Document Comparison
P2PE_Program_Guide_v2.0.pdf → P2PE_Program_Guide_v2.0_r1.2_Mar_2020.pdf
98% similar
Pages: 71 → 71
Words: 22090 → 22357
Content Changes: 122 (77 administrative changes, such as dates and page numbers, hidden)
Added
p. 5
• Program Background (Section 1.1)
• P2PE Initiative and Overview (Section 1.4)
• Program Roles and Responsibilities (Section 2)
• Overview of the Validation Process (Section 3)
• Preparation for the Review (Section 4)
• Managing a Validated P2PE Listing (Section 5)
• Reporting Considerations (Section 6)
• Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (PCI DSS)
• Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures (PA-DSS)
• Payment Card Industry (PCI) PIN Security Requirements
• Payment Card Industry (PCI) PTS Hardware Security Module (HSM) Security Requirements
• Payment Card Industry (PCI) PTS POI Modular Security Requirements
• Payment Card Industry (PCI) PTS Device Testing and Approval Program Guide
Added
p. 14
• P2PE security requirements and assessment procedures
• Processes for recognizing P2PE Assessor-validated P2PE Solutions, P2PE Components, and P2PE Applications
• Decryption-management services
• Key-Injection Facility services
• Certification Authority/Registration Authority services
• Maintains a centralized repository for all P-ROVs for P2PE Products listed on the Website;
• Hosts the List of Validated P2PE Solutions, the List of Validated P2PE Components, and the List of Validated P2PE Applications on the Website;
• Provides required training for and qualifies QSA (P2PE) and PA-QSA (P2PE) Companies and Employees to assess and validate P2PE Products for P2PE compliance;
• Maintains and updates the P2PE Standard and related documentation according to a standards lifecycle management process; and
• Reviews all P-ROVs submitted to PCI SSC and related change submissions for compliance with baseline quality standards, including but not limited to, confirmation that:
• Submissions (including P-ROVs, updates and Interim Self Assessments/Annual Revalidations) are correct as to form;
• QSA (P2PE) and PA-QSA (P2PE) Companies adequately …
Added
p. 27
• Use the “SCD Domain Applicability” matrix in the Introduction section of the P2PE Standard.
• If a P2PE Application is not already on the List of Validated P2PE Applications, both the Application P-ROV and the Solution P-ROV must be submitted before the P2PE Solution can be Accepted. This applies for each P2PE Solution in which the application is used.
• Refer to definition in P2PE Glossary.
• If a P2PE Component is not already on the List of Validated P2PE Components but is being added to the List of Validated P2PE Components, the Component P-ROV must be submitted and Accepted before the Solution P-ROV can be Accepted.
• Perform a gap analysis between the Solution’s, Component’s, or Application’s security functionality and the P2PE Standard;
• Correct any gaps; and
• If desired, the P2PE Assessor Company may perform a pre-assessment or gap analysis of a P2PE Solution, Component, or Application. If the P2PE Assessor Company …
Added
p. 31
• Extensive rewrites will delay validation.
• Prompt payment of the fees due to PCI SSC
• Quality of the P2PE Assessor Company's submission to PCI SSC
• Covers confidentiality issues;
Added
p. 33
• Requires P2PE Vendors to adopt and comply with industry standard Vulnerability Handling Policies.
• Add/Remove P2PE Component;
• Add/Remove P2PE Application.
• Any other change that does not impact compliance with the requirements of the P2PE standard for a given P2PE Product.
• Changes where less than half of the P2PE Application’s functionality is affected; and
• Changes where less than half of the Domain 2 Requirements/sub-Requirements are affected; and
• Name and reference number of the Validated P2PE Listing
Added
p. 37
• Add/remove a validated POI device; or
• Add/remove a validated P2PE Application; or
• Name and reference number of the Validated P2PE Listing
• Description of why the change is necessary
• Addition of a POI device type to be supported by the P2PE Application
• Discontinuing support of a POI device currently supported by the P2PE Application
• Inclusion of updates or patches
Added
p. 41
• P2PE Change Impact document**
• Implementation Guide *
• P2PE Change Impact document***
• P2PE Implementation
• P2PE Change Impact document **
• Red-lined P-ROV
• Implementation Guide *
• The name, PCI SSC approval number, and any other relevant identifiers of each of the P2PE Vendor’s P2PE Product(s) affected by the Security Issue;
• A description of the general nature of the Security Issue;
• Assurance that the P2PE Vendor is following its Vulnerability Handling Policies.
Added
p. 49
• Solution Details P2PE Solution Identifier: Detail
• Solution Details Clicking on this link brings up a list of details specific to this Solution consisting of the following fields (fields are explained in detail below):
• PTS Devices Supported
• P2PE Application(s) Supported
• P2PE Components Solution Details: Detail
• P2PE Component Name
• Component Details P2PE Component Identifier: Detail
• PTS Devices Supported
• P2PE Application(s) Supported
• P2PE Application Name
• P2PE Application Version #
• Application Details P2PE Application Identifier: Detail
• Is set by the vendor,
• May consist of a combination of alphanumeric characters and
Added
p. 55
• PTS Devices Supported Application Details: Detail
Added
p. 70
• Numbers of digits used for each element
• Format of separators used between elements
• Character set used for each element (consisting of alphabetic, numeric, and/or alphanumeric characters)
• The hierarchy of the elements
• Definition of what each element represents in the version scheme
• Type of change: major, minor, maintenance release, wildcard, etc.
• The definition of elements that indicate any use of wildcards
Added
p. 71
• Changes that have impact on the application functionality but no impact on security or P2PE Requirements
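The versioning-scheme elements listed for p. 70 (digits per element, separators, character set, hierarchy, meaning of each element, change type, wildcard elements) and the "functionality change with no security or P2PE impact" category on p. 71 describe what a P2PE Application vendor must declare so that an assessor can tell which kind of change a new version number represents. The Python below is an added example, not text or code from the Program Guide or from PCI SSC: it turns such a declaration into a mechanical check that a version string conforms to the declared scheme and that a claimed wildcard-only change really touches only the wildcard element. The scheme itself (MAJOR.MINOR.MAINT-BUILD with BUILD as the wildcard element), the element widths and all function names are hypothetical.

```python
"""
Added example (not from the P2PE Program Guide): checker for a vendor-declared
application versioning scheme. The scheme below is hypothetical; a real
P2PE Application vendor documents its own elements, widths, separators
and wildcard elements.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Element:
    name: str            # what the element represents (e.g. "major")
    charset: str         # "numeric", "alpha" or "alphanumeric"
    width: int           # number of characters used for the element
    change_type: str     # how a change to this element is classified
    wildcard: bool = False  # element the vendor declares as a wildcard


# Hypothetical scheme: MAJOR.MINOR.MAINT-BUILD, e.g. "3.02.1-x7".
# Elements are listed most-significant first (the declared hierarchy).
SCHEME = (
    Element("major", "numeric", 1, "major"),
    Element("minor", "numeric", 2, "minor"),
    Element("maintenance", "numeric", 1, "maintenance"),
    Element("build", "alphanumeric", 2, "wildcard", wildcard=True),
)
SEPARATORS = (".", ".", "-")  # separator following element i

_CHARSET_RE = {
    "numeric": "[0-9]",
    "alpha": "[A-Za-z]",
    "alphanumeric": "[A-Za-z0-9]",
}


def scheme_regex(scheme=SCHEME, separators=SEPARATORS) -> "re.Pattern[str]":
    """Compile the declared scheme into an anchored regex, one named group per element."""
    assert len(separators) == len(scheme) - 1, "one separator between each pair of elements"
    parts = []
    for i, el in enumerate(scheme):
        parts.append(f"(?P<{el.name}>{_CHARSET_RE[el.charset]}{{{el.width}}})")
        if i < len(separators):
            parts.append(re.escape(separators[i]))
    return re.compile("^" + "".join(parts) + "$")


def parse_version(version: str, scheme=SCHEME, separators=SEPARATORS) -> Optional[dict]:
    """Return {element: value} if the string conforms to the scheme, else None."""
    m = scheme_regex(scheme, separators).match(version)
    return m.groupdict() if m else None


def classify_change(old: str, new: str, scheme=SCHEME, separators=SEPARATORS) -> str:
    """
    Classify a version change by the most significant element that differs.
    Returns one of the scheme's declared change types, "none" when the
    strings are equal, or "nonconforming" when either string does not fit.
    """
    a = parse_version(old, scheme, separators)
    b = parse_version(new, scheme, separators)
    if a is None or b is None:
        return "nonconforming"
    for el in scheme:
        if a[el.name] != b[el.name]:
            return el.change_type
    return "none"


def wildcard_only(old: str, new: str, scheme=SCHEME, separators=SEPARATORS) -> bool:
    """True only if at least one element differs and every differing element is a wildcard."""
    a = parse_version(old, scheme, separators)
    b = parse_version(new, scheme, separators)
    if a is None or b is None:
        return False
    changed = [el for el in scheme if a[el.name] != b[el.name]]
    return bool(changed) and all(el.wildcard for el in changed)


if __name__ == "__main__":
    # Constructed sample inputs for the hypothetical scheme.
    for old, new in [("3.02.1-x7", "3.02.1-y8"), ("3.02.1-x7", "3.03.0-a1"),
                     ("3.02.1-x7", "3.2.1-x7")]:
        print(old, "->", new, classify_change(old, new), wildcard_only(old, new))
```

The check is deliberately strict about widths and character sets: a version such as "3.2.1-x7" is rejected even though a human would read it as minor version 2, because a scheme that allows both "2" and "02" no longer lets an assessor tell from the number alone which element changed.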
Modified
p. 1
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Program Guide Version 2.0
Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Program Guide Version 2.0 Revision 1.2
Modified
p. 5
• Assessor Quality Management Program (Section 6.3)
1.1 Program Background
In response to requests from merchants and other members of the Payment Card Industry (PCI) for a unified set of point-to-point encryption security requirements, PCI SSC has adopted and maintains the Point-to-Point Encryption Standard (P2PE), the current version of which is available on the PCI SSC Website. When implemented appropriately, a P2PE Solution provides a rigorous defense against data exposure and compromise.
Removed
p. 6
• Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (PCI DSS)
• Payment Card Industry (PCI) Payment Application Data Security Standard Requirements and Security Assessment Procedures (PA-DSS)
• Payment Card Industry (PCI) PIN Security Requirements
• Payment Card Industry (PCI) PTS Hardware Security Module (HSM) Security Requirements
• Payment Card Industry (PCI) PTS POI Modular Security Requirements
• Payment Card Industry (PCI) PTS Device Testing and Approval Program Guide
Modified
p. 8
• The P2PE Solution AOV, signed by a QSA (P2PE) Company and the P2PE Solution Provider, is used when validating, revalidating, or submitting changes to a P2PE Solution.
• The P2PE Component AOV, signed by a QSA (P2PE) Company and the P2PE Component Provider, is used when validating, revalidating, or submitting changes to a P2PE Component.
• The P2PE Application AOV, signed by a PA-QSA (P2PE) Company and the P2PE Application Vendor, is used when validating, revalidating, or submitting changes …
Modified
p. 12
• Customers benefit from a broader selection of validated P2PE Solutions, the possibility of implementing Validated P2PE Solutions to reduce the scope of PCI DSS assessments, and assurance from using P2PE Products validated by a QSA (P2PE) and/or PA-QSA (P2PE) Companies to be P2PE Standard compliant.
Modified
p. 13
• P2PE Solutions validated and listed by the Council are currently recognized by all Participating Payment Brands.
Modified
p. 14
• Quality assurance processes for P2PE Assessor Companies
P2PE Solution Providers may choose to have their P2PE Solutions validated for compliance with the P2PE Standard in accordance with this P2PE Program Guide in order to have those solutions included in the List of Validated P2PE Solutions on the PCI SSC website.
Modified
p. 15
• Assessed per Domains 1 and 6 including Annex A as applicable.
• Assessed per Domains 1 and 6 including Annex A as applicable.
Modified
p. 15
• Assessed per Domains 5 and 6 including Annex A as applicable.
• Assessed per Domains 5 and 6 including Annex A as applicable.
Modified
p. 15
• Assessed per Annex B of Domain 6 including Annex A as applicable.
• Assessed per Annex B of Domain 6 including Annex A as applicable.
Modified
p. 15
• Assessed per Domain 6 Annex
• Assessed per Domain 6 and Annex A Part A2 (in addition to Annex A Part A1, as applicable).
Removed
p. 17
• Maintains a centralized repository for all P-ROVs for P2PE Products listed on the Website;
• Hosts the List of Validated P2PE Solutions, the List of Validated P2PE Components, and the List of Validated P2PE Applications on the Website;
• Provides required training for and qualifies QSA (P2PE) and PA-QSA (P2PE) Companies and Employees to assess and validate P2PE Products for P2PE compliance;
• Maintains and updates the P2PE Standard and related documentation according to a standards lifecycle management process; and
• Reviews all P-ROVs submitted to PCI SSC and related change submissions for compliance with baseline quality standards, including but not limited to, confirmation that:
Modified
p. 17
• QSA (P2PE) and PA-QSA (P2PE) Companies properly determine whether candidate P2PE Products meet baseline eligibility criteria for validation under the P2PE Program (PCI SSC reserves the right to reject or de-list any P2PE Solution, P2PE Component, and/or P2PE Application determined to be ineligible for the P2PE Program);
Modified
p. 18
• QSA (P2PE): QSA (P2PE) Companies are QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions and P2PE Components. QSA (P2PE) Companies are not qualified by PCI SSC to perform P2PE Application Assessments.
Modified
p. 18
• PA-QSA (P2PE): PA-QSA (P2PE) Companies are PA-QSA companies that have been additionally qualified by PCI SSC to perform P2PE Assessments of P2PE Solutions, P2PE Components, and P2PE Applications.
Modified
p. 18
• Not all QSA Companies are PA-QSA Companies; there are additional qualification requirements that must be met for a QSA Company to become a PA-QSA Company.
Modified
p. 18
• Not all QSA Companies are QSA (P2PE) Companies; there are additional qualification requirements that must be met for a QSA Company to become a QSA (P2PE) Company.
Modified
p. 18
• Not all PA-QSA Companies are PA-QSA (P2PE) Companies; there are additional qualification requirements that must be met for a PA-QSA Company to become a PA-QSA (P2PE) Company.
Modified
p. 18
• Performing assessments of P2PE Solutions and P2PE Components (and P2PE Applications for PA-QSA (P2PE) Assessor Companies) in accordance with the P2PE Standard and the P2PE Qualification Requirements.
Modified
p. 18
• Providing an opinion regarding whether the P2PE Solution or P2PE Component (or P2PE Application for PA-QSA (P2PE) Assessor Companies) meets the P2PE Standard.
Modified
p. 18
• Documenting each P2PE Assessment in a P-ROV using the applicable P2PE P-ROV Reporting Template.
Modified
p. 18
• Providing adequate documentation within the applicable P-ROV to demonstrate the P2PE Solution’s or P2PE Component’s (or P2PE Application’s for PA-QSA (P2PE) Assessor Companies) P2PE compliance.
Modified
p. 18
• Where applicable, submitting the applicable P-ROV and/or any change submission to PCI SSC, along with the applicable P-AOV signed by both the P2PE Assessor Company and P2PE Vendor;
Modified
p. 18
• Staying up-to-date with Council statements and guidance, P2PE Technical FAQs, industry trends and best practices.
Modified
p. 18
• Determining the scope and applicability of the P2PE Standard as it applies to a given P2PE Solution Assessment, in accordance with the P2PE Standard.
Modified
p. 19
• Implementing Validated P2PE Solutions in compliance with:
Modified
p. 19
• Configuring P2PE Solutions (where configuration options are provided) according to the validated processes provided by the P2PE Solution Provider, as documented in the P2PE Instruction Manual.
Modified
p. 19
• Servicing POI devices used in a P2PE Solution (for example, troubleshooting, delivering remote updates, and providing remote support) according to the validated processes in the P2PE Instruction Manual.
Modified
p. 19
• Ensuring that customers are provided (either directly from the Vendor or from the reseller or integrator) with a current copy of the P2PE Instruction Manual.
Modified
p. 19
• Use of Validated P2PE Solutions, coordinating with their acquirers to determine which solutions and devices to implement.
Modified
p. 19
• Adherence to the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider and/or integrator/reseller.
Modified
p. 19
• Ensuring, if the merchant has other non-P2PE payment channels, that the P2PE environment is adequately segmented (isolated) from any non-P2PE payment channels.
Modified
p. 19
• Removing any legacy cardholder data or systems from the P2PE environment.
Modified
p. 19
• Ensuring that their payment environments are validated against applicable PCI DSS requirements in accordance with applicable payment card brand requirements.
Modified
p. 27
• Refer to “Definition of Secure Cryptographic Devices (SCDs) to be used in P2PE Solutions” in the Introduction section of the P2PE Standard for requirements for these devices;
Modified
p. 28
• Refer to “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the Introduction section of the P2PE Standard.
Modified
p. 28
• Refer to “P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software” in the Introduction section of the P2PE Standard.
Modified
p. 28
• Must undergo validation per all P2PE Domain 2 Requirements by a PA-QSA (P2PE), and will be either:
Modified
p. 28
• Independently listed on the List of Validated P2PE Applications; OR
• Not listed on the List of Validated P2PE Applications and therefore only considered an element of the specific Validated P2PE Solution for which it has been submitted.
Modified
p. 28
• If a P2PE Application is currently listed on the List of Validated P2PE Applications AND was assessed against the same major version of the P2PE standard, only the applicable Domain 1 Testing Procedures must be assessed and evidenced in the Solution P-ROV for each P2PE Solution Assessment in which the application is used.
Modified
p. 28
• Refer to definition in P2PE Glossary.
Modified
p. 28
• Assessed only per designated P2PE Domain 1 Requirements as noted in the above referenced section of the P2PE Standard, by a P2PE Assessor Company.
Modified
p. 28
• Not eligible for PCI-listing.
Modified
p. 29 → 28
• Refer to definition in P2PE Glossary.
Modified
p. 29
• Refer to “P2PE Solutions and Use of Third Parties and/or P2PE Component Providers” in the Introduction section of the P2PE Standard.
Modified
p. 29
• If a P2PE Component is currently listed on the List of Validated P2PE Components, the Component P-ROV has already been Accepted by PCI SSC. As a result, only the applicable Testing Procedures must be assessed and evidenced in the Solution P-ROV for each Validated P2PE Component included in the applicable P2PE Solution
Removed
p. 30
• Perform a gap analysis between the Solution’s, Component’s, or Application’s security functionality and the P2PE Standard;
• Correct any gaps; and
• If desired, the P2PE Assessor Company may perform a pre-assessment or gap analysis of a P2PE Solution, Component, or Application. If the P2PE Assessor Company notes deficiencies that would prevent a compliant result, the P2PE Assessor Company will provide a list of P2PE features to be addressed before the formal review process begins.
Modified
p. 30
• Review the requirements of both the PCI DSS and the P2PE Standard and all related documentation located at the Website.
Modified
p. 30
• Determine/assess the Solution’s, Component’s, or Application’s readiness to comply with P2PE:
Modified
p. 30
• Determine whether the P2PE Application Provider’s Implementation Guide meets P2PE Standard requirements and correct any gaps.
Modified
p. 30
• Determine whether the P2PE Solution Provider’s P2PE Instruction Manual meets P2PE Standard requirements and correct any gaps.
Modified
p. 30
• P2PE Solution Providers are responsible for ensuring that the various components and applications (including those provided by Third-Party Service Providers, P2PE Application Vendors, and/or P2PE Component Providers) used as part of their P2PE Solutions are all compliant with all applicable requirements of the P2PE Standard, and that appropriate agreements are in place with such providers and vendors to ensure proper information disclosures if required under the Vendor Release Agreement.
Modified
p. 30
• How close the P2PE Product is to being P2PE-compliant at the start of the Assessment
Modified
p. 30
• Those that are being listed on the Website separately must be Listed before the P2PE Solution can be reviewed.
Modified
p. 31
• PCI SSC will not commence review of the P-ROV until the applicable fee has been paid.
Modified
p. 31
• Incomplete submissions or those containing errors (for example, missing or unsigned documents, incomplete or inconsistent submissions) will result in delays in the review process.
Modified
p. 31
• If PCI SSC reviews the P-ROV more than once, providing comments back to the P2PE Assessor Company to address each time, this will increase the length of time for the review process.
Modified
p. 31
• For each P2PE Assessment, the resulting P2PE Assessor report must follow the P2PE Report on Validation (P-ROV) template and instructions, as outlined in the corresponding P2PE Solution, P2PE Component, and P2PE Application P2PE P-ROV Reporting Template.
Modified
p. 31
• The P2PE Assessor Company must prepare each P-ROV based on evidence obtained by following the P2PE Standard.
Modified
p. 31
• Each P-ROV submitted to PCI SSC must be accompanied by a corresponding P2PE Attestation on Validation (P-AOV) in the form available through the Website, signed by a duly authorized officer of the P2PE Assessor Company, that summarizes whether the entity is in compliance or is not in compliance with PCI P2PE and any related findings, as well as the P2PE Application Implementation Guide (as applicable) and P2PE Implementation Manual.
Modified
p. 32
• Guidance on designing P2PE Solutions in accordance with the P2PE Standard
• Review of P2PE Solution design, response to questions via e-mail or phone, and participation in conference calls to clarify requirements
• Guidance on preparing the P2PE Instruction Manual and/or P2PE Application Implementation Guide
• Pre-assessment (gap analysis) services prior to beginning formal P2PE Assessment
• Guidance for bringing the Solution, Component, or Application into compliance with the P2PE Standard if gaps or areas of non-compliance are noted …
Modified
p. 32
• Covers the P2PE Vendor’s agreement to P2PE Program requirements, policies and procedures;
Modified
p. 33
• The P2PE Assessor Company must provide to PCI SSC the P2PE Vendor’s signed copy of the then-current VRA, along with the initial P-ROV submitted to PCI SSC in connection with that P2PE Assessment.
Modified
p. 33
• So long as an executed copy of the current VRA is on file with PCI SSC for the relevant P2PE Vendor, the P2PE Assessor is not required to re-submit the same VRA with each subsequent P-ROV for the same P2PE Vendor.
Modified
p. 34
• On the Interim Assessment Due Date, the corresponding List will be updated to show the P2PE Listing in Orange for a period of 90 days.
Modified
p. 34
• If the updated and complete P-AOV is received within this 90-day period, PCI SSC will update the corresponding List with the new Interim Assessment Due Date and remove the Orange status.
Modified
p. 34
• If the updated and complete P-AOV is not received within this 90-day period, the corresponding List will be updated to show the P2PE Listing in Red.
Modified
p. 34
• Once in Red, a full assessment (including applicable fees) is required to return the P2PE Listing status to good standing.
Modified
p. 35
• Add/Remove PCI-approved POI Device Type;
Modified
p. 35
• Any change that impacts compliance with the requirements of the P2PE Standard for a P2PE Solution or P2PE Component, but is not considered a “Designated Change.”
Modified
p. 36
• Changes where less than half the P2PE Application’s code-base is changed. See Section 5.2.4, “Delta Changes for P2PE Applications,” for details.
Modified
p. 36
• Description of why the change is necessary
It is recommended that the P2PE Vendor submit the Vendor Change Analysis to the same P2PE Assessor Company used for the original P2PE Solution Assessment.
Modified
p. 37
• Add/remove a validated P2PE Component used in a P2PE Solution
Designated Changes result in an amendment to a P2PE Solution or P2PE Component as currently listed on the corresponding List on the Website.
Modified
p. 38
• Description of why the change is necessary
It is recommended that the P2PE Vendor submit the Vendor Change Analysis to the same P2PE Assessor Company used for the original assessment.
Modified
p. 39
• Changes where less than half of the P2PE Application’s functionality is affected; and
• Changes where less than half of the Domain 2 Requirements/sub-Requirements are affected; and
• Changes where less than half the P2PE Application’s code-base is changed.
Modified
p. 39
• Name and reference number of the Validated P2PE Application Listing
Modified
p. 41
• P2PE Solutions and P2PE Components documents in the Appendix are mandatory for the P2PE Assessor Company for submitting Administrative and Designated Changes to PCI SSC on behalf of P2PE Solution …
• Recompilation of unchanged code-base
5.3 Change Documentation
* If applicable
** Note: The P2PE Change Impact …
• P2PE Solutions and P2PE Components documents in the Appendix are mandatory for the P2PE Assessor Company for submitting Administrative and Designated Changes to PCI SSC on behalf of P2PE Solution Providers and P2PE Component Service Providers.
Modified
p. 41
Administrative Change (All P2PE Products): P2PE Attestation Of Validation; P2PE Change Impact document**; Implementation Guide *; P2PE Instruction; Current VRA*
Interim Self-Assessment (All P2PE Products): P2PE Attestation Of Validation
Delta Change (Application): P2PE Attestation Of Validation; P2PE Change Impact document***; Red-lined P-ROV; P2PE Implementation; Current VRA*
Designated Change (Solution or Component): P2PE Attestation Of Validation; P2PE Change Impact document **; Red-lined P-ROV; Implementation Guide *; …
Modified
p. 42
• New Validation: If the P2PE Vendor wishes the P2PE Product listing to remain on the corresponding P2PE Product list on the Website, the P2PE Vendor must contact a P2PE Assessor Company to have the P2PE Product fully re-evaluated against the then-current version of the P2PE Standard, resulting in a new Acceptance, on or before the applicable Reassessment Date. This reassessment must follow the same process as an initial P2PE Assessment of the applicable P2PE Product.
Modified
p. 42
• Expiry: Listings of P2PE Products for which a new Acceptance has not occurred on or before the applicable expiration date/reassessment date, will appear in Orange for the first 90 days, and in Red thereafter.
Modified
p. 43
• The P2PE Vendor’s good-faith assessment, to its knowledge at the time, as to the scope and severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS or other industry-accepted standard scoring); and
Modified
p. 43
• Notify Participating Payment Brands that a Security Issue has occurred.
Modified
p. 43
• Request a copy of the latest version of the P2PE Vendor’s Vulnerability Handling Policies.
Modified
p. 43
• Communicate with the P2PE Vendor about the Security Issue and, where possible and permitted, share information relating to the Security Issue.
Modified
p. 43
• Support the P2PE Vendor’s efforts to mitigate or prevent further Security Issues.
Modified
p. 43
• Support the P2PE Vendor’s efforts to correct any Security Issues.
Modified
p. 43
• Work with the P2PE Vendor to communicate and cooperate with appropriate law enforcement agencies to help mitigate or prevent further Security Issues.
Modified
p. 49
• P2PE Solution Name P2PE Solution Name is provided by the P2PE Solution Provider, and is the name by which the P2PE Solution is sold.
Modified
p. 49
Field and format of the P2PE Solution Identifier:
• Year of listing: 4 digits + hyphen
• Solution Provider #: 5 digits + period (assigned alphabetically initially, then as received)
• Individual Solution Number #: 3 digits
• Solution Details: Clicking on this link brings up a list of details specific to this Solution consisting of the following fields (fields are explained in detail below):
Modified
p. 49
• PTS Devices Supported: This section identifies the PCI-approved POI devices validated for use with this P2PE Solution and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link
Modified
p. 50
• P2PE Applications Supported: This section identifies the P2PE Applications validated for use with this P2PE Solution and listed on the List of Validated P2PE Applications, and will include the expiry date of the P2PE Application’s approval.
Modified
p. 50
• P2PE Components: This section identifies the P2PE Components validated for use with this P2PE Solution and listed on the List of Validated P2PE Components, and will include the expiry date of the P2PE Component’s approval.
Modified
p. 51
• P2PE Component Name: P2PE Component Name is provided by the P2PE Component Provider, and is the name by which the P2PE Component Provider’s services are known.
Modified
p. 51
Field / Format: Year of listing: 4 digits + hyphen; Component Provider #: 5 digits + period (assigned alphabetically initially, then as received); Individual Component Number #: 3 digits; Component Details
Field / Format: Year of listing: 4 digits + hyphen; Component Provider #: 5 digits + period (assigned alphabetically initially, then as received); Individual Component Number #: 3 digits
Modified
p. 52
• P2PE Components: Not all component details will apply, as each component service is different. For example, Encryption-management services may have PTS Devices Supported, while others likely will not.
Modified
p. 52
• PTS Devices Supported: This section identifies the PCI-approved POI devices validated for use with this P2PE Component and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
Modified
p. 52
• P2PE Applications Supported: This section identifies the P2PE Applications validated for use with this P2PE Component and listed on the List of Validated P2PE Applications, and will include the expiry date of the P2PE Application’s approval.
Modified
p. 52
• P2PE Components: This section identifies the P2PE Components validated for use with this P2PE Component and listed on the List of Validated P2PE Components, and will include the expiry date of the P2PE Component’s approval.
Modified
p. 54
• P2PE Application Name: P2PE Application Name is provided by the Application Vendor, and is the name by which the application is sold. The Application Name cannot contain any variable characters.
Modified
p. 54
• P2PE Application Version #: P2PE Application Version # represents the specific application version reviewed in the P2PE Application Assessment. The format of the version number:
Modified
p. 54
• Must be consistent with the Application Vendor’s published versioning methodology for this product as documented in the P2PE Application Implementation Guide.
Modified
p. 54
See Appendix H: P2PE Application Software Versioning Methodology for details about content to include in the Application P-ROV and P2PE Application Implementation Guide for the Application Vendor’s versioning methods. Reference Number
See Appendix H: P2PE Application Software Versioning Methodology for details about content to include in the Application P-ROV and P2PE Application Implementation Guide for the Application Vendor’s versioning methods. • Reference Number
Modified
p. 55
• PTS Devices Supported: This section identifies the PCI-approved POI devices validated for use with this P2PE Application and will include relevant PCI PTS reference numbers and the expiry date of the PTS approval for this device. If the expiry date is in the past, this will be denoted by a color change. A website link will be provided to the appropriate entry on the List of Approved PIN Transaction Security Devices.
Modified
p. 55
• Contradict any PCI SSC program or requirement.
Modified
p. 55
• Make misleading claims about the application.
Modified
p. 55
• Claim the application is valid under another PCI SSC program or standard.
Removed
p. 70
• Number of elements
• Numbers of digits used for each element
• Format of separators used between elements
• Character set used for each element (consisting of alphabetic, numeric, and/or alphanumeric characters)
• The hierarchy of the elements
• Definition of what each element represents in the version scheme
• Type of change: major, minor, maintenance release, wildcard, etc.
Modified
p. 70
• The format of the version scheme, including:
Modified
p. 70
• The specific details of how wildcards are used in the versioning methodology
H.2 Version Number Usage
All changes to the P2PE Application must result in a new application version number. However, whether this affects the version number listed on the Website depends on the nature of the change and the P2PE Application Vendor’s published versioning methodology (see Section H.3, “Wildcards,” below). All changes that impact security functionality and/or any P2PE Requirements must result in a change to the version …
Modified
p. 70
• Types of changes made to the application
• e.g., major release, minor release, maintenance release, wildcard, etc.
• e.g., major release, minor release, maintenance release, wildcard, etc.
Modified
p. 70
• Changes that have no impact on the functionality of the application or its dependencies