A Quick Look at SAQ P2PE: Reducing Your PCI Workload

Learn more about SAQ P2PE and who qualifies for it.

George Mateaki

The P2PE SAQ is for merchants that use a P2PE solution for their payment transactions. By doing so, they greatly reduce the number of SAQ questions they have to fill out.

Compared to SAQ D, which has 329 questions, SAQ P2PE has only 33 questions and doesn’t require a vulnerability scan or a penetration test. This makes PCI compliance much easier and faster for merchants that use P2PE.

These merchants have no access to clear-text cardholder data on any computer system; they handle card data only through hardware payment terminals that belong to a PCI SSC-approved P2PE solution.


Who qualifies for SAQ P2PE?

According to the PCI SSC, here are some factors that qualify merchants for this particular SAQ:

  • All payment processing is through a validated PCI P2PE solution approved and listed by the PCI SSC
  • The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution
  • Your business doesn't otherwise receive or transmit cardholder data electronically
  • There's no legacy storage of electronic cardholder data in the environment
  • If your business stores cardholder data, that data is only in paper reports or copies of paper receipts and isn't received electronically
  • Your business has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider

Remember that this SAQ does not apply to e-commerce businesses. This SAQ also includes questions that apply to a specific type of small merchant environment.


What requirements does P2PE cover?

This SAQ covers fewer requirements than other SAQs, largely because P2PE removes many of the ways card data could be exposed in the merchant environment. Here are the requirements it handles:

Keep in mind that while this SAQ covers a few requirements, it would be a good idea to look over the other PCI requirements to ensure your business is fulfilling them where applicable.

What questions will I address in SAQ P2PE?

Here are a few sample questions you’ll be answering for this SAQ:

  • Are there specific retention requirements for cardholder data?
  • For all paper storage, is the card verification code not stored after authorization?
  • Is all media destroyed when it’s no longer needed for business or legal reasons?
  • Are devices that capture card data through direct physical interaction with the card protected against tampering and substitution?
  • Are personnel trained to be aware of attempted tampering or replacement of devices?
  • Do security policies and procedures clearly define information security responsibilities for all personnel?
  • Has an incident response plan been created to be implemented in the event of a breach?

Additional tips for PCI DSS Compliance with SAQ P2PE

Here are a few things to consider when getting PCI compliant:

  • Limit access to data: Make sure to restrict physical access to card data to only the employees that need it
  • Establish a stolen device policy: Have a procedure set in place for what employees should do if they discover a device has been stolen/tampered with
  • Train employees at least quarterly: It’s crucial that your employees are aware of and follow security policies and procedures
