Self-Assessment Questionnaire (SAQ) P2PE Changes in PCI DSS v4.0

April 3, 2023 at 1:45 PM

Right around this time last year, the Payment Card Industry Security Standards Council (PCI SSC) published version 4.0 of the PCI Data Security Standard (PCI DSS). PCI DSS v4.0 replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats. The updated standard and Summary of Changes document are available now on the PCI SSC website. To provide organizations time to understand the changes in version 4.0 and implement any updates needed, the current version of PCI DSS, v3.2.1, will remain active for two years until it is retired on March 31st, 2024.

As part of PCI DSS, SAQ P2PE was developed to address requirements applicable to merchants who process cardholder data only via hardware payment terminals included in a validated and PCI-listed Point-to-Point Encryption (P2PE) solution. SAQ P2PE merchants do not have access to clear-text cardholder data on any computer system and only enter account data via hardware payment terminals from a PCI SSC-approved P2PE solution. SAQ P2PE merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants. The SAQ P2PE eligibility criteria for merchants remain the same from PCI DSS v3.2.1 to v4.0.

Merchant organizations that qualify and are adhering to PCI DSS v3.2.1 SAQ P2PE currently have 3 requirements with 23 specific controls that must be in place to achieve a PCI DSS “compliant” rating. In PCI DSS v4.0, merchant organizations will also need to adhere to 3 requirements and now only 21 specific controls to receive a “compliant” rating. Below is a list of the additional requirements that have been included in the PCI DSS v4.0 SAQ P2PE.

NEW REQUIREMENT - Requirement 3.2.1

Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:

  • Coverage for all locations of stored account data.
  • Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date of March 31, 2025.

The 2nd bullet requires that any SAD (the three- or four-digit value printed on the front or back of a payment card) that is received must be accounted for by the merchant to ensure that SAD is unrecoverable and not stored in any history or log files. If account data is stored by a third-party service provider (TPSP), for example in a cloud environment, the merchant organization is responsible for working with its TPSP to understand how the TPSP meets this requirement for the merchant. Considerations include ensuring that all geographic instances of a data element are securely deleted.

NEW REQUIREMENT – Requirement 9.4.1.1

Offline media backups with cardholder data are stored in a secure location.

For secure storage of backup media, a good practice is to store media in an off-site facility, such as an alternate or backup site or commercial storage facility.

While many controls for the SAQ P2PE have remained the same or were consolidated, merchant organizations should review each applicable requirement in PCI DSS v4.0 to ensure that all criteria are being met by the organization prior to March 31st, 2024, when PCI DSS v3.2.1 is retired and v4.0 is required for all assessments.

Since our founding in 2010, PCI DSS services have been at the core of what Compass IT Compliance does. Our firm has served as a Qualified Security Assessor (QSA) in Good Standing since the start. We were early adopters of the standard, and our assessors were some of the first in the nation to be certified. We have assisted countless organizations in understanding their cardholder data environment and strengthening security controls to achieve and maintain compliance. Contact us today to discuss the upcoming changes to the PCI DSS P2PE and the steps your organization should take to maintain compliance!
