.
Modified p. 42 → 43
Encryption Management Services (EMS) P2PE Solution Encryption Management POI Deployment POI Management “Encryption Management Services” relates to the distribution, management, and use of POI devices in a P2PE Solution or Component.
Encryption Management Services (EMS) P2PE Solution Encryption Management POI Deployment POI Management “Encryption Management Services” relates to the distribution, management, and use of PCI-approved POI devices in a P2PE Solution or a P2PE Component.
Modified p. 42 → 43
P2PE Assessment of P2PE Solutions that do not outsource the entirety of their Encryption Management Services to PCI SSC-listed P2PE Component Providers, either to an EMCP or to BOTH a PDCP AND a PMCP, must complete this P-ROV in addition to the Solution P-ROV.
P2PE Assessment of P2PE Solutions that do not outsource the entirety of their Encryption Management Services to Listed P2PE Component Providers, either to an EMCP or to BOTH a PDCP AND a PMCP, must complete this P-ROV in addition to the Solution P-ROV.
Modified p. 42 → 43
P2PE Application P2PE Application Any P2PE Assessment for software on the POI devices intended for use in a P2PE Solution that has the potential to access clear-text cardholder data must complete this P-ROV.
P2PE Application P2PE Application Any P2PE Assessment for software on the PCI-approved POI devices intended for use in a P2PE Solution that has the potential to access clear-text cardholder data must complete this P-ROV.
Modified p. 42 → 44
P2PE Assessments of P2PE Solutions that do not outsource the entirety of their Decryption Management Services to a PCI SSC-listed DMCP must complete this P-ROV in addition to the Solution P-ROV.
P2PE Assessments of P2PE Solutions that do not outsource the entirety of their Decryption Management Services to a Listed DMCP must complete this P-ROV in addition to the Solution P-ROV.
Modified p. 43 → 44
Solution assessments that have not satisfied the key management services requirements (Domain 5) either through the use of PCI-listed Component Providers and/or through the assessment of their Encryption Management Services and/or Decryption Management Services must complete the KMS P-ROV. For example, if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service …
Solution assessments that have not satisfied the key management services requirements (Domain 5) either through the use of Listed P2PE Component Providers and/or through the assessment of their Encryption Management Services and/or Decryption Management Services must complete the KMS P-ROV. E.g., if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to PCI-approved POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management …
Modified p. 43 → 44
Component Provider assessments for a KIF, KMCP, KLCP, or a CA/RA must complete this P-ROV 6.2 Delivery of the P-ROV and Related Materials For P2PE Products to be Listed on the Website, all documents required in connection with the P2PE validation process must be submitted to PCI SSC by the P2PE Assessor Company, through the Portal. PCI SSC staff pre-screen Portal submissions to ensure that all required documentation has been included and the basic submission requirements have been satisfied.
P2PE Component assessments for a KIF, KMCP, KLCP, or a CA/RA must complete this P-ROV 6.2 Delivery of the P-ROV and Related Materials For P2PE Products to be Listed on the Website, all documents required in connection with the P2PE validation process must be submitted to PCI SSC by the P2PE Assessor Company, through the Portal. PCI SSC staff pre-screen Portal submissions to ensure that all required documentation has been included and the basic submission requirements have been satisfied.
Modified p. 44 → 45
The AQM Analyst will review the P2PE submission first to determine whether the candidate P2PE Product is eligible for validation as described in the P2PE Program Guide. If there are questions as to eligibility, the AQM Analyst will contact the P2PE Assessor Company for additional information. If the P2PE submission is determined to be ineligible for validation under the P2PE Program, the P-ROV will be rejected. The P2PE Assessor Company will receive a letter of rejection with instructions for optionally …
The AQM Analyst will review the P2PE submission first to determine whether the candidate P2PE Product is eligible for validation as described in the P2PE Program Guide. If there are questions as to eligibility, the AQM Analyst will contact the P2PE Assessor Company for additional information. If the P2PE submission is determined to be ineligible for validation under the P2PE Program, the P-ROV submission will be rejected. The P2PE Assessor Company will receive a letter of rejection with instructions for …
Modified p. 44 → 46
Note: These status designations are not necessarily progressive: Any P2PE Assessor Company’s status may be revoked or its P2PE Assessor Addendum (defined in the P2PE Qualification Requirements) terminated in accordance with the P2PE Assessor Addendum; and
Note: These status designations are not necessarily progressive: Any P2PE Assessor Company’s status may be revoked or its P2PE Assessor Addendum (defined in the P2PE Qualification Requirements) terminated in accordance with the P2PE Assessor Addendum; and accordingly, if warranted, a P2PE Assessor Company may move directly from “In Good Standing” to “Revocation.” Nonetheless, in the absence of severe quality concerns, P2PE Assessor Companies with quality issues are generally first addressed through the Remediation process in order to promote improved performance.
Modified p. 45 → 47
Note: If a Listed P2PE Solution, P2PE Component or P2PE Application is compromised due to P2PE Assessor Company and/or Employee error, that P2PE Assessor Company and/or Employee may immediately be placed into Remediation or its P2PE qualification status revoked.
Note: If a Listed P2PE Solution, Listed P2PE Component or a Listed P2PE Application is compromised due to P2PE Assessor Company and/or Employee error, that P2PE Assessor Company and/or Employee may immediately be placed into Remediation or its P2PE qualification status revoked.
Removed p. 47
• Solution Details P2PE Solution Identifier: Detail

