Document Comparison

P2PE_Program_Guide_v1.1.pdf P2PE_Program_Guide_v1.2.pdf
83% similar
48 → 48 Pages
17143 → 17002 Words
95 Content Changes

Content Changes

95 content changes. 60 administrative changes (dates, page numbers) hidden.

Added p. 2
November 2015 1.2 Updated to correct minor typos and to align processes and listings with the evolving P2PE Program.
Added p. 7
P2PE Standard Refers to Solution Requirements and Testing Procedures: Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hardware) v1.1.1 and Solution Requirements and Testing Procedures: Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hybrid) v1.1.1.

Vendor Release Agreement (or “VRA”) The then-current and applicable form of release agreement that PCI SSC:
Added p. 24
Annually, by the interim assessment due date (i.e., 12 months after each Acceptance), the P2PE Solution Provider is required to submit an updated Solution AOV, performing the “interim assessment steps.” As a courtesy, PCI SSC will endeavor to provide notification via email to the P2PE Vendor Contact (listed on the P-AOV) within 90 days of revalidation/reassessment, but it is the sole responsibility of the P2PE Vendor to maintain the listing regardless of the successful receipt of courtesy reminder(s).

(i) Update the List of Validated P2PE Solutions on the PCI SSC website accordingly with the new information; and (ii) Sign and return a copy of the Solution AOV to both the P2PE Solution Provider and the P2PE Assessor. The Revalidation Date and Reassessment Date of this P2PE Solution will remain unchanged i.e. an administrative change has no impact on the Revalidation Date or Reassessment Date of a listed P2PE Solution.

For quality issues …
Added p. 27
Hardware/Hardware and Hardware/Hybrid template and document the testing completed per PCI SSC requirements; (iii) The P2PE Solution Provider prepares and signs a Solution AOV and sends it to the P2PE (iv) The P2PE Assessor signs its concurrence on the Solution AOV and forwards it, along with the P2PE Solution’s updated P2PE Instruction Manual and the P2PE Designated Changes to Solutions: Hardware/Hardware and Hardware/Hybrid template Report to PCI SSC; and (v) PCI SSC will then issue an invoice to the P2PE Vendor for the applicable change fee; and (vi) Upon payment of the invoice PCI SSC reviews the submission for quality assurance purposes.

(i) Amend the corresponding List of Validated P2PE Solutions on the Website accordingly with the new information; and (ii) Sign and return a copy of the corresponding P2PE Attestation of Validation to both the P2PE Vendor and the P2PE Assessor Company.

For quality issues associated with any aspect of the …
Added p. 37
PCI SSC’s Assessor Quality Management Team (“AQM”) reviews each P-ROV submission after the invoice for the P2PE Acceptance Fee has been paid by the P2PE Vendor. Administrative review will be performed in “pre-screening” to ensure that the submission is complete, and then an AQM Analyst will review the submission in its entirety.

The AQM Analyst will review the P2PE submission first to determine whether it is eligible for validation as described in the P2PE Program Guide. If there is a question as to eligibility, the AQM Analyst will contact the P2PE Assessor Company for additional information. If the P2PE submission is determined to be ineligible for validation under the P2PE Program, the P-ROV will be rejected. The P2PE Assessor Company will receive a letter of rejection with optional instructions for appealing this rejection.

If the P2PE submission is determined to be eligible for validation under the P2PE Program and the submission is …
Added p. 37
QSA Company audits are provided for in the QSA Qualification Requirements, and P2PE Assessor Companies are subject to audits of their work as P2PE Assessor Companies under the QSA Qualification Requirements at any time. This may include, but not be limited to, review of completed reports, work papers and onsite visits with P2PE Assessor Companies to audit internal QA programs, at the expense of the P2PE Assessor Company. Refer to the QSA Qualification Requirements for information on PCI SSC’s audit process.
Added p. 42
While a P2PE Solution may include applications that were evaluated per relevant requirements in the P2PE Standard, those are not listed within the P2PE Solution or within the List of Validated P2PE Applications. Any use of such an application in another P2PE Solution would require either independent listing as a P2PE Application, if eligible, or assessment as part of each P2PE Solution the application is part of.

P2PE Version “P2PE Version” is used by PCI SSC to denote the standard, and the specific version thereof, used to assess the compliance of a Validated P2PE Solution.

Regions Served This section allows for the submission of a description of geographic regions in which this P2PE Solution is available e.g. Europe, Asia-Pacific.
Added p. 46
• Is set by the vendor,
• May consist of a combination of alphanumeric characters and
• Must be consistent with the Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Added p. 47
• PTS Devices Supported This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.

Description Provided by Application Vendor This section allows for the Application Vendor’s submission in the Portal via the PA-QSA (P2PE) of a description of the P2PE Application that is to be used in the List of Validated P2PE Applications should the Application P-ROV be Accepted. This must be a factual description of the application functionality. The description must not:
• Contradict any PCI SSC program or requirement
• Make misleading claims about the application
• Claim the application is …
Modified p. 1
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Program Guide Version 1.1
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Program Guide Version 1.2
Removed p. 4
• P2PE Glossary of Terms, Abbreviations and Acronyms
• PCI Data Security Standard Requirements and Security Assessment Procedures
• PA-DSS Requirements and Security Assessment Procedures
• PTS PIN Security Requirements
• PTS Hardware Security Module (HSM) Security Requirements
• PTS POI Modular Security Requirements
• PTS Device Testing and Approval Program Guide
• PCI DSS Glossary of Terms, Abbreviations, and Acronyms
• PCI DSS QSA Qualification Requirements

