Deleted FAQs

FAQs that have been removed from the PCI SSC website or have dead links.

FAQ #1272 Deleted Last seen: 16 May 2019, 19:37

Can my payment application be validated using PA-DSS Version 1.2.1?

No. PA-DSS version 1.2.1 is expired. New application validations using PA-DSS 1.2.1 and changes for existing listings using PA-DSS 1.2.1 are no longer accepted. In addition, applications validated using PA-DSS …

FAQ #1353 Deleted Last seen: 13 Jun 2016, 17:14

My company is providing services to several P2PE Solution Providers listed on the PCI SSC website. We want to become listed as a P2PE Component Provider to avoid multiple assessments – what do we need to do?

If your company provides services which meet the definition of a P2PE component provider as set out in the P2PE Program Guide v2, then it may be possible for those …

FAQ #1340 Deleted Last seen: 1 Dec 2015, 22:13

Must SRED devices leave the deployment facility in an already-encrypting state? In lieu of this, can a solution provider use a tool or method to monitor and alert if any unencrypted transactions are received?

This is a Technical FAQ for P2PE versions 1.x. This is a “normative” FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

FAQ #1351 Deleted Last seen: 1 Dec 2015, 22:13

For P2PE Requirement 3B-5, is it the responsibility of the solution provider to "push" patches to all affected POI devices, or is it sufficient for them to make it available for download and advise the merchant how to download and install the patches?

This is a Technical FAQ for P2PE versions 1.x. This is a “normative” FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

FAQ #1346 Deleted Last seen: 1 Dec 2015, 22:13

For P2PE Requirement 2A-3, can a P2PE PCI-approved POI device have a "separation layer" that is assessed once in a P2PE assessment and thereafter relied upon to exclude from review those applications on the device with no access to cardholder data?

This is a Technical FAQ for P2PE versions 1.x. This is a “normative” FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

FAQ #1344 Deleted Last seen: 27 Sep 2015, 04:07

Does P2PE Requirement 2A-2.1 mean that PIN data (which is an element of SAD) must be encrypted by the SRED functions of the PCI-approved POI device? How does this impact PIN Security Requirements for PTS devices processing PINs?

This is a Technical FAQ for P2PE versions 1.x. This is a “normative” FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

FAQ #1347 Deleted Last seen: 26 Sep 2015, 14:56

What are secure methods for a merchant to transport a terminal to meet requirements specified in P2PE Requirement 3A-2.4 and the P2PE Instruction Manual?for example, if a merchant has to return a POI device to their vendor for repair?

This is a Technical FAQ for P2PE versions 1.x. This is a “normative” FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

FAQ #1348 Deleted Last seen: 26 Sep 2015, 13:40

For P2PE Requirement 3A-4.2, are POI devices required to be physically secured (e.g., bolted to a counter-top or tethered with a cable) in the merchant environment? How does this requirement apply to handheld/wireless POI devices?

This is a Technical FAQ for P2PE versions 1.x. This is a “normative” FAQ that is considered to be part of the P2PE requirements and shall be considered during a …

FAQ #1309 Deleted Last seen: 20 Nov 2014, 18:49

Must payment applications ensure that hashed and truncated versions cannot be correlated?

Yes, a payment application designed to store both hashed and truncated PAN is required to have additional controls to prevent their correlation, as noted in PA-DSS Requirement 2.3. This is …

FAQ #1289 Deleted Last seen: 11 Jun 2014, 22:58

Does the PA-DSS v3.0 requirement for hashing stored passwords meet PCI DSS Requirement 8.2.1?

Yes; PA-DSS v3.0 requires that a strong, one-way cryptographic algorithm with a unique input variable be used to render all payment application passwords unreadable during storage. This meets the intent …