Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1251 Published

What is the process to use previously-deployed POI devices in a PCI P2PE solution?

This FAQ is applicable to both version 1 and version 2 of the PCI P2PE standards and associated documents. Please refer to the latest P2PE glossary for definitions of terms used in this FAQ.

Premise: Solution provider intends to use PCI-approved POI devices in a P2PE solution that were deployed (i.e., in a merchant's possession) prior to being enabled for use in the solution provider's P2PE solution. Therefore, a P2PE assessor may be unable to confirm that applicable Domain 1, 2, and 6 requirements were met for those deployed POI devices (e.g., requirements related to how devices and applications were originally managed and implemented). Refer to the P2PE Standard for acceptable POI devices for use in a PCI P2PE solution.

The following table depicts various scenarios based on the premise above.

(Note that, for P2PE v2, the term "Solution Provider" below can be used interchangeably with "Encryption Management Component Provider," depending on the entity managing the POI devices.)

| Scenario | Process |
| --- | --- |
| 1. A P2PE assessor has been engaged to perform an initial assessment of a new P2PE solution. Some of the POI device type(s) to be assessed have already been deployed to merchant locations. | P2PE Assessor: Follow the FAQ process detailed below and document results in the applicable P-ROV per the P2PE standard and associated Program Guide. |
| 2. A solution provider with a listed P2PE solution wants to add a merchant that has already deployed POI devices of the same device type as those approved for use in their P2PE solution. | P2PE Solution Provider: Follow the FAQ process detailed below, including documenting and retaining the results for future review. |
| 3. A solution provider with a listed P2PE solution wants to add a merchant that has already deployed POI devices of a different device type as those approved for use in their P2PE solution. | P2PE Assessor: Follow the P2PE Program Guide Designated Change process to add the new POI device type(s) to the associated PCI P2PE listing. P2PE Solution Provider: Follow the FAQ assessment process detailed below, including documenting and retaining the results for future review. |

The solution provider with previously-deployed POI devices meeting one of the above scenarios must adhere to at least one of the two options below:

- Option 1: The solution provider has sufficient evidence to meet (and therefore verify) that all POIs were deployed in accordance with all applicable P2PE requirements, OR
- Option 2: If there is insufficient evidence to support Option 1 (and therefore it is impossible to meet and/or verify all applicable P2PE requirements), the previously-deployed POI devices must be reset and all firmware, cryptographic keys, configurations, and software must be reloaded in accordance with all applicable P2PE requirements.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.