Frequently Asked Question
Is there an exception to P2PE Requirement 3B-3.1 that a merchant cannot view full PAN, for those areas where there is a legal or regulatory obligation to print the full PAN on merchant receipts?
This is a Technical FAQ for P2PE versions 1.x. This is a "normative" FAQ that is considered to be part of the P2PE requirements and shall be considered during a P2PE assessment in the same light as the published P2PE standard. These technical FAQs are also published together in "Technical FAQs for use with P2PE Versions 1.x" available in the Documents Library of this website.
This topic is addressed in P2PE v2.0. First, to clarify, it is not the intention for PCI SSC's standards to supersede local or regional laws, government regulations, or other legal requirements. Our answer is for P2PE versions 1.x and provides an exception ONLY where there is a legal or regulatory obligation in place to print the full PAN on merchant receipts. Where such a legal or regulatory obligation exists, P2PE requirements may still be met as follows (note that this exception applies only to PAN and never applies to SAD):
This topic is addressed in P2PE v2.0. First, to clarify, it is not the intention for PCI SSC's standards to supersede local or regional laws, government regulations, or other legal requirements. Our answer is for P2PE versions 1.x and provides an exception ONLY where there is a legal or regulatory obligation in place to print the full PAN on merchant receipts. Where such a legal or regulatory obligation exists, P2PE requirements may still be met as follows (note that this exception applies only to PAN and never applies to SAD):
- SRED passes the clear-text PAN to an application that transmits the PAN internally within the device for printing. Since this application sees clear-text PAN, it must be assessed to Domain 2 and listed on the PCI SSC website.
- The application can only transmit clear-text PAN to an integrated printer—this printer is part of the PCI-approved POI device itself and is not attached via cabling or other networking mechanisms. This application cannot transmit PAN to any other device, process, or system.
- After completion of printing, the application securely deletes the clear-text PAN, and the device completes the SRED encryption of the account data for transmission to the processor.
- The merchant needs to protect paper receipts in accordance with PCI DSS Requirements 9.5—9.8.
- Merchants are allowed to view PANs printed on receipts in these markets.
September 2015
Article Number: 1350
