{ "id": "saq_p2pe", "name": "SAQ P2PE", "version": "PCI DSS v4.0", "description": "For merchants using hardware payment terminals included in a validated, PCI SSC-listed Point-to-Point Encryption (P2PE) solution. No electronic cardholder data storage after authorization.", "applicability": "This SAQ applies to merchants whose payment processing is performed only via hardware payment terminals included in a validated P2PE solution listed on the PCI SSC website. The solution handles all encryption of cardholder data at the point of interaction (POI). Merchants in this category do not have access to clear-text PAN in their environments.", "requirements": [ { "id": "8", "title": "Identify Users and Authenticate Access to System Components", "objective": "For SAQ P2PE, Requirement 8 applies only to the limited system components involved in managing and supporting the P2PE solution. Authentication controls are required for personnel who manage the POI devices and the P2PE solution.", "controls": [ { "id": "8.1", "title": "Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.", "items": [ { "id": "8.1.1", "question": "Are all security policies and operational procedures that are identified in Requirement 8:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?", "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties." }, { "id": "8.1.2", "question": "Are all roles and responsibilities for performing activities in Requirement 8 documented, assigned, and understood?", "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood." 
} ] }, { "id": "8.3", "title": "User authentication for users and administrators is established and managed.", "items": [ { "id": "8.3.1", "question": "Are all user passwords/passphrases for user access to system components (including POI device management systems) set to meet all the following minimum requirements:\n• A minimum length of at least 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).\n• Contains both numeric and alphabetic characters.", "guidance": "Examine system configuration settings to verify passwords/passphrases meet minimum length and complexity requirements." }, { "id": "8.3.4", "question": "Is invalid authentication attempt tracking implemented as follows:\n• Invalid attempts are limited to not more than 10 attempts.\n• The account is locked out for a minimum of 30 minutes or until the account is reset by an administrator.", "guidance": "Examine system configuration settings to verify invalid authentication attempts are limited and lock-out is implemented." }, { "id": "8.3.9", "question": "If passwords/passphrases are used as the only authentication factor for user access, are passwords/passphrases changed at least once every 90 days?\nOR\nIs the security posture of accounts dynamically analyzed, and real-time access to resources automatically determined accordingly?", "guidance": "Examine system configuration settings to verify passwords are changed at least once every 90 days or dynamic analysis is implemented." 
} ] }, { "id": "8.4", "title": "Multi-factor authentication (MFA) is implemented to secure access into the CDE.", "items": [ { "id": "8.4.3", "question": "Is MFA implemented for all remote network access originating from outside the entity's network that could access or impact the CDE, including:\n• All remote access by all personnel, both users and administrators, originating from outside the entity's network.\n• All remote access by third parties and vendors.", "guidance": "Examine network and/or system configurations and interview personnel to verify MFA is implemented for all remote access." } ] } ] }, { "id": "9", "title": "Restrict Physical Access to Cardholder Data", "objective": "Physical security of POI devices is the primary focus of Requirement 9 for SAQ P2PE merchants. Since the P2PE solution handles encryption, protecting the physical integrity of POI devices is critical to maintaining the security of the solution.", "controls": [ { "id": "9.1", "title": "Processes and mechanisms for restricting physical access to cardholder data are defined and understood.", "items": [ { "id": "9.1.1", "question": "Are all security policies and operational procedures that are identified in Requirement 9:\n• Documented?\n• Kept up to date?\n• In use?\n• Known to all affected parties?", "guidance": "Examine documentation and interview personnel to verify policies and procedures are documented, current, in use, and known to all affected parties." }, { "id": "9.1.2", "question": "Are all roles and responsibilities for performing activities in Requirement 9 documented, assigned, and understood?", "guidance": "Examine documentation and interview personnel to verify roles and responsibilities are documented, assigned, and understood." 
} ] }, { "id": "9.5", "title": "Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.", "items": [ { "id": "9.5.1", "question": "Are POI devices that capture payment card data via direct physical interaction with the payment card form factor protected from tampering and unauthorized substitution, including the following:\n• Maintaining a list of POI devices.\n• Periodically inspecting POI devices to look for tampering or unauthorized substitution.\n• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.", "guidance": "Examine documented policies and procedures and interview responsible personnel to verify POI devices are protected from tampering and unauthorized substitution." }, { "id": "9.5.1.1", "question": "Is the list of POI devices maintained, and does it include the following:\n• Make and model of the device.\n• Location of device (for example, the address of the site or facility where the device is located).\n• Device serial number or other method of unique identification.", "guidance": "Examine the list of POI devices and interview personnel to verify the list includes make, model, location, and serial number or other unique identification." }, { "id": "9.5.1.2", "question": "Are POI device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices) and unauthorized substitution (for example, checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device), as follows:\n• The frequency of inspections and the type of inspections performed is defined in the entity's targeted risk analysis.\n• All POI devices are inspected.", "guidance": "Examine documented procedures and interview personnel to verify POI devices are periodically inspected to detect tampering and unauthorized substitution." 
