Frequently Asked Question
For P2PE Requirement 2A-3, can a P2PE PCI-approved POI device have a "separation layer" that is assessed once in a P2PE assessment and thereafter relied upon to exclude from review those applications on the device with no access to cardholder data?
This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a P2PE assessment in the same light as the published P2PE standard. These technical FAQs are also published together in "Technical FAQs for use with P2PE Versions 1.x" available in the Documents Library of this website.
PCI SSC believes there may be security risks that won't be addressed if these applications are excluded from further assessment and maintenance requirements. In general, the only requirement that applies to applications that never have access to account data is 2A-3 with three sub-requirements. 2A-3 requires that applications with no access to account data 1) only communicate with SRED firmware via APIs that provide no access to account data, 2) are authenticated with an approved security protocol of the POI, and 3) that dual control is required for the application signing process. It is unclear how an assessor could demonstrate that an application has no access to account data without confirming that the application meets these requirements. Additionally, while it is understood that these applications may be frequently updated and thus require management and maintenance to remain valid for use in a P2PE solution, the fact remains that security risks can be introduced by changes to any application on a device, and it is necessary to confirm that any changes result in the application still meeting Requirement 2A-3.
That being said, PCI SSC understands that there may be market needs for more flexibility for P2PE solutions regarding applications on devices, and is considering other options for the future including the feasibility of a separation layer and what testing procedures may be required to adequately prove that separation.
Related
-
When should an entity implement PCI DSS requirements noted as best practices until a future date?
-
For PCI DSS, can multi-factor authentication (MFA) implementations indicate the success of a factor prior to presentation of subsequent factors?
-
What is the completion date for PCI DSS assessments documented in a Report on Compliance and its related Attestations of Compliance?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
When should an entity implement PCI DSS requirements noted as best practices until a future date?
-
For PCI DSS, can multi-factor authentication (MFA) implementations indicate the success of a factor prior to presentation of subsequent factors?
-
What is the completion date for PCI DSS assessments documented in a Report on Compliance and its related Attestations of Compliance?
-
What is the completion date for PCI DSS assessments documented in a Self-Assessment Questionnaire and its related Attestations of Compliance?
-
How does PCI DSS Requirement 6.4.3 apply to 3DS scripts called from a merchant check-out page as part of 3DS processing?
Most Recently Updated
-
How are third-party service providers (TPSPs) expected to demonstrate PCI DSS compliance for TPSP services that meet customers’ PCI DSS requirements or may impact the security of a customer’s cardholder data and/or sensitive authentication data?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
-
What should an entity do if its PCI DSS assessment will not be complete prior to that standard's retirement date?
-
Where can I find the current version of PCI DSS?
-
When should an entity implement PCI DSS requirements noted as best practices until a future date?