Document Comparison
PCI-P2PE-v3_1-Summary-of-Changes.pdf → PCI-P2PE-v3.2-Summary-Of-Changes-June2025.pdf
7% similar
Pages: 4 → 10
Words: 738 → 2293
Content Changes
11 content changes. 8 administrative changes (dates, page numbers) hidden.
Added
p. 2
This summary does not denote every change made in the standard.
Reqt = Requirement, TP = Test Procedure, Re = Regarding
P2PE v3.1 / P2PE v3.2 / DESCRIPTION
General / Introduction Sections
Global: General errata
Global: Test Procedures (TPs) updated to use defined actions: Examine, Interview, Observe, Test
Introductory sections prior to Technical References: Minor edits, wording alignment
P2PE at a Glance • Overview of Domains and Requirements: Added entries for section 3D to Domain 3
Scope of Assessment, Merchant Encryption Environment: Retitled section based on context
SCD Domain Applicability: Fixed ‘N/A’ for Domain 2 re POI devices to ‘Applicable’
Signing Devices: New Section. Creates context re use of SCDs and/or HMDs for signing software.
P2PE Solutions and Use of Third Parties and/or P2PE Component Providers: Removed enumerated process for third parties as it is already within the P2PE Program Guide
P2PE Solutions and the Use of P2PE Applications and/or P2PE Non-payment Software P2PE …
Added
p. 4
• modified TP 1A-1.2.b
• removed (testing) 1A-1.2.1 Removed Reqt & TPs removed
• already accounted for by 1A-1.2 Additional clarity added to Reqt New note added taken from PTS POI 1A-1.3 TP modified (now 1A-1.3.a)
• partly moved to new TP 1A-1.3.b to reduce testing.
• only required where excluded interface(s) exist, thereby reducing testing.
1A-2 Domain 3, 3D-1 Note removed
• context already stated elsewhere 1A-2 requirements all moved to Domain 3.
1A-2.1 3D-1.1 Moved to Domain 3 as overall Solution scope. No longer applicable to Domain 1 related CPs.
1A-2.2 3D-1.2 Moved to Domain 3 as overall Solution scope. No longer applicable to Domain 1 related CPs.
Added clarity to reqt Removed five of the bullet points, minor edits Added bullet re remote access, which allows the removal of reqt 1B-2.3.
TPs modified to match reqt updates TP 1B-1.1.b
• modified testing expectation/method 1B-1.1.1 Removed Reqt & TPs removed. Context already exists in Domain 2 and Domain 3, …
Added
p. 5
1B-3.4: Added clarity to TP 1B-3.4.b
1B-4.1: ‘PAN and/or SAD’ changed to ‘account data’ for consistency
1B-5.1: TP 1B-5.1.c was an embedded reqt • deleted TP and moved context to new reqt 1B-5.1.1.
TP 1B-5.1.c → 1B-5.1.1: New reqt to accommodate embedded reqt.
TP 1B-5.1.c was an embedded reqt • deleted TP and moved context to new reqt 1B-5.1.1.
Requirement 1C: See below
1C-1.1: Revised signing and authentication expectations
1C-1.1.1, 1C-1.1.2, 1C-1.1.3: Reqts superseded by 1C-1.1
1C-2.1: Revised documentation expectations
1C-2.1.1, 1C-2.1.2, 1C-2.1.3: Superseded by Reqts superseded by 1C-2.1
1D-1.1: Moved 1D-1.1 to 1D-1.2. Rewrote 1D-1.1 into new requirement.
Added
p. 6
Additional notes added 2A-1.2 TP reworded and partly moved to new TP 2A-1.2.b that reduces testing ‘PAN/SAD’ changed to ‘account data’, which is more accurate and used in (and therefore aligns with) SRED requirements in PTS POI.
2A-2.1 Note added Clarity in wording added 2A-2.2 TP 2A-2.2.a
• removed 1st bullet point 2A-2.3, 2A-2.4 Added note to account for technical constraints 2A-3 Added clarity to context/intent 2A-3.1 Added additional bullet to add clarity on intent
• TP updated accordingly Changed to ‘If’ language to better support use of ‘N/A’ as reqt is conditionally mandatory Added note to ref explicit P2PE Tech FAQ for truncation 2A-3.1.2 Revised TPs 2A-3.2 Added clarity on intent 2A-3.3 Added clarity to 2nd note Changed to ‘If’ language to better support use of ‘N/A’ as reqt is conditionally mandatory Removed 3rd bullet 2B-1.1 Removed TP 2B-1.1.d
• redundant 2B-4.1 Clarity added to reqt wording 2C-3.1 TP 2C-3.1 removed Domain 2 …
Added
p. 8
TP 4A-1.1.a removed TP 4A-1.1.b updated to reference reqt 1-3 4A-1.1.1 Removed Removed due to duplication w/ reqt 1-4 in Domain 5 4A-1.1.2, 4A-1.1.3 Added clarity re use of HSMs 4B-1.4 Added clarity re the use of the POI devices Added clarity and reorganized reqt wording Revised expectation for the inspection/detection Removed TP 4B-1.5.b Combined TP 4B-1.5.c into TP 4B-1.5.a 4B-1.6 Revised TP 4B-1.6.a
• removed explicit ROC section title Changed to ‘If’ wording to better report N/A where applicable as reqt is conditionally mandatory.