}, { "id": "9.5.1.2.1", "question": "Are inspections of POI devices performed at least as frequently as defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1?", "guidance": "Examine the entity's targeted risk analysis for the frequency of POI device inspections and compare the analysis to documented evidence of inspections." }, { "id": "9.5.1.3", "question": "Is training provided to personnel to be aware of attempted tampering or replacement of POI devices, and does the training include the following:\n• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.\n• Do not install, replace, or return devices without verification.\n• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).\n• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).", "guidance": "Examine training materials and interview personnel to verify training covers awareness of POI device tampering and unauthorized substitution." 
} ] } ] }, { "id": "12", "title": "Support Information Security with Organizational Policies and Programs", "objective": "Organizational policies and programs support the overall security posture of the P2PE merchant environment, including management of the validated P2PE solution and associated POI devices.", "controls": [ { "id": "12.1", "title": "A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.", "items": [ { "id": "12.1.1", "question": "Is an overall information security policy established, published, maintained, and disseminated to all relevant personnel, as well as to relevant vendors and business partners?", "guidance": "Examine the information security policy and interview personnel to verify an overall information security policy is established, published, maintained, and disseminated." }, { "id": "12.1.2", "question": "Is the information security policy reviewed at least once every 12 months and updated when the environment changes?", "guidance": "Examine the information security policy and interview personnel to verify the policy is reviewed at least annually and updated as needed." }, { "id": "12.1.3", "question": "Does the information security policy clearly define information security roles and responsibilities for all personnel, and do all personnel understand and acknowledge their information security responsibilities?", "guidance": "Examine the information security policy and interview personnel to verify roles and responsibilities are clearly defined and acknowledged." }, { "id": "12.1.4", "question": "Is responsibility for information security formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management?", "guidance": "Examine the information security policy and interview personnel to verify information security responsibility is formally assigned to a CISO or equivalent." 
} ] }, { "id": "12.3", "title": "Risks to the cardholder data environment are formally identified, evaluated, and managed.", "items": [ { "id": "12.3.1", "question": "For each PCI DSS requirement that specifies completion of a targeted risk analysis, is the analysis performed and documented to include:\n• Identifies the assets being protected.\n• Identifies the threat(s) that the requirement is protecting against.\n• Identifies factors that contribute to the likelihood and/or impact of a threat being realized.\n• Assigns a resulting risk level (high, medium, or low).\n• The risk analysis is performed by a qualified individual.", "guidance": "Examine risk analysis documentation and interview personnel to verify targeted risk analyses include all required elements." } ] }, { "id": "12.5", "title": "PCI DSS scope is documented and validated.", "items": [ { "id": "12.5.1", "question": "Is an inventory of system components that are in scope for PCI DSS maintained, including a description of function/use, as follows:\n• The inventory is kept current.\n• The inventory includes all hardware and software in use (including the P2PE solution components).\n• The inventory includes all POI devices.", "guidance": "Examine system component inventory documentation and interview personnel to verify an inventory of in-scope components is maintained, including all P2PE solution components and POI devices." 
}, { "id": "12.5.2", "question": "Is PCI DSS scope documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment, including:\n• Confirming that the P2PE solution in use remains on the PCI SSC list of validated P2PE solutions.\n• Confirming that all POI devices in use are included on the P2PE solution's list of validated devices.\n• Confirming all account data flows and that no clear-text PAN is present in the merchant environment.", "guidance": "Examine documentation and interview personnel to verify PCI DSS scope is confirmed at least annually, including confirming the P2PE solution and devices remain validated." } ] }, { "id": "12.6", "title": "Security awareness education is an ongoing activity.", "items": [ { "id": "12.6.1", "question": "Is a formal security awareness program implemented to make all personnel aware of the entity's information security policy and procedures and personnel's role in protecting the cardholder data?", "guidance": "Examine the security awareness program to verify it exists and is implemented." }, { "id": "12.6.2", "question": "Is the security awareness program:\n• Reviewed at least once every 12 months.\n• Updated as needed to address any new threats or vulnerabilities that may impact the security of the entity's CDE, or the information provided to personnel about their role in protecting cardholder data.", "guidance": "Examine the security awareness program and interview personnel to verify the program is reviewed and updated at least annually." 
