Frequently Asked Question

For third parties that undergo P2PE assessments for services they offer on behalf of P2PE solution providers, what is acceptable evidence they can provide to those P2PE solution providers?

This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a P2PE assessment in the same light as the published P2PE standard. These technical FAQs are also published together in "Technical FAQs for use with P2PE Versions 1.x" available in the Documents Library of this website.

This topic is addressed in P2PE v2.0. For P2PE v1.x assessments, a third party who is providing services on behalf of P2PE solution providers can provide a statement to solution providers pursuing a P2PE assessment based on a prior P2PE assessment of the third-party entity. Note that this FAQ applies only to services governed under P2PE Domains 1, 5, or 6 (including Annexes A and B) such as POI device management, decryption environment related functions, Key Injection Facility (KIF) services, Certification Authority (CA), or Registration Authority (RA).

The date the P2PE statement is signed for the third party's P2PE assessment (whether assessed as part of a full P2PE solution or in isolation) must be less than one year before the completion date of any subsequent solution provider's P2PE assessment (i.e., the statement described herein is only valid for one year).

This statement, as stated above, must be prepared by the QSA (P2PE) who assessed the third party. The statement must be signed and dated by both the third party and the QSA (P2PE), and must attest to the fact that the third-party entity is compliant with all applicable P2PE requirements. The statement must also contain (at a minimum) the following information, as applicable to the third party. Note that the statement is not required to contain any sensitive information.
  • A summary of services being offered by the third party.
  • Information per the following bullets, which reference sections and tables present in the Solution P-ROV Template v1.1.1. Please refer to that document as applicable. Provide all information:
    • Regarding the third party and the QSA (P2PE), using Section 1.1 as a reference.
    • Requested in Sections 1.2 and 1.3 regarding the date and timeframe of the assessment, as well as the version of the P2PE Standard utilized.
    • Requested in Section 2.4 regarding the P2PE decryption environment(s).
    • Requested in Section 3.5 regarding key management.
    • Requested in Tables 1.1 and 1.2 in Domain 1 regarding the POI devices used. Exclude information regarding payment applications, as they are not relevant to third-party P2PE services applicable to this attestation.
    • Requested in Tables 1.3 and 1.4 in Domain 1 regarding SCDs used to generate, load, or encrypt cryptographic keys. Examples include HSMs, key-injection/loading devices (KLDs) and other devices that generate or load keys.
    • Requested in Tables 5.1 and 5.2 in Domain 5 regarding HSMs used in the decryption environment.
    • Requested in Table 5.3 in Domain 5 regarding Host Systems used in the decryption environment (HW/Hybrid ONLY).
    • Requested in Tables 6.1 and 6.2 (Domain 6), as well as Tables 6A.1 (Domain 6, Annex A) and 6B.1 (Domain 6, Annex B) regarding cryptographic key types and their associated hardware devices.
  • List each high-level P2PE requirement assessed and indicate whether the requirement was assessed in full (i.e., inclusive of all its sub-requirements), partially, or deemed not applicable. Provide a justification for all applicable requirements only tested partially or deemed not applicable. "Not applicable" in this context means the requirement may apply to the third party but was deemed not applicable through the assessment process and the review of relevant information; it does not refer to requirements that are out of scope by nature, such as Domain 2 requirements governing POI-resident payment applications. An example of a requirement deemed not applicable in the course of the assessment would be a KIF that does not utilize DUKPT keys.
  • Include an explicit confirmation attesting to the fact that the third-party entity's prior P2PE assessment includes all services, processes, and systems appropriate to the services the third party offers to P2PE solution providers. At any time during the one-year period of the statement's validity, if any services, processes, or systems are changed or added, the third party must document the additions or changes and provide that documentation to applicable current and potential P2PE solution providers.
  • The QSA (P2PE) performing a P2PE assessment of a third party per this FAQ must prepare this statement in accordance with the Council's template, available from the P2PE Program Manager.

QSA (P2PE)s relying on these statements for a P2PE solution provider's assessment must submit the statement(s) to the Council to accompany any P2PE Report on Validation in which the third-party service(s) is used.
Last updated: June 2016
Originally published: December 2015
Article Number: 1341