• P2PE Solution Details Clicking on this link brings up a list of details specific to this Solution consisting of the following fields (fields are explained in detail below):

• PCI SSC listed and/or FIPS 140-certified Devices Supported

• P2PE Application(s) Supported

• P2PE Components P2PE Solution Details: Detail

• PCI SSC Listed and FIPS 140-certified Devices Supported This section identifies:

• PCI-approved POI devices validated for use with this P2PE Solution and will include
Modified p. 47 → 49
P2PE Solution Name P2PE Solution Name is provided by the P2PE Solution Provider and is the name by which the P2PE Solution is sold.
P2PE Solution Name Reference Number Solution Details P2PE Solution Identifier: Detail P2PE Solution Name P2PE Solution Name is provided by the P2PE Solution Provider and is the name by which the P2PE Solution is sold.
Modified p. 47 → 49
PCI SSC assigns the Reference number once the Validated P2PE Solution is posted to the Website; this number is unique per P2PE Solution Provider and will remain the same for the life of the listing.
PCI SSC assigns the Reference number once the Validated P2PE Solution is posted to the Website that uniquely identifies the Listed P2PE Solution; this number will remain the same for the life of the listing. Note that a Listed P2PE Solution that undergoes a Reassessment that is Accepted and Listed on the Website results in a new Reference Number.
Modified p. 47 → 49
Field Format Year of listing 4 digits + hyphen Solution Provider # 5 digits + period (assigned alphabetically initially, then as received) Individual Solution Number # 3 digits
Field Format Year of listing 4 digits + hyphen Solution Provider # 5 digits + period (assigned alphabetically initially, then as received) Individual Solution Number # 3 digits P2PE Solution Details Clicking on this link brings up a list of details specific to this Listed P2PE Solution consisting of the following fields (fields are explained in detail below):
Removed p. 48
• PCI SSC listed, or FIPS 140-certified HSM reference numbers and expiry date. A website link will be provided to the appropriate entry on the NIST Cryptographic Module Validation Program (CMVP) list of FIPS validated HSMs.

While a P2PE Solution may include P2PE Applications that were evaluated per relevant requirements in the P2PE Standard, those are not Listed within the P2PE Solution or within the List of Validated P2PE Applications. Any use of such an application in another P2PE Product would require either independent listing as a P2PE Application, if eligible, or assessment as part of each P2PE Solution the application is part of.

