
A Quick Look at SAQ P2PE: Reducing Your PCI Workload

By George Mateaki, Security Analyst at SecurityMetrics (CISSP, QSA)

Learn more about this SAQ and who qualifies for it.

The P2PE SAQ is for merchants that use a P2PE solution for their payment transactions. By doing so, they greatly reduce the number of SAQ questions they have to fill out.

Compared to SAQ D, which has 329 questions, SAQ P2PE has only 33 questions and doesn’t require a vulnerability scan or a penetration test. This makes PCI compliance much easier and faster for merchants that use P2PE.

These merchants don’t have any access to clear-text cardholder data on any computer system, and only deal with data through hardware payment terminals from a PCI SSC-approved P2PE solution.


Who qualifies for SAQ P2PE?

According to the PCI SSC, here are some factors that qualify merchants for this particular SAQ:

  • All payment processing is through a validated PCI P2PE solution approved and listed by the PCI SSC
  • The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution
  • Your business doesn't otherwise receive or transmit cardholder data electronically
  • There's no legacy storage of electronic cardholder data in the environment
  • If your business stores cardholder data, that data is only in paper reports or copies of paper receipts and isn't received electronically
  • Your business has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider
Remember that this SAQ does not apply to e-commerce businesses. This SAQ also includes questions that apply to a specific type of small merchant environment.


What requirements does P2PE cover?

This SAQ covers fewer requirements than other SAQs, largely because a validated P2PE solution removes clear-text cardholder data from the merchant's systems and with it many of the risks the other requirements address. Here are the requirements it handles:

Keep in mind that while this SAQ covers a few requirements, it would be a good idea to look over the other PCI requirements to ensure your business is fulfilling them where applicable.

What questions will I address in SAQ P2PE?

Here is a sample of a few questions you’ll be answering for this SAQ:

  • Are there specific retention requirements for cardholder data?
  • For all paper storage, is the card verification code not stored after authorization?
  • Is all media destroyed when it’s no longer needed for business or legal reasons?
  • Are devices that capture card data through direct physical interaction with the card protected against tampering and substitution?
  • Are personnel trained to be aware of attempted tampering or replacement of devices?
  • Do security policies and procedures clearly define information security responsibilities for all personnel?
  • Has an incident response plan been created to be implemented in the event of a breach?

Additional tips for PCI DSS compliance with SAQ P2PE

Here are a few things to consider when getting PCI compliant:

  • Limit access to data: Make sure to restrict physical access to card data to only the employees that need it
  • Establish a stolen device policy: Have a procedure set in place for what employees should do if they discover a device has been stolen or tampered with
  • Train employees at least quarterly: It’s crucial that your employees are aware of and follow security policies and procedures


George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.
