
PCI DSS SAQ P2PE Compliance Guide

The lightest PCI DSS self-assessment for card-present merchants using a validated Point-to-Point Encryption (P2PE) solution that encrypts cardholder data at the terminal.

Understand SAQ P2PE eligibility, requirements, common pitfalls, and how GRCTrack streamlines your compliance journey.

What Is SAQ P2PE?

SAQ P2PE is a PCI DSS Self-Assessment Questionnaire designed for merchants who process card-present transactions exclusively through a PCI-validated Point-to-Point Encryption (P2PE) solution. With approximately 33 requirements, it has the fewest controls of any SAQ type, because the validated P2PE solution handles the vast majority of cardholder data security.

Point-to-Point Encryption works by encrypting cardholder data at the point of interaction (POI) device — the payment terminal — using tamper-resistant hardware and strong cryptographic keys. The encrypted data travels through the merchant environment without ever being decrypted, and decryption only occurs within the P2PE solution provider's secure decryption environment. This means the merchant never has access to cleartext cardholder data.

Because the merchant environment is effectively removed from the cardholder data flow, most PCI DSS requirements become non-applicable. The remaining requirements in SAQ P2PE focus on maintaining the validated P2PE environment as documented in the P2PE Instruction Manual (PIM), physically securing POI devices, and maintaining organizational security policies under Requirements 9 and 12.

Who Qualifies for SAQ P2PE?

Card-present merchants using a PCI-listed validated P2PE solution for all payment processing
Merchants whose POI devices encrypt cardholder data at the point of interaction with no access to cleartext CHD
Merchants who do not store, process, or transmit cardholder data outside of the P2PE-validated payment terminals
Merchants who comply with all requirements in the P2PE Instruction Manual (PIM) provided by their solution provider
Merchants who do not include card-not-present (e-commerce, MOTO) transactions in the same SAQ assessment
Merchants whose entire card-present payment environment is managed through the validated P2PE solution

Key SAQ P2PE Requirements

PCI-Listed P2PE Solution

Use only a Point-to-Point Encryption solution that is currently listed on the PCI SSC List of Validated P2PE Solutions. Non-listed or expired solutions disqualify merchants from SAQ P2PE eligibility.

P2PE Instruction Manual (PIM)

Comply with all merchant responsibilities documented in the P2PE Instruction Manual provided by your solution vendor. The PIM defines device installation, inspection, and incident response procedures specific to your environment.

Req 9: Physical Security of POI Devices

Maintain physical security of all payment terminals. Implement tamper-detection procedures including regular device inspections, serial number verification, and training staff to identify signs of terminal tampering or substitution.

Req 9: Device Inventory & Controls

Maintain an up-to-date inventory of all POI devices including make, model, location, and serial number. Restrict physical access to terminals and ensure devices are not moved or connected to unauthorized systems.
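The inspection and inventory controls described under Requirement 9 above, as an added example that is not GRCTrack's or the PCI SSC's code: a Python reconciliation of a terminal walk-through against the device inventory. It flags a serial that differs from the inventoried device at a location (possible substitution), devices found at the wrong location, devices not found at all, broken seals, and overdue inspections. The 30-day interval, the ExampleCo/T100 make and model, and all serial numbers are constructed assumptions; the real inspection schedule comes from the solution's PIM.

```python
from dataclasses import dataclass
from datetime import date, timedelta

INSPECTION_INTERVAL = timedelta(days=30)  # assumed schedule; the real interval comes from the PIM

@dataclass(frozen=True)
class Device:  # one inventory record: the Requirement 9 fields plus last inspection date
    make: str
    model: str
    location: str
    serial: str
    last_inspected: date

@dataclass(frozen=True)
class Observation:  # one terminal as found on a walk-through: where it sits, what its label reads
    location: str
    serial: str
    seals_intact: bool

def reconcile(inventory, observations, today):
    """Compare a walk-through against the inventory; return (finding, location, serial) tuples."""
    by_serial = {d.serial: d for d in inventory}
    by_location = {d.location: d for d in inventory}
    seen, findings = set(), []
    for obs in observations:
        known = by_serial.get(obs.serial)
        if known is None:
            # A serial nobody recorded: a swapped terminal if that spot should hold a known device.
            kind = "possible_substitution" if obs.location in by_location else "unknown_device"
            findings.append((kind, obs.location, obs.serial))
        else:
            seen.add(obs.serial)
            if known.location != obs.location:
                findings.append(("device_moved", obs.location, obs.serial))
        if not obs.seals_intact:
            findings.append(("tamper_evidence", obs.location, obs.serial))
    for dev in inventory:
        if dev.serial not in seen:
            findings.append(("device_missing", dev.location, dev.serial))
        if today - dev.last_inspected > INSPECTION_INTERVAL:
            findings.append(("inspection_overdue", dev.location, dev.serial))
    return findings

# Constructed sample data, not a real merchant's inventory.
INVENTORY = [Device("ExampleCo", "T100", "Lane 1", "SN-0001", date(2024, 5, 20)),
             Device("ExampleCo", "T100", "Lane 2", "SN-0002", date(2024, 5, 20)),
             Device("ExampleCo", "T100", "Back office", "SN-0003", date(2024, 3, 1))]
OBSERVED = [Observation("Lane 1", "SN-0001", True),
            Observation("Lane 2", "SN-7777", False),  # label differs from inventory, seal broken
            Observation("Lane 1", "SN-0003", True)]   # back-office terminal now sitting at Lane 1
```

Running `reconcile(INVENTORY, OBSERVED, date(2024, 6, 1))` yields five findings to investigate; each one maps to a PIM incident-response or re-inspection step rather than to an automatic conclusion.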

Req 12: Security Policies

Maintain an information security policy that addresses the P2PE environment. Define roles and responsibilities, document acceptable use of payment terminals, and establish an incident response plan for suspected device tampering.

Req 12: Security Awareness

Implement a security awareness program that trains personnel on P2PE device handling, tamper recognition, and incident reporting procedures. Staff interacting with POI devices must understand their security responsibilities.

Common SAQ P2PE Mistakes

Using a Non-PCI-Listed P2PE Solution

Some merchants assume that any terminal marketed as "P2PE" or "encrypted" qualifies for SAQ P2PE. Only solutions appearing on the PCI SSC List of Validated P2PE Solutions are eligible. Using a non-listed solution — even one that claims to use point-to-point encryption — requires the merchant to complete a different SAQ type such as SAQ B-IP, SAQ C, or SAQ D depending on the payment architecture.

Not Following the P2PE Instruction Manual

The P2PE Instruction Manual (PIM) is not optional guidance — it is a mandatory compliance document. Merchants must follow every instruction in the PIM, including device installation procedures, network configuration requirements, and periodic inspection schedules. Deviating from the PIM can invalidate the P2PE validation for the merchant's environment and require a more comprehensive SAQ assessment.

Modifying or Tampering with POI Devices

Connecting unauthorized peripherals, installing non-approved software, or physically modifying POI devices can break the P2PE validation chain. Even well-intentioned changes such as adding a custom case, relocating a device without following PIM procedures, or connecting the terminal to a non-approved network can compromise the encrypted environment and disqualify the merchant from SAQ P2PE.

Not Maintaining Physical Security of Terminals

SAQ P2PE requires rigorous physical security of POI devices under Requirement 9. Merchants must regularly inspect terminals for evidence of tampering or substitution, maintain a device inventory with serial numbers and locations, and train staff to recognize suspicious activity. Failing to perform routine inspections or leaving terminals unattended in publicly accessible areas is a common compliance gap.

How GRCTrack Helps with SAQ P2PE Compliance

SAQ type selection wizard that verifies your P2PE solution is PCI-listed and confirms SAQ P2PE eligibility
Pre-built SAQ P2PE control library with all 33 applicable requirements mapped and guided step-by-step
POI device inventory management with serial number tracking, location mapping, and inspection scheduling
P2PE Instruction Manual compliance tracking to ensure every PIM requirement is documented and addressed
Automated tamper inspection reminders with checklists and photographic evidence collection for device audits
AI-powered compliance guidance built by certified QSAs to answer SAQ P2PE-specific questions
