369 FAQ Links Changed
March 28, 2026 — PCI SSC changed the URL format for these FAQs. Content is unchanged.
Are merchants allowed to request card-verification codes/values from cardholders?
Who do I report insecure merchant behavior to?
Do parent/subsidiary companies validate as a single entity or as separate entities?
What are the expiry dates for PTS POI device approvals?
Are disaster-recovery (DR) sites in scope for PCI DSS?
What changes are PFI companies allowed to make to the PFI Reporting Templates?
Does PCI SSC provide a "PCI DSS Compliant" logo?
How does PCI DSS apply to EMVCo Payment Tokens?
Do PANs need to be masked on cardholder statements sent by issuers to customers?
Where can I find the current version of PCI DSS?
What is the current version of PA-DSS?
For P2PE solutions, can you use PCI approved POI devices with SRED, where the PTS listing indicates "Non CTLS"?
Can SAQ eligibility criteria be used as a guide for determining applicability of PCI DSS requirements for merchant assessments documented in a Report on Compliance?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/can-saq-eligibility-criteria-be-used-as-a-guide-for-determining-applicability-of-pci-dss-requirements-for-merchant-assessments-documented-in-a-report-on-compliance/ to https://www.pcisecuritystandards.org/faqs/1331/
Is a merchant website still in scope for PCI DSS if it meets all the criteria for SAQ A?
Can PCI DSS compliance be determined by testing only pre-production environments using test data?
Where can I find unlocked versions of the AOCs and SAQs?
Does PCI DSS apply to bank account data?
What is a P2PE component?
What is the difference between POI firmware and additional software that may be present on the POI device?
Are POI devices with only PTS-approved firmware (i.e., no additional software) eligible for use in a PCI P2PE solution?
Must SRED devices leave the deployment facility in an already-encrypting state? In lieu of this, can a solution provider use a tool or method to monitor and alert if any unencrypted transactions are received?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/must-sred-devices-leave-the-deployment-facility-in-an-already-encrypting-state-in-lieu-of-this-can-a-solution-provider-use-a-tool-or-method-to-monitor-and-alert-if-any-unencrypted-transactions-are-received/ to https://www.pcisecuritystandards.org/faqs/1340/
For third parties that undergo P2PE assessments for services they offer on behalf of P2PE solution providers, what is acceptable evidence they can provide to those P2PE solution providers?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-third-parties-that-undergo-p2pe-assessments-for-services-they-offer-on-behalf-of-p2pe-solution-providers-what-is-acceptable-evidence-they-can-provide-to-those-p2pe-solution-providers/ to https://www.pcisecuritystandards.org/faqs/1341/
Why does the PCI P2PE standard require SRED for PCI approved Point-of-Interaction (POI) devices?
Is it expected that P2PE applications be assessed per Domain 2 requirements (for example, 2A-1.2.c) if forensics tools are not effective due to architectural constraints of the POI device?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/is-it-expected-that-p2pe-applications-be-assessed-per-domain-2-requirements-for-example-2a-1-2-c-if-forensics-tools-are-not-effective-due-to-architectural-constraints-of-the-poi-device/ to https://www.pcisecuritystandards.org/faqs/1343/
Does P2PE Requirement 2A-2.1 mean that PIN data (which is an element of SAD) must be encrypted by the SRED functions of the PCI-approved POI device? How does this impact PIN Security Requirements for PTS devices processing PINs?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/does-p2pe-requirement-2a-2-1-mean-that-pin-data-which-is-an-element-of-sad-must-be-encrypted-by-the-sred-functions-of-the-pci-approved-poi-device-how-does-this-impact-pin-security-requirements-for-pts-devices-processing-pins/ to https://www.pcisecuritystandards.org/faqs/1344/
Is there an exception to P2PE Requirement 2A-2.1 that a P2PE application can only export PAN or SAD encrypted by the firmware of the PCI-approved POI device, where there is a legal or regulatory obligation to print the full PAN on merchant receipts?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/is-there-an-exception-to-p2pe-requirement-2a-2-1-that-a-p2pe-application-can-only-export-pan-or-sad-encrypted-by-the-firmware-of-the-pci-approved-poi-device-where-there-is-a-legal-or-regulatory-obligation-to-print-the-full-pan-on-merchant-receipts/ to https://www.pcisecuritystandards.org/faqs/1345/
For P2PE Requirement 2A-3, can a P2PE PCI-approved POI device have a "separation layer" that is assessed once in a P2PE assessment and thereafter relied upon to exclude from review those applications on the device with no access to cardholder data?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-p2pe-requirement-2a-3-can-a-p2pe-pci-approved-poi-device-have-a-separation-layer-that-is-assessed-once-in-a-p2pe-assessment-and-thereafter-relied-upon-to-exclude-from-review-those-applications-on-the-device-with-no-access-to-cardholder-data/ to https://www.pcisecuritystandards.org/faqs/1346/
