FAQ #1158 Diff

Are merchants using Council-listed P2PE solutions out of scope for PCI DSS?

Earlier Version
2012-08-22T00:00:00+00:00

Later Version
2016-06-28T00:00:00+00:00

Removed

Added

~~No.~~A ~~While use of a validated, listed~~PCI-listed P2PE solution can significantly help to reduce the ~~scope~~PCI DSS validation effort of a merchant?s cardholder data ~~environment,~~environment. However, it does not completely remove the need for PCI DSS validation in the merchant environment. ~~The~~See ~~merchant~~FAQ ~~environment remains in scope~~1247 for ~~PCI~~additional DSS because cardholder data is always present within the merchant environment. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction, and may also have paper reports or receipts with cardholder data. As another example, in card-not-present environments (such as mail-order or telephone-order), payment card details are provided via other channels that need to be evaluated and protected according to PCI DSS.

Only Council-listed P2PE solutions are recognized as meeting the requirements necessary for merchants to reduce the scope of their cardholder data environment through use of a P2PE solution. Merchants using encryption solutions that are not included on the Council?s List of Validated P2PE Solutions should consult with their acquirer or payment brand about use of these solutionsinformation.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.