Self-Assessment Questionnaires (SAQs) are designed to help organisations prove that they are PCI DSS compliant, allowing them to validate and show their Acquiring Bank (and consequently the Payment Card Industry Security Standards Council - PCI SSC) that they are following the requirements for projecting cardholder data.

self-assessment-questionnaire-saq-p2pe-hw.png

In total, there are eight different SAQs that organisations can take: A, A-EP, B, B-IP, C, C-VT, D, and P2PE-HW, which all apply to different sorts of business (from service providers to merchants that only store cardholder data in paper form and everything in between).

The SAQ P2PE-HW is one of the smallest questionnaire as it only has 35 questions, but it is for a very specific type of merchants.

Read on to find out whether or not your organisation is eligible and what sort of questions this SAQ includes.

Who is Self-Assessment Questionnaire P2PE-HW for?

SAQ P2PE-HW is only for merchants that use card-present type of transactions, which means that it is not applicable to organisations that deal in e-commerce. Moreover, in order to be eligible these merchants must not store any cardholder data and they must also protect cardholder data using a validated point to point encryption (P2PE) solution.

NOTE: Organisations that have failed to implement all of the controls in the P2P encryption manual provided by the vendor will not be eligible for this particular questionnaire.

Here a useful link where you can find all the validated P2P encryption solutions listed by the PCI Security Standards Council. The list features the company's name, the regions the service is available in, the version of P2PE it uses as well as the company that assessed the solution and the reassessment date. These last two factors are incredibly important because if an encryption vendor fails to have their encryption service reassessed before the expiry date then they will no longer be eligible.

If an encryption service becomes ineligible then your compliance will be ineligible too which is why it is so important to be diligent when choosing an encryption vendor.

Choosing a solution is not a simple and easy process as there may be dependencies on different components (such as the application and point of sale device you can use). And although vendors should explain any dependencies to you, it is also recommended that you get additional help from experts - such as Advantio.

The full list of SAQ P2PE-HW eligibility requirements is listed below:

  • Your company does not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the hardware payment terminal used as part of a validated PCI P2PE solution;
  • Your company has confirmed that the implemented PCI P2PE solution is listed on the PCI SSC’s List of Validated P2PE Solutions;
  • Your company does not store any cardholder data in electronic format, including no legacy storage of cardholder data from prior payment devices or systems, and
  • Your company has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.

What sort of questions are in SAQ P2PE-HW?

Unlike other SAQs which list questions according to PCI DSS requirements, SAQ P2PE-HW's questions instead correspond to the P2PE Instruction Manual (PIM) requirements. All of the questions can be answered with either Yes or No and they are also listed alongside a description of that PIM requirement.

Here are some examples:

  • Where POI devices cannot be physically secured – for example, wireless or handheld devices – procedures are implemented to prevent unauthorized removal or substitution of devices
  • If a PCI-approved POI component is connected to another device or data-capture mechanism, the non PCI-approved capture mechanism is not secured by the P2PE solution, and the use of any such mechanisms to collect PCI payment-card data would negate any PCI DSS scope reduction
  • A device-tracking system is in place to identify and locate all point-of-interaction (POI) devices
  • POI devices not in use (including devices awaiting deployment or transport, or undergoing repair) are stored in a physically secure location
  • A detailed inventory of all POI devices is maintained and secured to prevent unauthorized access

Do you or your Merchants need help completing their SAQ?

As mentioned, failure to implement all of the PIM requirements can mean that your organisation is not compliant, something which could leave cardholder data at risk and result in hefty fines. In order to ensure that you have implemented all of the PIM controls and are doing what you need to to keep this important data protected, work with security experts such as Advantio, as we will walk you through it, ensuring that nothing is missed.

Irmantas Brazaitis

Written by Irmantas Brazaitis

PCI QSA and Information Security professional with a vast experience within payment card industry, I have got a sound experience in ATM security having worked for global payment service provider alongside the Fraud team, involved in end-to-end fraud prevention process (from monitoring of suspicious transactions to seizure of criminals).

Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.