Guide · PCI DSS v4.0 · SAQ P2PE

SAQ P2PE: Who Qualifies, What It Covers, and How to Confirm It

SAQ P2PE is the questionnaire for merchants whose only card acceptance runs through a point-to-point encryption solution on the PCI Security Standards Council’s validated list. The listing is the whole test. An encrypting terminal alone doesn’t qualify, and that one distinction decides who gets this SAQ and who doesn’t.

Plain-English · SAQ P2PE eligibility · Free 2-minute check

“Our processor said the terminals encrypt everything, so PCI is basically handled.” If you’ve heard some version of that, this guide is for you. Encrypted and PCI-listed are two different claims, and SAQ P2PE only follows from the second. Here’s who fits, what disqualifies you, and how to check your solution against the list before you attest to anything.

Who SAQ P2PE fits

SAQ P2PE was written for merchants who take cards in person and let a validated encryption solution do the heavy lifting. If any of these sound like your business, you’re in the right neighborhood:

The common thread: cards go into the validated solution, and your own systems never see a readable card number. When that’s genuinely your setup, SAQ P2PE is one of the lightest questionnaires a card-present merchant can honestly claim, because the validated solution absorbed most of the risk before it ever reached you.

The exact eligibility criteria

Per the PCI SSC SAQ Instructions and Guidelines for PCI DSS v4.0, SAQ P2PE is for merchants that meet all of the following:

There’s an operating condition attached: use the solution the way it was validated. Listed solutions come with instructions from the solution provider covering how devices are received, stored, inspected, and returned. Following those instructions is part of what your eligibility rests on, not an optional extra.

The listing is the test, not the word “encryption”

Plenty of terminals encrypt card data in some fashion, and plenty of processors sell end-to-end encryption that has never been validated against the PCI P2PE standard. The encryption may be perfectly good security. It still doesn’t grant SAQ P2PE, because eligibility is tied to one specific fact: the solution appears on the PCI Security Standards Council’s list of validated P2PE solutions.

A listed solution has been assessed as a whole: the devices, how they’re managed, and how decryption is handled away from your environment. That end-to-end validation is what lets the card brands accept a much shorter questionnaire from you. No listing, no shortcut.

How to check your solution against the PCI SSC list

Not sure the listing covers you? Check free, in about 2 minutes.

Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install. It’s indicative, not a QSA assessment, but it tells you exactly which questionnaire to pressure-test with your bank.

SAQ P2PE vs SAQ B-IP: the boundary that trips people

Both SAQs cover in-person, terminal-based acceptance with no electronic storage of cardholder data, which is exactly why they get confused. The qualifying test is different, and it’s worth getting right before you attest.

Boundary checkSAQ P2PESAQ B-IP
What qualifies youYour only card acceptance is a point-to-point encryption solution on the PCI SSC’s validated list, used as the solution provider instructs, with no access to clear-text cardholder data.Your only card acceptance is standalone, PTS-approved payment terminals with an IP connection to your processor.
Electronic storage of cardholder dataNone.None.
Where merchants usually missThe terminal encrypts, but the solution was never validated and listed by the PCI SSC.The terminal isn’t standalone (it’s integrated with a POS system), or it isn’t PTS-approved.

If your encrypting terminal turns out not to be part of a listed solution, you haven’t lost everything. A standalone, PTS-approved terminal with an IP connection to your processor points to SAQ B-IP. A standalone terminal that dials out over a phone line points to SAQ B. A payment-application system connected to the internet points to SAQ C. Each of those is still a reduced SAQ. They cover more of your own environment than SAQ P2PE does, because less of the risk was handed to a validated solution.

What disqualifies you

Four things take SAQ P2PE off the table, and the first one catches the most merchants:

What you answer, at a high level

We don’t quote question counts because they vary by SAQ version. The qualitative picture: a shorter SAQ covers fewer requirements, and SAQ P2PE sits at the short end for card-present merchants because the listed solution carries so much of the load. What remains is the part only you can do:

That’s the trade at the heart of this SAQ: the solution provider proved the hard parts to an assessor so that your remaining obligations stay small, specific, and physical.

How to confirm SAQ P2PE is yours

Three checks, in order:

Confirm your SAQ, then close the gaps.

The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap with the evidence an assessor will ask for. Intake-based, PDF in your inbox within hours, backed by a 7-day pre-delivery money-back guarantee.

Frequently asked questions

Is an encrypting terminal enough to qualify for SAQ P2PE?

No. SAQ P2PE requires a point-to-point encryption solution that appears on the PCI Security Standards Council’s list of validated P2PE solutions, used the way the solution provider instructs. A terminal that encrypts but isn’t part of a listed solution doesn’t qualify, even if the encryption itself is strong security.

How do I check whether my P2PE solution is PCI-listed?

Ask your processor or terminal vendor for the exact solution name and solution provider as they appear on the PCI SSC listing, then look the solution up on the PCI Security Standards Council’s website. If your vendor can only tell you the terminal is encrypted, treat eligibility as unconfirmed and ask your acquiring bank which SAQ applies.

What is the difference between SAQ P2PE and SAQ B-IP?

SAQ P2PE applies when your only card acceptance runs through a PCI SSC-listed point-to-point encryption solution and you have no access to clear-text cardholder data. SAQ B-IP applies when you use only standalone, PTS-approved payment terminals with an IP connection to your processor. Neither allows electronic storage of cardholder data.

Can I store card numbers under SAQ P2PE?

No. SAQ P2PE assumes no electronic storage of cardholder data. If any system you control stores card data electronically, in a database, spreadsheet, application log, or call recording, SAQ D generally applies instead.

What if I also take cards on my website?

SAQ P2PE only describes the card acceptance that runs through the listed P2PE solution. An e-commerce channel is assessed on its own terms, and your environment can span more than one SAQ. Your acquiring bank confirms how to validate the whole picture.

Related guides

This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. The free check is indicative, not a QSA assessment. Confirm your SAQ and obligations with your acquiring bank or a Qualified Security Assessor.