Frequently Asked Question

This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a P2PE assessment in the same light as the published P2PE standard. These technical FAQs are also published together in "Technical FAQs for use with P2PE Versions 1.x" available in the Documents Library of this website.

PCI SSC believes there may be security risks that won't be addressed if these applications are excluded from further assessment and maintenance requirements. In general, the only requirement that applies to applications that never have access to account data is 2A-3 with three sub-requirements. 2A-3 requires that applications with no access to account data 1) only communicate with SRED firmware via APIs that provide no access to account data, 2) are authenticated with an approved security protocol of the POI, and 3) that dual control is required for the application signing process. It is unclear how an assessor could demonstrate that an application has no access to account data without confirming that the application meets these requirements. Additionally, while it is understood that these applications may be frequently updated and thus require management and maintenance to remain valid for use in a P2PE solution, the fact remains that security risks can be introduced by changes to any application on a device, and it is necessary to confirm that any changes result in the application still meeting Requirement 2A-3.

That being said, PCI SSC understands that there may be market needs for more flexibility for P2PE solutions regarding applications on devices, and is considering other options for the future including the feasibility of a separation layer and what testing procedures may be required to adequately prove that separation.