Reassessment Date The Reassessment Date for Validated P2PE Solution is the date by which the P2PE Solution Provider must have the P2PE Solution re-evaluated against the P2PE Standard in order to maintain the Acceptance.
Modified p. 48 → 50
P2PE Applications Supported This section identifies the P2PE Applications validated for use with this P2PE Solution and Listed on the List of Validated P2PE Applications and will include the expiry date of the P2PE Application’s approval.
P2PE Applications Supported This section identifies the P2PE Applications validated for use with this P2PE Solution, including the P2PE Application’s Reassessment date.
Modified p. 48 → 50
P2PE Components This section identifies the P2PE Components validated for use with this P2PE Solution and Listed on the List of Validated P2PE Components and will include the expiry date of the P2PE Component’s approval.
P2PE Components Supported This section identifies the P2PE Components validated for use with this P2PE Solution including the Reassessment date of the P2PE Component.
Modified p. 48 → 50
While a P2PE Solution may include third-party services (including services potentially eligible for Listing as a P2PE Component, such as CA/RA or KIF), those are not identified within the P2PE Solution’s Listing or on the List of Validated P2PE Components. Any use of such a component in another P2PE Product would require either independent listing as a P2PE Component, if eligible, or assessment as part of each P2PE Solution the P2PE Component is part of.
While a P2PE Solution may include third-party services (including services potentially eligible for Listing as a P2PE Component, such as CA/RA or KIF), those third-party services are not identified within the P2PE Solution’s Listing or on the List of Validated P2PE Components. Any use of such a component in another P2PE Product would require either independent listing as a P2PE Component, if eligible, or assessment as part of each P2PE Product where the third-party services are used.
Modified p. 48 → 50
P2PE Assessor This entry denotes the name of the qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is compliant with the P2PE Standard.
P2PE Assessor This entry denotes the name of the qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is compliant with the P2PE Standard and Program.
Modified p. 48 → 50
Regions Served This section allows for the submission of a description of geographic regions in which this P2PE Solution is available: Example, Global or US, Brazil.
Regions Served This section allows for the submission of a description of geographic regions in which this P2PE Solution is available: for example, Global or US, Brazil.
Removed p. 49
• Key Management Services (KMS):

• P2PE Component Name

• P2PE Component Details P2PE Component Identifier: Detail
Modified p. 49 → 52
Encryption-management services (EMS):
Encryption-management services (EMS)
Modified p. 49 → 52
• Decryption-management services (DMS)
POI Deployment Decryption-management services (DMS)
Modified p. 49 → 52
• Decryption Management
• Decryption Management Key Management Services (KMS)
Modified p. 49 → 52
P2PE Component Name P2PE Component Name is provided by the P2PE Component Provider and is the name by which the P2PE Component Provider’s services are known.
P2PE Component Name Reference Number P2PE Component Details P2PE Component Identifier: Detail P2PE Component Name P2PE Component Name is provided by the P2PE Component Provider and is the name by which the P2PE Component Provider’s services are known.
Modified p. 49 → 52
PCI SSC assigns the Reference number once the Validated P2PE Component is posted to the Website; this number is unique per P2PE Component Provider and will remain the same for the life of the listing.
PCI SSC assigns the Reference number once the Validated P2PE Component is posted to the Website; this number is unique per P2PE Component Listing and will remain the same for the life of the listing. Note that a Listed P2PE Component that undergoes a Reassessment and is Accepted and Listed on the Website results in a new Reference Number.
Removed p. 50
• P2PE Component Details Clicking on this link brings up a list of details specific to this Component consisting of the following fields (fields are explained in detail below):

• PCI SSC Listed and/or FIPS 140-certified HSMs Supported This section identifies PCI SSC listed, and/or FIPS 140-certified HSMs for use with this P2PE Solution and will include reference numbers and expiry dates. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices and the NIST CMVP (Cryptographic Module Validation Program) list of FIPS validated HSMs.

