Frequently Asked Questions

< Back to search page

Is a “P2PE Assessor” required for a merchant’s PCI DSS assessment if the merchant uses a Council-listed P2PE solution?

FAQ Response

No, merchants using PCI-listed P2PE solutions are not required to engage a P2PE assessor [that is, a QSA (P2PE) or PA-QSA (P2PE)] for their PCI DSS assessments.

Merchants should contact their acquirer (merchant bank) or payment brand(s) directly to understand their PCI DSS validation requirements. See How do I contact the payment card brands? for information regarding contacting the payment brands.

Merchants wishing to engage a QSA for their PCI DSS review can find a list of QSAs on the PCI Council website - https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php

June 2016
Article Number 1163

How do PCI PTS-approved HSM expiry dates affect a PCI-listed P2PE Solution or Component?

What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?

Who can use SAQ P2PE?

Does PCI DSS, PA-DSS, or PTS apply to ATMs?

How do PCI PTS-approved POI device expiry dates affect a PCI-listed P2PE solution?

Frequently Asked Questions

Is a “P2PE Assessor” required for a merchant’s PCI DSS assessment if the merchant uses a Council-listed P2PE solution?

Related Articles