Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment methd the most, with UK usage growing by 300% year over year.
Self-Assessment Questionnaires (SAQs) are designed to help organisations prove that they are PCI DSS compliant, allowing them to validate and show their Acquiring Bank (and consequently the Payment Card Industry Security Standards Council - PCI SSC) that they are following the requirements for projecting cardholder data.
In total, there are eight different SAQs that organisations can take: A, A-EP, B, B-IP, C, C-VT, D, and P2PE-HW, which all apply to different sorts of business (from service providers to merchants that only store cardholder data in paper form and everything in between).
The SAQ P2PE-HW is one of the smallest questionnaire as it only has 35 questions, but it is for a very specific type of merchants.
Read on to find out whether or not your organisation is eligible and what sort of questions this SAQ includes.
SAQ P2PE-HW is only for merchants that use card-present type of transactions, which means that it is not applicable to organisations that deal in e-commerce. Moreover, in order to be eligible these merchants must not store any cardholder data and they must also protect cardholder data using a validated point to point encryption (P2PE) solution.
NOTE: Organisations that have failed to implement all of the controls in the P2P encryption manual provided by the vendor will not be eligible for this particular questionnaire.
Here a useful link where you can find all the validated P2P encryption solutions listed by the PCI Security Standards Council. The list features the company's name, the regions the service is available in, the version of P2PE it uses as well as the company that assessed the solution and the reassessment date. These last two factors are incredibly important because if an encryption vendor fails to have their encryption service reassessed before the expiry date then they will no longer be eligible.
If an encryption service becomes ineligible then your compliance will be ineligible too which is why it is so important to be diligent when choosing an encryption vendor.
Choosing a solution is not a simple and easy process as there may be dependencies on different components (such as the application and point of sale device you can use). And although vendors should explain any dependencies to you, it is also recommended that you get additional help from experts - such as Advantio.
The full list of SAQ P2PE-HW eligibility requirements is listed below:
Unlike other SAQs which list questions according to PCI DSS requirements, SAQ P2PE-HW's questions instead correspond to the P2PE Instruction Manual (PIM) requirements. All of the questions can be answered with either Yes or No and they are also listed alongside a description of that PIM requirement.
Here are some examples:
As mentioned, failure to implement all of the PIM requirements can mean that your organisation is not compliant, something which could leave cardholder data at risk and result in hefty fines. In order to ensure that you have implemented all of the PIM controls and are doing what you need to to keep this important data protected, work with security experts such as Advantio, as we will walk you through it, ensuring that nothing is missed.
PCI QSA and Information Security professional with more than 14 years of experience within the payment card industry. I’ve been involved in dozens of ATM compliance and security projects having worked for global payment service providers alongside the Fraud team, engaged in end-to-end fraud prevention process (from monitoring of suspicious transactions to seizure of criminals).
Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.