• P2PE Components This section identifies the P2PE Components validated for use with this P2PE Component and Listed on the List of Validated P2PE Components and will include the expiry date of the P2PE Component’s approval.
Modified p. 50 → 53
Field | Format
Year of listing | 4 digits + hyphen
Component Provider # | 5 digits + period (assigned alphabetically initially, then as received)
Individual Component Number # | 3 digits
Field | Format
Year of listing | 4 digits + hyphen
Component Provider # | 5 digits + period (assigned alphabetically initially, then as received)
Individual Component Number # | 3 digits
P2PE Component Details Clicking on this link brings up a list of details specific to this P2PE Component consisting of the following fields (fields are explained in detail below):
Modified p. 50 → 53
PCI SSC Listed and/or FIPS 140-certified HSMs Supported
• FIPS 140 Validated HSMs Supported
Modified p. 50 → 53
• P2PE Application(s) Supported
• P2PE Applications Supported
Modified p. 50 → 53
• P2PE Components Not all component details will apply, as each component service is different. For example, Encryption-management services may have PTS POI Devices Supported; others likely will not.
Note: Not all component details will apply to every P2PE Component Listing, as each component service is different. For example, Encryption-management services may have PCI-approved POI Devices Supported; others likely will not (for example, CA/RAs).
Modified p. 50 → 53
P2PE Component Details: Detail
P2PE Components Supported
Modified p. 50 → 53
PCI-Approved POI Devices Supported This section identifies PCI-approved POI devices validated for use with this P2PE Solution and will include relevant PCI PTS reference numbers and expiry dates of the PTS approval. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
P2PE Component Details: Detail PCI-Approved POI Devices Supported This section identifies PCI-approved POI devices validated for use with this P2PE Component and will include relevant PCI PTS reference numbers and expiry dates of the PTS approval. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
Modified p. 50 → 53
P2PE Applications Supported This section identifies the P2PE Applications validated for use with this P2PE Component and Listed on the List of Validated P2PE Applications and will include the expiry date of the P2PE Application’s approval.
P2PE Applications Supported This section identifies the P2PE Applications validated for use with this P2PE Component including the P2PE Application’s Reassessment date.
Modified p. 50 → 54
While a P2PE Component may include third-party services (including those offering services potentially eligible for Listing as a P2PE Component, such as CA/RA or KIF), those are not listed within the P2PE Component or on the List of Validated P2PE Components. Any use of such a component in another P2PE Product would require either independent listing as a P2PE Component, if eligible, or assessment as part of each P2PE Solution of which the P2PE Component is a part.
While a P2PE Component may include third-party services (including those offering services potentially eligible for Listing as a P2PE Component, such as CA/RA or KIF), those third-party services are not listed within the P2PE Component or on the List of Validated P2PE Components. Any use of such a component in another P2PE Product would require either independent listing as a P2PE Component, if eligible, or assessment as part of each P2PE Product of which the P2PE Component is a part …
Modified p. 51 → 54
P2PE Assessor This entry denotes the name of qualified P2PE Assessor Company that performed the validation and determined that the P2PE Component is compliant with the P2PE Standard.
P2PE Assessor This entry denotes the name of qualified P2PE Assessor Company that performed the validation and determined that the P2PE Component is compliant with the P2PE Standard and Program.
Modified p. 51 → 54
Reassessment Date The Reassessment Date for a Validated P2PE Component is the date by which the P2PE Component Provider must have the P2PE Component re-evaluated against the P2PE Standard in order to maintain the Acceptance.
Reassessment Date The Reassessment Date for a Validated P2PE Component is the date by which the P2PE Component Provider must have the P2PE Component undergo a Full Assessment against the P2PE Standard and Program in order to maintain the Acceptance.
Removed p. 52
• P2PE Application Name

