Diff: FAQ #1247
Who can use SAQ P2PE?
Earlier Version

SAQ P2PE is intended for SAQ-eligible merchants or merchant environments (as determined by the individual payment card brands), who process cardholder data only via PCI-approved point of interaction (POI) devices as part of a validated P2PE solution (per the PCI P2PE Program Guide). Merchants wishing to use SAQ P2PE must meet payment brand requirements for using an SAQ, and must also confirm that they:
- Are using a validated PCI P2PE solution (per the PCI P2PE Program Guide).
- Do not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the payment terminal used as part of the validated P2PE solution.
- Do not store any cardholder data in electronic format. This includes verifying that there is no legacy storage of cardholder data from other payment devices or systems.
- Have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.

Later Version

SAQ P2PE is intended for merchants that process cardholder data only via a validated PCI-listed P2PE solution. Whether a merchant is eligible to use an SAQ is determined by the individual payment card brands and/or merchant acquirers. Merchants wishing to use SAQ P2PE must meet payment brand requirements for using an SAQ, and must also confirm that they:
- Are using a validated* PCI P2PE solution (per the PCI P2PE Program Guide).
- Do not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the payment terminal used as part of the validated PCI P2PE solution.
- Do not store any cardholder data in electronic format. This includes verifying that there is no legacy storage of cardholder data from other payment devices or systems.
- Have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.

* Expired P2PE solutions are listed on PCI's list of Point-to-Point Encryption Solutions with Expired Validations. These solutions are no longer considered "validated" per the P2PE Program Guide. Because these P2PE solution providers did not renew their listings in accordance with PCI SSC requirements, the validations are therefore expired. Merchants using an expired P2PE solution should check with their acquirer or individual payment brands about their eligibility to complete SAQ P2PE.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.