PCI Security Standards Council®

PCI Point to Point Encryption (P2PE)™ Assessor Qualification

The Point-to-Point Encryption Qualified Security Assessor (P2PE QSA) and Payment Application Point-to-Point Encryption Qualified Security Assessor (P2PE PA-QSA ) training programs prepare candidates to perform validation of Point-to-Point Encryption solutions and applications against the latest standard in order for those solutions and applications to be listed on the PCI Council website. This course provides a solid foundation of understanding of each of the comprehensive requirements included in the Point-to-Point Encryption Standard. Depending on prerequisites, candidates may earn the certification of Point-to-Point Encryption Qualified Security Assessor qualification or Point-to-Point Encryption Payment Application Qualified Security Assessor qualification.

Become Qualified

Download a Case Study

Right for you if…

You are a current Qualified Security Assessor who is employed by a QSA company performing assessments of third-party Point-to-Point Encryption applications and solutions. Typical job titles include: IT Security Auditor, Payment System Security, Auditor & Information Risk Consultant, Security Consultant.

Course Details

Course Description

The Point-to-Point Encryption Standard is a comprehensive set of requirements focused on providing the requisite security requirements necessary to support the deployment of secure encryption solutions. The two-part training program is comprised of a two-hour online fundamentals prerequisite course and exam, followed by an intensive two-day instructor-led course and exam.

This training program covers the point-to-point encryption requirements, sub-requirements and associated testing procedures in depth, along with cryptography, key management techniques, and solution-specific assessment techniques. Candidates will learn how to:

  • Build, test and deploy solutions that provide the tools necessary for PCI Data Security Standard compliance 
  • Evaluate point-to-point encryption solutions  on behalf of the applicable Solution Providers and submit them directly to the Council for review and acceptance
  • Assess in-depth information about all six domains included in the Point-to-Point Encryption Standard 
  • Test and assess point-to-point encryption solutions
  • Prepare basic cryptography, key management techniques, and solution specific assessment techniques 

In addition, candidates for Point-to-Point Encryption Payment Application Assessor will learn how to:

  • Evaluate point-to-point encryption solutions and applications
  • Submit corresponding Report on Validation on behalf of the applicable Solution Providers and the applicable Application Vendors

Candidates for both training courses will participate in the same two day class. Payment Application candidates will be required to attend an additional session on Domain 2 and take a second exam. Candidates must pass both examinations to become approved Payment Application assessors.

How to Prepare

Prior to attending the assessor training session it is strongly recommended you familiarize yourself with the following publications:

  • PCI DSS Requirements and Security Assessment Procedures
  • PCI Payment Application Data Security Standard – Requirements and Security Assessment Procedures
  • PCI PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements
  • PCI Hardware Security Module (HSM) Security Requirements
  • PCI PIN Transaction Security (PTS) Device Testing and Program Approval Guide
  • PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
  • PCI DSS QSA Qualification Requirements – Supplement for Point-to-Point Encryption Security Assessors

The following documents must be reviewed in advance of the course:

  • P2PE Standard
  • P2PE Glossary
Training and Exam

P2PE Fundamentals eLearning Prerequisite

After the candidate’s application has been approved, he or she will be registered for the on-site instructor-led session that the Primary Contact requested. An invoice for the full amount of the course will be issued to the Primary Contact and once it has been paid, login credentials for the online prerequisite course will be emailed to the candidate with instructions on how to complete the course.

The two-hour self-paced P2PE Fundamentals online prerequisite course concludes with a 25 question multiple-choice exam. Once the candidate has completed the prerequisite training and exam, the Primary Contact will be notified of either a passing or failing grade. If the candidate failed the exam, he or she will be allowed one additional attempt to take and pass without being charged an additional fee.*

Once the candidate passes the P2PE Fundamentals exam, the candidate's seat will be confirmed for training and a confirmation email will be sent to the Primary Contact with complete location details. Your seat is not confirmed until your Primary Contact receives a confirmation email.

*If the candidate receives a failing grade for the prerequisite course after the second attempt, his or her seat at the instructor-led session will be forfeited. If he or she wishes to try again, the candidate will be required to pay the full course fee for a second time and receive a passing grade in the P2PE Fundamentals course to be allowed to attend the two-day instructor-led session. There will be no exceptions made and by paying the invoice, you agree to these terms.