• Supplement for P2PE Qualified Security Assessors
Modified p. 4
The following additional PCI SSC documents are used in conjunction with the P2PE Standard:
The following additional PCI SSC documents are used in conjunction with v1.1.1 of the P2PE Standard:
Modified p. 4
QSA (P2PE) and PA-QSA (P2PE) 1.2 Updates to Documents and Security Requirements Security is a never-ending race against potential attackers. As a result, it is necessary to regularly review, update and improve the security requirements used to evaluate point-to-point encryption (P2PE) solutions. As such, PCI SSC endeavors to publish formal updates to its P2PE security requirements every 36 months, at a minimum. Additionally, PCI SSC provides interim updates to the PCI community through a variety of means, including required …
• Payment Card Industry (PCI) Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms v1.2 (the “P2PE Glossary”)
• PCI Data Security Standard Requirements and Security Assessment Procedures
• PA-DSS Requirements and Security Assessment Procedures
• PTS PIN Security Requirements
• PTS Hardware Security Module (HSM) Security Requirements
• PTS POI Modular Security Requirements
• PTS Device Testing and Approval Program Guide
• PCI DSS Glossary of Terms, Abbreviations, and Acronyms
• PCI Qualification Requirements for Point-to-Point Encryption (P2PE) Qualified Security …
Modified p. 4
The QSA Qualification Requirements • Supplement for Point-to-Point Encryption Security Assessors defines the requirements that must be met by a QSA (P2PE) and PA-QSA (P2PE) in order to perform assessments.
The P2PE Qualification Requirements define the requirements that must be met by a QSA (P2PE) and PA-QSA (P2PE) in order to perform P2PE Assessments.
Removed p. 5
Application P-ROV P-ROV covering a P2PE Application Assessment relating to a P2PE Application.
Modified p. 5
c) Confirmed that the P-ROV is correct as to form, the P2PE Assessor adequately reported the P2PE compliance of the P2PE Solution or P2PE Application in accordance with the P2PE Program requirements and the detail provided in the P- ROV meets PCI SSC’s reporting requirements; and
c) Confirmed that the P-ROV is correct as to form, the P2PE Assessor adequately reported the P2PE compliance of the P2PE Solution or P2PE Application in accordance with the P2PE Program requirements and the detail provided in the P-ROV meets PCI SSC’s reporting requirements; and
Modified p. 5
AOV The “Attestation of Validation” is a declaration of the P2PE Solution or P2PE Application’s validation status with the P2PE Standard (as further described in the PCI DSS QSA Qualification Requirements supplement for Point-to-Point Encryption Qualified Security Assessors

• QSA (P2PE) and PA-QSA (P2PE)).
AOV The “Attestation of Validation” is a declaration of the P2PE Solution or P2PE Application’s validation status with the P2PE Standard (as further described in the PCI DSS QSA Qualification Requirements supplement for Point-to- Point Encryption Qualified Security Assessors

• QSA (P2PE) and PA-QSA (P2PE)).
Modified p. 6
P2PE Application Refer to definition in P2PE Glossary.
P2PE Application Refer to definition in P2PE Glossary v1.2.
Modified p. 6
P2PE Application Assessment An assessment of a P2PE Application against the P2PE Domain 2 Application Vendor Testing Procedures in isolation of any point-to- point solution, for purposes of ensuring in connection with the P2PE Assessor Program that the application itself is secure and the vendor has robust application-development processes.
P2PE Application Assessment An assessment of a P2PE Application against the P2PE Domain 2 Application Vendor Testing Procedures in isolation of any point-to-point solution, for purposes of ensuring in connection with the P2PE Assessor Program that the application itself is secure and the vendor has robust application-development processes.
Modified p. 6
P2PE Assessor A company then qualified by PCI SSC as either a QSA (P2PE) or PA- QSA (P2PE).
P2PE Assessor A company then qualified by PCI SSC as either a QSA (P2PE) or PA-QSA (P2PE).
Modified p. 6
P2PE Components Refer to definition in P2PE Glossary.
P2PE Components Refer to definition in P2PE Glossary v1.2.
Modified p. 6
P2PE Glossary The then-current version of (or successor document to) the PCI Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms, as from time to time amended and made available on the PCI SSC website.
P2PE Glossary v1.2 of the PCI Point-to-Point Encryption Glossary of Terms, Abbreviations, and Acronyms, available on the Website.
Removed p. 7
P2PE Standard The then-current versions of (or successor documents to) each component of PCI SSC's solution requirements and assessment procedures for Point-to-Point Encryption, including but not limited to the Payment Card Industry (PCI) Point-to-Point Encryption Solution Requirements and Testing Procedures, any and all appendices, exhibits, schedules, and attachments to any of the foregoing and all materials incorporated therein, in each case, as from time to time amended and made available on the PCI SSC website.

