Frequently Asked Questions

Who can use SAQ P2PE?

FAQ Response

SAQ P2PE is intended for SAQ-eligible merchants or merchant environments (as determined by the individual payment card brands) that process cardholder data only via a validated PCI-listed P2PE solution. Whether a merchant is eligible to use an SAQ is determined by the individual payment card brands and/or merchant acquirers. Merchants wishing to use SAQ P2PE must meet payment brand requirements for using an SAQ, and must also confirm that they:
  • Are using a validated * PCI P2PE solution (per the PCI P2PE Program Guide).
  • Do not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the payment terminal used as part of the validated PCI P2PE solution.
  • Do not store any cardholder data in electronic format.  This includes verifying that there is no legacy storage of cardholder data from other payment devices or systems.
  • Have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider. 
* Expired P2PE solutions are listed on PCI’s list of Point-to-Point Encryption Solutions with Expired Validations. These solutions are no longer considered “validated” per the P2PE Program Guide. Because these P2PE solution providers did not renew their listings in accordance with PCI SSC requirements, the validations have expired. Merchants using an expired P2PE solution should check with their acquirer or individual payment brands about their eligibility to complete SAQ P2PE.
 

September 2020
Article Number 1247