Learn more about this SAQ and who qualifies for it.   

By: George Mateaki
Security Analyst
QSA, CISSP
The P2PE SAQ is for merchants that use a P2PE solution for their payment transactions. By doing so, they greatly reduce the number of SAQ questions they have to fill out.

Compared to SAQ D, which has 329 questions, SAQ P2PE has only 33 questions and doesn’t require a vulnerability scan or a penetration test. This makes PCI compliance much easier and faster for merchants that use P2PE.

SEE ALSO: Updating PCI DSS SAQs to 3.2: The Changes You Should Know

These merchants don’t have any access to clear-text cardholder data on any computer system, and only deal with data through hardware payment terminals from a PCI SSC-approved P2PE solution.
Here are a few things you should know about SAQ P2PE.

Who qualifies for SAQ P2PE?

SAQ P2PEAccording to the PCI SSC, here are some factors that qualify merchants for this particular SAQ:
  • All payment processing is through a validated PCI P2PE solution approved and listed by the PCI SSC
  • The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution
  • Your business doesn't otherwise receive or transmit cardholder data electronically
  • There's no legacy storage of electronic cardholder data in the environment
  • If your business stores cardholder data, that data is only in paper reports or copies of paper receipts and isn't received electronically
  • Your business has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider
Remember that this SAQ does not apply to e-commerce businesses. This SAQ also includes questions that apply to a specific type of small merchant environment.

What requirements does it cover? 

P2PEThis SAQ covers fewer requirements than other SAQs, mostly since P2PE helps eliminate many potential security issues with card data. Here are the requirements it handles:
  • Requirement 3: Protect Cardholder data
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 12: Maintain a policy that addresses information security for all personnel
Keep in mind that while this SAQ covers a few requirements, it would be a good idea to look over the other PCI requirements to ensure your business is fulfilling them where applicable.

What questions will I address? 

Here is a sample of a few questions you’ll be answering for this SAQ:
  • Are there specific retention requirements for cardholder data? 
  • For all paper storage, is the card verification code not stored after authorization? 
  • Is all media destroyed when it’s no longer needed for business or legal reasons? 
  • Are devices that capture card data through direct physical interaction with the card protected against tampering and substitution? 
  • Are personnel trained to be aware of attempted tampering or replacement of devices? 
  • Do security policies and procedures clearly define information security responsibilities for all personnel?
  • Has an incident response plan been created to be implemented in the event of a breach? 

Additional tips

Here are a few things to consider when getting PCI compliant:
  • Limit access to data: Make sure to restrict physical access to card data to only the employees that need it 
  • Establish a stolen device policy: Have a procedure set in place for what employees should do if they discover a device has been stolen/tampered with
  • Train employees at least quarterly: It’s crucial that your employees are aware of and follow security policies and procedures 
Need help with PCI compliance? Talk to us! 

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.