P2PE Vendor Release Agreement or P2PE VRA The then-current and applicable form of release agreement that PCI SSC:
Modified p. 7
P2PE Solution Refer to definition in P2PE Glossary.
P2PE Solution Refer to definition in P2PE Glossary v1.2.
Modified p. 7
P2PE Solution Provider Refer to definition in P2PE Glossary.
P2PE Solution Provider Refer to definition in P2PE Glossary v1.2.
Modified p. 8
a) Is qualified by PCI SSC to provide services to P2PE Solution Providers and/or P2PE Application Vendors in order to validate that such providers’ or vendors’ P2PE Solutions and/or P2PE Applications adhere to all aspects of the P2PE Standard, including but not limited to, validation that payment applications, when incorporated into or used as part of a P2PE Solution, adhere to all P2PE Domain 2 Requirements; and b) Remains in Good Standing (as defined in Section 1.3 of the QSA …
a) Is qualified by PCI SSC to provide services to P2PE Solution Providers and/or P2PE Application Vendors in order to validate that such providers’ or vendors’ P2PE Solutions and/or P2PE Applications adhere to all aspects of the P2PE Standard, including but not limited to, validation that payment applications, when incorporated into or used as part of a P2PE Solution, adhere to all P2PE Domain 2 Requirements; and b) Remains in Good Standing (as defined in Section 1.3 of the QSA …
Modified p. 8
PCI SSC or the Council PCI Security Standards Council, LLC.
PCI Security Standards Council, LLC.
Modified p. 8
PCI SSC website The then-current PCI SSC web site, which is currently available at http://www.pcisecuritystandards.org.
PCI SSC website or Website The then-current PCI SSC web site and its accompanying web pages, which is currently available at www.pcisecuritystandards.org.
Modified p. 8
PCI-approved POI Device Refer to definition in P2PE Glossary.
PCI-approved POI Device Refer to definition in P2PE Glossary v1.2.
Modified p. 8
Qualified Security Assessor for Point-to-Point Encryption or QSA (P2PE) A Qualified Security Assessor (QSA) company that:
Qualified Security Assessor for Point-to- Point Encryption or QSA (P2PE) A Qualified Security Assessor (QSA) company that:
Modified p. 8
Secure Cryptographic Device (SCD) Refer to definition in P2PEGlossary.
Secure Cryptographic Device (SCD) Refer to definition in P2PE Glossary v1.2.
Removed p. 9
PCI SSC reflects a desire among constituents of the Payment Card Industry (PCI) at all levels for a single, standardized set of security requirements, security assessment procedures, and processes for recognizing P2PE Solutions validated by P2PE Assessors. The P2PE and related PCI SSC standards define a common security assessment framework that is currently recognized by all Participating Payment Brands.
Modified p. 9
Validated P2PE Solution A P2PE Solution that has been assessed by a QSA (P2PE) or PA- QSA (P2PE) to be in scope for the P2PE Program and to have met all of the requirements of the P2PE Standard and then Accepted by PCI SSC, so long as such Acceptance has not been revoked, suspended, withdrawn or terminated.
Validated P2PE Solution A P2PE Solution that has been assessed by a QSA (P2PE) or PA-QSA (P2PE) to be in scope for the P2PE Program and to have met all of the requirements of the P2PE Standard and then Accepted by PCI SSC, so long as such Acceptance has not been revoked, suspended, withdrawn or terminated.
Modified p. 9
Stakeholders in the payments value chain benefit from these requirements in a variety of ways, including but not limited to the following:
Stakeholders in the payments value chain benefit from the P2PE Standard in a variety of ways, including but not limited to the following:
Modified p. 10 → 11
Note that PCI SSC does not approve reports from a validation perspective. The role of the QSA (P2PE) and PA-QSA (P2PE) is to validate the P2PE Solution meets all requirements of the P2PE Standard as of the date of the P2PE Assessment. PCI SSC Accepts P2PE Solutions only after performing quality
Note that PCI SSC does not approve reports from a validation perspective. The role of the QSA (P2PE) and PA-QSA (P2PE) is to validate the P2PE Solution meets all requirements of the P2PE Standard as of the date of the P2PE Assessment. PCI SSC Accepts P2PE Solutions only after performing quality assurance reviews to help ensure that QSAs (P2PE) and PA-QSAs (P2PE) accurately and thoroughly document the results of their P2PE Assessments.
Removed p. 12
It is the PA-QSA (P2PE)’s responsibility to validate that the P2PE Application meets all applicable P2PE Domain 2 Requirements.
Modified p. 12
2. PA-QSA (P2PE)s PA-QSA (P2PE)s are companies that have been (and remain) qualified by PCI SSC to perform P2PE Solution Assessments and P2PEApplication Assessments.
2. PA-QSA (P2PE)s PA-QSA (P2PE)s are companies that have been (and remain) qualified by PCI SSC to perform P2PE Solution Assessments and P2PE Application Assessments.
Modified p. 12 → 13
PCI PTS Laboratories Security laboratories qualified by PCI SSC under the PCI SSC PTS laboratory program (“PCI PTS laboratories”) are responsible for the evaluation of POI devices against PCI SSC’s PTS standards and requirements (“PTS requirements”). Evaluation reports on devices found compliant with the PTS requirements are submitted by the PCI PTS laboratories to PCI SSC for approval, and if approved, the device is listed on PCI SSC‘s "List of Approved PTS Devices" on the PCI SSC website.
PCI Recognized Laboratories Security laboratories qualified by PCI SSC under the PCI SSC laboratory program (“PCI-recognized laboratories”) are responsible for the evaluation of POI devices against PCI SSC’s PTS Standards and requirements (“PTS requirements”). Evaluation reports on devices found compliant with the PTS requirements are submitted by the PCI-recognized laboratories to PCI SSC for approval, and if approved, the device is listed on PCI SSC‘s "List of Approved PTS Devices" on the PCI SSC website.
Modified p. 12 → 13
Note: Device evaluation by a PCI PTS laboratory is a separate process from the assessment and validation of a device as part of a P2PE Solution Assessment; the P2PE Solution Assessment will confirm whether or not a device is listed on PCI SSC‘s List of Approved PTS Devices.
Note: Device evaluation by a PCI-recognized laboratory is a separate process from the validation of a P2PE Solution Assessment; the P2PE Solution Assessment validates whether or not a given P2PE Solution (which may include multiple POI devices) is in compliance with the P2PE Standard.
Modified p. 15
2. The P2PE Solution Provider then provides access to the P2PE Solution to the P2PE Assessor, including details of all Third-Party Service Providers used, access to facilities, details of applications and devices used within the solution, Implementation Guides for P2PE Applications used in the solution, P2PE Instruction Manual, and all associated manuals and other required documentation, including but not limited to the P2PE Solution Provider’s signed P2PE VRA and all materials required thereby.
2. The P2PE Solution Provider then provides access to the P2PE Solution to the P2PE Assessor, including details of all Third-Party Service Providers used, access to facilities, details of applications and devices used within the solution, Implementation Guides for P2PE Applications used in the solution, P2PE Instruction Manual, and all associated manuals and other required documentation, including but not limited to the P2PE Solution Provider’s signed VRA and all materials required thereby.
Removed p. 18
• Independently listed on the List of Validated P2PE Applications OR
• Appear only as a component of a specific Validated P2PE Solution (without any independent application listing).
Modified p. 18
1) Assessments for Applications with Access to Clear-Text Account Data Applications with access to clear-text account data must undergo validation per all P2PE Domain 2 Requirements, and will be either:
1) Assessments for Applications with Access to Clear-Text Account Data Applications with access to clear-text account data must undergo validation per all P2PE Domain 2 Requirements.
Modified p. 18
If an application is currently listed on the List of Validated P2PE Applications, the Application P-ROV has already been Accepted by PCI SSC. As a result, only the Domain 2 Solution Provider
If an application is currently listed on the List of Validated P2PE Applications, the Application P-ROV has already been Accepted by PCI SSC. As a result, only the Domain 2 Solution Provider Assessment Testing Procedures must be assessed and evidenced in the Solution P-ROV for the P2PE Solution Assessment.
Modified p. 20
• Determine whether any Third-Party Service Providers are used in the P2PE Solution, e.g. key-injection facility or Certification Authority. For each Third-Party Service Provider identified, determine whether the entity has a P2PE Solution Assessment completed, and if so, determine the scope of that assessment in relation to the services being performed for the P2PE Solution Provider. P2PE Solution Providers are responsible for ensuring that the Third-Party Service Providers they use are compliant with all applicable requirements of the P2PE …
• Determine whether any Third-Party Service Providers are used in the P2PE Solution, e.g. key-injection facility or Certification Authority. For each Third-Party Service Provider identified, determine whether the entity has a P2PE Solution Assessment completed, and if so, determine the scope of that assessment in relation to the services being performed for the P2PE Solution Provider. P2PE Solution Providers are responsible for ensuring that the Third-Party Service Providers they use are compliant with all applicable requirements of the P2PE …
Modified p. 21
Complete versions of all required P2PE Solution-related materials (such as manuals, the P2PE Instruction Manual, the P2PE Vendor Release Agreement and all other required materials relating to the review and participation in the P2PE Program) must be delivered to the P2PE Assessor, not to PCI SSC.
Complete versions of all required P2PE Solution-related materials (such as manuals, the P2PE Instruction Manual, the Vendor Release Agreement and all other required materials relating to the review and participation in the P2PE Program) must be delivered to the P2PE Assessor, not to PCI SSC.
Modified p. 21
4. The executed P2PE Vendor Release Agreement and all materials required thereby (see Section 4.4 below).
4. The executed Vendor Release Agreement and all materials required thereby (see Section 4.4 below).
Modified p. 22
A P-ROV will not be reviewed by PCI SSC without a current P2PE VRA and accompanying materials on file from the relevant P2PE Vendor.
A P-ROV will not be reviewed by PCI SSC without a current VRA and accompanying materials on file from the relevant P2PE Vendor.
Modified p. 22
So long as an executed current version of the P2PE VRA is on file with PCI SSC for the relevant P2PE Vendor, it is not required to re-submit a newly executed P2PE VRA with each subsequent P-ROV for the same P2PE Vendor.
So long as an executed current version of the VRA is on file with PCI SSC for the relevant P2PE Vendor, it is not required to re-submit a newly executed VRA with each subsequent P-ROV for the same P2PE Vendor.
Modified p. 24
If an updated Solution AOV is not timely submitted for a listed P2PE Solution, the P2PE Solution will be subject to early administrative expiry, as follows: On the Revalidation Date, the List of Validated P2PE Solutions will be updated to show the P2PE Solution in Orange for a period of 60 days. If the updated and complete Solution AOV is received within this 60-day period, PCI SSC will update the List of Validated P2PE Solutions with the new Revalidation Date …
If an updated Solution AOV is not timely submitted for a listed P2PE Solution, the P2PE Solution will be subject to early administrative expiry, as follows: On the Revalidation Date, the List of Validated P2PE Solutions will be updated to show the P2PE Solution in Orange for a period of 90 days. If the updated and complete Solution AOV is received within this 90-day period, PCI SSC will update the List of Validated P2PE Solutions with the new Revalidation Date …
Modified p. 25
If a new Solution P-ROV and Solution AOV are not submitted in a timely manner for a listed P2PE Solution, the P2PE Solution will be deemed to be subject to expiry, as follows. On the Expiry Date, the List of Validated P2PE Solutions will be updated to show the P2PE Solution in Orange for a period of 60 days. If the updated and complete required documentation is received within this 60-day period, PCI SSC will update the List of Validated …
If a new Solution P-ROV and Solution AOV are not submitted in a timely manner for a listed P2PE Solution, the P2PE Solution will be deemed to be subject to expiry, as follows. On the Reassessment Date, the List of Validated P2PE Solutions will be updated to show the P2PE Solution in Orange for a period of 90 days. If the updated and complete required documentation is received within this 90-day period, PCI SSC will update the List of Validated …
Removed p. 26
• An invoice for the applicable Administrative Change Fee will be issued to the P2PE Solution Provider.