• P2PE Application Version #

• P2PE Application Details P2PE Application Identifier: Detail

• Is set by the P2PE vendor,

• May consist of a combination of alphanumeric characters; and
Modified p. 52 → 55
P2PE Application Name P2PE Application Name is provided by the Application Vendor and is the name by which the application is sold. The Application Name cannot contain any variable characters.
P2PE Application Name P2PE Application Version # Reference Number P2PE Application Details P2PE Application Identifier: Detail P2PE Application Name P2PE Application Name is provided by the Application Vendor and is the name by which the application is sold. The Application Name cannot contain any variable characters.
Modified p. 52 → 55
P2PE Application Version # P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment. The format of the version number:
P2PE Application Version # P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment. The format of the version number:
Modified p. 52 → 55
Must be consistent with the P2PE Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Is set by the P2PE vendor, May consist of a combination of alphanumeric characters; and Must be consistent with the P2PE Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Modified p. 52 → 55
Note: See Appendix H: P2PE Application Software Versioning Methodology for details about content to include in the P2PE Application P-ROV and P2PE Application Implementation Guide for the Application Vendor’s versioning methods. Reference Number
Note: Refer to Appendix H: P2PE Application Software Versioning Methodology for details about content to include in the P2PE Application P-ROV and P2PE Application Implementation Guide for the Application Vendor’s versioning methods. Reference Number
Modified p. 52 → 55
PCI SSC assigns the Reference number once the Validated P2PE Application is posted to the Website; this number is unique per P2PE Application Vendor and will remain the same for the life of the listing.
PCI SSC assigns the Reference number once the Validated P2PE Application is posted to the Website; this number is unique per P2PE Application Listing and will remain the same for the life of the listing. Note that a Listed P2PE Solution that undergoes a Reassessment that is Accepted and Listed on the Website results in a new Reference Number.
Modified p. 52 → 55
Field | Format
Year of listing | 4 digits + hyphen
P2PE Application Vendor # | 5 digits + period (assigned alphabetically initially, then as received)
P2PE Application Vendor App # | 3 digits (assigned as received)
Minor version | 3 alpha characters (assigned as received)
Field | Format
Year of listing | 4 digits + hyphen
P2PE Application Vendor # | 5 digits + period (assigned alphabetically initially, then as received)
P2PE Application Vendor App # | 3 digits (assigned as received)
Minor version | period + 3 alpha characters (assigned as received)
Modified p. 53 → 56
PCI-Approved POI Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
- PCI-approved POI Devices Supported P2PE Application Details: Detail PCI-Approved POI Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PCI PTS approvals. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
Modified p. 53 → 56
P2PE Assessor This entry denotes the name of qualified PA-QSA (P2PE) Assessor Company that performed the validation and determined that the application is compliant with the P2PE Standard.
P2PE Assessor This entry denotes the name of qualified PA-QSA (P2PE) Assessor Company that performed the validation and determined that the P2PE Application is compliant with the P2PE Standard and Program.
Modified p. 53 → 56
Reassessment Date The Reassessment Date for Validated P2PE Application is the date by which the P2PE Application Vendor must have the application re-evaluated against the P2PE Standard in order to maintain Acceptance.
Reassessment Date The Reassessment Date for a Validated P2PE Application is the date by which the P2PE Application Vendor must have the application undergo a Full Assessment against the P2PE Standard and Program in order to maintain the Acceptance.
Modified p. 53 → 56
Note: P2PE Applications validated to P2PE Standard v2 and v3 are valid for a period of three years from their Acceptance Date.
Note: Listed P2PE Applications are valid for a period of three years from their initial Acceptance Date.
Modified p. 54 → 57
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change to the Listed P2PE Solution. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review. Refer to section 5.2, “Changes to P2PE Products”.
Modified p. 54 → 57
Part 1. P2PE Listing Details, Contact Information, and Change Type P2PE Listing Details P2PE Solution Name Validated Listing Reference # Type of Change (Select one) Administrative (Complete Part 2) Delta (Complete Part 3) Submission Date P2PE Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone QSA (P2PE) Contact Information Contact Name Title/Role Contact E-mail Contact Phone
Part 1. P2PE Solution Details, Contact Information, and Change Type P2PE Listing Details P2PE Solution Name Validated Listing Reference # Type of Change (Select one ONLY) Administrative (Complete Part 1 and 2 ONLY) Delta (Complete Part 1 and applicable sections of Part 3 ONLY) Submission Date P2PE Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone QSA (P2PE) Contact Information Contact Name Title/Role Contact E-mail Contact Phone
Removed p. 55
Add/Remove P2PE Component (Complete Part 3d) Add Remove Description of changes to the P2PE Solution, P2PE Application or P2PE Component:

Description of how the Delta Change impacts the P2PE Solution Additional details, as applicable
Modified p. 55 → 59
Add/Remove POI Device Type (Complete Part 3a) Add Remove Add/Remove HSM (Complete Part 3b) Add Remove Add/Remove P2PE Application (Complete Part 3c) Add Remove Application Version Number:
Add/Remove POI Device Type (Complete Part 3a) Add Remove Add/Remove HSM (Complete Part 3b) Add Remove Add/Remove P2PE Application (Complete Part 3c) Add Remove Application Version Number Add/Remove P2PE Component (Complete Part 3d) Add Remove Description of changes to the Listed P2PE Solution Description of how the Delta Change impacts the Listed P2PE Solution Additional details, as applicable
Removed p. 56
Note: The above testing does not have to performed by the Solution if the POI Device was tested as part of a listed Component.
Modified p. 56 → 60
POI Device Type Adding for inclusion in listing or removal from listing? Addition/Inclusion in listing (Red-lined P-ROV review required, see details below) Removal from listing (No Red-lined P-ROV review required) POI Device type name/identifier POI Device manufacturer, model, and number PTS approval number for POI Device POI Device Hardware version # POI Device Firmware version # Perform a red-lined P-ROV review for the added POI Device type(s) using the table below as a minimum set of testing procedures.
POI Device Type Adding for inclusion in listing or removal from listing? Addition/Inclusion in listing (Red-lined P-ROV review required, refer to details below) Removal from listing (No Red-lined P-ROV review required) POI Device Type name/identifier POI Device Type manufacturer, model, and number PTS approval number for POI Device Type POI Device Type Hardware version # POI Device Type Firmware version # Note: It may be possible a single POI Device Type uses more than one version of PTS-approved firmware …
Modified p. 56 → 60
P2PE Requirements (including all testing procedures) All of 1A-1.1 All of 1A-1.2
P2PE Requirements (including all associated testing procedures) All of 1A-1.1 1B-2.2 All of 1A-1.2 1B-2.3 1A-1.3 1C-2.1.1 1A-1.4 1C-2.1.2
Modified p. 57 → 61
P2PE Requirements (including all testing procedures) for Decryption Management P2PE Requirements (including all testing procedures) for Encryption Management and/or Key Management Services All 4A-1 1-3 4B-1.3 1-4 4B-1.7 5-1 5-1 5A-1.1
P2PE Requirements (including all testing procedures) for Decryption Management P2PE Requirements (including all testing procedures) for Encryption Management Services and/or Key Management Services All 4A-1 1-3 4B-1.3 1-4 4B-1.7 5-1 5-1 5A-1.-1
Modified p. 58 → 62
P2PE Requirements (including all testing procedures)
P2PE Requirements (including all associated testing procedures)
Modified p. 60 → 64
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change to the Listed P2PE Product. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review. Refer to section 5.2, “Changes to P2PE Products”.
Modified p. 60 → 64
Part 1. P2PE Listing Details, Contact Information, and Change type P2PE Listing Details P2PE Component Provider Name Type of P2PE Component (select only one) SSC Listing Number KIF Key Loading Key Mgmt CA/RA Encryption POI Deployment POI Management Decryption Type of Change (Select one) Administrative (Complete Part 2) Delta (Complete Part 3) Submission Date P2PE Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone QSA (P2PE) Contact Information Contact Name Title/Role Contact E-mail Contact Phone
Part 1. P2PE Component Details, Contact Information, and Change type P2PE Listing Details P2PE Component Provider Name Type of P2PE Component (select only one) SSC Listing Number KIF Key Loading Key Mgmt CA/RA Encryption POI Deployment POI Management Decryption Type of Change (Select one ONLY) Administrative (Complete Part 1 and 2 ONLY) Delta (Complete Part 1 and applicable sections of Part 3 ONLY) Submission Date P2PE Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone# QSA (P2PE) Contact Information …
Removed p. 61