Instructor-Led

The second part of P2PE (QSA) training is a two-day intensive instructor-led course providing:

  • In-person engagement and collaboration as well as networking opportunities
  • Ability to focus on curriculum in classroom setting
  • Learn directly from an expert PCI SSC trainer with hands-on experience assessing merchants and/or service providers

Attendance during the entire two day course is mandatory. Missing more than 30 minutes of the class will automatically result in forfeiture of the PCI SSC P2PE exam and removal from the class.

Taking the exam - The certification exam is given immediately following the instructor-led course. The only document you will be allowed to reference during the testing is a translation dictionary, if needed.  No electronic devices may be used during the exam. This is a closed book exam. The exam consists of 75 multiple choice questions and you will have 90 minutes to complete it. 
*P2PE PA-QSA candidates will also be required to complete an additional exam specifically covering assessment of P2PE applications.

The Primary Contact at the P2PE QSA Company will be notified of results within two weeks after the candidate attends the instructor-led PCI  P2PE QSA training and exam. Employees who fail may retake the training and exam, upon payment of a re-test fee. For each attendee that passes the exam, the P2PE QSA Company will receive a certificate that validates the employee for the next 12 months.

Registration

In order to attend a P2PE training class, your company must already be a validated QSA (P2PE) and/or PA-QSA (P2PE) Company and you must be a full time employee. Please see the P2PE QSA Qualification Requirements for more details.

All training requirements must be submitted by the QSA (P2PE) or PA-QSA (P2PE) Company Assigned Primary Contact through the PCI SSC's Secure P2PE Portal. To receive access to the Portal, the Primary Contact must email the PCI P2PE Program Manager at: p2pe@pcisecuritystandards.org.

All candidates must apply to the program and be approved by the PCI Council to participate. Other requirements include:

  • Must be a Qualified Security Assessor
  • Must be employed by a QSA or PA-QSA company that meets the requirements for a point-to-point encryption company
  • Must have completed two PCI Data Security Standard assessments [and two Payment Application Data Security Standard assessments for PA-QSA (P2PE) candidates]
  • Must have in-depth knowledge of cryptographic and key management techniques
Learn More
Requalification

In order to maintain the high standards set for this certification, all P2PE employees must re-certify every 12 months in order to continue as a P2PE QSA or P2PE PA-QSA.

All training inquiries and assignments must be submitted through the P2PE Company's primary contact. PCI SSC requires all training attendees to be full time employees of the P2PE Company that they were initially hired by.

*Note: Payment of the training invoice must be received before login information will be sent to the candidate.

Continuing Professional Education (CPE) Hours

P2PE candidate is required to submit proof of information systems assessment training within the last 12 months to support professional certifications of a minimum 20 Continuing Professional Education (CPE) hours per year and 120 Continuing Professional Education (CPE) hours over a rolling three year period.

  • Training provided by PCI SSC will count towards the annual CPE hours.
  • New QSA P2PE training is granted 14 CPE hours.
  • New PA-QSA P2PE training is granted 4 CPE hours.
  • These must be included in the CPE report sent to the PCI SSC. They will not be added automatically.
  • Community Meetings  2011-2012 are worth 4 CPE hours; 2013- to present are worth 12 hours.
  • Refer to the Maintenance Guide for further information on activities that qualify.

For CPE hours please submit the following information and CPE hours using the CPE form to coordinator@pcisecuritystandards.org:

  • Name
  • Title or Name of Program/Course
  • Date(s)
  • CPE Hours Earned (Click here for information on how to calculate CPE hours)

Any requalification training request sent without the P2PEs CPE hours for the past 12 months will not be processed.

Upcoming Courses

The Council has scheduled two-day instructor-led classes in various locations worldwide. See schedule below.

2016 New P2PE QSA & P2PE PA QSA Course Schedule

Date
Time
Location
Fee
Date: 21-22 Jun
Time: 09:00-17:30
Location: Boston, MA
Fee: $2750 USD
Date: 15-16 Sep
Time: 09:00-17:30
Location: Las Vegas, NV
Fee: $2750 USD
Date: 15-16 Oct
Time: 09:00-17:30
Location: Edinburgh, Scotland
Fee: $2750 USD
Annual P2PE requalification training fee is $2,750 USD per Assessor

Please note: Unless otherwise specified, all fees are in US Dollars. All course fees are NON-TRANSFERABLE and NON-REFUNDABLE. An invoice will be issued upon completion of registration and will include instructions to pay by check, credit card or wire transfer. Payment is required prior to beginning the course. Course conducted in English. Examination delivered in English. Confirmation and location details will be sent once payment is received and prerequisite courses are passed.

Download Case Studies

View IPS-Paul Smith Case Study
View Bluefin-Hillman Case Study