• Upon payment of the invoice to PCI SSC as described in Validation Maintenance Fees located on the PCI SSC website, PCI SSC will: (i) update the List of Validated P2PE Solutions on the PCI SSC website accordingly with the new information and (ii) sign and return a copy of the Solution AOV to both the P2PE Solution Provider and the P2PE Assessor. The Revalidation Date and Expiry Date of this P2PE Solution will remain unchanged i.e. an administrative change has no impact on the Revalidation Date or Expiry Date of a listed P2PE Solution. PCI SSC communicates quality issues associated with any aspect of the submission to the P2PE Assessor, and those issues are resolved according to the process depicted in Figure 2. PCI SSC reserves the right to reject any Solution Provider …
Modified p. 26
(i) The P2PE Assessor must so notify the P2PE Solution Provider; (ii) The P2PE Solution Provider prepares and signs a Solution AOV, and sends it to the P2PE (iii) The P2PE Assessor signs their concurrence on the Solution AOV and forwards it, along with the Solution Provider Change Analysis and the P2PE Solution’s updated P2PE Instruction Manual to PCI SSC; and (iv) PCI SSC will then review the Solution AOV and Solution Provider Change Analysis for quality assurance purposes.
(i) The P2PE Assessor must so notify the P2PE Solution Provider; (ii) The P2PE Solution Provider prepares and signs a Solution AOV, and sends it to the P2PE (iii) The P2PE Assessor signs their concurrence on the Solution AOV and forwards it, along with the Solution Provider Change Analysis and the P2PE Solution’s updated P2PE Instruction Manual to PCI SSC; and (iv) PCI SSC will then issue an invoice to the P2PE Vendor for the applicable change fee; and (v) …
Modified p. 26
If the P2PE Assessor does not agree with the P2PE Solution Provider that the change, as documented, has no impact on the P2PE related functions of the P2PE Solution, the P2PE Assessor must return the Solution Provider Change Analysis to the P2PE Solution Provider and should work with them to consider what actions are necessary to address the P2PE Assessor’s observations.
Note: If the P2PE Assessor does not agree with the P2PE Solution Provider that the change, as documented, has no impact on the P2PE related functions of the P2PE Solution, the P2PE Assessor must return the Solution Provider Change Analysis to the P2PE Solution Provider and should work with them to consider what actions are necessary to address the P2PE Assessor’s observations.
Modified p. 26
Following successful PCI SSC quality assurance review of an Administrative Change:
Following successful PCI SSC quality assurance review of an Administrative Change, PCI SSC will:
Removed p. 27
• An invoice for the Designated Change Fee will be issued to the P2PE Solution Provider; and
• Upon payment of the invoice to PCI SSC as described in Validation Maintenance Fees below, PCI SSC will: (i) update the List of Validated P2PE Solutions on the PCI SSC website accordingly with the new information; and (ii) sign and return a copy of the Solution AOV to both the P2PE Solution Provider and the P2PE Assessor. The Revalidation Date and Expiry Date of this P2PE Solution will remain unchanged i.e. a designated change has no impact on the Revalidation Date or Expiry Date of a listed P2PE Solution. PCI SSC will communicate quality issues associated with any aspect of the submission to the P2PE Assessor, and those issues are resolved according to the process depicted in Figure 2. PCI SSC reserves the right to reject any Designated Change Assessment Report if …
Modified p. 27
(i) The P2PE Assessor must perform an assessment of the requirements of the P2PE Standard that are affected by the change. Details of the tests which must be performed are available from the PCI SSC website. For example, for device changes, a subset of Domain 1 tests will be required; for application changes, a subset of Domain 2 tests will be required; (ii) The P2PE Assessor must produce a Designated Change Assessment Report and document the testing completed per PCI …
(i) The P2PE Assessor must perform an assessment of the requirements of the P2PE Standard that are affected by the change. Details of the tests which must be performed are available from the PCI SSC website. For example, for device changes, a subset of Domain 1 tests will be required; for application changes, a subset of Domain 2 tests will be required; (ii) The P2PE Assessor must complete the P2PE Designated Changes to Solutions:
Modified p. 27
If the P2PE Assessor does not agree with the P2PE Solution Provider that the change, as documented in the Solution Provider Change Analysis, is eligible as a Designated Change, the P2PE Assessor must return the Solution Provider Change Analysis to the P2PE Solution Provider and should work with them to consider what actions are necessary to address the P2PE Assessor’s observations.
Note: If the P2PE Assessor does not agree with the P2PE Solution Provider that the change, as documented in the Solution Provider Change Analysis, is eligible as a Designated Change, the P2PE Assessor must return the Solution Provider Change Analysis to the P2PE Solution Provider and should work with them to consider what actions are necessary to address the P2PE Assessor’s observations.
Modified p. 27
Following successful PCI SSC quality assurance review of a Designated Change:
Following successful PCI SSC quality assurance review of a Designated Change, PCI SSC will:
Modified p. 29
• The name, PCI SSC approval number and any other relevant identifiers of the P2PE Solution;
• A description of the general nature of the Security Issue;
• The P2PE Solution Provider’s good faith assessment, to its knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC); and
• The P2PE Solution Provider’s good faith determination, …