Add Remove Description of real or potential impact to the P2PE Solution(s) it is used in Additional details, as applicable
Modified p. 61 → 65
Add/Remove P2PE Component (Complete Part 3d) Description of changes to the P2PE Component:
Add/Remove P2PE Component (Complete Part 3d) Add Remove Description of changes to the Listed P2PE Component Description of how the Delta Change impacts the Listed P2PE Component Additional details, as applicable
Modified p. 62 → 66
POI Device Type Adding for inclusion in listing or removal from listing? Addition/Inclusion in listing (Red-lined P-ROV review required, see details below) Removal from listing (No Red-lined P-ROV review required) POI Device type name/identifier POI Device manufacturer, model, and number PTS approval number for POI Device POI Device Hardware version # POI Device Firmware version # Perform a red-lined P-ROV review for the added POI Device type(s) using the table below as a minimum set of testing procedures.
POI Device Type Adding for inclusion in listing or removal from listing? Addition/Inclusion in listing (Red-lined P-ROV review required, refer to details below) Removal from listing (No Red-lined P-ROV review required) POI Device Type name/identifier POI Device Type manufacturer, model, and number PTS approval number for POI Device Type POI Device Type Hardware version # POI Device Type Firmware version # Note: It may be possible a single POI Device Type uses more than one version of PTS-approved firmware …
Modified p. 62 → 68
P2PE Requirements (including all testing procedures) All of 1A-1.1 All of 1A-1.2
P2PE Requirements (including all associated testing procedures)
Modified p. 63 → 67
P2PE Requirements (including all testing procedures) for Decryption Management P2PE Requirements (including all testing procedures) for Encryption Management and/or Key Management Services All 4A-1 1-3 4B-1.3 1-4 4B-1.7 5-1 5-1 5A-1.1
P2PE Requirements (including all testing procedures) for Decryption Management P2PE Requirements (including all testing procedures) for Encryption Management Services and/or Key Management Services All 4A-1 1-3 4B-1.3 1-4 4B-1.7 5-1 5-1 5A-1.-1
Modified p. 64 → 73
P2PE Requirements (including all testing procedures)
P2PE Requirements (including all associated testing procedures)
Modified p. 66 → 70
The P2PE Application Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change (see Section 5.2, “Delta Changes for P2PE Products”). The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.
The P2PE Application Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change to the Listed P2PE Application. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review. (Refer to Section 5.2, “Delta Changes for P2PE Products”).
Modified p. 66 → 70
Part 1. P2PE Application Details, Contact Information, and Change Type P2PE Application Details P2PE Application Name Validated Listing Reference # P2PE Application Version #: Revised P2PE Application Version (if applicable) Type of Change (Select one) Administrative (Complete Part 2) Delta (Complete Part 3) Submission Date P2PE Application Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone PA-QSA (P2PE) Contact Information Contact Name Title/Role Contact E-mail Contact Phone
Part 1. P2PE Application Details, Contact Information, and Change Type P2PE Application Details P2PE Application Name Validated Listing Reference # P2PE Application Version # Revised P2PE Application Version (if applicable) Type of Change (Select one ONLY) Administrative (Complete Part 1 and 2 ONLY) Delta (Complete Part 1 and 3 ONLY) Submission Date P2PE Application Vendor Contact Information Contact Name Title/Role Contact E-mail Contact Phone PA-QSA (P2PE) Contact Information Contact Name Title/Role Contact E-mail Contact Phone#
Removed p. 68
Change Number Detailed description of the change Description of why the change is necessary Description of how P2PE functionality is Description of how P2PE Requirements/sub-Requirements are impacted
Modified p. 68 → 72
Delta Change

