Document Comparison

PCI-P2PE-Program-Guide-v3.1.pdf P2PE_Program_Guide_v3.0.pdf
28% similar
70 → 82 Pages
23653 → 23894 Words
249 Content Changes

From Revision History

  • June 2012 1.0 Initial Release of the PCI P2PE Program Guide

Content Changes

249 content changes. 112 administrative changes (dates, page numbers) hidden.

Added p. 5
• A P2PE Solution can be made up of Validated P2PE Applications and Validated P2PE Components (see Figure 1.1) or can be validated as a standalone solution.

• P2PE Applications and P2PE Components (all the boxes in blue in Figure 1.1) can be validated and Listed on the Website on a standalone basis and made available for Validated P2PE Solutions. See Section 2.1.3, “P2PE Component Providers” for details on P2PE Components.

• The P2PE requirements and test procedures for validating P2PE Products can be found in the corresponding P-ROV indicated by green text in Figure 1.1. P-ROVs can be found on the Website.

• For each P2PE Product to be Listed on the Website, Vendors must also submit P2PE Attestations of Validation (P-AOVs), Acceptance fees, Vendor Release Agreements (VRAs), and other supporting documents such as P2PE Application Implementation Guides and Instruction Manuals, as applicable.

• Once Listed, P2PE Products must be revalidated on an …
Added p. 9
Key Management Services The P2PE-related services provided by a KIF as more fully described in Section 2.1.3.3.

Listing Refers to the listing and related information regarding a P2PE Product on the applicable list of Validated P2PE Products on the Website.

P2PE Assessor Company A company qualified by PCI SSC as either a QSA (P2PE) Company or PA-QSA (P2PE) Company.

P2PE Assessor Employee A QSA (P2PE) Employee or PA-QSA (P2PE) Employee.

P2PE Program (or Program) Refers to PCI SSC's program and requirements for qualification of QSA (P2PE) Companies and QSA (P2PE) Employees and PA-QSA (P2PE) Companies and PA-QSA (P2PE) Employees, and validation and Acceptance of P2PE Solutions, P2PE Components, and P2PE Applications, as further described in this document and related PCI SSC documents, policies, and procedures.

P2PE Report on Validation (P-ROV) A “P2PE Report on Validation” completed by a P2PE Assessor Company and (except with respect to Merchant-Managed P2PE Solutions) submitted directly to PCI SSC …
Added p. 11
(a) Is qualified by PCI SSC to provide services to P2PE Vendors in order to validate that such P2PE Vendors or their P2PE Products adhere to all aspects of the P2PE Standard, including but not limited to, validation that P2PE Applications, when incorporated into or used as part of a P2PE Solution, adhere to all applicable P2PE requirements; and (b) Remains in Good Standing (defined in Section 1.3, “Qualification Process Overview,” of the P2PE Qualification Requirements) or in remediation as a PA-QSA (P2PE) Company.

PA-QSA (P2PE) Employee An individual employed by a PA-QSA (P2PE) Company who has satisfied, and continues to satisfy, all PA-QSA (P2PE) Requirements (defined in the P2PE Qualification Requirements) applicable to employees of PA-QSA (P2PE) Companies who will conduct P2PE Application Assessments, as described in further detail herein.

POI Deployment Component The POI devices and any resident P2PE applications and/or P2PE non-payment software that can support a P2PE …
Added p. 15
The EMS P-ROV (see Table 6.1, “P-ROVs to be used for P2PE v3.0 Assessments”) must be submitted in order to validate P2PE Components of the types provided by each of the above providers.
Added p. 15
Listings will indicate whether the P2PE Component Provider offers local or remote key-injection services and will show whether Certification Authority/Registration Authority (CA/RA) services are provided.
Added p. 16
1) May be entirely performed and managed by a single P2PE Solution Provider or by a merchant acting as its own P2PE Solution Provider (in the case of a MMS); or

2) Certain services that are part of the applicable P2PE Solution may be outsourced to Third-Party Service Providers who perform these functions on behalf of the P2PE Solution Provider or P2PE Component Provider.

2) A P2PE Solution Provider or P2PE Component Provider (or a merchant as a P2PE Solution Provider in the case of a MMS) can outsource certain P2PE Component service functions to Listed P2PE Component Providers and report use of those PCI-Listed P2PE Component(s) in its P2PE Solution P-ROV.
Added p. 17
• Hosts the List of Validated P2PE Solutions, the List of Validated P2PE Components, and the List of Validated P2PE Applications on the Website;

• Provides required training for and qualifies QSA (P2PE) and PA-QSA (P2PE) Companies and Employees to assess and validate P2PE Products against the P2PE Standard;

• Maintains and updates the P2PE Standard and related documentation; and

• Reviews all P-ROVs submitted to PCI SSC and related change submissions for compliance with baseline quality standards, including but not limited to, confirmation that:

• Submissions (including P-ROVs, updates and Annual Revalidations) are correct as to form;

• QSA (P2PE) and PA-QSA (P2PE) Companies properly determine whether candidate P2PE Products are eligible for validation under the P2PE Program (PCI SSC reserves the right to reject or de-list any P2PE Solution, P2PE Component, and/or P2PE Application determined to be ineligible for the P2PE Program);

• QSA (P2PE) and PA-QSA (P2PE) Companies adequately report the P2PE compliance …
Added p. 21
Process Illustration: Figure 1, P2PE Assessment for P2PE Products Intended for v3 PCI SSC Listing; Figure 2, P2PE Product Submission and PCI SSC Review.
Added p. 24
1) The Merchant selects a P2PE Assessor Company from the PCI SSC List of P2PE Qualified Security Assessor Companies and negotiates the cost and any associated P2PE Assessor Company confidentiality and non-disclosure agreements with the P2PE Assessor Company.

Note: Merchant-Managed P2PE Solutions are not eligible for listing on the Website, and the corresponding P-ROV is not submitted to PCI SSC. A Merchant-Managed P2PE Solution may utilize Third-Party Service Providers, Validated P2PE Applications, and/or Validated P2PE Components.
Added p. 25
Possible Element: SCDs

Program Guidance: Validated P2PE Solutions and P2PE Components require the use of various types of Secure Cryptographic Devices (SCDs). To assist in evaluating these device types for use in a P2PE Solution, note the following:

• Refer to “Definition of Secure Cryptographic Devices (SCDs) to be used in P2PE Solutions” in the Introduction section of the P2PE Standard for requirements for these devices.

PCI PTS HSM | Approval Expiry | P2PE Reassessment End-date for Expired HSM Devices* | Expired PCI HSMs End of
1.x | EXPIRED April 2019 | 29 April 2022 | 29 April 2025
2.x | 30 April 2022 | 29 April 2025 | 29 April 2028
3.x | 30 April 2026 | 29 April 2029 | 29 April 2032
Added p. 26
** P2PE Solutions and applicable P2PE Components must have replaced any expired HSMs with current (non-expired) HSMs by this date.

• Existing PCI P2PE approvals of Validated P2PE Products with expired PTS POI devices may be revalidated and reassessed for up to, but not exceeding, five years past the PTS POI device expiry dates (as appearing on the PCI SSC List of Approved PTS Devices) used in the corresponding P2PE Product. A POI device may not be used in a Listed P2PE Solution more than five years past the corresponding PTS POI device expiry date. A Validated P2PE Solution will be delisted if all of its associated POI device types have exceeded the five-year window (as shown in the table below).

• The following table provides the current POI device expiry dates and the corresponding revalidation/reassessment window for P2PE Solutions using these devices.

PCI PTS POI version | PTS POI Expiry Date | P2PE Revalidation/Reassessment …
Added p. 28
If a P2PE Component is currently listed on the List of Validated P2PE Components, the Component P-ROV has already been Accepted by PCI SSC. As a result, only the P2PE Components that the P2PE Solution or P2PE Component uses will need to be identified in the Solution P-ROV and no assessment of that currently listed P2PE Component is needed as part of the P2PE Solution or P2PE Component assessment.

• If a P2PE Component is not already on the List of Validated P2PE Components but is being added to the List of Validated P2PE Components, the applicable Component P-ROV must be submitted and Accepted before the P2PE Solution or P2PE Component P-ROV can be Accepted.

Third-Party Service Provider Refer to the Section 2.1.4, “Use of Third-Party Service Providers,” in this document to understand options for validating P2PE Component services or functions provided by Third-Party Service Providers.

Note: The process for developing and validating …
Added p. 29
• How close the P2PE Product is to compliance with the P2PE Standard at the start of the P2PE Assessment. Corrections to the P2PE Product to achieve compliance will delay validation.
Added p. 30
PCI SSC qualifies and provides required training for P2PE Assessor Companies (QSA (P2PE) and PA-QSA (P2PE)) to assess and validate P2PE Products to the P2PE Standard. In order to perform P2PE Solution Assessments and/or P2PE Component Assessments, a P2PE Assessor Company must have been qualified by PCI SSC and remain in Good Standing (as defined in the QSA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a QSA Company and QSA (P2PE) Company. In order to perform P2PE Application Assessments, a P2PE Assessor Company must have been additionally qualified by PCI SSC and remain in Good Standing (as defined in the QSA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a PA-QSA Company and PA-QSA (P2PE) Company. All recognized P2PE Assessor Companies are Listed on the Website. These are the only assessors recognized by PCI SSC as qualified to …
Added p. 31
Among other things, the VRA:

• Covers confidentiality issues;

• Covers the P2PE Vendor’s agreement to P2PE Program requirements, policies and procedures;

• Gives permission to the P2PE Vendor’s P2PE Assessor Company to release P-ROVs and related materials to PCI SSC for review; and

• Requires P2PE Vendors to adopt and comply with industry standard Vulnerability Handling Policies.

For PCI SSC to review a P-ROV, PCI SSC must receive from the P2PE Assessor Company (or already have on file) the P2PE Vendor’s signed copy of the then-current VRA. At the time of submission of any P-ROV to PCI SSC:

• If PCI SSC does not already have the P2PE Vendor’s signed copy of the then-current VRA, the P2PE Assessor Company must provide the P2PE Vendor’s signed copy of the then-current VRA to PCI SSC, along with the P-ROV(s) submission.
Added p. 32
All P2PE Assessment-related fees are payable directly to the P2PE Assessor Company (these fees are negotiated between the P2PE Assessor Company and its customers).

PCI SSC will bill the P2PE Vendor for all P2PE Acceptance Fees and the P2PE Vendor will pay these fees directly to PCI SSC.

There are no annual recurring PCI SSC fees associated with the Acceptance of a P2PE Product. There are, however, PCI SSC fees associated with P2PE Vendor delays in annual revalidation of P2PE Validated Products. See the Website for more information.

All Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.

Annually, based on the date of the applicable P2PE Product’s Acceptance, the P2PE Vendor is required to submit an updated P2PE Attestation of Validation for that P2PE Product, covering the time since the last submission for that P2PE Product (i.e., initial P-ROV submission or annual update per this …
Added p. 34
Table 5.2: Changes to P2PE Listed Products (columns: Change Type | Description | Action by Vendor/Assessor)

Change Type: Delta1

Description:

1. Impacts the corresponding P2PE Product Listing; and

2. Is not an “Administrative” change (described below).

Delta changes include changes to:

• Add/Remove a P2PE Component;

• Add/Remove a PCI-approved POI device Type;

• Add/Remove a PCI SSC listed or FIPS-approved HSM;

• Add/Remove a P2PE Application; and

• P2PE Application changes where fewer than half the applicable Requirements/Sub-Requirements are affected. Note: P2PE Application changes where at least half of the applicable Requirements/Sub-Requirements are affected require a full P2PE Assessment.

See Section 5.2.2, “Delta Changes for P2PE Products” for details.

Action by Vendor/Assessor:

• Complete change analysis and submit to P2PE Assessor Company for review.

• Submit Change Impact Template (See Appendices) to PCI SSC for review.

• Submit updated P2PE Application Implementation Guide or P2PE Instruction Manual to P2PE Assessor Company for review, if applicable.

• Submit red-lined P-ROV to PCI SSC for review, if applicable.

• Submit …
Added p. 35
2. Only impacts administrative information in the corresponding Listing.

• Corporate identity changes

• P2PE Product name changes

• Listing detail changes such as “Regions Served” (P2PE Solutions only)

See Section 5.2.1, “Administrative Changes for P2PE Listings,” for details.

Action by Vendor/Assessor:

• Complete P2PE Change Impact Template (See Appendices) and submit to P2PE Assessor Company for review.

• Submit new VRA to P2PE Assessor Company, if applicable
Added p. 35
The P2PE Vendor prepares a change analysis (for example, using the corresponding P2PE Change Impact Template) and submits it to the P2PE Assessor Company for review, along with the updated P2PE Application Implementation Guide or P2PE Instruction Manual. The change analysis must contain the following information at a minimum:

• Name and reference number of the Validated P2PE Listing

• Description of the change

1) The P2PE Assessor Company must notify the P2PE Vendor that it agrees;

2) The P2PE Vendor prepares and signs the corresponding P-AOV, and sends it to the P2PE Assessor Company;

3) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual and/or P2PE Application Implementation Guide and/or completes a new VRA;

4) The P2PE Assessor Company completes the corresponding P2PE Change Impact Template in the Appendix;

• Name and reference number of the Validated P2PE Listing

• Description of the change
Added p. 36
If the P2PE Assessor Company does not agree with the P2PE Vendor that the change as documented in the change analysis is eligible as an Administrative Change, the P2PE Assessor Company returns the change analysis to the P2PE Vendor and works with the P2PE Vendor to consider the actions necessary to address the P2PE Assessor Company’s observations.

1) Amend the corresponding List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications on the Website accordingly with the new information; and

2) Sign and return a copy of the corresponding P2PE Attestation of Validation to both the P2PE Vendor and the P2PE Assessor Company. The Revalidation date of the updated listing will be the same as that of the parent listing.
Added p. 36
• Add/remove a PCI-approved POI device; or

• Add/remove a PCI SSC listed and/or FIPS-approved HSM; or

• Add/remove a validated P2PE Application; or

• Add/remove a validated P2PE Component; or

• Address P2PE Application changes where fewer than half of the applicable Requirements/Sub-Requirements are affected.

Note: P2PE Application changes where greater than half the applicable Requirements/Sub-Requirements are affected require a Full Assessment of the application.

Delta Changes result in an amendment to a P2PE Product as currently Listed on the Website.

The P2PE Vendor prepares a change analysis (for example, using the corresponding P2PE Change Impact Template) and submits it to the P2PE Assessor Company for review, along with the updated P2PE Instruction Manual or P2PE Application Implementation Guide, as applicable. The change analysis must contain the following information at a minimum:

• Description of why the change is necessary
Added p. 37
1) The P2PE Assessor Company must notify the P2PE Vendor that it agrees;

2) If applicable, the P2PE Vendor modifies the P2PE Instruction Manual or P2PE Application Implementation Guide and/or completes a new VRA and submits this to the P2PE Assessor Company;

3) The P2PE Assessor Company must perform an assessment of the requirements of the P2PE Standard that are affected by the change. Details of the tests that must be performed are available within the “Delta Changes” sections of the corresponding P2PE Change Impact Template;

4) The P2PE Assessor Company completes the corresponding P2PE Change Impact Template and must produce a red-lined P-ROV and document the testing completed per PCI SSC requirements. For any changes to P2PE Applications where fewer than half of the security requirements have been impacted, the Change Impact Template for P2PE Applications must be completed.

5) The P2PE Vendor prepares and signs the corresponding P-AOV and …
Added p. 38
• New Validation: If the P2PE Vendor wishes the P2PE Product listing to remain on the corresponding P2PE Product list on the Website, the P2PE Vendor must contact a P2PE Assessor Company to perform a Full Assessment of the P2PE Product against the P2PE Standard, resulting in a new Acceptance, on or before the applicable Reassessment Date. This reassessment must follow the same process as an initial P2PE Assessment of the applicable P2PE Product.

• Expiry: Listings of P2PE Products for which a new Acceptance has not occurred on or before the applicable expiration date/reassessment date will appear in Orange for the first 90 days, and in Red thereafter. If the P2PE Product remains in a Red status on the listing for 90 days, the P2PE Product will be moved to the P2PE Expired Listing.
Added p. 39
There is no PCI SSC fee associated with the processing of Annual Revalidation Assessments.

A parent P2PE listing must already exist on the corresponding List and not yet have expired in order to have a change Accepted and Listed.

• The name, PCI SSC approval number, and any other relevant identifiers of each of the P2PE Vendor’s P2PE Product(s) affected by the Security Issue;

• A description of the general nature of the Security Issue;

• Assurance that the P2PE Vendor is following its Vulnerability Handling Policies.

• Notify Participating Payment Brands that a Security Issue has occurred.

• Request a copy of the latest version of the P2PE Vendor’s Vulnerability Handling Policies.

• Communicate with the P2PE Vendor about the Security Issue and, where possible and permitted, share information relating to the Security Issue.

• Support the P2PE Vendor’s efforts to mitigate or prevent further Security Issues.

• Support the P2PE Vendor’s efforts to correct any Security Issues.

• …
Added p. 41
Once PCI SSC receives the completed P-ROV(s) and all other required materials and applicable fees, PCI SSC reviews the submission from a quality-assurance perspective and determines whether it is acceptable. Subsequent iterations will also be responded to, typically within 30 calendar days of receipt. If the P-ROV(s) meet all applicable quality assurance requirements (as documented in the QSA Qualification Requirements and related P2PE Program materials), PCI SSC sends a countersigned P-AOV to both the P2PE Vendor and the P2PE Assessor Company and adds the product to the List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications, as applicable.

PCI SSC communicates any quality issues associated with P-ROVs to the P2PE Assessor Company. It is the responsibility of the P2PE Assessor Company to resolve those issues with PCI SSC and/or the P2PE Vendor, as applicable. Such issues may be limited or more extensive:

• Limited issues …
Added p. 43
Solution assessments that have not satisfied the key management services requirements (Domain 5) either through the use of PCI-listed Component Providers and/or through the assessment of their Encryption Management Services and/or Decryption Management Services must complete the KMS P-ROV. For example, if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service that has not already been assessed as part of the inclusion of a PCI-listed Component Provider, then the Solution assessment must include the use of the KMS P-ROV.

Component Provider assessments for a KIF, KMCP, KLCP, or a CA/RA must complete this P-ROV.

6.2 Delivery of the P-ROV and Related Materials

For P2PE Products to be Listed on the Website, all documents required in connection with the P2PE validation process must …
Added p. 44
PCI SSC’s Assessor Quality Management Team (“AQM”) reviews each P-ROV submission after the invoice for the P2PE Acceptance Fee has been paid by the P2PE Vendor. Administrative review will be performed in “pre-screening” to ensure that the submission is complete prior to AQM review, during which an AQM Analyst reviews the submission in its entirety.

The AQM Analyst will review the P2PE submission first to determine whether the candidate P2PE Product is eligible for validation as described in the P2PE Program Guide. If there are questions as to eligibility, the AQM Analyst will contact the P2PE Assessor Company for additional information. If the P2PE submission is determined to be ineligible for validation under the P2PE Program, the P-ROV will be rejected. The P2PE Assessor Company will receive a letter of rejection with instructions for optionally appealing.

If the P2PE submission is complete and is determined to be eligible for validation under the …
Added p. 44
As QSA Company audits are described in the QSA Qualification Requirements, P2PE Assessor Companies are also subject to audits of their work as P2PE Assessor Companies under the QSA Qualification Requirements at any time. This may include but is not limited to review of completed reports, work papers, and onsite visits with P2PE Assessor Companies to audit internal QA programs, at the expense of the P2PE Assessor Company. Refer to the QSA Qualification Requirements for information on PCI SSC’s audit process.
Added p. 44
Note: These status designations are not necessarily progressive: Any P2PE Assessor Company’s status may be revoked or its P2PE Assessor Addendum (defined in the P2PE Qualification Requirements) terminated in accordance with the P2PE Assessor Addendum; and
Added p. 45
If administrative or minor quality problems are detected, PCI SSC will typically recommend participation in Remediation. Remediation provides an opportunity for P2PE Assessor Companies and/or Employees to improve performance by working closely with PCI SSC staff; in the absence of participation, quality issues may persist or increase. Additionally, Remediation helps to assure that the baseline standard of quality for P2PE Assessor Companies and/or Employees is upheld. Refer to the QSA Qualification Requirements for further detail on the Remediation Process.
Added p. 45
Note: If a Listed P2PE Solution, P2PE Component or P2PE Application is compromised due to P2PE Assessor Company and/or Employee error, that P2PE Assessor Company and/or Employee may immediately be placed into Remediation or its P2PE qualification status revoked.

The P2PE Assessor Company and/or P2PE Assessor Employee may appeal the Revocation but, unless otherwise approved by PCI SSC in writing in each instance, will not be permitted to perform P2PE Assessments, process P-ROVs, or otherwise participate in the P2PE Program pending resolution of the appeal. The P2PE Assessor Company and/or P2PE Assessor Employee may reapply at a later date of two years after Revocation, so long as it has demonstrated to PCI SSC's satisfaction that it meets all applicable QSA, P2PE Assessor and, if applicable, PA-QSA requirements, as documented in the relevant PCI SSC program documents.
Added p. 47
P2PE Solution Identifier “P2PE Solution Identifier” refers to a subset of fields in the listing below the “Company” entry used by PCI SSC to denote relevant information for each Validated P2PE Solution, consisting of the following fields (fields are explained in detail below):

• Solution Details

P2PE Solution Identifier: Detail

• P2PE Solution Details Clicking on this link brings up a list of details specific to this Solution consisting of the following fields (fields are explained in detail below):

• PCI SSC listed and/or FIPS 140-certified Devices Supported

• P2PE Application(s) Supported

• P2PE Components

P2PE Solution Details: Detail

• PCI SSC Listed and FIPS 140-certified Devices Supported This section identifies:

• PCI-approved POI devices validated for use with this P2PE Solution and will include
Added p. 48
• PCI SSC listed, or FIPS 140-certified HSM reference numbers and expiry date. A website link will be provided to the appropriate entry on the NIST Cryptographic Module Validation Program (CMVP) list of FIPS validated HSMs.

While a P2PE Solution may include P2PE Applications that were evaluated per relevant requirements in the P2PE Standard, those are not Listed within the P2PE Solution or within the List of Validated P2PE Applications. Any use of such an application in another P2PE Product would require either independent listing as a P2PE Application, if eligible, or assessment as part of each P2PE Solution the application is part of.

• P2PE Components This section identifies the P2PE Components validated for use with this P2PE Solution and Listed on the List of Validated P2PE Components and will include the expiry date of the P2PE Component’s approval.

While a P2PE Solution may include third-party services (including services potentially eligible for …
Added p. 49
• Encryption-management services (EMS):

• Encryption Management

• Decryption-management services (DMS)

• Decryption Management

• Key Management Services (KMS):

• Key-Injection Facility (KIF)

• Certification Authority/Registration Authority (CA/RA)

Each contains the same listing elements below:

Company (link to Company website) This entry denotes the P2PE Component Provider for the Validated P2PE Component.

P2PE Component Identifiers “P2PE Component Identifier” refers to a subset of fields in the listing below the “Company” entry used by PCI SSC to denote relevant information for each Validated P2PE Component, consisting of the following fields (fields are explained in detail below):

• P2PE Component Details

P2PE Component Identifier: Detail

PCI SSC assigns the Reference number once the Validated P2PE Component is posted to the Website; this number is unique per P2PE Component Provider and will remain the same for the life of the listing.

• P2PE Application(s) Supported
Added p. 50
• P2PE Component Details Clicking on this link brings up a list of details specific to this Component consisting of the following fields (fields are explained in detail below):

• PCI-approved POI Devices Supported

• PCI SSC Listed and/or FIPS 140-certified HSMs Supported

P2PE Component Details: Detail

• PCI SSC Listed and/or FIPS 140-certified HSMs Supported This section identifies PCI SSC listed and/or FIPS 140-certified HSMs for use with this P2PE Solution and will include reference numbers and expiry dates. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices and the NIST CMVP (Cryptographic Module Validation Program) list of FIPS validated HSMs.

• P2PE Components This section identifies the P2PE Components validated for use with this P2PE Component and Listed on the List of Validated P2PE Components and will include the expiry date of the P2PE Component’s approval.

While a P2PE Component may include third-party services …
Added p. 51
Reassessment Date The Reassessment Date for a Validated P2PE Component is the date by which the P2PE Component Provider must have the P2PE Component re-evaluated against the P2PE Standard in order to maintain the Acceptance.
Added p. 52
P2PE Application Identifiers “P2PE Application Identifiers” refers to a subset of fields in the listing below the Company entry used by PCI SSC to denote relevant information for each Validated P2PE Application, consisting of the following fields (fields are explained in detail below):

• P2PE Application Details

P2PE Application Identifier: Detail

• P2PE Application Version # P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment. The format of the version number:

• Is set by the P2PE vendor,

• May consist of a combination of alphanumeric characters; and

Field | Format
Year of listing | 4 digits + hyphen
P2PE Application Vendor # | 5 digits + period (assigned alphabetically initially, then as received)
P2PE Application Vendor App # | 3 digits (assigned as received)
Minor version | 3 alpha characters (assigned as received)
Added p. 53
• P2PE Application Details Clicking on this link brings up a list of details specific to this P2PE Application consisting of the following fields (fields are explained in detail below):

• PCI-approved POI devices Supported

P2PE Application Details: Detail

• PCI-Approved POI Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.

P2PE Version “P2PE Version” is used by PCI SSC to denote the standard, and the specific version thereof, used to assess the compliance of a Validated P2PE Application.

Reassessment Date The Reassessment Date for Validated P2PE Application is the date by which the P2PE Application Vendor must have the application re-evaluated against the P2PE Standard in order …
Added p. 54
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.

Part 1. P2PE Listing Details, Contact Information, and Change Type

P2PE Listing Details: P2PE Solution Name; Validated Listing Reference #; Type of Change (Select one): Administrative (Complete Part 2) / Delta (Complete Part 3); Submission Date

P2PE Vendor Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone

QSA (P2PE) Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
Added p. 55
Add/Remove POI Device Type (Complete Part 3a): Add / Remove

Add/Remove HSM (Complete Part 3b): Add / Remove

Add/Remove P2PE Application (Complete Part 3c): Add / Remove; Application Version Number:

Add/Remove P2PE Component (Complete Part 3d): Add / Remove

Description of changes to the P2PE Solution, P2PE Application or P2PE Component:

Description of how the Delta Change impacts the P2PE Solution

Additional details, as applicable
Added p. 56
POI Device Type

Adding for inclusion in listing or removal from listing? Addition/Inclusion in listing (Red-lined P-ROV review required, see details below) / Removal from listing (No Red-lined P-ROV review required)

POI Device type name/identifier

POI Device manufacturer, model, and number

PTS approval number for POI Device

POI Device Hardware version #

POI Device Firmware version #

Perform a red-lined P-ROV review for the added POI Device type(s) using the table below as a minimum set of testing procedures.

P2PE Requirements (including all testing procedures): All of 1A-1.1; All of 1A-1.2

Note: The above testing does not have to be performed by the Solution if the POI Device was tested as part of a listed Component.
Added p. 57
Perform a red-lined P-ROV review for the added HSM using the table below as a minimum set of testing procedures.

P2PE Requirements (including all testing procedures) for Decryption Management P2PE Requirements (including all testing procedures) for Encryption Management and/or Key Management Services All 4A-1 1-3 4B-1.3 1-4 4B-1.7 5-1 5-1 5A-1.1
Added p. 58
P2PE Requirements (including all testing procedures)
Added p. 60
The P2PE Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change. The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.
Added p. 60
Part 1. P2PE Listing Details, Contact Information, and Change Type
P2PE Listing Details: P2PE Component Provider Name; Type of P2PE Component (select only one): KIF / Key Loading / Key Mgmt / CA/RA / Encryption / POI Deployment / POI Management / Decryption; SSC Listing Number; Type of Change (Select one): Administrative (Complete Part 2) / Delta (Complete Part 3); Submission Date
P2PE Vendor Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
QSA (P2PE) Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
Added p. 61
Add/Remove POI Device Type (Complete Part 3a): Add / Remove
Add/Remove HSM (Complete Part 3b): Add / Remove
Add/Remove P2PE Application (Complete Part 3c): Add / Remove; Version Number of the Application:
Add/Remove P2PE Component (Complete Part 3d): Add / Remove
Description of changes to the P2PE Component:
Description of real or potential impact to the P2PE Solution(s) it is used in
Additional details, as applicable

POI Device Type
Adding for inclusion in listing or removal from listing? Addition/Inclusion in listing (Red-lined P-ROV review required, see details below) / Removal from listing (No Red-lined P-ROV review required)
POI Device type name/identifier; POI Device manufacturer, model, and number; PTS approval number for POI Device; POI Device Hardware version #; POI Device Firmware version #
Perform a red-lined P-ROV review for the added POI Device type(s) using the table below as a minimum set of testing procedures.

P2PE Requirements (including all testing procedures): All of 1A-1.1; All of 1A-1.2
Added p. 63
P2PE Requirements (including all testing procedures) for Decryption Management P2PE Requirements (including all testing procedures) for Encryption Management and/or Key Management Services All 4A-1 1-3 4B-1.3 1-4 4B-1.7 5-1 5-1 5A-1.1
Added p. 63
Adding for inclusion in listing or removal from listing? Addition/Inclusion in listing (Red-lined P-ROV review required, see details below) / Removal from (No Red-lined P-ROV review required)
HSM name/identifier; HSM manufacturer, model, and number; PTS or FIPS 140 approval number for HSM; HSM Hardware version #; HSM Firmware version #
Perform a red-lined P-ROV review for the added HSM using the table below as a minimum set of testing procedures.

P2PE Requirements (including all testing procedures)
Added p. 66
The P2PE Application Vendor and/or P2PE Assessor Company must complete each section of this document and all other required documents based on the type of change (see Section 5.2, “Delta Changes for P2PE Products”). The P2PE Assessor Company is required to submit this P2PE Change Impact along with supporting documentation to PCI SSC for review.

Part 1. P2PE Application Details, Contact Information, and Change Type
P2PE Application Details: P2PE Application Name; Validated Listing Reference #; P2PE Application Version #; Revised P2PE Application Version (if applicable); Type of Change (Select one): Administrative (Complete Part 2) / Delta (Complete Part 3); Submission Date
P2PE Application Vendor Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
PA-QSA (P2PE) Contact Information: Contact Name; Title/Role; Contact E-mail; Contact Phone
Added p. 68
Delta Change

• Change Summary: Add/Remove POI Device Type (Complete Part 3a): Add / Remove / Not Applicable; Additional details, as applicable:

Change Number; Detailed description of the change; Description of why the change is necessary; Description of how P2PE functionality is; Description of how P2PE Requirements/sub-Requirements are impacted
Added p. 69
P2PE Requirements (including all testing procedures): All of 1A-1.1; All of 1A-1.2; 1A-1.3; 1A-1.4; 1B-1.1; 1B-2.2; 1B-2.3; 1C-2.1.1; 1C-2.1.2
Added p. 74
Note: 4E-1 is only applicable to Decryption Management Services Component Providers (DMCP)
1-1 Note: Not used in P2PE
1-3 (applicability matrix row; column headings not recoverable from the extraction)

Note: Not used in P2PE 10-3
(Applicability matrix rows 11-1 through 13-4; column headings not recoverable from the extraction) …
Added p. 80
Note: Not used in P2PE 30-2
(Applicability matrix rows 31-1, 32-1, 32-8 (8.1, 8.2), 32-8 (8.3 − 8.7), 33-1 and 5A-1; column headings not recoverable from the extraction)

Note: 5I-1 is only applicable to Key Management Services Component Providers
Modified p. 1
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE)® Program Guide Version 3.1 For Use With the PCI P2PE Standard v3.x
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE)® Program Guide Version 3.0
Removed p. 2
December 2020 3.0 r1.0 Errata revision

• Resolved requirements in Appendix G part 3a
• Resolved definition of P2PE Expired Listings
• Other general revisions made for increased consistency and clarity

September 2024 3.1 General updates throughout document
• Added links to internal section references
• Former P2PE QSA terms have been updated in accordance with new terms in the currently published P2PE Qualification Requirements (QRs) regarding assessor companies and employees
• New terminology added as well as terminology revised
• New Publication references added as well as minor revisions to certain descriptions
• Partial section/structure reordering
• Added section regarding P2PE Technical FAQs
• Added content from published P2PE Technical FAQs where appropriate
• Revised content regarding PTS POI device and HSM expiry
• Added content regarding PTS POI device testing
• Added new Listed P2PE Product Outsourcing Matrix
• New figures regarding listing lifecycle and expiry
• Revisions to Appendices B, C, & D
• Removal of Appendices E, F, & G. External Change Impact …
Modified p. 2
June 2012 1.0 Initial release of the PCI P2PE Program Guide
June 2012 1.0 Initial Release of the PCI P2PE Program Guide
Removed p. 5
(i) received the corresponding Validated P2PE Product submission in the Portal, including the completed P-ROV(s), P-AOV, and all other documentation and information as required by the P2PE Standard and P2PE Program Requirements, from the P2PE Assessor Company qualified to perform the P2PE Assessment of the P2PE Product; (ii) received the corresponding P2PE Program fee for the P2PE Product submission; and (iii) confirmed that:

- the P2PE Product submission to the Portal is complete (all applicable documents completed appropriately/sufficiently), and

- the P2PE Assessor Company properly determined that the P2PE Product satisfies the P2PE Standard and P2PE Program Requirements for a Validated P2PE Product.

Administrative Change A change affecting defined administrative information on the Listing for a Listed P2PE Product that is not a Delta Change.

See also: Delta Change
Administrative Expiry The early expiry of a Listed P2PE Product due to Program Requirements for that Listed P2PE Product not being satisfied, whereby the P2PE …
Modified p. 5 → 8
Term Meaning Accepted, Acceptance A P2PE Product is deemed to have been “Accepted” (and “Acceptance” is deemed to have occurred, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated) when PCI SSC has:
Term Meaning Accepted, Listed A P2PE Product is deemed to have been “Accepted” or “Listed” (and “Acceptance” is deemed to have occurred) when PCI SSC has:
Removed p. 6
A Full Assessment is NOT an:

- Administrative Change, or a

- Delta Change

A New Assessment and a Reassessment both require a Full Assessment.

List of Validated P2PE Products Refers to the List of Validated P2PE Solutions, List of Validated P2PE Components, and List of Validated P2PE Applications. The List of Validated P2PE Products is the authoritative source of on-going Acceptance by PCI SSC of Validated P2PE Products.

Listed A Validated P2PE Product has been published on the Website after corresponding Acceptance has occurred, so long as such Acceptance has not been revoked, suspended, withdrawn, or terminated.

See also: List of Validated P2PE Products, Acceptance
Listing The information regarding a Validated P2PE Product appearing on the applicable List of Validated P2PE Products after Acceptance has occurred. Listings contain information about Validated P2PE Products, as described in Appendix B, Appendix C, and Appendix D herein.

New Assessment A Full Assessment of a P2PE Product where that …
Modified p. 6 → 9
See also: New Assessment, Reassessment
List of Validated P2PE Applications The Council’s authoritative List of Validated P2PE Applications appearing on the Website.
List of Validated P2PE Applications The Council’s authoritative List of Validated P2PE Applications appearing on the Website.
Modified p. 6 → 9
- Is an Expired P2PE Product
See also: Reassessment
P2PE Application Assessment A Full Assessment of a P2PE Application to validate compliance with the P2PE Standard as part of the Program Requirements.
P2PE Application Assessment Assessment of a P2PE Application against applicable P2PE Requirements in order to validate compliance with the P2PE Standard as part of the P2PE Program.
Modified p. 6 → 9
P2PE Application Vendor An entity that develops and then sells, distributes, or licenses a P2PE Application for use in a P2PE Solution or an applicable P2PE Component.
P2PE Application Vendor A vendor that develops and then sells, distributes, or licenses a P2PE Application for use in a P2PE Solution. A P2PE Solution Provider may also be a P2PE Application Vendor.
Removed p. 7
P2PE Assessor Employee Refer to the P2PE Qualification Requirements.

P2PE Component Provider An entity providing a service on behalf of other P2PE Solution Providers or P2PE Component Providers, intended for use in P2PE Solutions.

P2PE Program (Program) The PCI SSC program for Point-to-Point Encryption (P2PE)® whereby an entity can choose to have their P2PE Product validated by a qualified P2PE Assessor, and subsequently submitted to PCI SSC for consideration of being Accepted and Listed for purposes of demonstrating compliance with the PCI P2PE Standard and Program Requirements.

P2PE Program Documents (Program Documents) The P2PE Standard and P2PE Program Guide, all written agreements executed between PCI SSC and P2PE Vendors, and PCI SSC and P2PE Assessors (Companies & Employees) in connection with the P2PE Program, all other materials, requirements, obligations, policies, and procedures published from time to time by PCI SSC on the Website or elsewhere relating to the P2PE Program, and all successor …
Modified p. 7 → 9
P2PE Attestation of Validation (P-AOV) A form for P2PE Assessors and P2PE Vendors to declare the validation status of a P2PE Product to the P2PE Standard and Program Requirements.
P2PE Attestation of Validation (P-AOV) A P2PE Program “Attestation of Validation” declaring the validation status of a P2PE Solution, P2PE Component, or P2PE Application against the P2PE Standard.
Modified p. 7 → 9
See also: P-AOV in Related Publications
P2PE Component A P2PE service that is eligible for validation as a “P2PE Component” (as defined in the P2PE Glossary and herein) intended for use in a P2PE Solution as part of the P2PE Program.
P2PE Component A P2PE service that is eligible for validation as a “P2PE component” (as defined in the P2PE Glossary) as part of the P2PE Program.
Modified p. 7 → 9
P2PE Component Assessment A Full Assessment of a P2PE Component to validate compliance with the P2PE Standard as part of the P2PE Program.
P2PE Component Assessment Assessment of a P2PE Component against applicable P2PE Requirements in order to validate compliance with the P2PE Standard as part of the P2PE Program.
Modified p. 7 → 9
P2PE Expired Listings (Expired List / Expired Listings) The Council’s authoritative list of Expired P2PE Products appearing on the Website. Expired P2PE Products are no longer considered Validated P2PE Products.
P2PE Expired Listing (Expired Listing) The list of P2PE Products on the Website that have an expired status for a period of at least 90 days.
Modified p. 7 → 10
See also: PIM in the Related Publications section
P2PE Product A P2PE Application, P2PE Component, or P2PE Solution.
P2PE Product A P2PE Application, P2PE Component, or P2PE Solution.
Removed p. 8
P2PE Program Requirements (Program Requirements) All requirements, obligations, policies and procedures for P2PE Products, P2PE Product Vendors and P2PE Assessors, as applicable, and as set forth in the corresponding P2PE Program Documents, the VRA or otherwise established by PCI SSC from time to time in connection with the P2PE Program, including without limitation, those relating to disclosure, PCI SSC’s quality assurance initiatives, and / or export control and administration, and such P2PE Vendor’s warranties pursuant to the VRA.

P2PE Report on Validation (P-ROV) A set of templates provided by PCI SSC that require completion by a P2PE Assessor Company as part of the validation effort of a P2PE Product as per the Program Requirements.

Note: At the time of this publication, Participating Payment Brands include PCI SSC’s Founding Members and Strategic Members.

PCI DSS Assessment The onsite review of an entity by a QSA Company to determine the entity’s compliance with the PCI …
Modified p. 8 → 10
See also: P-ROV in the Related Publications section
P2PE Solution Assessment A Full Assessment of a P2PE Solution to validate compliance with the P2PE Standard as part of the P2PE Program.
P2PE Solution Assessment Assessment of a P2PE Solution against applicable P2PE Requirements in order to validate compliance with the P2PE Standard as part of the P2PE Program.
Modified p. 8 → 10
See also: P2PE Standard in the Related Publications section
P2PE Vendor A P2PE Solution Provider, P2PE Component Provider, or P2PE Application Vendor.
P2PE Vendor A P2PE Solution Provider, P2PE Component Provider, or P2PE Application Vendor.
Modified p. 8 → 11
Participating Payment Brand A payment card brand that, as of the time in question, is then formally admitted as (or an affiliate of) a member of PCI SSC pursuant to its governing documents.
Participating Payment Brand A global payment card brand or scheme that is also a limited liability company member of PCI SSC (or affiliate thereof).
Removed p. 9
Solution-specific P2PE Application A Validated P2PE Application included as part of a P2PE Solution assessment for use in that P2PE Solution only that is not separately Listed on the List of Validated P2PE Applications.

Validated P2PE Application A P2PE Application that has undergone a Full Assessment by a P2PE Application Assessor Company that satisfies the P2PE Standard and Program Requirements, as documented in the corresponding P-ROV(s), AOV, and all other associated supporting material and information.

See also: List of Validated P2PE Applications
Validated P2PE Component A P2PE Component that has undergone a Full Assessment by a P2PE Assessor Company that satisfies the P2PE Standard and P2PE Program, as documented in the corresponding P-ROV(s), AOV, and all other associated supporting material and information.

See also: List of Validated P2PE Components
Validated P2PE Product A Validated P2PE Application, Validated P2PE Component, or Validated P2PE Solution.

See also: List of Validated P2PE Products
Validated P2PE Solution A …
Modified p. 9 → 12
A Third-Party Service Provider is only considered a P2PE Component Provider for eligible P2PE Component services if the applicable service is separately Listed on the List of Validated P2PE Components. A Third-Party Service Provider that is not also a Listed P2PE Component Provider for those services must have its services reviewed during the course of each of its P2PE Solution Provider or P2PE Component Provider customers’ P2PE Assessments.
A Third-Party Service Provider is only considered a P2PE Component Provider for eligible P2PE Component services if the applicable service is separately Listed on the List of Validated P2PE Components. A Third-Party Service Provider that is not also a Listed P2PE Component Provider for those services must have its services reviewed during the course of each of its P2PE Solution Provider or P2PE Component Provider customers’ P2PE Assessments.
Modified p. 9 → 12
See also: List of Validated P2PE Solutions
Vendor Release Agreement (VRA) The then-current and applicable form of vendor release agreement that PCI SSC:
Vendor Release Agreement (or VRA) The then-current and applicable form of vendor release agreement that PCI SSC:
Modified p. 9 → 12
(a) Requires to be executed by P2PE Vendors in accordance with the Program Requirements, and (b) Is available on the Website.
(a) Requires to be executed by P2PE Vendors in connection with the P2PE Program, and (b) Is available on the Website.
Modified p. 9 → 12
See also: VRA in the Related Publications section
Website The then-current PCI SSC Website (and its accompanying web pages), which is currently available at www.pcisecuritystandards.org.
Website The then-current PCI SSC Website (and its accompanying web pages), which is currently available at www.pcisecuritystandards.org.
Removed p. 11
ii. Related Publications This Program Guide shall be used in conjunction with the latest versions of (or successor documents to) the following PCI SSC publications, each as available through the Website. Related Publications are italicized within this document.

Document name Description Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms (“P2PE Glossary”) The then-current version of (or successor document to) the PCI Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms, as from time to time amended and made available on the Website.

PCI Point-to-Point Encryption Security Requirements and Testing Procedures (“P2PE Standard”) Contains the requisite security requirements and associated test procedures for the assessment and validation of P2PE Products.

PCI Point-to-Point Encryption Technical FAQs for use with PCI P2PE version 3.x (“P2PE Technical FAQs”) Technical FAQs are normative and are an integral and mandatory part of the PCI P2PE Standard and Program. Technical FAQs must be fully considered during …
Removed p. 12
PCI SSC Remote Assessments Guidelines and Procedures Describes how remote assessment methods may be incorporated into practices for validating environments, solutions, and products to PCI SSC standards.

PCI PIN Transaction Security (PTS) Device Testing and Approval Program Guide (“PTS Program Guide”) Program information for the PTS Program, which includes program information for PTS POI devices and PTS HSMs.
Removed p. 13
Note: Capitalized terms used but not otherwise defined herein have the meanings set forth in Section i Terminology, in the P2PE Glossary or the P2PE Qualification Requirements (found on the Website), as applicable.

This document, the PCI Point-to-Point Encryption (P2PE)® Program Guide, provides information on the P2PE Program operated and managed by the PCI Security Standards Council, LLC (PCI SSC).

The P2PE Program Guide is intended for P2PE Assessor Companies and P2PE Vendors of P2PE Products (P2PE Solutions, P2PE Components, and P2PE Applications).

Note: Information regarding the qualification of P2PE Assessor Companies and their employees can be found in the PCI P2PE Qualification Requirements on the Website.

1.1. P2PE Program Overview A P2PE Vendor may choose to have its P2PE Products validated to the P2PE Standard as part of the Program in order to have those P2PE Products considered for Acceptance by PCI SSC and included in the applicable List of Validated P2PE Products …
Modified p. 15 → 13
• Provide access to their P2PE Products and supporting documentation to a P2PE Assessor Company for validation, and • Authorize the P2PE Assessor Company to submit resulting P-ROVs, an AOV, and all other required information and documentation for the submission to PCI SSC.
Provide access to their P2PE Products and supporting documentation to a P2PE Assessor Company for validation, and
Modified p. 15 → 13
• Have overall responsibility for the design and implementation of specific P2PE Solutions, and • Directly manage P2PE Solutions for their customers and/or manage corresponding responsibilities.
Directly manage P2PE Solutions for their customers and/or manage corresponding responsibilities.
Modified p. 15 → 13
• Have their applications assessed against the P2PE Standard for secure operation within the applicable PCI-approved PTS POI device(s), and • Provide corresponding Implementation Guides that describe the secure installation and administration of such applications on the corresponding PCI-approved PTS POI devices.
Provide corresponding Implementation Guides that describe the secure installation and administration of such applications on the corresponding POI devices.
Modified p. 15 → 13
For P2PE Applications intended for use in multiple P2PE Solutions or applicable P2PE Components, validation and Acceptance as a Validated P2PE Application eliminates the need for the application to be separately assessed for P2PE Program purposes as part of each P2PE Solution or P2PE Component in which it is used.
For P2PE Applications intended for use in multiple P2PE Solutions, validation and Acceptance as a Validated P2PE Application eliminates the need for the application to be separately assessed for P2PE Program purposes as part of each P2PE Solution in which it is used.
Removed p. 16
2.1.3. P2PE Component Providers P2PE Component Providers are entities that provide one or more services that:

Each P2PE Component requires its own PCI SSC submission. A separate P-ROV must be submitted to PCI SSC for each P2PE Component assessed as part of the Program for it to be Accepted and Listed. If a P2PE Component service described above is assessed as part of a P2PE Solution (or a P2PE Component, as applicable) but is not on the List of Validated P2PE Components, the entity providing that component service is not considered a P2PE Component Provider for purposes of that component service and is considered a Third-Party Service Provider with respect to that component service. A Third-Party Service Provider must have its services reviewed during the course of each of its P2PE Solution Provider (or P2PE Component Provider) customers’ P2PE Assessments.
Modified p. 16 → 14
Require a P2PE Assessment for Program purposes, and Are performed on behalf of a P2PE Solution Provider or a P2PE Component Provider for use in P2PE Solutions. These services (and their respective P2PE Component Providers) are described further below.
(a) Require P2PE Assessment for Program purposes, and (b) Are performed on behalf of a P2PE Solution Provider or Component Provider for use in P2PE Solutions. These services (and their respective P2PE Component Providers) include:
Modified p. 16 → 14
Only P2PE Components validated by a P2PE Assessor Company and Accepted on an “Individual basis” by PCI SSC are separately Listed on the Website.
• Certification Authority/Registration Authority (CA/RA) Only P2PE Components (i.e., component services) that have been validated by a P2PE Assessor and Accepted on an “Individual basis” by PCI SSC are separately Listed on the Website.
Modified p. 16 → 14
P2PE Assessor Companies are qualified to perform P2PE Assessments of P2PE Components for consideration of Acceptance by PCI SSC and subsequent inclusion on the List of Validated P2PE Components.
All QSA (P2PE) Assessors are qualified to perform P2PE Assessments of P2PE Components for potential listing on the List of Validated P2PE Components.
Modified p. 16 → 15
• Encryption Management Component Provider (EMCP) is an entity that deploys and manages PCI-approved PTS POI devices and any resident P2PE Applications or P2PE Non-payment Software that can support a P2PE Solution.
• POI Deployment Component Provider is an entity that prepares and deploys POI devices and any resident P2PE applications and/or P2PE non-payment software that can support a P2PE solution.
Modified p. 16 → 15
POI Deployment Component Provider (PDCP) is an entity that prepares and deploys PCI-approved PTS POI devices and any resident P2PE Applications or P2PE Non-payment Software that can support a P2PE Solution.
POI Management Component Provider is an entity that maintains the POI devices and any resident P2PE applications and/or P2PE non-payment software, once deployed, that can support a P2PE solution.
Modified p. 16 → 15
• POI Management Component Provider (PMCP) is an entity that maintains the PCI-approved PTS POI devices and any resident P2PE Applications or P2PE Non-payment Software, once deployed, that can support a P2PE Solution.
• Decryption Management Component Provider is an entity that manages the decryption environment that can support a P2PE solution.
Modified p. 16 → 15
The EMS P-ROV must be used to validate P2PE Components included within Encryption Management Services.
The DMS P-ROV must be submitted in order to validate P2PE Components of the type provided by the Decryption-Management Component Provider.
Removed p. 17
• Key Management Component Provider (KMCP) is an entity that manages cryptographic key generation and key conveyance for PCI-approved PTS POI devices and HSMs that can support a P2PE Solution.

2.1.4. Third-Party Service Providers A P2PE Solution Provider (or a merchant acting as its own P2PE Solution Provider in the case of a Merchant-Managed Solution) or P2PE Component Provider may choose to manage their P2PE Solution or P2PE Component, respectively, without outsourcing to Third-Party Service Providers.

Alternatively, a P2PE Solution Provider (or a merchant acting as its own P2PE Solution Provider in the case of a Merchant-Managed Solution) or P2PE Component Provider may choose to outsource certain services that are part of the applicable P2PE Solution or P2PE Component to Third-Party Service Providers who perform these services on behalf of the P2PE Solution Provider or the P2PE Component Provider.
Modified p. 17 → 15
• Decryption Management Component Provider is an entity that manages the decryption environment that can support a P2PE solution.
• Key Loading Component Provider is an entity that manages the cryptographic key loading for POI devices and HSMs that can support a P2PE solution.
Modified p. 17 → 15
The DMS P-ROV must be used to validate P2PE Components included within Decryption Management Services.
The KMS P-ROV must be submitted in order to validate P2PE Components of the types provided by the above provider types.
Modified p. 17 → 15
Key Injection Facility (KIF) is an entity that performs cryptographic key services for PCI-approved PTS POI devices and HSMs (including, but not limited to, key generation, conveyance, and/or key loading).
Key Injection Facility is an entity that performs cryptographic key services for POI devices and HSMs (including, but not limited to, key generation, conveyance, and/or key loading).
Modified p. 17 → 15
Key Loading Component Provider (KLCP) is an entity that manages the cryptographic key loading for PCI-approved PTS POI devices and HSMs that can support a P2PE solution.
Key Management Component Provider is an entity that manages cryptographic key generation and key conveyance for POI devices and HSMs that can support a P2PE Solution.
Modified p. 17 → 15
Certification/Registration Authorities (CA/RA) is an entity that signs public keys such as X.509 or other non-X.509 certificates for use in connection with the remote distribution of symmetric keys using asymmetric techniques. A Registration Authority (RA) performs registration services on behalf of a CA to vet requests for certificates that will be issued by the CA.
Certification/Registration Authorities (CA/RA) is an entity that signs public keys such as X.509 or other non-X.509 certificates for use in connection with the remote distribution of symmetric keys using asymmetric techniques. A Registration Authority (RA) performs registration services on behalf of a CA to vet requests for certificates that will be issued by the CA.
Modified p. 17 → 15
The KMS P-ROV must be used to validate P2PE Components included within Key Management Services.
The KMS P-ROV (see Table 6.1 below) must be submitted in order to validate P2PE Components of the type provided by this provider type.
Modified p. 17 → 16
All P2PE services performed by Third-Party Service Providers on behalf of a P2PE Solution Provider or P2PE Component Provider must be validated per applicable P2PE Solution or P2PE Component requirements. Third-Party Service Providers also have the option of having their P2PE Component services validated under the Program.
All P2PE services and functions performed by Third-Party Service Providers on behalf of a P2PE Solution Provider or P2PE Component Provider must be validated per applicable P2PE Solution or P2PE Component requirements, and Third-Party Service Providers have the option of having their P2PE Component services validated under the Program.
Modified p. 17 → 16
There are two validation options for Third-Party Service Providers performing P2PE functions on behalf of P2PE Solution Providers or P2PE Component Providers:
There are two validation options for third-party entities performing P2PE functions on behalf of P2PE Solution Providers or P2PE Component Providers:
Modified p. 17 → 16
1) Undergo a P2PE Assessment of the applicable P2PE Component services against relevant P2PE Requirements and have their P2PE Assessor Company submit the applicable P2PE Report of
1) Undergo a P2PE Assessment of the applicable P2PE Component services and functions against relevant P2PE Requirements, and have their P2PE Assessor submit the applicable P2PE Report of Validation (P-ROV) to PCI SSC for review and Acceptance. Upon Acceptance, the corresponding P2PE Component is Listed on PCI SSC’s List of Validated P2PE Components. Or:
Removed p. 18
2.2. P2PE Assessor Companies There are two types of P2PE Assessor Companies:

P2PE Assessor Company:

Note: P2PE Assessor Companies are not qualified by PCI SSC to perform P2PE Application Assessments unless they are also qualified as a P2PE Application Assessor Company.

P2PE Application Assessor Company:

P2PE Application Assessor Companies are P2PE Assessor Companies that have been qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions, P2PE Components, in addition to P2PE Applications.
Modified p. 18 → 16
2) Have their P2PE Component services reviewed during and as part of each of their customers’ corresponding P2PE Assessments.
2) Have their P2PE Component functions or services reviewed during and as part of each of their customers’ corresponding P2PE Assessments.
Modified p. 18 → 16
Accordingly, a P2PE Solution or P2PE Component can be reviewed via the following scenarios:
Accordingly, a P2PE Solution or P2PE Component can be reviewed via one of the following scenarios:
Modified p. 18 → 16
1) A P2PE Solution Provider or P2PE Component Provider (or a merchant as a P2PE Solution Provider in the case of a Merchant-Managed Solution (MMS)) can outsource services to Third-Party Service Providers and have the services assessed as part of the overall P2PE Assessment of that P2PE Solution or P2PE Component; and/or 2) A P2PE Solution Provider or P2PE Component Provider (or a merchant as a P2PE Solution Provider in the case of an MMS) can outsource certain P2PE …
1) A P2PE Solution Provider or P2PE Component Provider (or a merchant as a P2PE Solution Provider in the case of a Merchant-Managed Solution (MMS)) can outsource functions and have them assessed as part of the overall P2PE Assessment of that P2PE Solution or P2PE Component.
Modified p. 18 → 16
P2PE Solution Providers (or merchants as P2PE Solution Providers in the case of an MMS) and P2PE Component Providers must manage the overall P2PE Solution or P2PE Component, respectively, and any third-party services (and corresponding Third-Party Service Providers) used to perform P2PE Component services on their behalf, whether those Third-Party Service Providers are separately Listed by PCI SSC as P2PE Component Providers or are assessed as part of the P2PE Assessment of the corresponding P2PE Solution or P2PE Component.
P2PE Solution Providers (or merchants as P2PE Solution Providers in the case of a MMS) must manage the overall P2PE Solution and any third-party services (and corresponding Third-Party Service Providers) used to perform P2PE Component services or functions on their behalf, whether those Third-Party Service Providers are separately Listed by PCI SSC as P2PE Component Providers or are assessed as part of the P2PE Assessment of the corresponding P2PE Solution or P2PE Component.
Modified p. 18
P2PE Assessor Companies are QSA or QPA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions and P2PE Components.
• PA-QSA (P2PE): PA-QSA (P2PE) Companies are PA-QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions, P2PE Components, and P2PE Applications.
Modified p. 18
Performing P2PE Assessments of P2PE Solutions and P2PE Components (and P2PE Applications for P2PE Application Assessor Companies) in accordance with the P2PE Standard, the P2PE Program, and the P2PE Qualification Requirements.
Performing P2PE Assessments of P2PE Solutions and P2PE Components (and P2PE Applications for PA-QSA (P2PE) Assessor Companies) in accordance with the P2PE Standard and the P2PE Qualification Requirements.
Modified p. 18
Determining the scope of their P2PE Assessments and applicability of the P2PE Standard to each of those P2PE Assessments.
Determining the scope of their P2PE Assessments and applicability of the P2PE Standard to each of those P2PE Assessments.
Modified p. 18
Assessing the compliance of P2PE Solutions and P2PE Components (and P2PE Applications for P2PE Application Assessor Companies) against the P2PE Standard.
Assessing the compliance of P2PE Solutions and P2PE Components (and P2PE Application for PA-QSA (P2PE) Assessor Companies) against the P2PE Standard.
Modified p. 18
Documenting each P2PE Assessment using the applicable P-ROV Reporting Templates.
Documenting each P2PE Assessment in a P-ROV using the applicable P2PE P-ROV Reporting Templates.
Removed p. 19
2.3. PCI Security Standards Council (PCI SSC)

• Hosts the List of Validated P2PE Products on the Website;
• Hosts the P2PE Expired Listings on the Website;
• Provides required training for and qualifies P2PE Assessor Companies (and their P2PE Assessor Employees) and P2PE Application Assessor Companies (and their P2PE Application Assessor Employees) to assess and validate P2PE Products against the P2PE Standard and Program;
• Maintains and updates the P2PE Standard, Program, and related documentation;
• Reviews all P-ROVs (and other related documents) submitted to PCI SSC and related change submissions for compliance with baseline quality standards, including but not limited to, confirmation that:

• Submissions (including P-ROVs, Change Impact Submissions, and Annual Revalidations) are correct as to form;

• The P2PE Assessor Company determines whether P2PE Products are eligible for validation under the P2PE Program (PCI SSC reserves the right to reject or remove the applicable Listing of any Validated P2PE Product …
Modified p. 19 → 18
Maintaining an internal quality assurance process for their P2PE Assessment efforts.
Maintaining an internal quality assurance process for their P2PE Assessment efforts.
Modified p. 19 → 18
Staying up to date with PCI SSC statements and guidance, P2PE Technical and General FAQs, industry trends, and best practices.
Staying up to date with PCI SSC statements and guidance, P2PE Technical and General FAQs, industry trends, and best practices.
Removed p. 20
Note: The PCI Security Standards Council (PCI SSC) does not manage compliance programs and does not impose any consequences for non-compliance. Whether an entity is required to comply with or validate compliance to a PCI SSC standard is at the discretion of organizations that manage compliance programs, such as a payment brand, acquirer, or other entity.

2.7. Participating Payment Brands

The Participating Payment Brands independently develop and enforce the various aspects of their respective compliance programs, including but not limited to, related requirements, mandates, and due dates.
Modified p. 20 → 18
Determining which P2PE Solutions, including the associated PCI-approved PTS POI devices and P2PE Applications to implement.
Determining which solutions and devices to implement.
Modified p. 20 → 18
Adhering to the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
Adhering to the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
Modified p. 20 → 19
Note: Device evaluation by a PCI-recognized Laboratory is a separate process from the validation that occurs as part of a P2PE Assessment; the P2PE Assessment validates if a given P2PE Product (which may include multiple POI/HSM/KLD devices) is in compliance with the P2PE Standard.
Note: Device evaluation by a PCI-recognized Laboratory is a separate process from the validation that occurs as part of a P2PE Assessment; the P2PE Assessment validates whether or not a given P2PE Product (which may include multiple POI/HSM devices) is in compliance with the P2PE Standard.
Removed p. 21
3. P2PE Product Assessment Considerations

The following sections provide useful information and applicable criteria related to defined P2PE Product elements and/or dependencies that must be considered for P2PE Product assessments.

3.1. Listed P2PE Product Outsourcing Matrix

Note: Refer to Figure 1: P2PE Products Overview for a diagram of all the P2PE Product categories.

The P2PE Standard and Program provide significant flexibility in allowing the use of Listed P2PE Products to assist in satisfying P2PE Program Requirements for a P2PE Product assessment. The following matrix indicates the allowable Listed P2PE Products that can be included in a P2PE Product undergoing validation. While the use of Listed P2PE Products in a P2PE Product assessment is optional, all requisite requirements must be satisfied by the P2PE Product under assessment. Refer to Appendix H: P2PE Applicability of Requirements.

* Listed CA/RAs can be used to complement a P2PE Product assessment, e.g., to accommodate Remote Key Distribution, however they …
Removed p. 22
A table is included in the associated P2PE Technical FAQs on the Website that provides the current PTS POI device expiry dates and the corresponding Reassessment window for Listed P2PE Products using these devices. The P2PE Technical FAQs also contain information regarding POI v6+ device firmware expiry.

The following information applies to PTS POI v6+ device firmware expiry. Refer to the PTS Program Guide on the Website for additional details.

PTS POI v6+ Firmware Expiry

New Assessments: As per the P2PE Standard, the PTS POI device approval must not be expired. In addition, for PTS POI v6 and later devices, the firmware must not be expired and past its 4-month grace period (i.e., it must not be red status). If at any time prior to Acceptance of the P2PE Product submission, including during the PCI SSC AQM review process, the PTS POI device firmware status turns red, the P2PE Product submission will …
Removed p. 23
Table 1: Use Cases for Previously Deployed PTS POI Devices

Scenario (New Assessments): A P2PE Assessor is engaged to perform an initial assessment of a solution provider’s new P2PE solution. There are PTS POI device type(s) that need to be assessed that have already been deployed to merchant locations.

Process:

The P2PE Solution Provider engages a P2PE Assessor to assess their solution as required by the PCI P2PE Standard and Program.

- If the P2PE Assessor determines the applicable P2PE Standard requirements regarding the previously deployed PTS POI devices have been satisfied, the P2PE Assessor will document the P-ROV accordingly, which per the Program Requirements, can be submitted to the PCI Council upon completion of a successful P2PE Assessment.

- If the solution provider lacks sufficient evidence to verify the applicable P2PE requirements have been satisfied (as determined by a P2PE Assessor during a P2PE Assessment), then all firmware, cryptographic keys, configurations, and …
Removed p. 24
With respect to the PTS POI device hardware/firmware (HW/FW) combinations, at least one unique combination of PTS POI device HW and FW (Figure 3, Example #1 below) supported by the P2PE Product must be validated and functionally tested (as determined by the P2PE Standard requirements and associated testing procedures) from each PTS approval that is being associated with the P2PE Product assessment.

Where the FW is not monolithic (Figure 3, Example #2 below), i.e., it is split into separate FW functionality (e.g., OS, SRED, OP), every FW required for the device to function as intended must be validated and functionally tested (as determined by the P2PE Standard requirements and associated testing procedures).

The P2PE Assessor must document in the appropriate P-ROV, for each associated PTS approval, the supported PTS POI device HW/FW(s) combinations that were validated and functionally tested, in addition to all eligible HW and FW from the same PTS approval …
Removed p. 25
3.3.1. NIST CMVP Historical Validation List

The following applies to the use of HSMs on NIST’s ‘CMVP Historical Validation List’:

New Assessments: HSMs on the CMVP Historical Validation List can be used, however, the P2PE Assessor must determine the Historical Reason for the transition to the ‘CMVP Historical Validation List’ does not compromise the P2PE Product from satisfying applicable P2PE Standard requirements. This analysis must be documented in the appropriate P-ROV for requirements 4A-1.1 and 1-3, as applicable.

Annual Revalidations & Reassessments: P2PE Products can continue to use HSMs that are on the ‘CMVP Historical Validation List’ that were assessed as part of the P2PE Product’s New Assessment, if all other requirements are met during the Annual Revalidation and Reassessment processes per the Program Requirements.

The P2PE Product vendor is encouraged to make a risk determination on whether to continue using the HSMs on the ‘CMVP Historical Validation List’ based on their own …
Modified p. 25
Obtaining and maintaining PCI PTS HSM or FIPS 140 device approval is the responsibility of the secure cryptographic device vendor. The P2PE Assessor Company will request evidence of device approvals being in place and current as part of performing a P2PE Assessment, where applicable.
Obtaining and maintaining PTS or FIPS 140 device approval is the responsibility of the secure cryptographic device vendor. P2PE Assessors will request evidence of device approvals being in place and current as part of performing a P2PE Assessment.
Modified p. 25
A Listed (not Expired) P2PE Product may undergo a Reassessment up to but not exceeding three years past the expiry date of any PCI-listed HSMs already included in the corresponding Listed P2PE Product. This will be checked as part of the Reassessment and submittal process to PCI SSC. As the Reassessment (provided it results in an updated P2PE Listing) has the potential to be valid for three years, this will allow P2PE Product Vendors to continue to use the expired …
• An existing P2PE Program approval of a Listed P2PE Solution or P2PE Component may be reassessed up to but not exceeding three years past the expiry date of any PCI-listed HSMs already included in the corresponding P2PE Solution or P2PE Component approval. This will be checked as part of the reassessment and submittal process to PCI SSC. As the reassessment (provided it results in an updated P2PE listing) is valid for three years, this will allow vendors to continue …
Modified p. 25
A table is included in the associated P2PE Technical FAQs on the Website that provides the current PCI PTS HSM expiry dates and the corresponding Reassessment window for Listed P2PE Products using these devices, along with additional relevant information regarding the use of HSMs.
• The following table provides the current PTS HSM expiry dates and the corresponding reassessment window for P2PE Solutions and applicable P2PE Components using these devices:
Modified p. 25 → 26
For additional details, refer to Appendix I: Figure 9: PCI-Approved PTS HSM Expiry Flowchart.
For additional detail, refer to Appendix J, “PCI-Listed PTS HSM Expiry Flowchart.”
Modified p. 25 → 27
Refer to information regarding SCDs in the P2PE Standard.
Refer to definition in P2PE Glossary.
Modified p. 25 → 27
Refer to the definition of P2PE Application in the P2PE Glossary.
Refer to definition in P2PE Glossary.
Modified p. 25 → 27
Must undergo validation per all applicable P2PE Application Requirements by a P2PE Application Assessor Company, with the option to be:
Must undergo validation per all applicable P2PE Application Requirements by a PA-QSA (P2PE), and will be either:
Modified p. 25 → 27
- Independently Listed on the List of Validated P2PE Applications
Independently Listed on the List of Validated P2PE Applications
Removed p. 26
- A Solution-specific P2PE Application, which is not Listed on the List of Validated P2PE Applications and therefore only considered an element of the specific Validated P2PE Solution for which it has been submitted. While a P2PE Solution and a P2PE Component can be assessed by either a P2PE Assessor Company or a P2PE Application Assessor Company, only a P2PE Application Assessor Company can assess and validate a P2PE Application.

 For P2PE Solution Assessments, if a P2PE Application is not already on the List of Validated P2PE Applications, both the P2PE Solution P-ROV (including P2PE Component P-ROVs, if applicable) and the P2PE Application P-ROV(s) (one for each P2PE Application), must be submitted to PCI SSC. The P2PE Application P-ROV(s) must undergo PCI SSC review (and Acceptance, where the P2PE Application is being submitted to be Listed on the List of Validated P2PE Applications) prior to PCI SSC review and Acceptance …
Modified p. 26 → 27
Refer to the definition of P2PE Non-payment Software in the P2PE Glossary.
Refer to “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the Introduction section of the P2PE Standard.
Modified p. 26 → 27
Refer to information regarding P2PE Non-payment Software in the P2PE Standard.
Refer to “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the Introduction section of the P2PE Standard.
Modified p. 26 → 27
Not eligible to be Listed by PCI SSC.
Not eligible for PCI-listing by PCI SSC.
Removed p. 27
3.7. Remote Assessments

P2PE Assessors are expected to perform onsite assessments for P2PE Products, where applicable. While onsite assessments continue to be the expected method for PCI SSC assessments, the use of remote assessment methods may provide a suitable alternative in legitimate scenarios where an onsite assessment is not feasible. Refer to the PCI SSC Remote Assessments Guidelines and Procedures for details of remote assessment procedures and methods that may be used when an onsite assessment cannot be performed.

If remote assessment methods are used in place of an onsite assessment, the P2PE Assessor must complete the Addendum for ROC/ROV: Remote Assessments, as provided in Appendix A of the PCI SSC Remote Assessment Guidelines and Procedures document, for submission to PCI SSC along with the applicable P-ROV(s).

3.8. New Assessments and Reassessments using Expired P2PE Products

New Assessments and Reassessments of P2PE Products will not be Accepted if they use Expired …
Modified p. 27 → 28
If independent listing is not being pursued for a P2PE Component, this is instead considered a Third-Party Service Provider’s service offering, and it is only an element of the specific P2PE Solution or P2PE Component within which it is assessed.
If independent listing is not being pursued for a P2PE Component, this is instead considered a Third-Party Service Provider’s service offering and it is only an element of the specific P2PE Solution or P2PE Component within which it is assessed.
Removed p. 29
4. Overview of the Validation Processes

The following sections provide a general overview of the validation processes for P2PE Products.

Refer to Section 4.2 for information regarding validation of Merchant-managed Solutions (MMS).

P2PE Application Assessments may only be performed by P2PE Application Assessor Companies.

1) The P2PE Vendor selects a P2PE Assessor Company from PCI SSC’s list of PCI Point-to-Point Encryption (P2PE)® Assessors on the Website and negotiates the cost and other terms of the assessor engagement directly with the P2PE Assessor Company.

The diagrams on the following pages explain in further detail the processes for the P2PE Program:
Modified p. 29 → 20
3) Refer to Section 2.1.4 Third-Party Service Providers in this document to understand options for validating P2PE Component functions and services provided by Third-Party Service Providers. The P2PE Assessor Company then assesses the P2PE Product, including its security functions and features, using the appropriate P-ROV(s), to determine whether it complies with the P2PE Standard and Program Requirements.
3) Refer to Section 2.1.4, “Use of Third-Party Service Providers,” in this document to understand options for validating P2PE Component functions and services provided by Third-Party Service Providers. The P2PE Assessor Company then assesses the P2PE Solution, P2PE Component(s), and/or P2PE Application(s), including its security functions and features, using the appropriate P-ROV(s), to determine whether it complies with the P2PE Standard.
Modified p. 29 → 20
4) If the P2PE Assessor Company determines that the P2PE Product is in compliance with the P2PE Standard and Program Requirements, the P2PE Assessor Company submits the corresponding P-ROV(s) to PCI SSC, attesting to compliance and setting forth the results and observations of the P2PE Assessor Company on all test procedures, along with the P2PE Vendor’s signed VRA and the corresponding P-AOV. Refer to Appendix A for more details on Acceptance.
4) If the P2PE Assessor Company determines that the P2PE Solution, P2PE Component(s), and/or P2PE Application is in compliance with the P2PE Standard, the P2PE Assessor Company submits the corresponding P-ROV(s) to PCI SSC, attesting to compliance and setting forth the results, opinions, and conclusions of the P2PE Assessor Company on all test procedures along with the P2PE Vendor’s signed VRA and the corresponding P-AOV. See Appendix A, “P2PE Products and Acceptance,” for more details on Acceptance.
Modified p. 29 → 20
5) PCI SSC issues an invoice to the P2PE Vendor for the applicable P2PE submission fee (Refer to the ‘Programs Fee Schedule’ on the Website). After the P2PE Vendor has paid the invoice, PCI SSC reviews the submission to confirm that it satisfies the P2PE Program Requirements and if confirmed, PCI SSC notifies the P2PE Assessor Company and P2PE Vendor that the P2PE Product submission is Accepted as a Validated P2PE Product.
5) PCI SSC issues an invoice to the P2PE Vendor for the applicable P2PE Acceptance Fee. After the P2PE Vendor has paid the invoice, PCI SSC reviews the submission to confirm that it meets the P2PE Program requirements and if confirmed, PCI SSC notifies the P2PE Assessor Company and P2PE Vendor that the P2PE Solution, P2PE Component(s), and/or P2PE Application(s) have completed the process.
Modified p. 29 → 20
6) Once the above process is complete for the submitted P2PE Product, PCI SSC signs the corresponding P-AOV and adds the P2PE Product to the corresponding List of Validated P2PE Products on the Website.
6) Once the above process is complete for the submitted P2PE Solution, P2PE Component(s), and/or P2PE Application(s), PCI SSC signs the corresponding P-AOV and adds the P2PE Solution, P2PE Component(s), and/or P2PE Application(s) to the corresponding list of Validated P2PE Products on the Website.
Modified p. 29 → 24
Refer to Section 2.1.4 to understand options for validating Third-Party Service Providers.
Note: Refer to Section 2.1.4, “Use of Third-Party Service Providers” in this document to understand options for validating Third-Party Service Providers.
Modified p. 29 → 24
2) The P2PE Vendor then provides to the P2PE Assessor Company its executed VRA and access to the applicable P2PE Product to be assessed, PTS POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for P2PE Solutions, and all associated manuals and other required documentation.
2) The Merchant provides the P2PE Assessor Company access to the MMS to be assessed, POI device types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for MMS, and all associated manuals and other required documentation.
Modified p. 30 → 23
Figure 4: P2PE Product Validation Overview
Figure 2: P2PE Product Submission and PCI SSC Review
Modified p. 31 → 22
Figure 5: P2PE Product Submission and PCI SSC Review
Figure 1: P2PE Assessment for Products Intended for v3 PCI SSC Listing
Removed p. 32
P2PE Application Assessments may only be performed by P2PE Application Assessor Companies.
Removed p. 32
Refer to Section 2.1.4 to understand options for validating Third-Party Service Providers.

1) The merchant selects a P2PE Assessor Company from PCI SSC’s list of PCI Point-to-Point Encryption (P2PE)® Assessors on the Website and negotiates the cost and other terms of the assessor engagement directly with the P2PE Assessor Company.

2) The merchant provides the P2PE Assessor Company access to the MMS to be assessed, PCI-approved PTS POI Device Types, corresponding Implementation Guides for P2PE Applications, P2PE Instruction Manual for the MMS, and all associated manuals and other required documentation.

5) The merchant and the P2PE Assessor Company complete and sign the applicable MMS P-AOV.

4.3. Prior to P2PE Product Validation

Note: The security requirements applicable to P2PE Products and the test procedures for validating P2PE Products are defined within the P2PE Standard.
Modified p. 32 → 24
3) The P2PE Assessor Company assesses the MMS, including its security functions and features, to determine whether the MMS is in accordance with the P2PE Standard and Program Requirements.
3) The P2PE Assessor Company assesses the MMS, including its security functions and features, to determine whether the MMS complies with the P2PE Standard.
Modified p. 32 → 24
4) If the P2PE Assessor Company determines that the MMS is in accordance with the P2PE Standard and Program Requirements, the P2PE Assessor Company prepares and submits to the merchant a corresponding P2PE Merchant-Managed Solution P-ROV (and all additional P-ROVs as required for the P2PE Assessment) attesting to compliance and setting forth the results and observations of the P2PE Assessor Company on all test procedures.
4) If the P2PE Assessor Company determines that the MMS is in compliance with the P2PE Standard, the P2PE Assessor Company prepares and submits to the Merchant a corresponding Merchant-Managed P2PE Solution P-ROV attesting to compliance and setting forth the results, opinions and conclusions of the P2PE Assessor Company on all test procedures.
Modified p. 32 → 29
Review the requirements of the P2PE Standard and all related documentation located at the Website, including the P2PE Technical FAQs.
Review the requirements of both the PCI DSS and the P2PE Standard and all related documentation located at the Website.
Modified p. 32 → 29
Determine/assess the applicable P2PE Product’s readiness to satisfy the P2PE Standard and Program Requirements: Select the appropriate P-ROV(s) based on the type of P2PE Product assessment. Refer to Table 2: P-ROV Templates.
Determine/assess the P2PE Solution’s, P2PE Component’s, or P2PE Application’s readiness to comply with the P2PE Standard: Select the appropriate P-ROV(s) based on the type of P2PE Assessment.
Removed p. 33
4.4. P2PE Product Validation Required Documentation

The P2PE Vendor and P2PE Assessor work together to account for all P2PE Assessment-related materials (such as, but not limited to, P-ROVs, P-AOV, the P2PE Instruction Manual (PIM), P2PE Application Implementation Guide (IG), the Vendor Release Agreement (VRA), and all other materials related to the P2PE Product assessment and participation in the P2PE Program). The P2PE Vendor does not submit any documentation directly to PCI SSC as part of a P2PE Assessment.

• The degree that the P2PE Product satisfies the P2PE Standard and Program Requirements at the start of the P2PE Assessment:

Corrections to the P2PE Product to remediate gaps will delay validation.

Those that are being Listed on the Website separately must be Listed before the P2PE Solution or the P2PE Component can be reviewed and Accepted.

• The scope of the P2PE Product assessment and validation effort. The use of Listed P2PE Components and/or Listed …
Modified p. 33 → 29
• For P2PE Solution Assessments, determine whether the P2PE Solution Provider’s P2PE Instruction Manual (PIM) meets P2PE Standard requirements and correct any gaps.
• Determine whether the P2PE Solution Provider’s P2PE Instruction Manual meets P2PE Standard requirements and correct any gaps.
Modified p. 33 → 29
Prompt payment of the P2PE Program fees due to PCI SSC for the P2PE Product submission.
Prompt payment of the fees due to PCI SSC
Modified p. 33 → 29
PCI SSC will not commence review of the P-ROV(s) for the P2PE Products until the applicable fee has been paid.
PCI SSC will not commence review of the P-ROV until the applicable fee has been paid.
Modified p. 33 → 29
For P2PE Solutions and P2PE Components that use P2PE Applications and/or P2PE Components:
For P2PE Solutions and P2PE Components that use P2PE Applications and/or P2PE Components: Those that are being Listed on the Website separately must be Listed before the P2PE Solution can be reviewed.
Modified p. 33 → 29
Whether the P2PE Application’s Implementation Guide and/or the P2PE Solution’s P2PE Instruction Manual meets all P2PE Standard requirements at the start of the assessment:
Whether the P2PE Application’s Implementation Guide and/or P2PE Instruction Manual meets all P2PE Requirements at the start of the Assessment: Extensive rewrites will delay validation.
Modified p. 33 → 30
Quality of the P2PE Assessor Company's submission to PCI SSC:
Quality of the P2PE Assessor Company's submission to PCI SSC
Modified p. 33 → 30
Any P2PE Assessment timeframes provided by a P2PE Assessor Company should be considered estimates, since they may be based on the assumption that the P2PE Product is able to successfully satisfy all P2PE Standard and Program Requirements quickly. If issues are found during review or
Any P2PE Assessment timeframes provided by a P2PE Assessor Company should be considered estimates, since they may be based on the assumption that the P2PE Product is able to successfully meet all P2PE Requirements quickly. If problems are found during review or Acceptance processes, discussions between the P2PE Assessor Company, the P2PE Vendor, and/or PCI SSC may be required. Such discussions may significantly impact review times and cause delays and/or may even cause the review to end prematurely (for example, …
Removed p. 34
4.6. P2PE Assessor Information

By definition, a P2PE Application Assessor Company is also a P2PE Assessor Company.

PCI SSC qualifies and provides required training for P2PE Assessor Companies and P2PE Application Assessor Companies to assess and validate P2PE Products to the P2PE Standard and Program Requirements.

To perform P2PE Solution Assessments and/or P2PE Component Assessments, a P2PE Assessor Company must have been qualified by PCI SSC and remain in Good Standing (as defined in the QSA or QPA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a QSA or QPA Company and P2PE Assessor Company.

To perform P2PE Application Assessments, a P2PE Assessor Company must have been additionally qualified by PCI SSC and remain in Good Standing (as defined in the QSA or QPA Qualification Requirements and P2PE Qualification Requirements, as applicable) or in remediation as both a P2PE Assessor Company and a P2PE Application Assessor Company.

All recognized …
Modified p. 34 → 30
The P2PE Assessor Company must prepare each P-ROV based on evidence obtained by following the P2PE Standard and Program Requirements.
The P2PE Assessor Company must prepare each P-ROV based on evidence obtained by following the P2PE Standard.
Modified p. 34 → 30
Prior to submitting to PCI SSC, the P2PE Assessor Company must perform a review of all documents to ensure they are consistent and meet PCI SSC’s requirements and quality standards.
Prior to submitting to PCI SSC, the P2PE Assessor Company must perform a review of all documents to ensure they are consistent and meet PCI SSC’s requirements and quality standards.
Removed p. 35
4.8. Vendor Release Agreement (VRA)

For PCI SSC to review any submission, PCI SSC must have on file the P2PE Vendor’s signed copy of the then-current version of the Vendor Release Agreement (VRA) available on the Website.

• If PCI SSC does have a copy of the P2PE Vendor’s signed, then-current VRA on file, the P2PE Assessor Company is not required to re-submit the same VRA to PCI SSC at that time.

Generally, the P2PE Vendor provides its signed VRA to the P2PE Assessor Company, along with access to the P2PE Product and other documents and materials, at the beginning of the applicable P2PE Assessment process.

• Covers confidentiality issues;
• Covers the P2PE Vendor’s agreement to P2PE Program Requirements, policies, and procedures;
• Gives permission to the P2PE Vendor’s chosen P2PE Assessor Company to release P-ROVs and related materials to PCI SSC for review; and
• Requires P2PE Vendors to adopt and …
Modified p. 35 → 31
If PCI SSC does not have a copy of the P2PE Vendor’s signed, then-current VRA on file, the P2PE Assessor Company must provide such VRA to PCI SSC.
If PCI SSC does already have the P2PE Vendor’s signed copy of the then-current VRA, the P2PE Assessor is not required to re-submit the same VRA to PCI SSC at that time.
Removed p. 36
5. Changes to Listed P2PE Products

P2PE Vendors may need to update their Listed P2PE Products for various reasons. The Change Impact Template must be used to account for and submit Administrative Changes and Delta Changes to PCI SSC.

Changes are permissible only for Listed (not Expired) P2PE Products.

Any change to a Listed P2PE Product that is not an Administrative Change and not a Delta Change is accounted for by the P2PE Vendor as part of the Annual Revalidation process for the Listed P2PE Product. Refer to section 6.1 Annual Revalidation of Listed P2PE Products for further details.

Administrative Changes and Delta Changes do not have any impact on Annual Revalidation dates or Reassessment dates of Listed P2PE Products.

5.1. Administrative Changes to Listed P2PE Products

Note: The Change Impact Template on the Website must be used for Administrative Changes.

An Administrative Change is used to update the following information on a Listed P2PE Product:

• …
Modified p. 36
Following successful PCI SSC quality assurance review of the Administrative Change, PCI SSC will:
Following successful PCI SSC quality assurance review of the change, PCI SSC will:
Modified p. 36
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any P2PE Change Impact submission if it determines that a change described therein and purported to be an Administrative Change by the P2PE Assessor Company and/or P2PE Vendor is ineligible for an Administrative Change.
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any P2PE Change Impact document if it determines that a change described therein and purported to be an Administrative Change by the P2PE Assessor Company or P2PE Vendor is ineligible for treatment as an Administrative Change.
Removed p. 37
Delta Change submissions to add Expired P2PE Products will not be Accepted. If at any time prior to Acceptance of the Delta Change submission, including during the PCI SSC AQM review process, a P2PE Product being added as part of the Delta Change is expired or expires, the Delta Change submission will be rejected. Delta Changes to add P2PE Components/Applications to an existing Listed P2PE Solution or Listed P2PE Component without further assessment require the P2PE Component/Application being added to be on the List of Validated P2PE Components or the List of Validated P2PE Applications, respectively.

The Change Impact Template on the Website must be used for Delta Changes.

Delta Changes are security-impacting changes (not Administrative Changes) made to a Listed P2PE Product as defined and accounted for in the Change Impact Template that affect a Listing element as defined in Appendix B, Appendix C, and Appendix D. Generally, Delta Changes include, …
Modified p. 37 → 35
5.2.1. Delta Change Submission Process Overview

The P2PE Vendor and P2PE Assessor Company prepare and complete the Change Impact Template. It is recommended that the P2PE Vendor submit the Delta Change request to the same P2PE Assessor Company used for the last Full Assessment of the Listed P2PE Product.
• Description of why the change is necessary

It is recommended that the P2PE Vendor submit the change analysis to the same P2PE Assessor Company used for the last full P2PE Solution Assessment.
Modified p. 37 → 35
If the P2PE Assessor Company agrees that the change as documented and conveyed by the P2PE Vendor is eligible as a Delta Change under the Program:
If the P2PE Assessor Company agrees that the change as documented by the P2PE Vendor is eligible as an Administrative Change:
Removed p. 38
Following successful PCI SSC quality assurance review of the Delta Change, PCI SSC will:

1) Amend the Listed P2PE Product details on the corresponding List of Validated P2PE Products on the Website accordingly based on the Delta Change submission; and
2) Sign and return a copy of the corresponding P-AOV to both the P2PE Vendor and the P2PE Assessor Company.

A Delta Change does not change the Listed P2PE Product’s Annual Revalidation date or its Reassessment date.

5.2.2. P2PE Application Changes and Version Numbers

All P2PE Application changes must result in a new application version number; however, whether this affects the version number specified within the P2PE Product Listing on the Website depends on the nature of the change and the Vendor’s validated versioning methodology. The use of wildcards may be permitted for managing the versioning methodology for non-security-impacting changes only.

Only those P2PE Applications that have had the P2PE Vendor’s wildcard versioning …
Modified p. 38 → 37
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any Change Impact submission if it determines that a change described therein and purported to be a Delta Change by the P2PE Assessor Company and/or P2PE Vendor is ineligible for a Delta Change.
For quality issues associated with any aspect of the submission, PCI SSC communicates those issues to the P2PE Assessor Company. PCI SSC reserves the right to reject any P2PE Change Impact document if it determines that a change described therein and purported to be a Delta Change by the P2PE Assessor Company or P2PE Vendor is ineligible for treatment as a Delta Change.
Modified p. 38
Note: Wildcards may only be substituted for elements of the version number that represent non-security-impacting changes. The use of wildcards for any change that has an impact on security, or any P2PE Standard requirement, is prohibited.
Note: Wildcards may only be substituted for elements of the version number that represent non-security-impacting changes; the use of wildcards for any change that has an impact on security, or any P2PE Requirements is prohibited.
Modified p. 38
Changes falling within the scope of wildcard usage are not required to be reported to PCI SSC; therefore, any such changes will not result in an update to the P2PE Application Listing on the Website. Refer to Appendix E for additional information regarding the use of wildcards.
Only those P2PE applications that have had the P2PE Vendor’s wildcard versioning methodology assessed to P2PE v3 by a PA-QSA (P2PE) Assessor Company are eligible for wildcard usage and listing on the Website with wildcards. Changes falling within the scope of wildcard usage are not required to be advised to PCI SSC; therefore, any such changes will not result in an update to the P2PE Application listing on the Website. See Appendix H, “P2PE Application Software Version Methodology,” for additional …
Removed p. 39
6. Lifecycle for Listed P2PE Products

A Listed P2PE Product, upon Acceptance and being Listed as the result of a Full Assessment, remains Validated for 3 years based on the date of the most recent Acceptance, provided it satisfies the Program Requirements as described herein.

At the end of the 3-year lifecycle, P2PE Vendors have the option of undergoing a Reassessment as described herein to renew the Listing for their P2PE Product.

Figure 6: Listed P2PE Product 3-Year Lifecycle

6.1. Annual Revalidation of Listed P2PE Products

The Annual Revalidation process requires the P2PE Vendor to attest to and account for their Listed P2PE Product continuing to adhere to the P2PE Standard and Program Requirements via their submittal of the appropriate P-AOV.

The first Annual Revalidation is required one calendar year after the most recent date of Acceptance based on the last Full Assessment, and the second Annual Revalidation is required one calendar year …
Modified p. 39 → 33
Once Listed, a P2PE Product is required to satisfy the Annual Revalidation process at year 1 and year 2 based on the date of the most recent Acceptance.
Note: P2PE v3 Products require a Full Assessment every three years based on the date of the P2PE Product’s Acceptance.
Modified p. 39 → 33
PCI SSC will send a courtesy reminder e-mail notification to the P2PE Vendor’s contact (as identified in the applicable P-AOV) within 90 calendar days prior to the relevant Annual Revalidation date; however, it is the sole responsibility of the P2PE Vendor to maintain the Listing regardless of any such courtesy reminder(s).
PCI SSC will generally send a courtesy reminder e-mail to the P2PE Vendor’s contact (as identified in the applicable P-AOV) within 90 days prior to the relevant revalidation/reassessment date, but it is the sole responsibility of the P2PE Vendor to maintain the listing regardless of any such courtesy reminder(s).
Modified p. 39 → 33
As part of this annual process, P2PE Vendors are required to submit the applicable P-AOV to the PCI SSC P2PE Program Manager and confirm, in part, that:
As part of this annual process, P2PE Vendors are required to confirm whether any changes have been made to the P2PE Product, and that:
Modified p. 39 → 33
a) Changes have been applied to the Listed P2PE Product in a way that is consistent with the P2PE Standard and Program Requirements;
a) Changes have been applied in a way that is consistent with the P2PE Standard;
Modified p. 39 → 33
b) The Listed P2PE Product continues to meet the requirements of the P2PE Standard and Program Requirements;
b) The P2PE Product continues to meet the requirements of the P2PE Standard;
Removed p. 40
If an updated P-AOV is not submitted and Accepted by PCI SSC on or before the Listed P2PE Product’s current Annual Revalidation Date, the P2PE Product will be subject to Administrative Expiry, as follows:

Figure 7: Administrative Expiry

6.1.1. Initial Administrative Expiry Period

• The corresponding P2PE Product Listing will be updated to show the P2PE Product’s Annual Revalidation date in Orange for a period up to 90 consecutive calendar days unless the Annual Revalidation requirements of the Program are satisfied.

• If a Full Assessment is conducted, submitted to and Accepted by PCI SSC, before the P2PE Product Expires, the submission will qualify as a Reassessment as described herein. Otherwise, once Expired, any Full Assessment submission of the P2PE Product to PCI SSC will be considered a New Assessment.
Modified p. 40 → 33
PCI SSC will, following receipt of the updated P-AOV: (i) review the submission for completeness; and (ii) if completeness is established, sign and return a copy of the updated P-AOV to the P2PE Vendor.
PCI SSC will, following receipt of the updated P2PE Attestation of Validation: (i) review the submission for completeness; and (ii) if completeness is established, sign and return a copy of the updated P2PE Attestation of Validation to the P2PE Vendor.
Modified p. 40 → 33
If the updated and complete P-AOV is received by PCI SSC within this initial 90-day period, PCI SSC will, upon Acceptance, remove the Orange status from the P2PE Product Listing.
If the updated and complete P-AOV is received within this 90-day period, PCI SSC will update the corresponding Listing’s Reassessment Date with the new date and remove the Orange status.
Modified p. 40 → 33
6.1.2. Secondary Administrative Expiry Period

• If the updated and complete P-AOV is not received and Accepted by PCI SSC within the 90-day initial Administrative Expiry period, the corresponding P2PE Product Listing will be updated to show the P2PE Product’s Annual Revalidation date in Red for a period up to 90 consecutive calendar days.
If the updated and complete P-AOV is not received within this 90-day period, the corresponding Listing’s Reassessment Date will be updated to show the date in Red.
Modified p. 40 → 33
Once a Listed P2PE Product is in this secondary Administrative Expiry period (Red), a Full Assessment (including applicable Program fees) is required to relist the P2PE Product and avoid Expiry.
Once in Red, a Full Assessment (including applicable fees) is required to return the P2PE Product’s Listing to good standing.
Modified p. 40 → 33
6.1.3. Administrative Expiry

• If a P2PE Product’s Listing has been in a Red status for more than 90 consecutive calendar days (over 180 days overdue in satisfying the Annual Revalidation requirements of the Program), it becomes an Expired P2PE Product, is no longer considered a Validated P2PE Product, and will be moved to the P2PE Expired Listings.
If a P2PE Product’s Listing has been in a Red status for more than 90 days, the P2PE Product will be moved to the P2PE Expired Listing.
Removed p. 41
As a Listed P2PE Product approaches its 3-year Reassessment date, PCI SSC will provide a courtesy notification to the P2PE Vendor via email notification of the pending expiration. However, it is the sole responsibility of the P2PE Vendor to initiate a Reassessment of their P2PE Product regardless of any such courtesy reminder(s). The P2PE Vendor can choose to perform a Reassessment, otherwise, the P2PE Product will become an Expired P2PE Product and move to the P2PE Expired Listings as described below.

Figure 8: Reassessment Timeline & Listing Expiry

6.2.1. Listing Expiry

A Listed P2PE Product for which a new Acceptance based on a Full Assessment has not occurred on or before the Listed P2PE Product’s applicable Reassessment date will immediately appear in Orange for up to 90 consecutive calendar days, and in Red thereafter for up to 90 additional consecutive calendar days.

If a new Acceptance has not occurred within 180 consecutive …
Modified p. 42 → 39
7. Program Fees

Program Fees are denoted in the Programs Fee Schedule on the Website. Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.
All P2PE Program fees are posted on the Website. Program fees are non-refundable and are subject to change upon posting of revised fees on the Website.
Modified p. 42 → 39
PCI SSC will invoice the P2PE Vendor for all associated Program Fees for a submission and the P2PE Vendor is required to pay these fees directly to PCI SSC.
PCI SSC will invoice the P2PE Vendor for all Validation Maintenance Fees, and the P2PE Vendor will pay these fees directly to PCI SSC.
Modified p. 42 → 39
Program fees must be received by PCI SSC for a submission to be reviewed and Accepted (provided the submission satisfies the P2PE Standard and Program Requirements). Upon Acceptance, PCI SSC will sign and return a copy of the P-AOV to both the P2PE Vendor and the P2PE Assessor Company.
For any change affecting the listing of a validated P2PE Product, the applicable fee will be invoiced and must be received by PCI SSC for the change to be Accepted and added to the corresponding P2PE List. Upon Acceptance, PCI SSC will sign and return a copy of the P-AOV to both the P2PE Vendor and the P2PE Assessor Company.
Modified p. 42 → 39
Note: The P2PE Vendor pays all P2PE Assessment-related fees directly to the P2PE Assessor Company. (These fees are negotiated between the P2PE Vendor and the P2PE Assessor Company.)
Note: The P2PE Vendor pays all P2PE Assessment-related fees directly to the P2PE Assessor. (These fees are negotiated between the P2PE Vendor and the P2PE Assessor Company.)
Removed p. 43
• Notify Participating Payment Brands that a Security Issue has occurred
• Request a copy of the latest version of the P2PE Vendor’s Vulnerability Handling Policies
• Communicate with the P2PE Vendor about the Security Issue and, where possible and permitted, share information relating to the Security Issue
• Support the P2PE Vendor’s efforts to mitigate or prevent further Security Issues
• Support the P2PE Vendor’s efforts to correct any Security Issues
• Work with the P2PE Vendor to communicate and cooperate with appropriate law enforcement agencies to help mitigate or prevent further Security Issues
Modified p. 43 → 39
• The name, PCI SSC approval (Reference) number, and any other relevant identifiers of each of the P2PE Vendor’s P2PE Product(s) affected by the Security Issue;
• A description of the general nature of the Security Issue;
• The P2PE Vendor’s good-faith assessment, to its knowledge at the time, as to the scope and severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS or other industry-accepted standard scoring); and
• Assurance that the P2PE Vendor is …
The P2PE Vendor’s good-faith assessment, to its knowledge at the time, as to the scope and severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS or other industry-accepted standard scoring); and
Modified p. 44 → 40
PCI SSC reserves the right to suspend, withdraw, revoke, cancel or place conditions upon its Acceptance of (and accordingly, remove from the List of Validated P2PE Products) any P2PE Product in accordance with the VRA, in instances including but not limited to, if PCI SSC reasonably determines that (a) the P2PE Product does not provide sufficient protection against current threats and conform to the requirements of the P2PE Program, (b) the continued Acceptance of the P2PE Product represents a significant …
PCI SSC reserves the right to suspend, withdraw, revoke, cancel or place conditions upon its Acceptance of (and accordingly, remove from the List of Validated P2PE Solutions, List of Validated P2PE Components, or List of Validated P2PE Applications) any P2PE Product in accordance with the VRA, in instances including but not limited to, if PCI SSC reasonably determines that (a) the P2PE Product does not provide sufficient protection against current threats and conform to the requirements of the P2PE Program, …
Removed p. 45
• regardless of whether the P2PE Application being assessed is intended to be Listed on the List of Validated P2PE Applications or is not intended to be Listed and is only being validated and submitted as part of an overall P2PE Solution Assessment.

If any aspect of a P2PE Product is different from that which was validated by the P2PE Assessor Company qualified to assess the specific P2PE Product, and Accepted by PCI SSC

• even if the different P2PE Product (the “Alternate Product”) conforms to the basic product description of the Accepted P2PE Product

• the Alternate Product should not be considered Accepted by PCI SSC, nor promoted as Accepted by PCI SSC.
Modified p. 45 → 46
When granted, PCI SSC Acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC’s goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the P2PE Vendor or the functionality, quality, or performance of the Validated P2PE Product or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include …
When granted, PCI SSC Acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC’s goals, but such acceptance does, not under any circumstances, include or imply any endorsement or warranty regarding the P2PE Solution Provider or the functionality, quality, or performance of the P2PE Product or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include …
Removed p. 46
P2PE Solution Information The following fields in the Listing provide relevant information for each Validated P2PE Solution, consisting of the following:

• POI Device Key Loading Supported: Denotes Local Key Injection and/or Remote Key Distribution being supported by the P2PE Product as determined and validated as part of the P2PE Product Assessment. The “Remote Key” distribution requirements are additional requirements that apply to any entity implementing remote key distribution using asymmetric techniques for the distribution of keys to PCI-approved PTS POI devices for use in connection with account-data encryption.

• Key Types Supported: Denotes Symmetric and/or Asymmetric key types being supported as a result of the assessment and validation of the P2PE Product. The requisite set of requirements in the P2PE Standard must be satisfied to denote a key type. At least one key type must be supported.

Note: A Listed P2PE Solution that undergoes a Reassessment that is subsequently Accepted and Listed …
Modified p. 46 → 47
P2PE Solution Name The P2PE Solution Name is provided by the P2PE Solution Provider and is the name by which the P2PE Solution is known.
P2PE Solution Name P2PE Solution Name is provided by the P2PE Solution Provider and is the name by which the P2PE Solution is sold.
Modified p. 46 → 47
PCI SSC assigns the Reference Number once the Validated P2PE Solution is Accepted, which uniquely identifies the Listed P2PE Solution.
PCI SSC assigns the Reference number once the Validated P2PE Solution is posted to the Website; this number is unique per P2PE Solution Provider and will remain the same for the life of the listing.
Modified p. 46 → 47
An example reference number format is 2024-xxxxx.yyy consisting of the following, in order:
An example reference number is 2015-XXXXX.XXX consisting of the following:
Modified p. 46 → 47
Field: Format
Year of Listing: 4 digits + hyphen
P2PE Solution Provider Identifier: 5 digits + period (this value uniquely identifies the P2PE Solution Provider)
Field: Format
Year of listing: 4 digits + hyphen
Solution Provider #: 5 digits + period (assigned alphabetically initially, then as received)
Individual Solution Number #: 3 digits
Removed p. 47
While a P2PE Solution may include third-party services (including services potentially eligible for being Listed as a P2PE Component) those third-party services are not identified within the P2PE Solution’s Listing or on the List of Validated P2PE Components. Any use of such a service in another P2PE Product would require either an independent Listing as a P2PE Component, if eligible, or an assessment as part of each P2PE Product where the third-party services are used.

Note: A P2PE Solution may include P2PE Applications that were validated as part of the Solution assessment that are not separately Listed on the List of Validated P2PE Applications (referred to as a ‘Solution-specific P2PE Application’).

P2PE Applications in this case are denoted on the P2PE Solution Listing, however they do not have an associated Reference Number or an independent Reassessment Date. The P2PE Application name and its validated version(s) will be displayed under the associated P2PE …
Modified p. 47 → 48
• P2PE Applications Supported This section identifies the P2PE Applications validated for use with the P2PE Solution, including the P2PE Application’s Reassessment date.
• P2PE Applications Supported This section identifies the P2PE Applications validated for use with this P2PE Solution and Listed on the List of Validated P2PE Applications and will include the expiry date of the P2PE Application’s approval.
Modified p. 47 → 48
P2PE Assessor Company The qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is in accordance with the P2PE Standard and Program Requirements.
P2PE Assessor This entry denotes the name of the qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is compliant with the P2PE Standard.
Modified p. 47 → 50
PCI-approved PTS HSMs Supported This section identifies PCI-approved PTS HSM devices validated for use with the P2PE Solution and will include the relevant PCI PTS reference numbers and expiry dates of the PCI PTS approval. A website link to the associated PTS Approval on the PCI List of Approved PIN Transaction Security (PTS) Devices is included for each device supported.
PCI-Approved POI Devices Supported This section identifies PCI-approved POI devices validated for use with this P2PE Solution and will include relevant PCI PTS reference numbers and expiry dates of the PTS approval. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
Removed p. 48
Reassessment Date The 3-year date from the last date of Acceptance based on a Full Assessment by which time the P2PE Solution Provider can choose to undergo and submit another Full Assessment of the P2PE Solution to the P2PE Standard and Program Requirements to, provided Acceptance occurs, maintain their Listing.

• POI Device Key Loading Supported: Denotes Local Key Injection and/or Remote Key Distribution being supported by the P2PE Product as determined and validated as part of the P2PE Product Assessment. The “Remote Key” distribution requirements are additional requirements that apply to any entity implementing remote key distribution using asymmetric techniques for the distribution of keys to PCI-approved PTS POI devices for use in connection with account-data encryption.

• Key Types Supported: Denotes Symmetric and/or Asymmetric key types being supported as a result of the assessment and validation of the P2PE Product. The requisite set of requirements in the P2PE Standard must …
Removed p. 49
P2PE Component Information The following fields in the Listing provide relevant information for each Validated P2PE Component, consisting of the following:

PCI SSC assigns the Reference Number once the Validated P2PE Component is Accepted, which uniquely identifies the Listed P2PE Component.

Note: A Listed P2PE Component that undergoes a Reassessment to the same major version of the P2PE Standard that is subsequently Accepted and Listed will retain the existing Reference Number.

A Listed P2PE Component that undergoes a Reassessment to a new major version of the P2PE Standard that is subsequently Accepted and Listed will result in an updated (new) Reference Number.
Modified p. 49
P2PE Component Name The P2PE Component Name is provided by the P2PE Component Provider and is the name by which the P2PE Component Provider’s services are known.
P2PE Component Name P2PE Component Name is provided by the P2PE Component Provider and is the name by which the P2PE Component Provider’s services are known.
Modified p. 49 → 52
An example reference number format is 2024-xxxxx.yyy consisting of the following, in order:
An example reference number is 2019-XXXXX.XXX.AAA, consisting of the following:
Removed p. 50
Note: Certain Component Types can outsource to other predefined Listed Component types. Refer to the Outsourcing Matrix in Section 3.1.

This section identifies the P2PE Components validated for use with this P2PE Component including the Reassessment Date of the P2PE Component.

While a P2PE Component may include third-party services (including those offering services potentially eligible for being Listed as a Validated P2PE Component), those third-party services are not identified within the P2PE Component’s Listing or on the List of Validated P2PE Components. Any use of such a service in another P2PE Product would require either an independent Listing as a P2PE Component, if eligible, or assessment as part of each P2PE Product of which the P2PE Component is a part of.

• PCI-Approved PTS POI Devices Supported This section identifies PCI-approved PTS POI devices, including the PTS POI device hardware and firmware versions, validated for use with this P2PE Component and will include …
Modified p. 50 → 49
• P2PE Components Supported
• P2PE Component Name
Modified p. 50
Note: Not all component detail categories will apply to every P2PE Component type. For example, Decryption Environments do not have associated P2PE Applications.
• P2PE Components Not all component details will apply, as each component service is different. For example, Encryption-management services may have PTS POI Devices Supported; others likely will not.
Modified p. 50
• P2PE Applications Supported This section identifies the P2PE Applications validated for use with the P2PE Component including the P2PE Application’s Reassessment date.
• P2PE Applications Supported This section identifies the P2PE Applications validated for use with this P2PE Component and Listed on the List of Validated P2PE Applications and will include the expiry date of the P2PE Application’s approval.
Modified p. 50 → 51
P2PE Assessor Company The qualified P2PE Assessor Company that performed the validation and determined that the P2PE Component is in accordance with the P2PE Standard and Program Requirements.
P2PE Assessor This entry denotes the name of the qualified P2PE Assessor Company that performed the validation and determined that the P2PE Component is compliant with the P2PE Standard.
Removed p. 51
Reassessment Date The 3-year date from the last date of Acceptance based on a Full Assessment by which time the P2PE Component Provider can choose to undergo and submit another Full Assessment of the P2PE Component to the P2PE Standard and Program Requirements to, provided Acceptance occurs, maintain their Listing.
Removed p. 52
P2PE Application Information The following fields in the Listing provide relevant information for each Validated P2PE Application, consisting of the following:

Note: The P2PE Application Name cannot contain any variables or special characters.

Represents the validated application version. The format of the version number:

Note: A Listed P2PE Application that undergoes a Reassessment that is subsequently Accepted and Listed on the Website results in a new Reference Number.

An example reference number format is 2024-xxxxx.yyy, consisting of the following:

P2PE Application Identifier: 3 digits (this value uniquely identifies the P2PE Application of the P2PE Application Vendor)

• P2PE Application Details: Details specific to the P2PE Application consisting of underlying dependencies that include the following:
Modified p. 52 → 50
Field: Format
Year of Listing: 4 digits + hyphen
P2PE Application Vendor Identifier: 5 digits + period (this value uniquely identifies the P2PE Application Vendor)
Field: Format
Year of listing: 4 digits + hyphen
Component Provider #: 5 digits + period (assigned alphabetically initially, then as received)
Individual Component Number #: 3 digits
Modified p. 52
P2PE Application Name
P2PE Application Name
Modified p. 52
The P2PE Application Name is provided by the Application Vendor and is the name by which the application is known.
• P2PE Application Name P2PE Application Name is provided by the Application Vendor and is the name by which the application is sold. The Application Name cannot contain any variable characters.
Modified p. 52
P2PE Application Version Number
P2PE Application Version #
Modified p. 52
Note: Refer to Appendix E for details about content to include in the P2PE Application P-ROV and P2PE Application Implementation Guide for the Application Vendor’s versioning methods.
Note: See Appendix H: P2PE Application Software Versioning Methodology for details about content to include in the P2PE Application P-ROV and P2PE Application Implementation Guide for the Application Vendor’s versioning methods.
• Reference Number
Modified p. 52
• Is set by the P2PE Application Vendor, in accordance with Program Requirements;
• May consist of a combination of alphanumeric characters; and
• Must be consistent with the P2PE Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Must be consistent with the P2PE Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Modified p. 52
PCI SSC assigns the Reference Number once the Validated P2PE Application is Accepted, which uniquely identifies the Listed P2PE Application.
PCI SSC assigns the Reference number once the Validated P2PE Application is posted to the Website; this number is unique per P2PE Application Vendor and will remain the same for the life of the listing.
Removed p. 53
P2PE Standard Version The version of the P2PE Standard used to validate the P2PE Application.

Annual Revalidation Date The date by which the P2PE Application Vendor must satisfy the Annual Revalidation process, which occurs at the 12- and 24-month mark from the last date of Acceptance based on a Full Assessment.

Reassessment Date The 3-year date from the last date of Acceptance based on a Full Assessment by which time the P2PE Application Vendor can choose to undergo and submit another Full Assessment of the P2PE Application to the P2PE Standard and Program Requirements to, provided Acceptance occurs, maintain their Listing.
Modified p. 53
P2PE Application Assessor Company The qualified P2PE Application Assessor Company that performed the validation and determined that the P2PE Application is in accordance with the P2PE Standard and Program Requirements.
P2PE Assessor This entry denotes the name of the qualified PA-QSA (P2PE) Assessor Company that performed the validation and determined that the application is compliant with the P2PE Standard.
Removed p. 54
• Numbers of digits used for each element

• Format of separators used between elements

• The hierarchy of the elements:

• The specific details of how wildcards are used in the versioning methodology.
Modified p. 54 → 70
E.1 Version Number Format The format of the application version number is set by the P2PE Application Vendor and may be comprised of several elements. The versioning methodology and the P2PE Application Implementation Guide must fully describe the format of the application version number including the following:
H.1 Version Number Format The format of the application version number is set by the P2PE Application Vendor and may be comprised of several elements. The versioning methodology and the P2PE Application Implementation Guide must fully describe the format of the application version number including the following:
Modified p. 54 → 70
• Character set used for each element (consisting of alphabetic, numeric, and/or alphanumeric characters)
The format of the version scheme, including:
o Number of elements
o Numbers of digits used for each element
o Format of separators used between elements
o Character set used for each element (consisting of alphabetic, numeric, and/or alphanumeric characters)
Modified p. 54 → 70
• Definition of what each element represents in the version scheme
The hierarchy of the elements
o Definition of what each element represents in the version scheme
o Type of change: major, minor, maintenance release, wildcard, etc.
Modified p. 54 → 70
• The definition of elements that indicate any use of wildcards.
• The definition of elements that indicate any use of wildcards
Modified p. 54 → 70
E.2 Version Number Usage All changes to the P2PE Application must result in a new application version number. However, whether this affects the version number listed on the Website depends on the nature of the change and the P2PE Application Vendor’s published versioning methodology (refer to Section E.3, “Wildcards” below). All changes that impact security functionality and/or any P2PE Standard requirements must result in a change to the version number listed on the Website; wildcards are not permitted for changes …
• The specific details of how wildcards are used in the versioning methodology

H.2 Version Number Usage All changes to the P2PE Application must result in a new application version number. However, whether this affects the version number listed on the Website depends on the nature of the change and the P2PE Application Vendor’s published versioning methodology (see Section H.3, “Wildcards,” below). All changes that impact security functionality and/or any P2PE Requirements must result in a change to the version …
Modified p. 54 → 71
Type of change: major, minor, maintenance release, wildcard, etc.
Types of changes made to the application

• For example, major release, minor release, maintenance release, wildcard, etc.
Modified p. 55 → 71
• Changes that have impact on the application functionality but no impact on security or P2PE Standard requirements
• Changes that have impact on the application functionality but no impact on security or P2PE Requirements
Modified p. 55 → 71
• Changes that impact any security functionality or P2PE Standard requirements
Elements of the version number used for non-security-impacting changes must never be used for security-impacting changes.
• Changes that impact any security functionality or P2PE Requirement
Elements of the version number used for non-security-impacting changes must never be used for security-impacting changes.
Modified p. 55 → 71
E.3 Wildcards A “wildcard” element is a variable character that may be substituted for a defined subset of possible characters in an application versioning scheme. In the context of P2PE Applications, wildcards can optionally be used to represent non-security-impacting changes between each version represented by the wildcard element. A wildcard is the only variable element of the P2PE Application Vendor’s version scheme. Use of a wildcard element in the versioning scheme is optional and is not required in order for …
H.3 Wildcards A “wildcard” element is a variable character that may be substituted for a defined subset of possible characters in an application versioning scheme. In the context of P2PE Applications, wildcards can optionally be used to represent non-security-impacting changes between each version represented by the wildcard element. A wildcard is the only variable element of the P2PE Application Vendor’s version scheme. Use of a wildcard element in the versioning scheme is optional and is not required in order for …
Modified p. 55 → 71
a) Wildcard elements may only be used for non-security-impacting changes, which have no impact on security and/or any P2PE Standard requirements.
a) Wildcard elements may only be used for No Impact changes, which have no impact on security and/or any P2PE requirements.
Modified p. 55 → 71
d) Wildcard elements must not precede version elements that could represent security-impacting changes; version elements reflecting a security-impacting change must appear “to the left of” the first wildcard element.
d) Wildcard elements must not precede version elements that could represent security-impacting changes; version elements reflecting a security-impacting change must appear “to the left of” the first wildcard element.
Modified p. 55 → 71
f) All wildcard usage must be consistent with that validated by the P2PE Application Assessor Company as part of the P2PE Assessment of the P2PE Application.
f) All wildcard usage must be consistent with that validated by the P2PE Assessor Company as part of the P2PE Assessment of the P2PE Application.
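The placement and usage rules above (a, d, and the rule that non-security-impacting elements are never reused for security-impacting changes) as an added worked check; this is example code, not from the PCI SSC guide. The scheme description, the use of "x" as the wildcard character and a digits-only wildcard subset are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed scheme description for this example (not a PCI SSC structure):
# elements are split on `separator`; indices in `security_impacting` are the
# elements the vendor's published methodology uses for security-impacting
# changes; a Listed element written as `wildcard` stands for any element made
# only of characters from `wildcard_charset`.
@dataclass(frozen=True)
class VersionScheme:
    separator: str = "."
    security_impacting: tuple = (0, 1)
    wildcard_charset: str = "0123456789"
    wildcard: str = "x"

def elements(version: str, scheme: VersionScheme) -> list:
    return version.split(scheme.separator)

def wildcard_placement_ok(listed: str, scheme: VersionScheme) -> bool:
    """Rule d): every security-impacting element sits to the left of the first wildcard."""
    elems = elements(listed, scheme)
    wild = [i for i, e in enumerate(elems) if e == scheme.wildcard]
    if not wild or not scheme.security_impacting:
        return True
    return max(scheme.security_impacting) < min(wild)

def covered_by_listing(listed: str, actual: str, scheme: VersionScheme) -> bool:
    """Is `actual` one of the versions represented by the Listed (possibly wildcarded) string?"""
    lst, act = elements(listed, scheme), elements(actual, scheme)
    if len(lst) != len(act) or not wildcard_placement_ok(listed, scheme):
        return False
    allowed = set(scheme.wildcard_charset)
    return all(
        (le == scheme.wildcard and ae != "" and set(ae) <= allowed) or le == ae
        for le, ae in zip(lst, act)
    )

def is_security_impacting(old: str, new: str, scheme: VersionScheme) -> bool:
    """A change is security-impacting iff a security-impacting element changed
    (a change in element count is treated conservatively as security-impacting)."""
    o, n = elements(old, scheme), elements(new, scheme)
    if len(o) != len(n):
        return True
    return any(o[i] != n[i] for i in scheme.security_impacting)

def listing_must_change(listed: str, old: str, new: str, scheme: VersionScheme) -> bool:
    """Rule a): a security-impacting change can never hide behind the wildcard, so the
    Listed version must change; a non-security-impacting change that stays within the
    wildcard-covered versions need not."""
    if is_security_impacting(old, new, scheme):
        return True
    return not (covered_by_listing(listed, old, scheme) and covered_by_listing(listed, new, scheme))
```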
Removed p. 56
Table 2: P-ROV Templates
P-ROV Name (Abbreviated): Template for Report on Validation for use with P2PE v3.1 for P2PE Solution Assessments
Used for the Following Assessments: P2PE Solution
Purpose: Validation of a P2PE Solution requires, at a minimum, a P2PE Solution P-ROV. Additional P-ROVs (below) may be required for Validating a P2PE Solution depending on whether Listed P2PE Components and/or P2PE Applications are included.

Note: A separate Merchant-Managed Solution P-ROV is used as part of validating MMS.

P-ROV Name (Abbreviated): Template for Report on Validation for use with P2PE v3.1 for P2PE Encryption Management Services Assessments
Used for the Following Assessments: P2PE Solution (as needed); Encryption Management; POI Deployment; POI Management
Purpose: “Encryption Management Services” relates to the distribution, management, and use of PCI-approved PTS POI devices in a P2PE Solution.

Validation of P2PE Solutions that do not outsource the entirety of their Encryption Management Services to Listed P2PE Component Providers, either to an EMCP or to BOTH a PDCP AND a …
Removed p. 57
Validation of P2PE Solutions that do not outsource the entirety of their Decryption Management Services to a Listed DMCP must include this P-ROV in addition to a Solution P-ROV.

Validation of P2PE Component services provided by a DMCP must use this P-ROV.

P-ROV Name (Abbreviated): Template for Report on Validation for use with P2PE v3.1 for Key Management Services Assessments
Used for the Following Assessments: P2PE Solution (as needed); Key Management; Key Loading
Purpose: “Key Management Services” relates to the generation, conveyance, management, and loading of cryptographic keys including the management of associated devices (POI devices, HSMs, etc.).

Validation of a P2PE Solution that has not satisfied the key management services requirements (Domain 5) either using Listed P2PE Component Providers and/or through the assessment of their Encryption Management Services and/or Decryption Management Services must complete the KMS P-ROV. E.g., if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to PCI-approved PTS POI devices for use …
Removed p. 58
P-ROV Preparation and Submission:

The P2PE Assessor Company must complete the applicable P-ROV(s) in accordance with the Program Requirements. If the P2PE Assessor determines there are items that need to be addressed, the P2PE Vendor must address those items, and the P2PE Assessor Company must update the P-ROV(s) prior to submission to PCI SSC. Once the P2PE Assessor Company is satisfied that all documented issues have been resolved by the P2PE Vendor, the P2PE Assessor Company submits the P-ROV(s) and all other required materials to PCI SSC on behalf of the P2PE Vendor. As stated in the P2PE Qualification Requirements and the P2PE Assessor Addendum, P2PE Assessors are required to meet all quality assurance standards set by PCI SSC.

PCI SSC P-ROV Submission Review Once PCI SSC receives the completed P-ROV(s) and all other required materials and applicable fees, PCI SSC reviews the submission from a quality-assurance perspective and determines whether …
Removed p. 59
P-ROV(s) that have been returned to the P2PE Assessor Company for correction must be resubmitted to PCI SSC within 30 calendar days of the preceding submission (clearly denoting and communicating the cumulative changes within the document(s), including redline as applicable). If resubmitting to PCI SSC within 30 calendar days is not possible, the P2PE Assessor Company must inform PCI SSC of the timeline for response. Lack of response on P-ROV(s) returned to the P2PE Assessor Company for correction may result in the submission being closed. Submissions that have been closed will not be reopened and must be resubmitted as if they are new P-ROV submissions.

When undergoing a P2PE Assessment, ‘Not Applicable’ cannot be used by entities that provide only partial aspects of a defined P2PE Component Provider service to validate to that P2PE Component Provider type.
Modified p. 60 → 72
Notes: Each requirement denoted includes all sub-requirements unless indicated otherwise.
Note: Each requirement denoted includes all sub-requirements unless indicated otherwise.
Modified p. 60 → 72
Notes for the P2PE Standard Requirement Applicability Matrix:
Notes for the P2PE Requirement Applicability Matrix:
Modified p. 60 → 72
E.g., if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to PCI-approved POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service that has not already been assessed as part of the inclusion of a Listed P2PE Component Provider, then the P2PE Solution assessment must include all applicable key management services requirements (Domain 5).
For example, if the P2PE Solution offers remote key-distribution using asymmetric techniques for the distribution of keys to POI devices for use in connection with account-data encryption, or the operation of an applicable CA/RA, or any other relevant key management service that has not already been assessed as part of the inclusion of a PCI-listed P2PE Component Provider, then the Solution assessment must include all applicable key management services requirements (Domain 5).
Removed p. 69
Note: 5I-1 is applicable to Component Providers performing key management services for POI devices and/or HSMs

5I-1 X X X X X X X X X (applicability matrix row; column headings not preserved in this excerpt)

APPENDIX A
Removed p. 70
** Listed P2PE Solutions and applicable Listed P2PE Components are prohibited from performing a P2PE Reassessment with any expired HSMs that exceed the reassessment date shown relative to the specified PCI PTS HSM Standard version. Note that a successful Reassessment is valid for three years.

*** Listed P2PE Solutions and applicable Listed P2PE Components must have replaced any expired HSMs with current (non-expired) HSMs by the date shown here relative to the specified PCI PTS HSM Standard version.

Figure 9: PCI-Approved PTS HSM Expiry Flowchart