• The name, PCI SSC approval number and any other relevant identifiers of the P2PE Solution;
• A description of the general nature of the Security Issue;
• The P2PE Solution Provider’s good faith assessment, to its knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC); and
• The P2PE Solution Provider pays all P2PE Solution …
Modified p. 29
A P2PE Solution must be listed on the List of Validated P2PE Solutions and not have reached its Expiry Date in order to have a change Accepted and Listed.
A P2PE Solution must be listed on the List of Validated P2PE Solutions and not have reached its Reassessment Date in order to have a change Accepted and Listed.
Modified p. 30
PCI SSC reserves the right to suspend, withdraw, revoke, cancel or place conditions upon its Acceptance of (and accordingly, remove from the List of Validated P2PE Solutions) any listed P2PE Solution in accordance with the P2PE VRA, including but not limited to, when it is clear that the P2PE Solution does not offer sufficient protection against current threats and does not conform to the requirements of the P2PE Program, when the continued Acceptance of the P2PE Solution represents a significant …
PCI SSC reserves the right to suspend, withdraw, revoke, cancel or place conditions upon its Acceptance of (and accordingly, remove from the List of Validated P2PE Solutions) any listed P2PE Solution in accordance with the VRA, including but not limited to, when it is clear that the P2PE Solution does not offer sufficient protection against current threats and does not conform to the requirements of the P2PE Program, when the continued Acceptance of the P2PE Solution represents a significant and …
Modified p. 33
• Completed Solution P-ROV
• P2PE Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• P2PE Instruction Manual for the assessed P2PE Solution
• Current version of P2PE VRA signed by the P2PE Solution Provider together with any related documentation