• Change Summary Add/Remove POI Device Type (Complete Part 3a) Add Remove Not Applicable Additional details, as applicable:
Delta Change

• Change Summary Add/Remove POI Device Type (Complete Part 3a) Add Remove Not Applicable Additional details, as applicable Change Number Detailed description of the change Description of why the change is necessary Description of how P2PE functionality is impacted Description of how P2PE Requirements/sub-Requirements are impacted
Modified p. 69 → 66
P2PE Requirements (including all testing procedures) All of 1A-1.1 All of 1A-1.2 1A-1.3 1A-1.4 1B-1.1 1B-2.2 1B-2.3 1C-2.1.1 1C-2.1.2
P2PE Requirements (including all associated testing procedures) All of 1A-1.1 1A-1.4 1B-2.3 All of 1A-1.2 1B-1.1 1C-2.1.1 1A-1.3 1B-2.2 1C-2.1.2
Removed p. 70
• The format of the version scheme, including: o Number of elements o Numbers of digits used for each element o Format of separators used between elements o Character set used for each element (consisting of alphabetic, numeric, and/or alphanumeric characters)

• The definition of elements that indicate any use of wildcards
Modified p. 70 → 74
The hierarchy of the elements o Definition of what each element represents in the version scheme o Type of change: major, minor, maintenance release, wildcard, etc.
• Type of change: major, minor, maintenance release, wildcard, etc.
Modified p. 70 → 74
The specific details of how wildcards are used in the versioning methodology H.2 Version Number Usage All changes to the P2PE Application must result in a new application version number. However, whether this affects the version number listed on the Website depends on the nature of the change and the P2PE Application Vendor’s published versioning methodology (see Section H.3, “Wildcards,” below). All changes that impact security functionality and/or any P2PE Requirements must result in a change to the version …
The definition of elements that indicate any use of wildcards The specific details of how wildcards are used in the versioning methodology H.2 Version Number Usage All changes to the P2PE Application must result in a new application version number. However, whether this affects the version number listed on the Website depends on the nature of the change and the P2PE Application Vendor’s published versioning methodology (refer to Section H.3, “Wildcards,” below). All changes that impact security functionality and/or any …
Removed p. 71
• Changes that have no impact on the functionality of the application or its dependencies

• Changes that have impact on the application functionality but no impact on security or P2PE Requirements

• Changes that impact any security functionality or P2PE Requirement Elements of the version number used for non-security-impacting changes must never be used for security-impacting changes.
Modified p. 71 → 75
Types of changes made to the application: For example, major release, minor release, maintenance release, wildcard, etc.
Types of changes made to the application: for example, major release, minor release, maintenance release, wildcard, etc.
Modified p. 71 → 75
H.3 Wildcards A “wildcard” element is a variable character that may be substituted for a defined subset of possible characters in an application versioning scheme. In the context of P2PE Applications, wildcards can optionally be used to represent non-security-impacting changes between each version represented by the wildcard element. A wildcard is the only variable element of the P2PE Application Vendor’s version scheme. Use of a wildcard element in the versioning scheme is optional and is not required in order for …
H.3 Wildcards A “wildcard” element is a variable character that may be substituted for a defined subset of possible characters in an application versioning scheme. In the context of P2PE Applications, wildcards can optionally be used to represent non-security-impacting changes between each version represented by the wildcard element. A wildcard is the only variable element of the P2PE Application Vendor’s version scheme. Use of a wildcard element in the versioning scheme is optional and is not required in order for …
Modified p. 72 → 76
For example, if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service that has not already been assessed as part of the inclusion of a PCI-listed P2PE Component Provider, then the Solution assessment must include all applicable key management services requirements (Domain 5).
E.g., if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to PCI-approved POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service that has not already been assessed as part of the inclusion of a Listed P2PE Component Provider, then the P2PE Solution assessment must include all applicable key management services requirements (Domain 5).
Modified p. 80 → 84
Note: Not used in P2PE 30-2 31-1 X X X X X X X X X 32-1 X X X X X X X X 32-8 (8.1, 8.2) X X X 32-8 (8.3 − 8.7) X X 33-1 X X X X X X X X 5A-1 X X X X X
Note: Not used in P2PE 30-2 31-1 X X X X X X X X X 32-1 X X X X X X X X 32-8 (8.1, 8.2) X X X 32-8 (8.3 − 8.7) X X 33-1 X X X X X X X X 5A-1 X X X X X X X X
Modified p. 80 → 84
Note: 5I-1 is only applicable to Key Management Services Component Providers
Note: 5I-1 is only applicable to Key Management Services Component Providers 5I-1 X X X X X