Frequently Asked Questions

< Back to search page

Is a “P2PE Assessor” required for a merchant’s PCI DSS assessment if the merchant uses a Council-listed P2PE solution?

FAQ Response

No, merchants using PCI-listed P2PE solutions are not required to engage a P2PE assessor [that is, a QSA (P2PE) or PA-QSA (P2PE)] for their PCI DSS assessments.
 
Merchants should contact their acquirer (merchant bank) or payment brand(s) directly to understand their PCI DSS validation requirements. See FAQ 1142 How do I contact the payment card brands? for information regarding contacting the payment brands.
 
Merchants wishing to engage a QSA for their PCI DSS review can find a list of QSAs on the PCI Council website - https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
 

June 2016
Article Number 1163

Related Articles

Who can use SAQ P2PE?

What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?

How do PCI PTS-approved POI device expiry dates affect a PCI-listed P2PE solution?

Are P2PE Products (P2PE Solutions, P2PE Components, P2PE Applications) on the P2PE Expired Listings still considered “validated” per the P2PE Program Guide?

Can merchants use encryption solutions not listed on the PCI Council’s website to reduce their PCI DSS validation effort?