6.2.3 New P2PE Applications
For all initial submissions to PCI SSC, the P2PE Assessor must submit the following by uploading to the Portal:
• Completed Solution P-ROV
• P2PE Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• P2PE Instruction Manual for the assessed P2PE Solution
• Current version of VRA signed by the P2PE Solution Provider together with any related documentation

6.2.3 New P2PE Applications
For all initial submissions to PCI SSC, the P2PE Assessor must submit the following by uploading to the Portal:
Modified p. 33
• Completed Application P-ROV
• P2PE Application AOV signed by both the P2PE Application Vendor and the P2PE Assessor
• Implementation Guide for the assessed P2PE Application
• Current version of P2PE VRA signed by the P2PE Application Vendor together with any related documentation
• Completed Application P-ROV
• P2PE Application AOV signed by both the P2PE Application Vendor and the P2PE Assessor
• Implementation Guide for the assessed P2PE Application
• Current version of VRA signed by the P2PE Application Vendor together with any related documentation
Modified p. 34
• Solution Provider Change Analysis document
• Updated P2PE Instruction Manual for the assessed P2PE Solution
• Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• If requested by PCI SSC, current version of P2PE VRA, together with any related documentation

6.2.6 Designated Changes
For all submissions of a Designated Change to an already listed P2PE Solution, the P2PE Assessor must submit the following documents through the Portal.
• Solution Provider Change Analysis document
• Updated P2PE Instruction Manual for the assessed P2PE Solution
• Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• If requested by PCI SSC, current version of VRA, together with any related documentation

6.2.6 Designated Changes
For all submissions of a Designated Change to an already listed P2PE Solution, the P2PE Assessor must submit the following documents through the Portal.
Modified p. 34
• Solution Provider Change Analysis document
• Specified testing documentation, dependent on the type of change
• Updated P2PE Instruction Manual for the assessed P2PE Solution
• Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• If requested by PCI SSC, current version of P2PE VRA, together with any related documentation

6.3 P-ROV Review Process
• Solution Provider Change Analysis document
• Specified testing documentation, dependent on the type of change
• Updated P2PE Instruction Manual for the assessed P2PE Solution
• Solution AOV signed by both the P2PE Solution Provider and the P2PE Assessor
• If requested by PCI SSC, current version of VRA, together with any related documentation

6.3 P-ROV Review Process
Removed p. 37
The process flow for the Assessor Quality Management program is detailed in Figure 3.
Removed p. 37
• The P2PE Solution or P2PE Application is determined to be ineligible for Acceptance under the P2PE Program and the P-ROV will not be Accepted; or
• The P2PE Solution or P2PE Application is determined to be eligible for Acceptance under the P2PE Program and therefore the P-ROV will be reviewed and determined to either:
  • Meet the requirements of the P2PE Program; or
  • Not meet the requirements of the P2PE Program in which case all identified issues with the P-ROV must be resolved before the P-ROV review can be completed.
Removed p. 37
Each calendar year all P2PE Assessors submitting reports to PCI SSC are subject to an audit of their submissions.