What are secure methods for a merchant to transport a terminal to meet requirements specified in P2PE Requirement 3A-2.4 and the P2PE Instruction Manual – for example, if a merchant has to return a POI device to their vendor for repair?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/what-are-secure-methods-for-a-merchant-to-transport-a-terminal-to-meet-requirements-specified-in-p2pe-requirement-3a-2-4-and-the-p2pe-instruction-manual-for-example-if-a-merchant-has-to-return-a-poi-device-to-their-vendor-for-repair/ to https://www.pcisecuritystandards.org/faqs/1347/
For P2PE Requirement 3A-4.2, are POI devices required to be physically secured (e.g., bolted to a counter-top or tethered with a cable) in the merchant environment? How does this requirement apply to handheld/wireless POI devices?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-p2pe-requirement-3a-4-2-are-poi-devices-required-to-be-physically-secured-e-g-bolted-to-a-counter-top-or-tethered-with-a-cable-in-the-merchant-environment-how-does-this-requirement-apply-to-handheld-wireless-poi-devices/ to https://www.pcisecuritystandards.org/faqs/1348/
For P2PE Requirement 3B-1, are solution providers required to maintain the physical security of devices throughout their lifecycle regardless of where the devices are located?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-p2pe-requirement-3b-1-are-solution-providers-required-to-maintain-the-physical-security-of-devices-throughout-their-lifecycle-regardless-of-where-the-devices-are-located/ to https://www.pcisecuritystandards.org/faqs/1349/
Is there an exception to P2PE Requirement 3B-3.1 that a merchant cannot view full PAN, for those areas where there is a legal or regulatory obligation to print the full PAN on merchant receipts?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/is-there-an-exception-to-p2pe-requirement-3b-3-1-that-a-merchant-cannot-view-full-pan-for-those-areas-where-there-is-a-legal-or-regulatory-obligation-to-print-the-full-pan-on-merchant-receipts/ to https://www.pcisecuritystandards.org/faqs/1350/
For P2PE Requirement 3B-5, is it the responsibility of the solution provider to "push" patches to all affected POI devices, or is it sufficient for them to make it available for download and advise the merchant how to download and install the patches?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-p2pe-requirement-3b-5-is-it-the-responsibility-of-the-solution-provider-to-push-patches-to-all-affected-poi-devices-or-is-it-sufficient-for-them-to-make-it-available-for-download-and-advise-the-merchant-how-to-download-and-install-the-patches/ to https://www.pcisecuritystandards.org/faqs/1351/
For P2PE Requirement 6E-4.1, testing procedures 6E-4.1.c and d specify unique POI keys – does this mean that unique public encryption keys must exist for each POI?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/for-p2pe-requirement-6e-4-1-testing-procedures-6e-4-1-c-and-d-specify-unique-poi-keys-does-this-mean-that-unique-public-encryption-keys-must-exist-for-each-poi/ to https://www.pcisecuritystandards.org/faqs/1352/
My company is providing services to several P2PE Solution Providers listed on the PCI SSC website. We want to become listed as a P2PE Component Provider to avoid multiple assessments – what do we need to do?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/my-company-is-providing-services-to-several-p2pe-solution-providers-listed-on-the-pci-ssc-website-we-want-to-become-listed-as-a-p2pe-component-provider-to-avoid-multiple-assessments-what-do-we-need-to-do/ to https://www.pcisecuritystandards.org/faqs/1353/
Can sensitive information be redacted from the PCI DSS Attestation of Compliance before it is shared with other entities?
Are applications listed as Acceptable only for Pre-existing Deployments able to meet the current PA-DSS and PCI DSS?
What does "Duly Authorized Officer" mean?
Which version of the P2PE Standard should be used for a P2PE assessment?
What is the purpose of the P2PE Program Guide v1.2 that was published in October 2015?
For how long are assessments of P2PE Solutions valid?
Can PCI-listed P2PE v2.0 applications be used in PCI P2PE v3 solutions/components?
Can PCI-listed P2PE v3 applications be used in PCI P2PE v2 listed solutions/components?
Does PCI P2PE allow for partial assessments of third parties with services that will be used in one or more P2PE solutions?
Can a P2PE solution provider outsource elements of their P2PE solution?
Can a third-party entity that performs P2PE functions on behalf of a P2PE solution provider undergo their own P2PE assessment, rather than undergoing an assessment each time a customer undergoes a P2PE assessment?
Changed from https://www.pcisecuritystandards.org/faq/articles/Frequently_Asked_Question/can-a-third-party-entity-that-performs-p2pe-functions-on-behalf-of-a-p2pe-solution-provider-undergo-their-own-p2pe-assessment-rather-than-undergoing-an-assessment-each-time-a-customer-undergoes-a-p2pe-assessment/ to https://www.pcisecuritystandards.org/faqs/1371/