Supplemental Terms - P2PE Bundled Solution
Verifone’s P2PE Bundled Solution is a PCI Point-to-Point Encryption (P2PE)-validated solution offering, which includes the components set forth below, which are P2PE-validated. Other components of Verifone’s standard Bundled Solution are not in scope of PCI-P2PE and, accordingly, are not listed below.
Verifone Payment Application | The Verifone Payment Application provided by Verifone as part of the P2PE Bundled Solution will have been P2PE validated. |
P2PE Validated Decryption Service | The P2PE Validated Decryption Service is a hosted decryption service which provides credit/debit card track data decryption and response and credit/debit card PAN (Primary Account Number) decryption and response. |
P2PE Asset Management Web Application | Verifone P2PE Asset Management is a web-based tool for device asset management which allows maintaining and monitoring real-time chain of custody events, performing device integrity inspections, device inventory management and transaction monitoring of each P2PE device. |
P2PE Instruction Manual | The P2PE Instruction Manual describes the requirements for ongoing compliance activities to assist a merchant in claiming in its attestations the proper execution of duties and claim coverages in conjunction with the P2PE Bundled Solution, and provides guidance to be followed by a merchant for PCI SAQ P2PE compliance. |
Verifone Key Injection Service | Verifone’s designated key injection facility and/or deployment services which provide certified injection of P2PE and PIN/Debit keys for P2PE-validated Verifone terminals. |
VeriShield Remote Key Loading Service | VeriShield Remote Key (VRK) solution is Verifone’s P2PE, PCI PIN and TR-39 compliant remote key loading solution to securely manage key injection to Verifone devices in the field or service center, using online or offline methods. POI devices do not need to be removed from their locations, decreasing downtime and reducing the risk of fraud. VRK is built on the ANSI TR-34 financial industry standard using asymmetric encryption and factory established keys and certificates to strengthen security for data encryption key management. |
(a) PCI PTS Devices. Only certain Verifone payment device models are compatible for use with the P2PE Bundled Solution, as designated by Verifone in its discretion. Any such devices must be approved and listed by PCI SSC as approved PCI PIN Transaction Security (PTS) 3.X or higher, SRED payment devices. Merchant must either (a) lease a P2PE-validated device from Verifone as part of its P2PE Bundled Solution subscription, or (b) in the event that Merchant wishes to separately procure P2PE-validated devices for use with the P2PE Bundled Solution, must receive prior written authorization from Verifone and must coordinate delivery and custody management of such Devices with Verifone.
(b) Maintenance of P2PE Solution Listing. Verifone agrees to maintain the P2PE Bundled Solution on the PCI Security Standards Council (“PCI SSC”) website in accordance with applicable P2PE Standards. For purposes hereof, “P2PE Standards” means the standards issued by the PCI SSC in relation to point-to-point encryption solutions, as updated from time to time, including (i) the Point-to-Point Encryption Solution Requirements and Testing Procedures and (ii) the P2PE Program Guide. Verifone will remain aware of changes to the P2PE Standards applicable to the P2PE Bundled Solution and implement such changes as necessary to remain in compliance, at Verifone’s expense.
(c) Vulnerability Handling. Verifone will adopt, implement, maintain, and adhere to documented security vulnerability handling programs and processes consistent with industry practices (“Vulnerability Handling Policies”), including, without limitation, programs and detailed processes regarding detection, receipt, triage, prioritization, and repair of any actual or suspected defect, flaw, weakness, or vulnerability of the P2PE Bundled Solution that Verifone believes has caused or permitted, or could reasonably be expected to cause or permit, unauthorized access to information or data required to be protected pursuant to the P2PE Standards applicable to the P2PE Bundled Solution (a “Security Issue”).
(d) Notifications. Upon becoming aware of a Security Issue, Verifone will comply with its Vulnerability Handling Policies and promptly, and in any event within thirty days of becoming so aware, notify Merchant of such Security Issue and the information required by the P2PE Standards, including (i) the name and PCI SSC approval number of each Product or Service potentially impacted by such Security Issue, (ii) the name and a description of the applicable P2PE Component, (iii) a description of the general nature of the Security Issue, and (iv) any additional information reasonably requested by Merchant for Merchant to make and provide to PCI SSC a good faith assessment as to the impact or potential impact of such Security Issue on Merchant’s products and customers and as to whether the Security Issue in question is the result of an exploit that is being or could reasonably be expected to be directed at a general class of products without significant modification.
(e) Revocation of Listing. Merchant acknowledges that PCI SSC has the ability to revoke or suspend an approval of a listed P2PE Component or a P2PE Solution in its sole discretion. In the event of such revocation or suspension with respect to the P2PE Component or P2PE Solution, Verifone shall use commercially reasonable efforts to resolve any issues that arose to cause such revocation or suspension.
(f) Implementation. Merchant is responsible for ensuring that its use, implementation and configuration of any P2PE Component or P2PE Solution is suitable for its purposes and follows applicable P2PE Standards.