The audit process is a more formalized method of review involving a robust evaluation of the P2PE Assessor’s work. The audit will evaluate the work product of the P2PE Assessor for a set of P-ROVs and related materials. The audit process will encompass the report submission (P-ROV), along with an evaluation of work papers and the P2PE Assessor’s internal Quality Assurance manual. This will help to ensure the organization’s internal Quality Assurance processes are being followed. Additionally, the
Modified p. 37
PCI SSC reviews P-ROVs and P2PE Assessor performance for quality assurance purposes. As stated in the QSA Qualification Requirements Supplement for Point-to-Point Qualified Security Assessors and the P2PE QSA Agreement, P2PE Assessors are required to meet all quality assurance standards set by PCI SSC. The various phases of the assessor quality management program are described below.
PCI SSC reviews P-ROVs and P2PE Assessor performance for quality assurance purposes. As stated in the QSA Qualification Requirements, P2PE Assessors are required to meet all quality assurance standards set by PCI SSC. The various phases of the assessor quality management program are described below.
Modified p. 40
No P2PE Solution Provider or other third party may refer to a P2PE Solution as “PCI Approved,” or “PCI SSC Approved” nor otherwise state or imply that PCI SSC has, in whole or part, approved any aspect of a P2PE Solution Provider or its P2PE Solution, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with PCI SSC, or in a P2PE Solution AOV provided by PCI SSC. All other references …
No P2PE Solution Provider, P2PE Application Vendor or other third party may refer to a P2PE Solution or P2PE Application as “PCI Approved,” or “PCI SSC Approved” nor otherwise state or imply that PCI SSC has, in whole or part, approved any aspect of a P2PE Solution Provider, P2PE Application Vendor or its P2PE Solution or P2PE Application, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with PCI SSC, …
Modified p. 40
When granted, PCI SSC acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC’s goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the P2PE Solution Provider or the functionality, quality, or performance of the P2PE Solution or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include …
When granted, PCI SSC Acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC’s goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the P2PE Solution Provider, P2PE Application Vendor or the functionality, quality, or performance of the P2PE Solution, P2PE Application or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does …
Removed p. 41
• P2PE Solution Name
• Reference Number
Example of a P2PE Solution Identifier:
Modified p. 41
P2PE Solution Identifier The P2PE Solution Identifier is used by PCI SSC to denote relevant information for each Validated P2PE Solution, consisting of the following fields (fields are explained in detail below):
P2PE Solution Identifier P2PE Solution Identifiers refers to a subset of fields in the listing below the “Company” entry and is used by PCI SSC to denote relevant information for each Validated P2PE Solution, consisting of the following fields (fields are explained in detail below):
Modified p. 41
Component        Description
Solution Name    Acme Payment 600
Reference #      2012-00021.002

P2PE Solution Identifier: Detail
• P2PE Solution Name: P2PE Solution Name is provided by the P2PE Solution Provider, and is the name by which the P2PE Solution is sold.
• P2PE Solution Name
• Reference Number
• Solution Details

P2PE Solution Identifier: Detail
• P2PE Solution Name: P2PE Solution Name is provided by the P2PE Solution Provider, and is the name by which the P2PE Solution is sold.
Modified p. 41
An example reference number is 2012-XXXXX.XXX consisting of the following:
An example reference number is 2015-XXXXX.XXX consisting of the following:
Modified p. 41
Field                         Format
Year of listing               4 digits + hyphen
Solution Provider #           5 digits + period (assigned alphabetically initially, then as received)
Individual Solution Number #  3 digits

Validated According To
“Validated According To” is used by PCI SSC to denote the standard, and the specific version thereof, used to assess the compliance of a Validated P2PE Solution.
Field                         Format
Year of listing               4 digits + hyphen
Solution Provider #           5 digits + period (assigned alphabetically initially, then as received)
Individual Solution Number #  3 digits

• Solution Details: Clicking on this link brings up a list of details specific to this Solution consisting of the following fields (fields are explained in detail below):
Modified p. 41 → 42
P2PE Assessor This entry denotes the name of qualified P2PE Assessor that performed the validation and determined that the P2PE Solution is compliant with the P2PE Standard.
P2PE Assessor This entry denotes the name of qualified P2PE Assessor Company that performed the validation and determined that the P2PE Solution is compliant with the P2PE Standard.
Removed p. 42
PCI-approved POI Devices This section identifies the PCI-approved POI devices validated for use with this P2PE Solution. Identification must include specific version/firmware and/or hardware identifiers and any relevant PCI PTS reference numbers.

P2PE Applications with Access to Clear-Text Account Data This section provides a list of all software applications used in the P2PE Solution that have been evaluated per P2PE Domain 2 Requirements, i.e. those that have access to clear-text account data.

For those applications which are separately validated to Domain 2 per Appendix D:

• A website link will be provided to the appropriate entry on the List of P2PE Validated Applications
• The Revalidation Date shown is the annual revalidation date of the Application P-ROV Acceptance for this application. If the expiry date is in the past this will be denoted by a color change
• The Expiry Date shown is the expiry date of the Application P-ROV Acceptance for this application. …
Modified p. 42 → 41
The Expiry Date shown is the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
• PTS Devices Supported
• P2PE Application(s) Supported