Removed generic DSS reference Added Note to explicit P2PE Tech FAQ ref for truncated PANs.
4B-1.9[.x] Changed to ‘If’ wording to better report N/A where applicable as reqt is conditionally mandatory.
4B-1.9.1 4B-1.9 Combined into 4B-1.9 including TPs 4C-1.1 Revised Note and TP 4C-1.3 Removed reference to 4C-1.3.4 from TP 4C-1.3.4 Removed Reqt removed At a Glance
• Example P2PE Hybrid Decryption Implementation Diagram updated
• contextually the same 4D-1.3 Reqt …
Added
p. 10
• Double length context for POI v2.x removed
• use case no longer applicable.
Removed
p. 1
Payment Card Industry (PCI) Point-to-Point Encryption Security Requirements and Testing Procedures Summary of Significant Changes from v3.0 to v3.1
Removed
p. 2
Table 1: Change Types
Change Type: Definition
Clarification: Clarifies intent of requirement or testing procedure. Ensures that concise wording in the standard portrays the desired intent of requirements.
Additional guidance: Explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Evolving / New: Changes to ensure that the standard is up to date with emerging threats and changes in the market. May consist of a new or modified requirement, test procedure, or context.
Removal: Deleted a requirement or context due to redundancy or to better reflect the intent of the standard.
Restructure: Changes to eliminate redundant requirements or better align content with other requirements/standards.
Modified
p. 2
v3.1: PCI P2PE v3.1 Summary of Significant Changes. This document provides an overall summary of significant changes from P2PE v3.0 to P2PE v3.1 of the Security Requirements and Testing Procedures (i.e., the P2PE Standard).
v3.2: PCI P2PE v3.2 - Summary of Significant Changes. This document provides an overall summary of significant changes from PCI P2PE v3.1 to PCI P2PE v3.2 of the Security Requirements and Testing Procedures (i.e., the PCI P2PE Standard, the/this standard).
Removed
p. 3
Table 2: Summary of Changes
P2PE v3.0 / P2PE v3.1 / DESCRIPTION / CHANGE TYPE
Technical References: Updated ANSI and NIST (FIPS) references. (Change type: Evolving)
3A-3.2.1: Removed erroneous context of 3A-4.1 (which does not exist as of v3.0) from both the 3A-3.2.1 requirement and test procedure. (Change type: Clarification)
Domain 4: 2nd paragraph. Added missing context that the term Solution Provider is relative to the entity undergoing the P2PE assessment (as is mentioned in other applicable Domains). (Change type: Additional Guidance)
Domain 5: Remote Key-Distribution Using Asymmetric Techniques Operations. Added two bullet points to further clarify the term ‘remotely’. (Change type: Additional Guidance)
1-3: Added note to clarify PCI-approved HSMs may be contingent on being deployed in controlled environments or more robust (e.g., secure) environments as defined in ISO 13491-2 and in the HSM’s Security Policy. (Change type: Additional Guidance)
6-3: Minor rewording/restructuring to requirement and test procedures. Added Note to clarify printed key components includes manual capture. (Change type: Clarification)
Added new requirements with pre-existing context to capture a …
Removed
p. 4
21-4: Added context for FIPS 140-2/3 and Annex C. (Change type: Clarification)
24-2.2: Clarified retention context of affidavit. (Change type: Clarification)
26-1: Added clarity regarding secure storage of logs. Added missing context to new test procedure 26-1.a regarding interviews and documentation review. Renumbered existing test procedures. (Change type: Clarification)
29-1: Added note providing guidance for SCDs used for key injection and code signing (including display prompts). (Change type: Additional Guidance)
29-1.1.3 → 29-1.1.2: Resolved misnumbering issue. (Change type: Clarification)
29-3: New bullet point for context of tamper. (Change type: Clarification)
32-1.1: Additional clarification in Note for character length. (Change type: Clarification)
32-9: Aligned encrypted key loading dates and POI versions with previously issued PCI Bulletin (and PIN v3.1). 32-9.7: Added missing context of recording from requirement to test procedure. (Change type: Clarification)
Annex C: Updated wording throughout Annex C to add clarity to existing context. (Change type: Clarification & Additional Guidance)