}, { "id": "12.6.3", "question": "Are personnel trained upon hire and at least once every 12 months, and does training include:\n• Awareness of threats and vulnerabilities that could impact the security of the CDE.\n• Awareness of acceptable use policies for end-user technologies.\n• Personnel roles in protecting cardholder data.\n• Specific training on the P2PE solution requirements, including POI device security and anti-tampering procedures.", "guidance": "Examine security awareness training records and interview personnel to verify training occurs upon hire and at least annually, and includes P2PE-specific content." }, { "id": "12.6.3.1", "question": "Does security awareness training include awareness of threats and vulnerabilities that could impact the security of the CDE, including phishing and related attacks?", "guidance": "Examine security awareness training content to verify phishing and related attacks are addressed." } ] }, { "id": "12.8", "title": "Risk to information assets associated with third-party service provider (TPSP) relationships is managed.", "items": [ { "id": "12.8.1", "question": "Is a list of all third-party service providers (TPSPs) maintained with which account data is shared or that could affect the security of account data (including the P2PE solution provider), including a description of the service(s) provided?", "guidance": "Examine the list of TPSPs to verify it includes the P2PE solution provider and all other TPSPs with a description of services." }, { "id": "12.8.2", "question": "Are written agreements with all TPSPs (including the P2PE solution provider) maintained to include an acknowledgment that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity?", "guidance": "Examine written agreements with TPSPs to verify they include an acknowledgment of TPSP responsibility for account data security." 
}, { "id": "12.8.3", "question": "Is an established process implemented for engaging TPSPs, including proper due diligence prior to engagement?", "guidance": "Examine policies and procedures and interview personnel to verify a process exists for engaging TPSPs with due diligence." }, { "id": "12.8.4", "question": "Is a program implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months, including confirming that the P2PE solution remains on the PCI SSC list of validated P2PE solutions?", "guidance": "Examine documentation and interview personnel to verify TPSP PCI DSS compliance status is monitored at least annually, including P2PE solution validation status." }, { "id": "12.8.5", "question": "Is information maintained about which PCI DSS requirements are managed by each TPSP (including the P2PE solution provider), which are managed by the entity, and any that are shared?", "guidance": "Examine documentation to verify information is maintained about PCI DSS responsibility allocation between entity and TPSPs." } ] }, { "id": "12.9", "title": "Third-party service providers (TPSPs) support their customers' PCI DSS compliance.", "items": [ { "id": "12.9.1", "question": "Additional requirement for service providers only: Is there a written acknowledgment provided to customers that TPSPs are responsible for the security of account data that the TPSP possesses or otherwise stores, processes, or transmits on behalf of the entity?", "guidance": "This requirement applies only to service providers." 
} ] }, { "id": "12.10", "title": "Suspected and confirmed security incidents that could impact the CDE are responded to immediately.", "items": [ { "id": "12.10.1", "question": "Is an incident response plan created and implemented to be initiated in the event of a system breach, and does the plan address the following, at a minimum:\n• Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed compromise, including notification of payment brands and acquirers, at a minimum.\n• Incident response procedures with specific containment and mitigation activities for different types of incidents.\n• Business recovery and continuity procedures.\n• Data backup processes.\n• Analysis of legal requirements for reporting compromises.\n• Coverage and responses of all critical system components.\n• Reference or inclusion of incident response procedures from payment brands.\n• Procedures specifically addressing suspected or confirmed tampering or substitution of POI devices.", "guidance": "Examine the incident response plan and interview personnel to verify the plan includes all required elements, including POI device tampering response." }, { "id": "12.10.2", "question": "Is the incident response plan reviewed and tested at least once every 12 months, including all elements listed in Requirement 12.10.1?", "guidance": "Examine the incident response plan and review and testing documentation to verify the plan is reviewed and tested at least annually." }, { "id": "12.10.3", "question": "Are specific personnel designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents, including suspected or confirmed POI device tampering?", "guidance": "Examine policies and procedures and interview personnel to verify specific personnel are available 24/7 to respond to security incidents." 
}, { "id": "12.10.4", "question": "Are personnel who are appropriate to respond to a suspected or confirmed security incident trained at least once every 12 months?", "guidance": "Examine training documentation and interview personnel to verify incident response personnel are trained at least annually." }, { "id": "12.10.5", "question": "Is the incident response plan modified and evolved according to lessons learned and to incorporate industry developments?", "guidance": "Examine the incident response plan and interview personnel to verify the plan is modified and improved based on lessons learned." } ] } ] } ] }