Solution Details: Detail
• PTS Devices Supported: This section identifies the PCI-approved POI devices validated for use with this P2PE Solution and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN …
Modified p. 42
Expiry Date The Expiry Date for Validated P2PE Solution is the date by which the P2PE Solution Provider must have the P2PE Solution re-evaluated against the current P2PE Standard in order to maintain the Acceptance.
Reassessment Date The Reassessment Date for Validated P2PE Solution is the date by which the P2PE Solution Provider must have the P2PE Solution re-evaluated against the current P2PE Standard in order to maintain the Acceptance.
Modified p. 42
Description Provided by Vendor This section allows for the submission of a description of the P2PE Solution to be used in the List of Validated P2PE Solutions, should the Solution P-ROV be Accepted.
Description Provided by Solution Provider This section allows for the Solution Provider’s submission in the Portal via the QSA (P2PE) of a description of the P2PE Solution to be used in the List of Validated P2PE Solutions, should the Solution P-ROV be Accepted.
Modified p. 44
If an updated Application AOV is not submitted for a listed application, that application will be subject to an early administrative expiry. As such, the List of Validated P2PE Applications will be updated to identify this by showing the application in Orange color for up to 60 days. If the updated Application AOV is received within this 60-day period PCI SSC will, providing it is completed as above, update the List of Validated P2PE Applications with the new revalidation date …
If an updated Application AOV is not submitted for a listed application, that application will be subject to an early administrative expiry. As such, the List of Validated P2PE Applications will be updated to identify this by showing the application in Orange color for up to 90 days. If the updated Application AOV is received within this 90-day period PCI SSC will, providing it is completed as above, update the List of Validated P2PE Applications with the new revalidation date …
Modified p. 45
(ii) Changes that have an impact on compliance with requirements of the P2PE Standard or P2PE functionality require a full re-assessment against P2PE Domain 2 Requirements. This requires preparation and submission to PCI SSC of an Application P-ROV and all applicable fees. Essentially this scenario is treated as a new P2PE Application. Upon Acceptance by PCI SSC of an appropriate Application P-ROV and Application AOV, the Listing of Validated P2PE Applications will be updated with new application validation and expiry …
(ii) Changes that have an impact on compliance with requirements of the P2PE Standard or P2PE functionality require a full re-assessment against P2PE Domain 2 Requirements. This requires preparation and submission to PCI SSC of an Application P-ROV and all applicable fees. Essentially this scenario is treated as a new P2PE Application. Upon Acceptance by PCI SSC of an appropriate Application P-ROV and Application AOV, the Listing of Validated P2PE Applications will be updated with new application validation and Reassessment …
Modified p. 45
C.3.1.3 Renewing Expired P2PE Applications As an application approaches its expiration date, PCI SSC will notify the vendor of the pending expiration. The two options available for application vendor consideration are full review or expiry:
C.3.1.3 Renewing P2PE Applications As an application approaches its Reassessment Date, PCI SSC will notify the vendor of the pending expiration. The two options available for application vendor consideration are full review or expiry:
Modified p. 45
(ii) Expiry: In all other situations (e.g. the vendor indicates that it does not intend to continue selling the application or has gone out of business, or otherwise fails to submit the application for full re-assessment by the expiration date), PCI SSC will update the List of Validated P2PE Applications to identify this by showing the application in Orange color for up to 60 days. If a new assessment documented in an Application P-ROV is received within this 60-day period …
(ii) Expiry: In all other situations (e.g. the vendor indicates that it does not intend to continue selling the application or has gone out of business, or otherwise fails to submit the application for full re-assessment by the Reassessment Date), PCI SSC will update the List of Validated P2PE Applications to identify this by showing the application in Orange color for up to 90 days. If a new assessment documented in an Application P-ROV is received within this 90-day
Removed p. 46
• P2PE Application Name
• P2PE Application Version #
• Reference Number
Example of a P2PE Application Identifier:
Modified p. 46
P2PE Application Identifier The P2PE Application Identifier is used by PCI SSC to denote relevant information for each validated P2PE Application, consisting of the following fields (fields are explained in detail below):
P2PE Application Identifiers P2PE Application Identifiers refers to a subset of fields in the listing below the “Company” entry used by PCI SSC to denote relevant information for each validated P2PE Application, consisting of the following fields (fields are explained in detail below):
Modified p. 46
Component              Description
Application Name       Acme Payment 600
Application Version #  PCI 4.5.3
Reference #            2012-00111.001

P2PE Application Identifier: Detail
• P2PE Application Name: P2PE Application Name is provided by the Application Vendor, and is the name by which the application is sold.
• P2PE Application Name
• P2PE Application Version #
• Reference Number
• Application Details

P2PE Application Identifier: Detail
• P2PE Application Name: P2PE Application Name is provided by the Application Vendor, and is the name by which the application is sold. The Application Name cannot contain any variable characters.
Modified p. 46
• P2PE Application Version #: P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment against P2PE Domain 2 Application Vendor Assessment Testing Procedures. The format is set by the vendor and may consist of a combination of alphanumeric characters.
• P2PE Application Version #: P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment against P2PE Domain 2 Application Vendor Assessment Testing Procedures. The format of the version number:
Modified p. 46
PCI SSC assigns the Reference number once the Validated P2PE Application is posted to the PCI SSC website; this number is unique per Application Vendor and will remain the same for the life of the listing.
PCI SSC assigns the Reference number once the Validated P2PE Application is posted to the Website; this number is unique per Application Vendor and will remain the same for the life of the listing.
Modified p. 46
An example reference number is 2012-XXXXX.XXX.AAA, consisting of the following:
An example reference number is 2015-XXXXX.XXX.AAA, consisting of the following:
Removed p. 47
• Tested Platforms/Operating Systems: This section identifies the PCI-approved POI devices validated for use with this P2PE Application. Identification must include specific version/firmware and/or hardware identifiers and any relevant PCI PTS reference numbers.

Revalidation Date The Revalidation Date is used by PCI SSC to indicate when the Application Vendor’s annual Application AOV is due. The Annual Revalidation is part of the Application AOV form, located on the PCI SSC website.

PCI SSC will endeavor to update the P2PE Standard on a 36-month cycle. Acceptance for P2PE Validated Applications expires three years past the effective date of a subsequent update of the P2PE Standard. The objective is a three-year minimum approval life expectancy, barring a severe threat that may require immediate changes.
Modified p. 47
Validated According To “Validated According To” is used by PCI SSC to denote the standard, and the specific version thereof, used to assess the compliance of a Validated P2PE Application.
P2PE Version “P2PE Version” is used by PCI SSC to denote the standard, and the specific version thereof, used to assess the compliance of a Validated P2PE Application.
Modified p. 47
Expiry Date The Expiry Date for Validated P2PE Application is the date by which the Application Vendor must have the application re-evaluated against the then current P2PE Standard in order to maintain Acceptance.
Reassessment Date The Reassessment Date for Validated P2PE Application is the date by which the P2PE Application Vendor must have the application re-evaluated in order to maintain Acceptance.
Modified p. 47
PA-QSA (P2PE) This entry denotes the name of qualified P2PE Assessor that performed the validation and determined that the application is compliant with the P2PE Standard.
P2PE Assessor This entry denotes the name of qualified PA-QSA (P2PE) Assessor Company that performed the validation and determined that the application is compliant with the P2PE Standard.