PCI Compliance – Completing an SAQ P2PE

This is the last merchant self-assessment questionnaire to cover in our series going through the organizational requirements to use each of the SAQs. We’ve talked a lot about why it’s so important to try and reduce scope and use the right SAQ for the payment channels utilized by your organization. The SAQ P2PE, in particular, is another good example of why scope reduction can equal resource and cost savings for your organization when it comes to maintaining compliance. It was developed for a very specific payment channel, which we will discuss next, and has a very short list of requirements associated with it.

What Organizations Can Use This SAQ

This SAQ was developed specifically for merchants that are only accepting cards via one of the 76 approved point-to-point encryption hardware payment terminals certified by PCI. These hardware terminals encrypt at the swipe, ensuring that from the moment a card is swiped for a payment it remains encrypted until it reaches the payment processor. The important part of this, and the reason there are so few approved P2PE solutions, is that only the payment processor may have access to the secret key used in the encryption process. This means that they have to inject the keys onto each terminal and maintain a detailed chain of custody as it’s sent to and installed at the merchant.

Given these fairly stringent requirements, it makes sense that there are still very few approved P2PE options out there. Many vendors and payment processors will tell you their solution “encrypts at the swipe”, and indeed most of them do, but only solutions listed on the PCI website count as true P2PE solutions and are eligible for this reduced SAQ. With that being said, always talk to your acquiring bank when determining what’s right for you, as we’ve seen in the past that some banks will treat a non-approved solution as P2PE in certain cases (e.g. they can prove an equivalent level of security for this solution, but it just isn’t formally approved). This is definitely the exception and not the rule, however, so if you’re looking to move in this direction, make sure you verify that your solution is on the approved list.

What Does it Take to Complete an SAQ P2PE?

For your company to complete an SAQ P2PE, you’ve got to confirm for the applicable payment channel that:

  • Most importantly: All payment processing is done via an approved P2PE solution that appears on the list curated by the PCI Council.
  • The only systems in the merchant environment that store, process, or transmit cardholder data are those approved P2PE hardware terminals.
  • The organization does not receive or transmit cardholder data electronically in any other manner.
  • There is no legacy storage of electronic cardholder data, e.g. you don’t still have CHD stored somewhere after switching to a P2PE solution.
  • Any cardholder data you do have stored is on paper only and not received electronically.
  • You’ve implemented all controls/requirements listed in the P2PE Instruction Manual, which must be provided to you by the P2PE Solution Provider.