Frequently Asked Questions

< Back to search page

Is a “P2PE Assessor” required for a merchant’s PCI DSS assessment if the merchant uses a Council-listed P2PE solution?

FAQ Response

No, merchants using PCI-listed P2PE solutions are not required to engage a P2PE assessor [that is, a QSA (P2PE) or PA-QSA (P2PE)] for their PCI DSS assessments.
 
Merchants should contact their acquirer (merchant bank) or payment brand(s) directly to understand their PCI DSS validation requirements. See FAQ 1142 How do I contact the payment card brands? for information regarding contacting the payment brands.
 
Merchants wishing to engage a QSA for their PCI DSS review can find a list of QSAs on the PCI Council website - https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
 

June 2016
Article Number 1163

Related Articles

What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?

Who can use SAQ P2PE?

How do PCI PTS-approved POI device expiry dates affect a PCI-listed P2PE solution?

If a P2PE Solution is on PCI’s list of Point-to-Point Encryption Solutions with Expired Validations, does the solution meet the eligibility criteria for SAQ P2PE?

Can merchants use encryption solutions not listed on the PCI Council’s website to reduce their PCI DSS validation effort?