Frequently Asked Question

Can a third-party entity that performs P2PE functions on behalf of a P2PE solution provider undergo their own P2PE assessment, rather than undergoing an assessment each time a customer undergoes a P2PE assessment?

This is a Technical FAQ for P2PE versions 1.x.  This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a P2PE assessment in the same light as the published P2PE standard. These technical FAQs are also published together in "Technical FAQs for use with P2PE Versions 1.x" available in the Documents Library of this website.

Yes, per P2PE "Third parties/Outsourcing" section of the P2PE standard. Note that certain entities may have no P2PE responsibilities. For example, they may only resell the solution and never touch the hardware or the merchant environment. However, for those entities that perform P2PE functions such as key injection, transport and/or installation of devices, securing/managing POI devices during the lifecycle, device administration, merchant support, etc. there are relevant P2PE requirements, for example in Domains 1 and 6.
Last updated: June 2016
Article Number: 1371

Featured FAQ Articles