Recently version 4.0 of the Payment Card Industry Data Security Standard was published. Along with this change, new versions of the Self-Assessment Questionnaires (SAQs) were published. This blog will discuss changes made to the SAQ P2PE version 4.0 and will review the process of performing a self-assessment using the SAQ P2PE.
Changes introduced in version 4.0 of the SAQ P2PE
Unlike some of the SAQs, very few changes were made to the SAQ P2PE between version 3.2.1 to version 4.0. For merchants familiar with performing an SAQ P2PE assessment in version 3.2.1 you may notice that some of the requirement numbers have changed with version 4.0. For instance, PCI DSS Requirement 3.2.2 which prohibits the storage of card verification codes or values after authorization was changed to Requirement 18.104.22.168. The underlying requirement and the method of validation, however, have not changed.
Another difference you may notice is there are fewer questions to answer or boxes to check when completing a version 4.0 SAQ P2PE. The version 4.0 SAQ has consolidated several requirements into one checkbox in places where version 3.2.1 used multiple checkboxes to cover the same requirements. For instance, in version 3.2.1 of the SAQ P2PE, merchants would need to check ten boxes to validate their compliance with PCI DSS Requirement 9.9 (POI tamper prevention policies and procedures). A merchant validating those same requirements using version 4.0 of the SAQ P2PE would only need to check four boxes even though the same policies and procedures would need to be in place to be compliant (this requirement is now numbered 9.5.1).
The version 4.0 SAQ P2PE now has 21 questions for a merchant to answer. All SAQs in version 4.0 have added the additional response of “In Place with Remediation”. If you check this box, it means the requirement in question was not initially in place when the assessment began but is in place as of the date your assessment was completed. This may be useful to see in future assessments if your organization is consistently having difficulties maintaining compliance with particular requirements. The other possible responses are “In Place”, “In Place with CWW”, “Not Applicable”, or “Not in Place."
New Future-Dated Requirements
Only one new future-dated requirement has been added to the SAQ P2PE. PCI DSS version 4.0 Requirement 3.2.1 now requires merchants to have documented data retention and disposal requirements that cover any sensitive authentication data (SAD) stored prior to authorization.
3.2.1 Storage of account data is kept to a minimum.
If full PAN data is stored on paper by the merchant or stored in any format by the merchant’s third-party service provider (TPSP), this requirement will apply. Any merchant that stores cardholder data must follow a documented data retention and disposal policy.
For requirement 3.2, the merchant is expected to work with their TPSP(s) to identify any cardholder data storage and to understand how the TPSP meets this requirement for the data being stored on behalf of the merchant.
After March 31, 2025, merchants will need to be sure their data retention and disposal policies cover any storage of SAD. This portion of requirement 3.2.1 is a best practice before this date.
Completing an SAQ P2PE Assessment
Unlike all other SAQ types, SAQ P2PE merchants are required to attest compliance with all PCI DSS requirements listed in the SAQ P2PE along with following any additional requirements listed in the P2PE Implementation Manual (PIM) for their P2PE solution. If you do not have a copy of the PIM for your particular P2PE solution, you should reach out to your solution provider to request a copy. Most PIMs will include requirements surrounding how to ensure point-of-interaction (POI) terminals are not tampered with during transit when being received through the mail or via a courier service. In addition to this there will be additional requirements and guidance for how to secure your payment terminals and how to prevent physical tampering of these P2PE POI terminals.
A majority of requirements listed in the SAQ P2PE focus on the physical security of these P2PE terminals. Merchants are required to maintain an inventory of all P2PE terminals and train employees to be aware of suspicious behavior around the terminals and how to identify signs of tampering or substitution. Employees should also be aware of who to report signs of tampering or suspicious behavior to so that the merchant’s incident response process can be followed. Be sure to refer to your solution PIM when drafting your incident response plan as the PIM may require you to notify the P2PE solution provider of any signs of tampering.
In addition to training employees on tamper prevention techniques, SAQ P2PE merchants are required to provide general security awareness training to all employees working in the cardholder data environment. This training should be provided when an employee is hired and at least annually thereafter.
In PCI DSS version 4.0, merchants should perform a targeted risk analysis to determine how often devices are inspected for signs of tampering or substitution. The frequency of these inspections will depend upon many factors including whether the terminals are attended or unattended, the overall security of the location the devices are located, and the type of hardware in use.
Monitoring Third-Party Service Providers (TPSPs)
All SAQs, including the SAQ P2PE, require merchants to have policies and procedures in place to vet any third-party service provider prior to engaging service that could affect the security of the merchant’s cardholder data environment. Merchants are also required to maintain a list of their TPSPs and have a written agreement with each TPSP where the TPSP acknowledges its responsibility to protect the merchant's cardholder data. Merchants are also required to have a process in place to monitor the PCI DSS compliance status of their TPSPs services at least annually. For more guidance on how the use of TPSPs affects a merchant’s PCI DSS compliance status view the “Use of Third-Party Service Providers” section of the Executive Summary of the PCI DSS Requirements and Testing Procedures version 4.0 document.
Version 3.2.1 of the PCI DSS will be retired on March 31, 2024. After that date, merchants performing self-assessments will be required to use version 4.0 of the Self-Assessment Questionnaires.
Due to the risk reduction provided by the use of a validated Point-to-Point encryption solution, the SAQ P2PE is the simplest of all SAQs to complete. The SAQ P2PE will have 21 compliance questions that will need to be answered as either “In Place”, “In Place with CWW”, “In Place with Remediation”, “Not Applicable”, or “Not in Place”. Compare this with the 251 questions asked by the SAQ D-Merchant and you can quickly see this risk reduction has greatly simplified merchant compliance.
Since the SAQ P2PE has seen very little change since version 3.2.1, SAQ P2PE merchants should not hesitate to validate their compliance using the new version 4.0 SAQ.