SAQ P2PE: Merchants who process account data only via payment terminals that are part of a validated, PCI-listed Point-to-Point Encryption (P2PE) solution.
Minor changes have been made to terminology, as noted above for the other version 4.0 SAQs, and to further clarify the SAQ P2PE eligibility criteria. A new footnote advises merchants using P2PE Solutions with an Expired Validation (as listed on the PCI SSC website) to check their eligibility to complete the SAQ P2PE with their acquirer or with the payment brands, as expired P2PE Solutions are no longer considered ‘validated’.
The SAQ P2PE Part 2e is specific to the PCI Validated P2PE Solution and better explains the required information using language taken from the Solution’s P2PE listing (e.g., ‘PTS POI Devices Supported’) and asks for the P2PE Solution Reassessment date.
The SAQ P2PE includes:
- 1 Requirement is new and effective immediately.
- 1 Requirement is new but future dated.
One version 3.2.1 SAQ Requirement that was consolidated, redundant, or no longer applicable has been removed from SAQ P2PE: 12.5.3.
The version 4.0 SAQ P2PE new or additional Requirements are:
- Secure storage of offline media backups with cardholder data (9.4.1.1)
- Data retention and disposal policies and procedures to cover any Sensitive Authentication Data stored pre-authorization (3.2.1)