PCI P2PE SAQ is designed for merchants using a P2PE solution for payment transactions. Merchants can significantly reduce the amount of SAQ questions they have to answer using the P2PE solution.
Narrowing down the scope for your organization’s payment channels and using the right SAQ is very important as it will save resources and costs, and SAQ P2PE, in particular, is another excellent example of scope reduction when it comes to maintaining compliance.
There are only 33 questions in SAQ P2PE. The small number of questions makes PCI compliance much easier and faster for vendors using P2PE.
To comply with SAQ P2PE, the merchant should not have access to clear-text cardholder data in any computer system and only manage data from a PCI SSC approved P2PE solution through hardware payment terminals.
With these hardware payment terminals, the card is encrypted as soon as it is swiped on the device. In this way, it is ensured that the card information remains encrypted from the moment the card is swiped for payment until it reaches the payment processor.
The critical part of this is that only the payment processor can access the encryption process’s secret key.
P2PE device vendors must place keys at each terminal during manufacture and maintain a detailed chain of custody when shipped and installed to the merchant.
For example, a mail/phone order vendor may be eligible for SAQ P2PE if it receives cardholder data on paper or phone and processes it only on an approved P2PE hardware device.
Who is SAQ P2PE valid for?
SAQ P2PE is only applicable to merchants using card-present transaction solutions. Card-present transaction means that SAQ P2PE is not open to the use of e-commerce organizations. Besides, merchants should not store any cardholder data to comply with SAQ P2PE and protect cardholder data using a validated point-to-point encryption (P2PE) solution.
You can view all approved P2P encryption solutions listed by the PCI Security Standards Council here: PCI SSC Certified P2PE Solutions.
If you are not using an approved encryption provider for SAQ P2PE, your PCI compliance will also be impossible. Therefore, it is essential to be careful when choosing your point-to-point encryption solution and select a PCI certified solution.
SAQ P2PE merchants must meet the following eligibility criteria for payment channels:
- All payment transactions must be made through a PCI P2PE solution listed and approved by PCI SSC.
- The only systems that store, process, or transmit cardholder data in the merchant environment must be Point of Interaction (POI) devices approved for use with the P2PE solution listed in the PCI SSC.
- Merchant must not otherwise receive cardholder data or transmit it electronically.
- The merchant should not store cardholder data electronically.
- Merchant must store cardholder information only in paper reports or paper receipts. This information should not be copied or accessible online.
- Merchant must implement all controls published in the P2PE Instruction Manual (PIM) by the P2PE Solution Provider.
It should be noted that SAQ P2PE is not valid for e-commerce businesses.
If there are PCI DSS requirements that apply to your environment and are not covered by this SAQ, it means that the PCI SAQ P2PE is not suitable for your environment.
What are the requirements of SAQ P2PE?
SAQ P2PE includes fewer criteria than other SAQs because it deals with card data over a PCI certified P2PE solution, thereby avoiding specific potential security concerns.
The requirements that SAQ P2PE deals with are as follows:
- PCI DSS Requirement 3: Protect cardholder data
- PCI DSS Requirement 9: Restrict physical access to cardholder data
- PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel
Although there are only three PCI DSS requirements for SAQ P2PE compliance, it would be a good idea if your company also meets other PCI DSS requirements.
What questions will I answer at SAQ P2PE?
Unlike other SAQs that list questions based on PCI DSS requirements, the questions found in the SAQ P2PE correspond to the P2PE Instruction Manual (PIM) requirements. All SAQ P2PE questions can be answered “Yes or No,” and a summary of PIM requirements.
Below is an example of some of the questions you will answer for the SAQ P2PE:
- Does cardholder data require unique storage requirements?
- Is the card verification code stored on paper after authorization?
- Are all media containing card data destroyed when not required, except for commercial or legal reasons?
- Are devices that collect card data through physical contact protected from tampering and tampering?
- Are employees trained to be notified of any potential tampering or modification attempts?
- Do security policies and procedures clearly define obligations for all personnel regarding information security?
- Has an incident response plan been created to be executed in the event of a violation?
How to Complete the PCI DSS Self-Assessment Questionnaire P2PE?
There are several answers to each question on the SAQ P2PE form where you can indicate your company’s status regarding the requirement. Your answers to the items may be “Yes, No, Compensating Control or Not Applicable.” Only one answer should be chosen for each question.
You can complete the SAQ P2PE form by following the steps below in order:
- First, determine the applicable SAQ for your environment.
- Confirm that your environment’s scope is appropriately defined and meets the eligibility criteria for the SAQ you are using.
- Confirm that you have implemented all the elements of the PIM.
- Assess your environment for compliance with current PCI DSS requirements.
- Complete all sections of the SAQ P2PE form.
- Communicate SAQ and Confirmation of Conformity (AOC) and any other requested documentation to the recipient, your payment brand, or other requestors.
Additional tips for PCI DSS compliance with SAQ P2PE
Here are additional tips you should consider for SAQ P2PE and PCI DSS compliance:
Limit data access: Make sure that physical access to card data is limited to employees who need it.
Establish a policy for stolen and replaced devices: Establish a procedure for what employees should do when they discover a device has been stolen or replaced.
Train employees at least every three months: Your employees need to be aware of and comply with security policies and procedures.
You can view the latest (version 3.2.1) PCI Self-Assessment Questionnaire P2PE pdf form here.
You can check our PCI DSS SAQ article to review all PCI SAQ types and get detailed information.