P2PE Instruction Manual for PCI P2PE v2.0 March 2019
© 2019 Bluefin Payment Systems All Rights Reserved PIM Page 1
Point-to-Point Encryption (P2PE) Instruction Manual (PIM)
Core P2PE PIM V1.13
Issued on 03/25/2019
©Bluefin Payment Systems, 2019
All Rights Reserved.
1. P2PE Solution Information and Solution Provider Contact Details
1.1 P2PE Solution Information
Solution name: Bluefin P2PE
Solution reference number per PCI SSC website: 2014-00897.001
1.2 Solution Provider Contact Information
Company name: Bluefin Payment Systems
Company address: 8200 Roberts Drive, Suite 150
Atlanta, GA 30350
Company URL: http://www.bluefin.com
Contact name: Trey Edge
Contact phone number: 800-675-6573 option #4
Contact e-mail address: [email protected]
P2PE and PCI DSS
Merchants using this P2PE Solution may be required to validate PCI DSS compliance and should be
aware of their applicable PCI DSS requirements. Merchants should contact their acquirer or payment
brands to determine their PCI DSS validation requirements.
2. Approved POI Devices, Applications/Software, and the Merchant
Inventory
2.1 POI Device Details
The following information lists the details of the PCI-approved POI devices approved for use in this P2PE
solution. Note all POI device information can be verified by visiting:
https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php
POI device vendor: ID Tech
POI device model name and number: SecuRED
Hardware version #(s): IDSR-33x1xxxxx
Firmware version #(s): 1.07, 1.08, 2.00
PCI PTS Approval #(s): 4-10144
POI device vendor: ID Tech
POI device model name and number: SREDKey
Hardware version #(s): IDSK-53xxxxxxx
Firmware version #(s): 1.01, 1.02, 1.02.xxx.S
PCI PTS Approval #(s): 4-10156
POI device vendor: ID Tech
POI device model name and number: Augusta S
Hardware version #(s): IDEM-8xxx, IDEM-8xxxx
Firmware version #(s): V1.00, V1.01.xxx.S, V1.02.xxx.S
PCI PTS Approval #(s): 4-10218
POI device vendor: ID Tech
POI device model name and number: VP5300
Hardware version #(s): SPTP2-988-33-2C-0C, ID-80152002-00x (CTLS Antenna)
Firmware version #(s): VP5300 V1.00.xxx.xxxx.S
PCI PTS Approval #(s): 4-10245 (PTS 5.x)
POI device vendor: ID Tech
POI device model name and number: SmartPIN L100
Hardware version #(s): IDPB-60x400M Rev A, IDPB-60x400M Rev B
Firmware version #(s): V1.00.xxx.S, V1.01.xxx.S, V1.02.xxx.S (SRED)
PCI PTS Approval #(s): 4-10223 (PTS 4.x)
POI device vendor: Ingenico
POI device model name and number: iPP320, iPP350, iPP310, iPP315*
Hardware version #(s): PTS 2.x: IPP3xx-01Txxxxx
PTS 3.x: IPP3xx-11Txxxxx
PTS 4.x: iPP3xx-21Txxxxx, iPP3xx-31Txxxxx, iPP3xx-41Txxxxx,
iPP3xx-51Txxxxx
Firmware version #(s): PTS 2.x: 820305V01.xx, 820365V02.xx, SRED (Non CTLS): 820157V01.xx
PTS 3.x: SRED (CTLS): 820365 V02.xx, 820305V02.xx,
820528V02.xx, SRED (Non CTLS): 820375V01.xx, 820554v01.xx
PTS 4.x: 820305 V11.xx, 820180 V01.xx
PCI PTS Approval #(s): 4-20142 (PTS 2.x), 4-20184 (PTS 3.x), 4-30176 (PTS 4.x)
*Note: Only PTS 4.x listing includes iPP315 device
POI device vendor: Ingenico
POI device model name and number: iSC250
Hardware version #(s): iSC2xx-01Txxxxx
Firmware version #(s): 820518V01.xx, 820518V02.xx, SRED (Non CTLS) 820157V01.xx
PCI PTS Approval #(s): 4-30062
POI device vendor: Ingenico
POI device model name and number: iSC Touch 250
Hardware version #(s): PTS 3.x: iSC2xx-21Txxxxx, iSC2xx-31Txxxxx
PTS 4.x: iSC2xx-21Txxxxx, iSC2xx-31Txxxxx
Firmware version #(s): PTS 3.x: 820365 V02.xx, 820518 V02.xx, 820528V02.xx
PTS 4.x: 820518 V12.xx, SRED (CTLS): 820528V02.xx
PCI PTS Approval #(s): 4-30135 (PTS 3.x), 4-30132 (PTS 4.x)
POI device vendor: Ingenico
POI device model name and number: ISC Touch 480
Hardware version #(s): PTS 3.x: ISC4xx-01Txxxxxx (no CTLS), ISC4xx-11Txxxxx (CTLS)
PTS 4.x: ISC4xx-01Txxxxx, ISC4xx-11Txxxxx
Firmware version #(s): PTS 3.x: 820365 V02.xx, 820518V01.xx, 820518V02.xx, SRED
(CTLS): 820528V02.xx
PTS 4.x: 820518 V11.xx, 820518 V12.xx, 820528V02.xx
PCI PTS Approval #(s): 4-30098 (PTS 3.x), 4-30125 (PTS 4.x)
POI device vendor: Ingenico
POI device model name and number: iUR255, iUR255P
Hardware version #(s): iUR2xx-01Txxxxx, iUR2xx-11Txxxxx
Firmware version #(s): 820168 v01.xx
PCI PTS Approval #(s): 4-30155
POI device vendor: Ingenico
POI device model name and number: iUP250LE
Hardware version #(s): IUP2xx-11Txxxxx
Firmware version #(s): 820305v12.xx, 820305V13.xx
PCI PTS Approval #(s): 4-30251
POI device vendor: Ingenico
POI device model name and number: iUC150B
Hardware version #(s): iUC15x-01Txxxxx
Firmware version #(s): 820168 v01.xx
PCI PTS Approval #(s): 4-30172
POI device vendor: Ingenico
POI device model name and number: Lane/3000, Desk/1500
Hardware version #(s): LAN30AA, LAN30BA, LAN30CA, LAN30DA, LAN30EA, LAN30FA,
LAN30GA, LAN30HA
Firmware version #(s): 820547v01.xx, 820561v01.xx (base firmware)
PCI PTS Approval #(s): 4-30310 (PTS 5.x)
POI device vendor: Ingenico
POI device model name and number: Lane/5000
Hardware version #(s): LAN50AB (non CTLS), LAN50BB (CTLS)
Firmware version #(s): 820547v01.xx, 820376v01.xx, 820549V01.xx (SRED),
820555V01.xx (SRED), 820556V01.xx (SRED)
PCI PTS Approval #(s): 4-20286 (PTS 4.x)
POI device vendor: Ingenico
POI device model name and number: Lane/7000
Hardware version #(s): LAN70AA, LAN70AB
Firmware version #(s): 820547v01.xx
PCI PTS Approval #(s): 4-30237 (PTS 5.x)
POI device vendor: Ingenico
POI device model name and number: Lane/8000
Hardware version #(s): LAN80AA
Firmware version #(s): 820547v01.xx
PCI PTS Approval #(s): 4-30257 (PTS 5.x)
POI device vendor: Ingenico
POI device model name and number: Move/5000
Hardware version #(s): MOV50AA (Non CTLS); MOV50BA (CTLS), MOV50JA (CTLS),
MOV50CA, MOV50DA, MOV50AB, MOV50BB (CTLS),
MOV50CB, MOV50DB (CTLS), MOV50JB (CTLS)
Firmware version #(s): 820547v01.xx; 820376v01.xx; (SRED) CTLS: 820549V01.xx,
820555v01.xx (SRED), 820549v01.xx (SRED OnGuard FPE),
820556v01.xx (SRED OnGuard SDE), 820559v01.xx (SRED
ANL), 820565v01.xx (SRED FF1)
PCI PTS Approval #(s): 4-20282 (PTS 4.x)
POI device vendor: Ingenico
POI device model name and number: Link/2500
Hardware version #(s): LIN25AA, Non CTLS, LIN25BA, CTLS, LIN25CA, LIN25DA,
LIN25EA; Touchscreen version; no CTLS support, LIN25FA;
Touchscreen version; with CTLS support, LIN25GA; Dual Head
version; no CTLS support, LIN25HA; Dual Head version; with
CTLS support, LIN25IA (Companion version with rear connector
and no CTLS support), LIN25JA (Companion version with rear
connector and with CTLS)
Firmware version #(s): 820547v01.xx, 820556v01.xx (SRED On-Guard SDE),
820555v01.xx (SRED AWL)
PCI PTS Approval #(s): 4-30230 (PTS 4.x)
POI device vendor: Anywhere Commerce
POI device model name and number: Nomad 2.0
Hardware version #(s): Nomad2.0-A1-B1, Nomad2.0-A2-B2
Firmware version #(s): 4.0 (SRED), 5.0 (SRED)
PCI PTS Approval #(s): 4-10149
POI device vendor: BBPOS
POI device model name and number: WisePad, WisePad W300
Hardware version #(s): WisePad-A1-B0 (WisePad), WisePad-A1-B2 (WisePad W300),
WisePad-A2-B0 (WisePad), WisePad-A2-B2 (WisePad W300),
WisePad-B1-B0 (WisePad), WisePad-B1-B2 (WisePad W300)
Firmware version #(s): SRED: 4.0, SRED: 5.0
PCI PTS Approval #(s): 4-10146
POI device vendor: PAX
POI device model name and number: S500
Hardware version #(s): S500-xxx-xx4-0xxx
Firmware version #(s): 4.00.xx
PCI PTS Approval #(s): 4-40151
POI device vendor: PAX
POI device model name and number: S300, S300 (MOS)
Hardware version #(s): S300-abc-dx3-0xxx (where a=0, M b=0, G, C, T, W, E c=0, L, A
and d=0, 3)
Firmware version #(s): SRED (CTLS): Prolin 21.3xx.xxx.xxx.1xx (Boot 1.0.0 PED 001),
3.02.xx
PCI PTS Approval #(s): 4-40094
POI device vendor: PAX
POI device model name and number: S300
Hardware version #(s): S300-abc-dx3-1xxx (where a=0, M b=0, G, C, T, W, E c=0, L, A
and D=0, 3)
Firmware version #(s): SRED (CTLS): Prolin 21.3xx.xxx.xxx.1xx (Boot 1.0.0 PED 001)
PCI PTS Approval #(s): 4-40109
POI device vendor: PAX
POI device model name and number: A920
Hardware version #(s): A920-xxx-0x5-0xxx, (Non CTLS), A920-xxx-Rx5-0xxx (CTLS),
A920-xxx-0x5-1xxx, A920-xxx-Rx5-1xxx (CTLS)
Firmware version #(s): 25.00.xxxx
PCI PTS Approval #(s): 4-40215
POI device vendor: PAX
POI device model name and number: A80
Hardware version #(s): A80-xxx-Rx5-0xxx (with CTLS), A80-xxx-0x5-0xxx (without
CTLS)
Firmware version #(s): 25.00.xxxx
PCI PTS Approval #(s): 4-30301
POI device vendor: Infinite Peripherals
POI device model name and number: Prima M
Hardware version #(s): 01.01
Firmware version #(s): 02.08, 02.08.xx
PCI PTS Approval #(s): 4-30123
POI device vendor: Ingenico
POI device model name and number: iCMP
Hardware version #(s): ICMxxx-01Txxxxx, ICMxxx-11Txxxxx, ICMxxx-21Txxxxx,
ICMxxx-31Txxxxx
Firmware version #(s): 820305V01.xx, 820365V02.xx, SRED (CTLS): 820528V02.xx,
820539V01.xx
PCI PTS Approval #(s): 4-20235
POI device vendor: Ingenico
POI device model name and number: iUC285
Hardware version #(s): IUC28x-01Txxxxx
Firmware version #(s): 820177V01.xx
PCI PTS Approval #(s): 4-30161
POI device vendor: Ingenico
POI device model name and number: iWL 220, 250
Hardware version #(s): IWL2xx-01Txxxxx
Firmware version #(s): SRED (Non CTLS): 820073v01.xx, 820528v02.xx
PCI PTS Approval #(s): 4-20181
POI device vendor: PAX
POI device model name and number: D210
Hardware version #(s): D210-xxx-xx4-0xxx
Firmware version #(s): 4.00.xx
PCI PTS Approval #(s): 4-40157
POI device vendor: Ingenico
POI device model name and number: iSMP4
Hardware version #(s): MP6xx-01Txxxxx (without contactless),
IMP6xx-11Txxxxx (with contactless)
Firmware version #(s): 820305v11.xx
PCI PTS Approval #(s): 4-30220
POI device vendor: ID Tech
POI device model name and number: Spectrum Pro
Hardware version #(s): 106
Firmware version #(s): 1.00
PCI PTS Approval #(s): 4-10217
POI device vendor: Miura
POI device model name and number: Shuttle
Hardware version #(s): M003-PRODxx-V1-x, M003-PRODxx-V2-x, M004-PRODxx-V1-x,
M005-PRODxx-V2-x, M006-PRODxx-V1-x, M006-PRODxx-V2-x,
M010-PRODxx-V1-x, M010-PRODxx-V2-x
Firmware version #(s): M000-OS-V7-x
PCI PTS Approval #(s): 4-30084
POI device vendor: BBPOS
POI device model name and number: WisePad 2
Hardware version #(s): WPX2XXXX-XX-XXX
Firmware version #(s): WPX20.003-12
PCI PTS Approval #(s): 4-10198
POI device vendor: MagTek
POI device model name and number: DynaPro, DynaPro 3.0
Hardware version #(s): 31PCIX308A (Online & Offline),
31PCIX508A (Online & Offline; CTLS),
31PCI1308A (Online & Offline),
31PCI1508A (Online & Offline; CTLS),
31PCI3308A (Online & Offline),
31PCI3508A (Online & Offline; CTLS)
Firmware version #(s): 30050851-Ex-PCI (Online & Offline; SRED)
PCI PTS Approval #(s): 4-10137
POI device vendor: Verifone
POI device model name and number: Mx915, Mx925 (PTS 3.x)
Hardware version #(s): P132-509-01-R (MX 925), P132-509-11-R (MX 925),
P132-509-21-R (MX 925), P132-509-11-PF (MX 925), P132-409-01-R (MX 915),
P132-509-02-R (MX 925), P132-509-12-R (MX 925), P132-509-22-R (MX 925),
P132-509-12-PF (MX 925), P132-409-02-R (MX 915)
Firmware version #(s): Vault: 1.x.x, 3.x.x, 4.x.x, 11.x.x, 12.x.x, AppM: 1.x.x; 3.x.x; 4.x.x;
5.x.x, 5A.x.x, 6.x.x, SRED: 1.x.x, 3.x.x; 4.x.x; 5.x.x, OP: 1.x.x,
3.x.x; 4.x.x; 7.x.x, SRED 5.x.x.xxx, Vault: 13.x.x, AppM: 7.x.x
PCI PTS Approval #(s): 4-10110
POI device vendor: Verifone
POI device model name and number: Mx915, Mx925 (PTS 4.x)
Hardware version #(s): P177-40x-xx-xxx (Mx915), P177-50x-xx-xxx (Mx925)
Firmware version #(s): Vault: 11.x.x; 12.x.x, 13.x.x, AppM: 5.x.x; 5A.x.x; 6.x.x; 7.x.x,
SRED: 4.x.x; 5.x.x, OP: 5.x.x; 6.x.x; 7.x.x, Vault: 14.x.x; AppM:
8.x.x; SRED: 7.x.x
PCI PTS Approval #(s): 4-10177
POI device vendor: Verifone
POI device model name and number: e355, e265, e265G
Hardware version #(s): M087-351-x1-xxx, M087-361-x0-xxx, M087-381-x0-xxx,
M087-381-xx-xxx
Firmware version #(s): QTE35301.xxxxxxxx, OP: 1.x.x.x, QTE50301.xxxxxxxx,
QTE35302.xxxxxxxx, QTE50320.xxxxxxxx, QTE50330.xxxxxxxx,
QTE50340.xxxxxxxx, OP: 2.x.x, QTE50350.xxxxxxxx
PCI PTS Approval #(s): 4-30168
POI device vendor: Verifone
POI device model name and number: VX 690, VX 690B
Hardware version #(s): M260-x1x-xx-xxx-3, M260-x5x-xx-xxx-3, M260-x1x-xx-xxx-3B,
M260-x5x-xx-xxx-3B, M260-x1x-xx-xxx-3C, M260-x5x-xx-xxx-3C,
M260-x1x-xx-xxx-3D, M260-x5x-xx-xxx-3D
Firmware version #(s): SRED (CTLS): QT690260, QT690261, QT690262, QT690263,
QT690262.xxxxxxxx, QT690264.xxxxxxxx, QTyy0500.xxxxxxxx
PCI PTS Approval #(s): 4-30128
POI device vendor: Verifone
POI device model name and number: Vx805
Hardware version #(s): M280-70x-xx-xxx-3
Firmware version #(s): SRED: QT850104, QT850109, QT850110, QT850120,
QT850121, QT850240, QT850340, QT850245,
QT850240.xxxxxxxx, QTyy0400.xxxxxxxx, QTyy0500.xxxxxxxx,
QTyy0540.xxxxxxxx; OP 2.x.x.x
PCI PTS Approval #(s): 4-10106
POI device vendor: Verifone
POI device model name and number: Vx820
Hardware version #(s): M282-XXX-XX-XXX-3
Firmware version #(s): SRED: QT820104, QT820106, QT820107, QT820109,
QT820110, QT820111, QT820112, QT820113, QT820120,
QT820121, QT820201, QT820240, QT820340, QT820301,
QT820242, QT820241, QT820243, QT820244, QT820245,
QT820240.xxxxxxxx, QT820246.xxxxxxxx, QTyy0400.xxxxxxxx,
QTyy0500.xxxxxxxx, QTyy520.xxxxxxxx, QTyy0530.xxxxxxxx,
OP: 2.x.x, QTyy0540.xxxxxxxx
PCI PTS Approval #(s): 4-40054
POI device vendor: Verifone
POI device model name and number: P200/P200 Plus
Hardware version #(s): PTS 4.x: H430-07-02-xx0-x0-A0 (P200), H430-07-32-xx0-x0-A0 (P200 Plus),
H430-07-02-xx0-x0-A1 (P200), H430-07-32-xx0-x0-A1 (P200 Plus),
H430-07-02-XX0-X0-A1 (P200), H430-07-32-XX0-X0-A1 (P200 Plus)
PTS 5.x: H430-07-02-xxx-x0-B0, H430-07-32-xxx-x0-B0,
H430-07-02-xx0-x0-A1 (P200), H430-07-32-xx0-x0-A1 (P200 Plus)
Firmware version #(s): PTS 4.x: VAULT: 2.x.x, 3.x.x, 4.x.x, AppM: 7.x.x, 8.x.x, 9.x.x,
VFSRED: 5.x.x, VFOP: 1.x.x, VAULT: 5.x.x, AppM: 10.x.x, VAULT:
7.x.x, AppM: 11.x.x, VFSRED: 7.x.x, VAULT: 8.x.x, AppM: 12.x.x,
VFSRED: 9.x.x
PTS 5.x: Vault: 7.x.x.x, AppM: 11.x.x.x, SRED: 7.x.x.x, OP: 1.x.x,
VAULT: 8.x.x, AppM: 12.x.x, VFSRED: 9.x.x
PCI PTS Approval #(s): 4-10196 (PTS 4.x), 4-10238 (PTS 5.x)
POI device vendor: Verifone
POI device model name and number: P400/P400 Plus
Hardware version #(s): PTS 4.x: H435-07-02-xx0-x0-A0 (P400), H435-07-32-xx0-x0-A0 (P400 Plus),
H435-07-02-xx0-x0-A1 (P400), H435-07-32-xx0-x0-A1 (P400 Plus),
H435-07-02-XX0-X0-A0 (P400), H435-07-32-XX0-X0-A0 (P400 Plus),
H435-07-02-XX0-X0-A1 (P400), H435-07-32-XX0-X0-A1 (P400 Plus),
H435-07-02-xxx-x0-B0 (P400), H435-07-32-xxx-x0-B0 (P400 Plus),
H435-07-02-xxx-x0-A2 (P400), H435-07-02-xxx-x0-B1 (P400),
H435-07-32-xxx-x0-A2 (P400 Plus), H435-07-32-xxx-x0-B1 (P400 Plus)
PTS 5.x: H435-07-02-xxx-x0-B0, H435-07-32-xxx-x0-B0,
H435-07-02-xx0-x0-A0, H435-07-02-xx0-x0-A1 (P400),
H435-07-32-xx0-x0-A0, H435-07-32-xx0-x0-A1 (P400 Plus),
H435-07-02-xxx-x0-B0 (P400), H435-07-32-xxx-x0-B0 (P400 Plus),
H435-07-02-xx0-x0-A0 (P400), H435-07-32-xx0-x0-A0 (P400 Plus),
H435-07-02-xxx-x0-A2 (P400), H435-07-02-xxx-x0-B1 (P400),
H435-07-32-xxx-x0-A2 (P400 Plus), H435-07-32-xxx-x0-B1 (P400 Plus)
Firmware version #(s): PTS 4.x: VAULT: 2.x.x, 3.x.x, 4.x.x, AppM: 7.x.x, 8.x.x, 9.x.x,
VFSRED: 5.x.x, VFOP: 1.x.x, VAULT: 5.x.x, AppM: 10.x.x, VAULT:
7.x.x, AppM: 11.x.x, VFSRED: 7.x.x, VAULT: 8.x.x, AppM: 12.x.x,
VFSRED: 9.x.x
PTS 5.x: Vault: 7.x.x.x, AppM: 11.x.x.x, SRED: 7.x.x.x, OP: 1.x.x,
VAULT: 8.x.x, AppM: 12.x.x, VFSRED: 9.x.x
PCI PTS Approval #(s): 4-10191 (PTS 4.x), 4-10239 (PTS 5.x)
POI device vendor: Datecs
POI device model name and number: Bluepad 50
Hardware version #(s): 02.02.10.xxBR (CTLS Version), 02.02.10.xxBN (without CTLS
support)
Firmware version #(s): 02.04.xxx.xx
PCI PTS Approval #(s): 4-30255
2.2 POI Software/Application Details
The following information lists the details of all software/applications (both P2PE applications and P2PE
non-payment software) on POI devices used in this P2PE solution.
Note that all applications with access to clear-text account data must be reviewed according to Domain
2 and are included in the P2PE solution listing. These applications may also optionally be included in the
PCI P2PE list of Validated P2PE Applications at vendor or solution provider discretion.
Application vendor, name and version #: Ingenico: Retail Based Application (RBA) v12.x, 14.x (Legacy Deployments)
POI device vendor: Ingenico
POI device model name(s) and number: iPP310, iPP320, iPP350, iSC250, iSC Touch 250, iSC Touch 480
POI Device Hardware & Firmware Version #:
Hardware:
iPP310, iPP320, iPP350: IPP3xx-01Txxxxx
iSC250: iSC2xx-01Txxxxx
iSC Touch 250: iSC2xx-21Txxxxx, iSC2xx-31Txxxxx
iSC Touch 480: ISC4xx-01Txxxxx (no CTLS), ISC4xx-11Txxxxx (CTLS)
Firmware:
iPP310, iPP320, iPP350: 820305V01.xx, 820365V02.xx, SRED (Non CTLS): 820157V01.xx
iSC250: 820518 V01.xx, 820518 V02.xx, SRED (Non CTLS): 820157 V01.xx
iSC Touch 250: 820365 V02.xx, 820518 V02.xx, 820528V02.xx
iSC Touch 480: 820365 V02.xx, 820518V01.xx, 820518V02.xx, SRED (CTLS): 820528V02.xx
Is application PCI listed? (Y/N): No
Does application have access to clear-text account data (Y/N): No
Application vendor, name and version #: Ingenico: Retail Based Application P2PE v1.0 and v1.1. Encompasses Retail Based Application 17.x, 21.x, 22.x and 23.x versioning schemes
POI device vendor: Ingenico
POI device model name(s) and number: iPP320, iPP350, iPP310, iPP315, iSC250, iSC Touch 250, iSC Touch 480, iCMP, iUC285, iWL 220, iWL 250, iSMP4, iUR255, iUR255P, iUP250LE, iUC150B
POI Device Hardware & Firmware Version #:
Hardware:
iPP320, iPP350, iPP310, iPP315: IPP3xx-11Txxxxx, iPP3xx-21Txxxxx, iPP3xx-31Txxxxx, iPP3xx-41Txxxxx, iPP3xx-51Txxxxx
iSC250: iSC2xx-01Txxxxx
iSC Touch 250: iSC2xx-21Txxxxx, iSC2xx-31Txxxxx
iSC Touch 480: ISC4xx-01Txxxxx, ISC4xx-11Txxxxx
iCMP: ICMxxx-01Txxxxx, ICMxxx-11Txxxxx, ICMxxx-21Txxxxx, ICMxxx-31Txxxxx
iUC285: IUC28x-01Txxxxx
iWL 220/250: IWL2xx-01Txxxxx
iSMP4: IMP6xx-01Txxxxx (without contactless)
  IMP6xx-11Txxxxx (with contactless)
iUR255, iUR255P: iUR2xx-01Txxxxx, iUR2xx-11Txxxxx
iUP250LE: IUP2xx-11Txxxxx
iUC150B: iUC15x-01Txxxxx
Firmware:
iPP320, iPP350, iPP310, iPP315: SRED (CTLS): 820365 V02.xx, 820305V02.xx, 820528V02.xx, SRED (Non CTLS): 820375V01.xx, 820554v01.xx
  820305 V11.xx, 820180 V01.xx
iSC250: 820518 V01.xx, 820518 V02.xx, SRED (Non CTLS): 820157 V01.xx
  820518 V12.xx
iSC Touch 250: 820365 V02.xx, 820518 V02.xx, 820528V02.xx, 820518 V12.xx, SRED (CTLS): 820528V02.xx
iSC Touch 480: 820518 V11.xx, 820518 V12.xx, 820528V02.xx
iCMP: 820305V01.xx, 820365V02.xx, SRED (CTLS): 820528V02.xx, 820539V01.xx
iUC285: 820177V01.xx
iSMP4: 820305v11.xx
iUR255, iUR255P: 820168 v01.xx
iUP250LE: 820305v12.xx, 820305V13.xx
iUC150B: 820168 v01.xx
Is application PCI listed? (Y/N): Yes
Does application have access to clear-text account data (Y/N): Yes
Application vendor, name and version #: PAX, Broad POS v1.0 Build: Bluefin-HC-** V1.00.xx
POI device vendor: PAX Technology INC
POI device model name(s) and number: PAX S500, PAX S300, D210, A920
POI Device Hardware & Firmware Version #:
Hardware:
PAX S500: S500-xxx-xx4-0xxxx
PAX S300: S300-abc-dx3-0xxx (where a=0, M b=0, G, C, T, W, E c=0, L, A and d=0, 3)
  S300-abc-dx3-1xxx (where a=0, M b=0, G, C, T, W, E c=0, L, A and D=0, 3)
D210: D210-xxx-xx4-0xxx
A920: A920-xxx-0x5-0xxx, (Non CTLS), A920-xxx-Rx5-0xxx (CTLS), A920-xxx-0x5-1xxx, A920-xxx-Rx5-1xxx (CTLS)
Firmware:
PAX S500: 4.00.xx
PAX S300: SRED (CTLS): Prolin 21.3xx.xxx.xxx.1xx (Boot 1.0.0 PED 001), 3.02.xx
  S300-abc-dx3-1xxx (where a=0, M b=0, G, C, T, W, E c=0, L, A and D=0, 3)
D210: 4.00.xx
A920: 25.00.xxxx
Is application PCI listed? (Y/N): No
Does application have access to clear-text account data (Y/N): Yes
Application vendor, name and version #: Miura, MPI, M000-MPI-V4-XX
POI device vendor: Miura
POI device model name(s) and number: Shuttle
POI Device Hardware & Firmware Version #:
Hardware #: M003-PRODxx-V1-x, M003-PRODxx-V2-x, M004-PRODxx-V1-x, M005-PRODxx-V2-x, M006-PRODxx-V1-x, M006-PRODxx-V2-x, M010-PRODxx-V1-x, M010-PRODxx-V2-x
Firmware #: M000-OS-V7-x
Is application PCI listed? (Y/N): Yes
Does application have access to clear-text account data (Y/N): Yes
Application vendor, name and version #: Ingenico, RA1 v20.0x
POI device vendor: Ingenico
POI device model name(s) and number: iPP310, iPP320, iPP350, iSMP4, Lane/3000 Desk 1500
POI Device Hardware & Firmware Version #:
Hardware:
iPP310, iPP320, iPP350: IPP3xx-11Txxxxx
iSMP4: IMP6xx-01Txxxxx (without contactless)
  IMP6xx-11Txxxxx (with contactless)
Lane/3000 Desk 1500: LAN30AA, LAN30BA, LAN30CA, LAN30DA, LAN30EA, LAN30FA, LAN30GA, LAN30HA
Firmware:
iPP310, iPP320, iPP350: SRED (CTLS): 820365 V02.xx, 820305V02.xx, 820528V02.xx, SRED (Non CTLS): 820375V01.xx, 820554v01.xx
iSMP4: 820305v11.xx
Lane/3000 Desk 1500: 820547v01.xx, 820561v01.xx (base firmware)
Is application PCI listed? (Y/N): Yes
Does application have access to clear-text account data (Y/N): Yes
Application vendor, name and version #: Ingenico, Unified Payment Platform (UPP) # 1.0.x
POI device vendor: Ingenico
POI device model name(s) and number: Lane/3000 Desk 1500, Lane/5000, Lane/7000, Lane/8000, Move/5000, Link/2500
POI Device Hardware & Firmware Version #:
Hardware:
Lane/3000 Desk/1500: LAN30AA, LAN30BA, LAN30CA, LAN30DA, LAN30EA, LAN30FA, LAN30GA, LAN30HA
Lane/5000: LAN50AB (non CTLS), LAN50BB (CTLS)
Lane/7000: LAN70AA, LAN70AB
Lane/8000: LAN80AA
Move/5000: MOV50AA (Non CTLS); MOV50BA (CTLS), MOV50JA (CTLS), MOV50CA, MOV50DA, MOV50AB, MOV50BB (CTLS), MOV50CB, MOV50DB (CTLS), MOV50JB (CTLS)
Link/2500: LIN25AA, Non CTLS, LIN25BA, CTLS, LIN25CA, LIN25DA, LIN25EA; Touchscreen version; no CTLS support, LIN25FA; Touchscreen version; with CTLS support, LIN25GA; Dual Head version; no CTLS support, LIN25HA; Dual Head version; with CTLS support, LIN25IA (Companion version with rear connector and no CTLS support), LIN25JA (Companion version with rear connector and with CTLS)
Firmware:
Lane/3000 Desk/1500: 820547v01.xx, 820561v01.xx (base firmware)
Lane/5000: 820547v01.xx, 820376v01.xx, 820549V01.xx (SRED), 820555V01.xx (SRED), 820556V01.xx (SRED)
Lane/7000: 820547v01.xx
Lane/8000: 820547v01.xx
Move/5000: 820547v01.xx; 820376v01.xx; (SRED) CTLS: 820549V01.xx, 820555v01.xx (SRED), 820549v01.xx (SRED OnGuard FPE), 820556v01.xx (SRED OnGuard SDE), 820559v01.xx (SRED ANL), 820565v01.xx (SRED FF1)
Link/2500: 820547v01.xx, 820556v01.xx (SRED On-Guard SDE), 820555v01.xx (SRED AWL)
Is application PCI listed? (Y/N): Yes
Does application have access to clear-text account data (Y/N): Yes
Application vendor, name and version #: Verifone, FormAgent/XPI v5300
POI device vendor: Verifone, Inc
POI device model name(s) and number: Mx915, Mx925
POI Device Hardware & Firmware Version #:
Hardware: P132-509-01-R (MX 925), P132-509-11-R (MX 925), P132-509-21-R (MX 925), P132-509-11-PF (MX 925), P132-409-01-R (MX 915), P132-509-02-R (MX 925), P132-509-12-R (MX 925), P132-509-22-R (MX 925), P132-509-12-PF (MX 925), P132-409-02-R (MX 915), P177-40x-xx-xxx (Mx915), P177-50x-xx-xxx (Mx925)
Firmware: Vault: 1.x.x, 3.x.x, 4.x.x, 11.x.x, 12.x.x, 14.x.x, AppM: 1.x.x; 3.x.x; 4.x.x; 5.x.x, 5A.x.x, 6.x.x, 7.x.x, 8.x.x, SRED: 1.x.x, 3.x.x; 4.x.x; 5.x.x, 7.x.x, OP: 1.x.x, 3.x.x; 4.x.x, 5.x.x, 6.x.x, 7.x.x, SRED 5.x.x.xxx
Is application PCI listed? (Y/N): Yes
Does application have access to clear-text account data (Y/N): Yes
Application vendor, name and version #: Verifone, XPI version # 12.11.x
POI device vendor: Verifone, Inc
POI device model name(s) and number: e355, e265, e265G, VX 690, VX 690B, Vx805, Vx820
POI Device Hardware & Firmware Version #:
Hardware:
e355, e265, e265G: M087-351-x1-xxx, M087-361-x0-xxx, M087-381-x0-xxx, M087-381-xx-xxx
VX 690, VX 690B: M260-x1x-xx-xxx-3, M260-x5x-xx-xxx-3, M260-x1x-xx-xxx-3B, M260-x5x-xx-xxx-3B, M260-x1x-xx-xxx-3C, M260-x5x-xx-xxx-3C, M260-x1x-xx-xxx-3D, M260-x5x-xx-xxx-3D
Vx805: M280-70x-xx-xxx-3
Vx820: M282-XXX-XX-XXX-3
Firmware:
e355, e265, e265G: QTE35301.xxxxxxxx, OP: 1.x.x.x, QTE50301.xxxxxxxx, QTE35302.xxxxxxxx, QTE50320.xxxxxxxx, QTE50330.xxxxxxxx, QTE50340.xxxxxxxx, OP: 2.x.x, QTE50350.xxxxxxxx
VX 690, VX 690B: SRED (CTLS): QT690260, QT690261, QT690262, QT690263, QT690262.xxxxxxxx, QT690264.xxxxxxxx, QTyy0500.xxxxxxxx
Vx805: QT850017, SRED: QT850104, QT850109, QT850110, QT850120, QT850121, QT850240, QT850340, QT850245, QT850240.xxxxxxxx, QTyy0400.xxxxxxxx, QTyy0500.xxxxxxxx, QTyy0540.xxxxxxxx; OP 2.x.x.x
Vx820: SRED: QT820104, QT820106, QT820107, QT820109, QT820110, QT820111, QT820112, QT820113, QT820120, QT820121, QT820201, QT820240, QT820340, QT820301, QT820242, QT820241, QT820243, QT820244, QT820245, QT820240.xxxxxxxx, QT820246.xxxxxxxx, QTyy0400.xxxxxxxx, QTyy0500.xxxxxxxx, QTyy520.xxxxxxxx, QTyy0530.xxxxxxxx, OP: 2.x.x, QTyy0540.xxxxxxxx
Is application PCI listed? (Y/N): Yes
Does application have access to clear-text account data (Y/N): Yes
Application vendor, name and version #: Verifone, Point Secure Commerce Application Engage # 4.x.y-z
POI device vendor: Verifone, Inc
POI device model name(s) and number: P200/P200 Plus, P400/400 Plus
POI Device Hardware & Firmware Version #:
Hardware:
P200/P200 Plus: H430-07-02-xx0-x0-A0 (P200), H430-07-32-xx0-x0-A0 (P200 Plus), H430-07-02-xx0-x0-A1 (P200), H430-07-32-xx0-x0-A1 (P200 Plus), H430-07-02-XX0-X0-A1 (P200), H430-07-32-XX0-X0-A1 (P200 Plus)
  H430-07-02-xxx-x0-B0, H430-07-32-xxx-x0-B0, H430-07-02-xx0-x0-A1 (P200), H430-07-32-xx0-x0-A1 (P200 Plus)
P400/P400 Plus: H435-07-02-xx0-x0-A0 (P400), H435-07-32-xx0-x0-A0 (P400 Plus), H435-07-02-xx0-x0-A1 (P400), H435-07-32-xx0-x0-A1 (P400 Plus), H435-07-02-XX0-X0-A0 (P400), H435-07-32-XX0-X0-A0 (P400 Plus), H435-07-02-XX0-X0-A1 (P400), H435-07-32-XX0-X0-A1 (P400 Plus), H435-07-02-xxx-x0-B0 (P400), H435-07-32-xxx-x0-B0 (P400 Plus), H435-07-02-xxx-x0-A2 (P400), H435-07-02-xxx-x0-B1 (P400), H435-07-32-xxx-x0-A2 (P400 Plus), H435-07-32-xxx-x0-B1 (P400 Plus)
  H435-07-02-xxx-x0-B0, H435-07-32-xxx-x0-B0, H435-07-02-xx0-x0-A0, H435-07-02-xx0-x0-A1 (P400), H435-07-32-xx0-x0-A0, H435-07-32-xx0-x0-A1 (P400 Plus), H435-07-02-xxx-x0-B0 (P400), H435-07-32-xxx-x0-B0 (P400 Plus), H435-07-02-xx0-x0-A0 (P400), H435-07-32-xx0-x0-A0 (P400 Plus), H435-07-02-xxx-x0-A2 (P400), H435-07-02-xxx-x0-B1 (P400), H435-07-32-xxx-x0-A2 (P400 Plus), H435-07-32-xxx-x0-B1 (P400 Plus)
Firmware:
P200/P200 Plus: VAULT: 2.x.x, 3.x.x, 4.x.x, AppM: 7.x.x, 8.x.x, 9.x.x, VFSRED: 5.x.x, VFOP: 1.x.x, VAULT: 5.x.x, AppM: 10.x.x, VAULT: 7.x.x, AppM: 11.x.x, VFSRED: 7.x.x, VAULT: 8.x.x, AppM: 12.x.x, VFSRED: 9.x.x
  Vault: 7.x.x.x, AppM: 11.x.x.x, SRED: 7.x.x.x, OP: 1.x.x,
P400/P400 Plus: VAULT: 2.x.x, 3.x.x, 4.x.x, AppM: 7.x.x, 8.x.x, 9.x.x, VFSRED: 5.x.x, VFOP: 1.x.x, VAULT: 5.x.x, AppM: 10.x.x, VAULT: 7.x.x, AppM: 11.x.x, VFSRED: 7.x.x, VAULT: 8.x.x, AppM: 12.x.x, VFSRED: 9.x.x
  Vault: 7.x.x.x, AppM: 11.x.x.x, SRED: 7.x.x.x, OP: 1.x.x,
Is application PCI listed? (Y/N): Yes
Does application have access to clear-text account data (Y/N): Yes
2.3 POI Inventory & Monitoring
• All POI devices must be documented via inventory control and monitoring procedures, including device status (deployed, awaiting deployment, undergoing repair or otherwise not in use, or in transit).
• This inventory must be performed annually, at a minimum.
• Any variances in inventory, including missing or substituted POI devices, must be reported to Bluefin Payment Systems via the contact information in Section 1.2 above.
• Sample inventory table below is for illustrative purposes only. The actual inventory should be captured and maintained by the merchant in an external document.
Bluefin’s P2PE solution provides a unique advantage to customers in that it allows for a convenient process to build an annual inventory for all POI devices. All devices that are issued to a merchant are tracked by Bluefin within their P2PE management platform - the P2PE Manager®. Merchants can review an inventory of all devices that have been in their possession. This includes units that have been temporarily removed from service, awaiting deployment, actively processing, or devices that are retired and no longer eligible to run transactions. Merchants can update devices on their own in real time to ensure that when annual inventories are performed, all records are up to date. The reports generated by the P2PE Manager are compliant with the P2PE guidance as it relates to what information needs to be collected for each device during an inventory. See the PCI provided example table below.
Device vendor | Device model name(s) and number | Device Location | Device Status | Serial Number or other Unique Identifier
Specific operational instructions on how to perform an inventory are provided below.
Inventory Reporting
Bluefin P2PE Manager
The Bluefin P2PE Manager can be accessed at the following link: http://www.p2pemanager.com
Inventory Report
To generate a report of all POI devices, please go to the REPORTS link in the top global navigation bar. From there you can select the date range for your device inventory report. By selecting ALL POIs, ALL CUSTODIANS, and ALL LOCATIONS, any POI devices in the custody of the merchant during the time frame selected will be displayed. Those results can then be exported by hitting either the CSV or PDF button. When viewing the report, you can reference this glossary to understand the different columns of information that are provided.
• POI MODEL: This is the manufacturer name for the device.
• POI SERIAL NUMBER: This is the unique serial number for the device. This should match the
serial number sticker on the device. It should also match the serial number on the box that the
device was shipped in originally.
• LOCATION: This is the last confirmed location of the device.
• ADDRESS: This is the address detail that matches the LOCATION name.
• CITY: This is the city that matches the LOCATION name.
• STATE/PROVIENCE: This is the state or province that matches the LOCATION name.
• POSTAL CODE: This is the zip code that matches the LOCATION name.
• COUNTRY: This is the country that matches the LOCATION name.
• CUSTODIAN: This is the individual person who is associated as the primary person responsible
for the receipt and stewardship of the device for the LOCATION.
• STATUS: This is the current operational STATUS of the device.
State Changes
During the course of an annual inventory report, or at any other given time, the merchant can update
the state of their device to reflect its current condition.
This can be done by going to the DEVICES link in the top global navigation bar.
From there the merchant can click on a specific device and click the EDIT link. This will provide the ability
to view and potentially change the device state.
Merchants can change devices to the following temporary states that leave the device unable to process
transactions:
➢ Damaged
➢ Malfunctioning
➢ Lost
➢ In Repair
➢ Stored
Merchants can change devices to the following permanent states that leave the device unable to process
transactions:
➢ Retired
➢ Destroyed
➢ Tampered
*Please note if this state is accidentally selected there may be remediation options available by contacting
the Bluefin P2PE contact found in Section 1.2 of this document.
Additionally, as a safeguard, devices that exhibit TAMPERED behaviors such as passing credit card data
in the clear or repeatedly failed decryptions will be automatically disabled and marked as TAMPERED. In
such events, a Bluefin representative will follow up from those automated events to coordinate an
inspection/review of the device with the merchant.
Additional device states that may be displayed but are not eligible to be modified by the merchant are:
➢ Quarantined (by KIF)
➢ DOA (by KIF)
➢ Injected
➢ Authorizing
Dealing with missing devices
The P2PE Manager is a reporting tool, and reviewing devices in the field is still needed to validate
against missing devices. If a device has been lost or stolen, the merchant should log into the P2PE
Manager, find the serial number of the device that can’t be inventoried, and change the state of the
device to LOST. This will ensure that the device won’t be able to process P2PE transactions in Bluefin’s
P2PE environment. After the device state has been changed, contact Bluefin via the contact information
in Section 1.2 to report the device as missing. At the merchant’s discretion, a replacement device can be
ordered.
If a missing device is found, the merchant should conduct a full visual inspection. If the device appears
to be untampered, the merchant at their own discretion can choose to activate the device again. If the
merchant is unable to ascertain the integrity of the device, at the merchant’s own discretion they may
choose to order a replacement device, and have the now found device sent to Bluefin for destruction.
All device destructions will include formal attestation for the destruction of the device. Please see
Section 4.1 for guidance on shipping a device to a Bluefin KIF.
Dealing with substituted devices
The P2PE Manager is a reporting tool, and reviewing devices in the field is still needed to validate
against substituted devices. Substituted devices may be found when the merchant completes their
annual attestation, or during periodic inspection.
A substituted device may appear to be identical to the merchant’s equipment, which is why it’s
important to follow the inspection guidance in Section 5.1. If the merchant believes that there may be a
device substitution, the merchant should immediately discontinue use of the device. Most likely a
substituted device will not match the printed serial number of the device.
If a device has been substituted, and the merchant believes the substituted device has a forged serial
number that matches the serial number that should be in the P2PE Manager, the merchant should log
into the P2PE Manager, find the serial number of the device and change the state of the device to
TAMPERED.
If the suspected substituted device has replaced the merchant’s working device, then the working
device that was stolen in the swap will not be able to process P2PE transactions in Bluefin’s P2PE
solution. If the substituted device turns out to be a modified and/or tampered version of the actual
device owned by the merchant, then this will ensure that the device will not be able to process P2PE
transactions in Bluefin’s P2PE solution. If a device is marked to TAMPERED, a Bluefin representative will
contact the merchant, but the merchant may still initiate the contact via the contact information found
in Section 1.2.
Substituted devices should never be returned to service. At the discretion of the merchant, the device
should either be sent to Bluefin to coordinate a validated destruction of the device, or at the merchant’s
discretion the device can be sent to a PCI forensic auditor for inspection. For either destruction or PCI
forensic inspection, please coordinate via the contact information found in Section 1.2. In either
shipping scenario, the devices should be shipped in accordance with the guidance in Section 4.1.
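The inventory procedure in Section 2.3 (export the report as CSV, check devices in the field, then handle missing and substituted devices) can be cross-checked with a short script. This is an added example, not Bluefin code: the CSV header names are assumed to match the glossary column names, and the "Active" status label, the serial numbers, the locations and the ABSENT_OK set are constructed for illustration.

```python
import csv
import io
from collections import Counter

# States the manual lists as leaving a device unable to process transactions.
NON_PROCESSING = {"DAMAGED", "MALFUNCTIONING", "LOST", "IN REPAIR", "STORED",
                  "RETIRED", "DESTROYED", "TAMPERED"}
# Assumption for this example: units in these states are not expected on site.
ABSENT_OK = {"LOST", "DESTROYED", "IN REPAIR"}

# Constructed sample export; header names assumed to follow the report glossary.
SAMPLE_REPORT = """\
POI MODEL,POI SERIAL NUMBER,LOCATION,CUSTODIAN,STATUS
Model A,TEST-0001,Store 1,Custodian A,Active
Model A,TEST-0002,Store 1,Custodian A,Active
Model B,TEST-0003,Store 2,Custodian B,Stored
Model B,TEST-0004,Store 2,Custodian B,Lost
Model B,TEST-0005,Store 2,Custodian B,Active
"""

# Constructed field results: (serial read off the device, location, in service?)
SAMPLE_SIGHTINGS = [
    ("test-0001", "Store 1", True),
    ("TEST-0003", "Store 2", True),
    ("TEST-0005", "Store 1", True),
    ("TEST-0005", "Store 2", True),
    ("TEST-9999", "Store 1", True),
]


def norm(value):
    """Normalize a serial, status or location for comparison."""
    return " ".join(value.split()).upper()


def load_report(csv_text):
    """Index the exported report by serial number; reject duplicate rows."""
    devices = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = norm(row["POI SERIAL NUMBER"])
        if serial in devices:
            raise ValueError(f"serial listed twice in report: {serial}")
        devices[serial] = {"location": norm(row["LOCATION"]),
                           "status": norm(row["STATUS"])}
    return devices


def reconcile(csv_text, sightings):
    """Compare the report with what was physically found.

    Returns sorted serial lists per finding:
      missing                 - in the report, expected on site, not found
                                (manual: set the device to LOST, contact Bluefin)
      unknown                 - found, but not in the report (possible
                                substitution: discontinue use)
      duplicate               - same serial found more than once (possible
                                forged serial number)
      wrong_location          - found somewhere other than the report LOCATION
      in_service_but_disabled - in use while the report shows a state that
                                cannot process transactions
    """
    devices = load_report(csv_text)
    seen = [(norm(s), norm(loc), bool(live)) for s, loc, live in sightings]
    counts = Counter(serial for serial, _, _ in seen)
    findings = {"missing": [], "unknown": [], "wrong_location": [],
                "in_service_but_disabled": [],
                "duplicate": [s for s, n in counts.items() if n > 1]}
    for serial, location, live in seen:
        record = devices.get(serial)
        if record is None:
            findings["unknown"].append(serial)
            continue
        if location != record["location"]:
            findings["wrong_location"].append(serial)
        if live and record["status"] in NON_PROCESSING:
            findings["in_service_but_disabled"].append(serial)
    for serial, record in devices.items():
        if serial not in counts and record["status"] not in ABSENT_OK:
            findings["missing"].append(serial)
    return {name: sorted(set(items)) for name, items in findings.items()}


if __name__ == "__main__":
    for name, serials in reconcile(SAMPLE_REPORT, SAMPLE_SIGHTINGS).items():
        print(f"{name}: {', '.join(serials) or 'none'}")
```

A script like this only narrows where to look; the visual inspection guidance in Section 5.1 still applies to every device it flags.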
3. POI Device Installation Instructions
Do not connect non-approved cardholder data capture devices.
The P2PE solution is approved to include specific PCI-approved POI devices. Only these devices
denoted above in table 2.1 are allowed for cardholder data capture.
If a merchant’s PCI-approved POI device is connected to a data capture mechanism that is not PCI
approved (for example, if a PCI-approved SCR was connected to a keypad that was not PCI-approved):
• The use of such mechanisms to collect PCI payment-card data could mean that more PCI DSS requirements are now applicable for the merchant.
• Only P2PE approved capture mechanisms as designated on PCI’s list of Validated P2PE Solutions and in the PIM can be used.
Do not change or attempt to change device configurations or settings.
Changing or attempting to change device configurations or settings will invalidate the PCI-approved
P2PE solution in its entirety. Examples include, but are not limited to:
• Attempting to enable any device interfaces or data-capture mechanisms that were disabled on the P2PE solution POI device
• Attempting to alter security configurations or authentication controls
• Physically opening the device
• Attempting to install applications onto the device
Remote Device Administration
Per P2PE requirement 1B-2.3.a, merchants are not allowed to have remote access to administer P2PE
POI devices. Modifications to POI devices (software/firmware updates, configuration changes) must
be tested and approved by the solution provider, and signed under dual control. Approved signed
updates will be provided to merchants or installed on merchant POI devices either manually or via a
Terminal Management System (TMS).
*Please work with your Solution Provider representative found in the contact section under 1.2 of this
document to determine what update methods are available for the administration and support of your
device. Not all POI devices support remote/TMS administration.
3.1 Installation and connection instructions
Please make sure that device receiving instructions in Section 5 were properly followed before installing a device. Devices that do not follow the tamper inspection, logging and activation process detailed in Section 5 will not work properly when deployed in the field. Specific steps for activating a device within P2PE Manager can be found in your Bluefin P2PE Manager User Guide or via the following video link: https://vimeo.com/182772442/30b87f999e
Device Configurations
Devices come preconfigured to specific hardened security guidelines that meet P2PE governance requirements. These configuration parameters are digitally signed to confirm authenticity and ensure that security risks are minimized. As part of the secure terminal configuration, SRED (secure reading and exchange of data) is enabled and enforced for all payment card capture mechanisms prior to being serviced at the secure key injection facility and before deployment to the merchant, and may not be disabled at any time.
Universal installation and connection instructions
The following guidance represents best practices and is not a direct P2PE requirement. This guidance is provided to minimize the opportunity for anything to be added “in-line” between the POI device and point of sale device that could impact secure deployment or interfere with standard operations.
• Merchants should use the cables provided with the device whenever possible.
• If cables were not provided with the device (as is the case sometimes with merchant owned redeployed devices) best efforts should be made to ensure that existing cabling is manufacturer issued cabling.
Specific instructions for individual devices and supported connection types can be found in the
corresponding device appendix.
Appendix A: ID Tech SecuRED
Appendix B: ID Tech SREDKey
Appendix C: Ingenico iPP 310, iPP 320, iPP350
Appendix D: Ingenico ISC 250
Appendix E: Ingenico ISC Touch 250
Appendix F: Ingenico ISC Touch 480
Appendix G: Anywhere Commerce Nomad 2.0
Appendix H: BBPOS WisePad
Appendix I: PAX S500
Appendix J: PAX S300
Appendix K: Infinite Peripherals Prima M
Appendix L: Ingenico iCMP
Appendix M: Ingenico iUC 285
Appendix N: Ingenico iWL 252, 222
Appendix O: Ingenico iWL 258, 228
Appendix P: PAX D210
Appendix Q: Ingenico iSMP4 Companion
Appendix R: ID Tech Spectrum Pro
Appendix S: Miura Shuttle
Appendix T: BBPOS WisePad 2
Appendix U: Magtek Dynapro, DynaPr 3
Appendix V: Verifone Mx915/Mx925
Appendix W: ID Tech Augusta S
Appendix X: PAX A920
Appendix Y: PAX A80
Appendix Z: Datecs BluePad 50
Appendix AA: Verifone Vx805
Appendix AB: Verifone Vx820
Appendix AC: Verifone VX 690
Appendix AD: Verifone e355
Appendix AE: Ingenico iSelf Series
Appendix AF: Ingenico Lane/3000
Appendix AG: Ingenico Lane/5000
Appendix AH: Ingenico Lane/7000
Appendix AI: Ingenico Lane/8000
Appendix AJ: Ingenico Move/5000
Appendix AK: Ingenico Link/2500
Appendix AL: Verifone P200/P200 Plus
Appendix AM: Verifone P400/P400 Plus
Appendix AN: ID Tech VP5300 (Optional L100 Pin Pad add-on)
Note: Only PCI-approved POI devices listed in the PIM are allowed for use in the P2PE solution for
account data capture.
Physically secure POI devices in your possession, including devices:
• Awaiting deployment
• Undergoing repair or otherwise not in use
• Waiting transport between sites/locations
3.2 Guidance for selecting appropriate locations for deployed devices
The following guidance in this section represents best practices that merchants can follow. Merchants
may utilize comparable measures adapted to their deployment environments to ensure safe storage
and usage of their POI devices.
Guidance for countertop/cabled devices
Devices should be placed in a low access yet high visibility area. For example, in a retail environment,
the unit should be placed on the counter where it can be observed, but not so close to the customers
where the customer could gain easy access to manipulate the device without supervision. For a call
center type environment, the device should be placed on a desk where it is not obstructed by desktop
clutter and should not be placed in such a manner where people other than the individual responsible
for the device can get convenient access to the POI device.
Merchants should take steps to ensure a level of protection with their devices when left unattended
for long periods of time. Methods could include, but are not limited to, securing corded devices via
their cords, securing devices via mounting guidelines provided by the manufacturer, locking up the
POI separately in the evenings, or ensuring the devices remain under video monitoring.
Guidance for mobile devices
Special care should be taken in the deployment of mobile POI devices. If you must allow the
cardholder to hold and directly interact with the POI, never let the device out of your sight or
presence and remain with the cardholder at all times during the interaction. When you have the POI
back in your hands, visually inspect the POI device for any anomalies. Periodically, inspect that
the POI swiper serial number matches the serial numbers in the P2PE Manager to prevent device
substitutions.
3.3 Guidance for physically securing deployed devices to prevent unauthorized
removal or substitution
The following guidance in this section represents best practices that merchants can follow. Merchants
may utilize comparable measures adapted to their deployment environments to ensure safe storage
and usage of their POI devices.
Guidance for countertop/cabled devices
Please note that modification to the device such as attachment of adhesives, cable locks, or other add-on hardware, while not banned by the P2PE specifications, can have negative impacts when conducting tamper evidence inspections. Merchants should be cognizant of the impact of anything attached to the main unit of their POI device when performing a visual inspection. Merchants can explore using cable lock systems, or even cable staples/fasteners to ensure that the device is not easily pulled free. Many POI device manufacturers provide mounting instructions or even mounting hardware to secure the device to a stationary object such as a counter or desk. The use of a system like this does not modify the device or in any way impede visual inspection.
Guidance for mobile devices
Mobile POI devices will not accommodate any sort of physical fasteners since they are not corded devices. Because of this, care should be taken in the deployment environment with the POI units. Merchants should consider having a lockable area where the unit could be stored for a short period
of time, or the merchant should ensure that the unit will be in view of a camera system to ensure that unauthorized access of the device is captured. Merchants should also consider using a system by which a particular POI device is assigned to an individual employee, and make sure that employee follows the practices outlined in the mobile device deployment in Section 3.2.
4. POI Device Transit
4.1 Instructions for securing POI devices intended for, and during, transit
After receipt of the device, if the merchant is shipping the devices between multiple locations, the following practices should be followed. If the POI device is still in the original packaging and the device is still in the unopened tamper evident bag then the merchant may place that device in its original packaging into another shipment box and ship it to another location under the control of the merchant. The P2PE Manager should be updated by the merchant to show the new intended location of the device. The device should only be addressed to the person associated as the contact for the merchant location as found in the P2PE Manager. If the device has been logged into the P2PE Manager already, the status of the device should be set to STORED. This will ensure that during transit and subsequent storage at the new merchant location, the device will be ineligible to run transactions. If the device has not been logged in and activated in the P2PE Manager, the device can be logged as received at the new location by the authorized contact at the new merchant location. Merchants, for their own validation processes, should use only trusted couriers (such as FedEx, UPS, etc.) and document the tracking number for the shipment. That tracking number should be conveyed to the specific recipient at the new merchant location via a separate communication method such as email or phone.
If the POI device has been removed from the tamper evident packaging then the merchant should obtain new tamper evident packaging. New tamper evident packaging can either be independently obtained by the merchant, or tamper evident packaging can be requested from Bluefin. The merchant should place the device in the tamper evident packaging and record the serial number of the tamper evident packaging. The P2PE Manager should be updated by the merchant to show the new intended location of the device. The device should only be addressed to the person associated as the contact for the merchant location as found in the P2PE Manager. If the device has been logged into the P2PE Manager already, the status of the device should be set to STORED. This will ensure that during transit and subsequent storage at the new merchant location, the device will be ineligible to run transactions.
Merchants for their own validation processes should use only trusted couriers (such as FedEx, UPS, etc.) and document the tracking number for the shipment. That tracking number, and the tamper evident serial number, should be conveyed to the specific recipient at the new merchant location via a separate communication method such as email or phone.
4.2 Instructions for ensuring POI devices originate from, and are only shipped to,
trusted sites/locations
Validating device shipments from Bluefin to the merchant
The Bluefin P2PE solution helps to manage and validate all POI device shipments from Bluefin and its key injection facilities (KIF) to specific merchant locations. Device orders for merchants are coordinated with a Bluefin Payment Systems representative who then coordinates device shipments from the KIF. Utilizing the Bluefin P2PE Manager, the Bluefin employee sets up the merchant profile in the system, the individual merchant user accounts, and then creates the merchant locations that are eligible for devices. Each location profile contains an address, contact information, and a recipient’s name. All shipments from the KIF to that location will be addressed to the recipient listed in the location profile.
Before leaving the KIF, the POI device is placed in a tamper evident bag, and then sealed with a serialized tamper sticker. The KIF then records the serial number from the tamper bag, and the serial number of the device into P2PE Manager. When the POI devices arrive at the customer location, the employee listed as the contact for the location logs into the P2PE Manager and starts the process for confirming the devices they received. The merchant employee manually keys (or scans) in the serial number of the device, and the serial number from the tamper seal into the P2PE Manager, and if they both match the injection and shipment records recorded by the KIF, then the device is marked as being eligible for use. If the serial number of the device and the serial number on the tamper bag do not match, the device is programmatically barred from use. Without the validation of those two authenticating serial numbers, a device, including a substituted one, cannot be put into use.
In the event that a merchant receives devices that they are unable to activate through the use of the serial number on the device and the serial number on the bag, Bluefin should be contacted via the contact information found in Section 1.2 of this document to report the issue.
Devices should be held on to by the merchant until further instructions are provided by Bluefin.
Validating device shipments from merchants back to Bluefin
In the event that a merchant needs to return a device back to Bluefin, the merchant will need to contact Bluefin via the contact information found in Section 1.2 of this document. The Bluefin representative will then coordinate the shipment of the device back to the appropriate location. Shipments to Bluefin should be limited to the Bluefin supported key injection facilities listed below. The Bluefin representative coordinating the device returns will confirm which location the device should be shipped to.
Spencer Technologies
Inbound and outbound shipping address
Spencer Technologies
102 Otis St.
Northborough, MA 01532-2415
CDE
Inbound and outbound shipping address
CDE
1200 Williams Dr. Suite 1210
Marietta, GA 30066
MagTek
Inbound and outbound shipping address
MagTek, INC
1710 Apollo Ct.
Seal Beach, CA 90740
Ingenico
Outbound - Deployment center
Ingenico
6430 Shiloh Road East, Suite B
Alpharetta, GA 30005
Inbound and outbound - Ingenico Repair Facility
Ingenico
4020 Steve Reynolds Blvd
Norcross, GA 30093
Ingenico UK KIF
Inbound and outbound shipping address
Ingenico Northern Europe
17 Ridge Way, Donibristle Industrial Park
Dalgety Bay, Fife KY11 9JU
United Kingdom
Verifone
Inbound and outbound shipping address
1401 Aviation Blvd,
Lincoln, CA 95648
Secure Retail KIF
Inbound and outbound shipping address
Secure Retail Ltd
Walker Road, Bardon Hill, Coalville,
Leicestershire, England, LE67 1TU
PayCipher
Inbound and outbound shipping address
PayCipher, Inc.
12655 Edison Dr., Suite 104
Alpharetta, GA 30005
FDHS Canada (f.k.a. TASQ Technology)
Inbound and outbound shipping address
FDHS Canada
205 Export Blvd, Mississauga, ON L5S 1Y4
First Data Hardware Services (f.k.a. TASQ Technology)
Inbound and outbound shipping address
TASQ Technology Inc
1169 Canton Rd, Marietta, GA 30066
Lantec UK Ltd
Inbound and outbound shipping address
Lantec UK
Unit 10, Lovett Way,
Woodside, Dunstable
LU5 4TU
POS Portal, Inc
Inbound and outbound shipping address
POS Portal
1920 Watterson Trail # A, Louisville, KY 40299
5. POI Device Tamper Monitoring and Skimming Prevention
5.1 Instructions for physically inspecting POI devices and preventing skimming,
including instructions and contact details for reporting any suspicious activity
Additional guidance for skimming prevention on POI terminals can be found in the document entitled
Skimming Prevention: Best Practices for Merchants, available at www.pcisecuritystandards.org.
Inspection Frequency
Devices deployed in a retail or customer service environment should be inspected periodically, but no
less than annually. The merchant should keep their own logs that detail the inspection date and the
individual responsible for the inspection. These logs are for the merchant’s own record keeping to
help in troubleshooting whether or not a device has been tampered with.
Inspection procedures for un-deployed devices
Devices should be logged into the P2PE Manager upon receipt. However, in the event that a device
will be stored upon receipt, best practice would be to leave the device in the tamper evident bag. The
tamper evident packaging should be checked for signs of forced entry before deployment in the field.
Inspection procedures for deployed devices
Devices should be visually inspected for evidence of tampering or substitution. When inspecting a device, a merchant should confirm the serial number of the device and make sure it’s logged in the P2PE Manager appropriately. The PCI provided document entitled Skimming Prevention: Best Practices for Merchants, available at www.pcisecuritystandards.org, is a good document to reference in every inspection. Specific device inspection instructions can be found in the associated device appendix.
5.2 Instructions for responding to evidence of POI device tampering
Evaluating a device for evidence of tampering upon receipt of shipment
For all devices that are received from Bluefin and its partner KIF, please see the information in Section 5.3 for detailed inspection guidance when reviewing the shipment at the merchant location. If the devices come in any packaging other than described in Section 5.3, if the tamper evident packaging appears to have been opened, if the device does not match the photos in the inspection guide, or the devices appear to have been damaged or altered, and/or if the serial numbers do not match when entered into the P2PE Manager, do not deploy the device. Please see the detailed instructions on removing the device and notifying Bluefin at the bottom of this section. Please revisit Section 5.1 and the appropriate device appendixes for more detailed inspection instructions.
Evaluating a device in the field for evidence of tampering
If during the course of a scheduled inspection or observed during use of the product the device
appears to be physically tampered with or substituted, the device should immediately be pulled from
use. Please see the detailed instructions on removing the device and notifying Bluefin at the bottom
of this section.
Dealing with a tampered device
If you feel that a device may have been tampered with, follow these steps. In the event that the merchant feels that they have observed visual signs or device activity that they believe may indicate tampering with the device, the merchant can log into the P2PE Manager, identify the device in inventory by the device serial number and change the status of the device to TAMPERED. This status change will do two things. First, it will send a notification email to Bluefin that a device and its output need to be reviewed. Second, it will disable the device from processing through Bluefin. A Bluefin representative will then respond back to the merchant with a follow up regarding the device. Merchants may also contact Bluefin via the contact information provided in Section 1.2 of this document. Please note that if the device has not been logged into P2PE Manager, contact Bluefin as soon as possible.
5.3 Instructions for confirming device and packaging were not tampered with, and
for establishing secure, confirmed communications with the solution provider
Once a merchant receives confirmation that the order for their units has been submitted, within a few business days (once the order is prepared for shipment) the merchant will be able to log into the P2PE Manager and review the status of their pending shipment. The merchant can review the serial numbers of the devices contained in the shipment and confirm the carrier and tracking number for
the shipment, the destination location information, as well as the merchant representative whom the order is targeted for. When the responsible party at the merchant location takes possession of the shipment of POI devices they must log the confirmation of the receipt of those devices into Bluefin’s P2PE Manager. Immediately upon receipt, the merchant should inspect the shipment box for major damage such as tears or holes and must visually inspect that the packaging has not been re-taped or resealed. The merchant representative should also visually inspect the contents of the shipment box which should contain the expected number of cardboard boxes which contain an outer sticker that indicates the serial number of each POI device. The POI device should be contained within two packaging elements. The outer element is a tamper-evident bag. This bag will be sealed with serialized sticker/tape. This sticker is a tamper-evident sticker. If the sticker/tape has not been tampered with, it should look like Figure 1. Minor evidence of potential tampering with the sticker (rumpling or minor stretching) may occur while the box is in transit.
Figure 1: POI Device in tamper evident
bag with a tamper evident sticker on it.
If the sticker/tape has been removed or tampered with, the sticker may look like Figure 2.
Figure 2: Potentially Tampered Device
If you see a sticker on the tamper-evident bag near this level of evidence you should consider the device as having been tampered with. Notice that the tamper sticker is in two parts, and the word “void” can clearly be seen. Please note that your serialized tamper evident stickers may look like Figure 3, rather than the blue one shown in Figure 2. If a merchant believes that a device may have been tampered with either during shipment or upon receipt at the merchant facility, do not attempt to activate the device. If the device has not been activated please contact your Bluefin representative.
Figure 3: Example of a White Security Seal
Your device bags may reflect the blue strip shown in the previous photos, or it may also contain one
of these other colors on the tamper strip, as shown in Figure 4.
Figure 4: Example of Tamper Strip Colors
Confirming receipt of your shipment and preparing the device for activation
After receipt of the shipment, the merchant is required to confirm their shipment order in the P2PE Manager by navigating to the receipt of shipment screen. Once on this screen, the merchant representative will be required to attest to the receipt of each POI device. Proper attestation requires confirming the serial number of the device (found on a sticker on the cardboard packaging of the device box, and on a sticker on the device itself) and then opening the cardboard box and verifying the serial number from the tamper-evident bag. Specific steps for activating a device within P2PE Manager can be found in your Bluefin P2PE Manager User Guide or via the following video link: https://vimeo.com/182772442/30b87f999e
Please note that the tamper-evident bag SHOULD NOT BE OPENED UNTIL THE DEVICE IS IN THE FIELD LOCATION WHERE IT WILL BE DEPLOYED. This is important to preserve the tracking, device activation and chain of custody. Additionally, the merchant should keep the cardboard box that the device was shipped in as it will be the primary way in which a merchant can identify the serial number of the device without having to remove the device from the tamper-evident bag.
*For merchants using Ingenico units, please consult the following appendixes for additional
instructions on how to properly enter serial numbers into the P2PE Manager.
Appendix C: Ingenico iPP 310, iPP 320, iPP 350
Appendix D: Ingenico ISC 250
Appendix E: Ingenico ISC Touch 250
Appendix F: Ingenico ISC Touch 480
Appendix M: Ingenico iUC 285
Appendix N: Ingenico iWL 252, 222
Appendix O: Ingenico iWL 258, 228
Appendix Q: Ingenico iSMP4 Companion
Appendix AE: Ingenico iSelf Series
Appendix AF: Ingenico Lane/3000
Appendix AG: Ingenico Lane/5000
Appendix AH: Ingenico Lane/7000
Appendix AI: Ingenico Lane/8000
Appendix AJ: Ingenico Move/5000
Appendix AK: Ingenico Link/2500
5.4 Guidance for third party device support
Bluefin service agents
Bluefin will never send a Bluefin employee or designated agent of the company or subcontracted employee or designated agent of the company to a merchant’s location to inspect / repair / remove devices without first contacting the merchant representatives listed in P2PE Manager for that specific location where the device is located. If a merchant receives a communication from someone claiming to be a Bluefin employee or designated agent of the company and the merchant has doubts as to the validity of that representative, the merchant should contact Bluefin via the contact in Section 1.2 of this document. The Bluefin team member will be able to confirm the validity of the representative who requested access to the merchant and their POI devices. If the representative cannot be confirmed, then access to the merchant’s facility and POI devices should be denied by the merchant.
If the merchant is sure that the representative is a confirmed representative of Bluefin, the merchant
can make preparations for the representative to visit their facility.
Third party entities employed by the merchant, or merchant partners
In many instances, a merchant may employ third-party IT, accounting, vendor, or operational resources to service point of sale equipment, including P2PE POI devices. In such events, exact policies and procedures are at the discretion of the merchant, but Bluefin suggests the following best practices.
Prior to giving access to the POI device:
• Verifications of work orders should be escalated through the organization until the
management layer that approved the service request has verified the authenticity of the
work order.
• Service technicians should provide credentials that identify them as being an employee of the
validated third-party company.
Once given access to the POI device:
• Third party employees should be accompanied / monitored while interacting with POI
devices.
• If the device needs to leave the facility, under the control of the third-party employee, transit
guidance found in Section 4.1 of this document should be applied.
• Merchants should maintain their own activity logs to record interactions with a device from a
third party.
Logging activity
The merchant should keep a log of any onsite visits by a Bluefin representative or one of its
contracting representatives. The log should contain the name of the representative who visits, their
contact phone number, contact email address, their company name, the date of their visit, the time
they arrived and the time they departed. These logs should be saved for a period of up to one year.
6. Device Encryption Issues
6.1 Instructions for responding to POI device encryption failures
Understanding the Automated Device Protection Services
The Bluefin P2PE solution features several automated safeguards to help ensure the safety and
security of our merchants’ credit card data. When these automated protective services are engaged,
it can lead to temporary or permanent deactivation of your device. Those actions are done to protect
your organization from the liability that could occur with the loss of cardholder data. There are two
automated protection scenarios listed below.
Cardholder Data Protection
Credit card numbers are often referred to as the primary account number or PAN. Bluefin’s P2PE
solution is designed to protect against PAN data ever being improperly displayed. P2PE is built on the
principle that PAN data is encrypted in the POI device prior to the data entering the merchant’s
computer or device.
Clear-text cardholder data should never exit the P2PE terminal, and clear-text cardholder data
should never be returned from the Bluefin P2PE environment to the merchant P2PE environment.
The restriction for clear-text PAN data includes properly formatted PAN truncation (limited to the
first 6 and last 4 digits of the PAN), tokenization methods, and any other representation of the PAN.
Bluefin’s P2PE solution has automated systems to detect the presence of clear-text PAN and will
return a processing error when detected.
In the event that a device is ever tampered with, a common tactic is to modify the POI device so
that it transmits PAN data in the clear. The Bluefin POI Management Application is able to detect
any unencrypted PAN data, and if it does, it immediately deactivates the POI device
so that it is no longer able to run transactions. This event also sends an alert to a Bluefin account
manager, who will contact the impacted merchant to arrange for removal of the device.
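A merchant can run a similar check over their own POS application logs or captured device output. The following is an added example, not Bluefin's detection logic: it flags runs of 13 to 19 digits that pass the Luhn checksum and reports each finding only in first-6/last-4 truncated form. The function names and sample lines are constructed for illustration.

```python
import re

# 13 to 19 digits, each optionally followed by one space or hyphen, and not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """First 6 and last 4 digits only, so the report never repeats the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_clear_pans(text: str) -> list:
    """Return truncated forms of every likely clear-text PAN in text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(truncate(digits))
    return hits


def scan_lines(lines):
    """Return (line_number, truncated_pan) for each finding, 1-indexed."""
    return [(n, pan) for n, line in enumerate(lines, 1)
            for pan in find_clear_pans(line)]


# Constructed sample output; 4111111111111111 is a widely used test number.
SAMPLE = [
    "txn=1001 enc=9A3F0C27B1D4E85F6A7C2E11 status=ok",     # encrypted blob
    "txn=1002 track=%B4111111111111111^CONSTRUCTED/TEST^",  # clear-text PAN
    "txn=1003 card=411111******1111 status=ok",             # truncated form
    "txn=1004 order=1234567890123456 status=ok",            # fails Luhn
    "txn=1005 note=4111 1111 1111 1111",                    # spaced PAN
]

if __name__ == "__main__":
    for line_no, pan in scan_lines(SAMPLE):
        print(f"line {line_no}: clear-text PAN suspected ({pan})")
```

Roughly one in ten random digit runs of the right length passes Luhn, so a finding is a prompt for manual review rather than proof of clear-text card data.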
Data Irregularity
Data irregularity can sometimes be an indicator that tampering may have occurred. Bluefin’s POI Management Application is constantly surveying the data output from the POI units to make sure that the formatting and structure of the data is within expectations. In the event that data falls outside of expectations, an email alert is sent to a Bluefin employee or designated agent of the company who will manually review the output of the POI device in question. Should that device be deemed problematic, a Bluefin employee or designated agent of the company will then mark the device as tampered and remove it from being able to run transactions. If such a decision is made, a Bluefin employee or designated agent of the company will immediately contact the merchant and coordinate a replacement for the POI unit.
Customer initiated reporting and deactivation
In the event that the merchant feels that there may be an encryption failure or other activity that
they believe may indicate tampering with the device, the merchant can log into the P2PE Manager,
identify the device in inventory by the device serial number, and change the status of the device to
Tampered.
This status change will do two things. First, it will send a notification email to Bluefin that a device
and its output need to be reviewed. Second, it will disable the device from processing through
Bluefin. A Bluefin representative will then respond back to the merchant with a follow-up regarding
the device.
Reactivating a device reported as tampered
Once a device has been set to the tampered state in the P2PE Manager, the device cannot be reset to
an active state by the merchant without coordinating confirmation of proper device functionality
with Bluefin. Using the contact information provided in Section 1.2 of this document, the merchant
can contact Bluefin to have the activity of their device reviewed. If Bluefin and the merchant agree
that the device was erroneously marked as tampered, the Bluefin representative can restore the
device to proper functioning status. The P2PE Manager will then be updated to reflect the active
status, and the device in question will be allowed to process transactions.
In the event that the decision is made to not reactivate a device from a tampered state, the merchant may request that the unit stay in a permanent tampered state, and at the merchant’s option, the merchant can order a replacement unit. The device in question can then be returned to Bluefin where either a certified destruction will occur or the device may be kept for forensic research. Shipping guidance can be found in Section 4.2 of this document.
6.2 Instructions for formally requesting of the P2PE solution provider that P2PE
encryption of account data be stopped
Merchants do not have the ability to disable encryption on Bluefin P2PE POI devices. If the merchant wishes to continue processing with Bluefin but would like to remove themselves from P2PE compliance, the merchant should indicate that to Bluefin no less than 30 days prior to the anticipated end of their usage of the Bluefin P2PE solution. That notice must contain acknowledgment of the discontinuation risks listed below. If adequate lead time is provided, then Bluefin can provide alternate secure methods for the merchant to process card-present or MOTO transactions.

Bluefin will require that Bluefin-owned P2PE keys be removed from POI devices as part of the decommissioning process. Bluefin P2PE keys are exclusive to the Bluefin P2PE solution. In the event the merchant leaves processing with Bluefin, the customer-owned devices must have the Bluefin key removed or overwritten, either with another E2EE solution key or with a P2PE solution key provided by another payment processor. If the merchant chooses to retire the devices, either a confirmation of the key removal needs to occur or a certificate of destruction must be provided to Bluefin for all devices with Bluefin P2PE keys. Merchants also have the option to return POI devices to a Bluefin-supported P2PE KIF to perform secure key removal.

When the merchant is completely ready to be removed from the P2PE solution, a merchant representative will need to review the opt-out language hosted on Bluefin’s P2PE Manager website. The content and language will be similar to the example provided below. Once the merchant representative has acknowledged reading and accepting the opt-out terms, Bluefin will mark all P2PE POI units in the custody of the merchant as “retired.” Retired units will be unable to process credit card transactions.
Because this acknowledgment will deactivate the units, it is important that the merchant already have the new end-to-end encrypted units on-site and deployed prior to canceling their P2PE solution.
All opt-out requests must be submitted using the Bluefin P2PE opt-out form, and must contain the signature of an executive of the merchant company in order to ensure the opt-out process is properly captured for PCI compliance reasons. Upon receiving the merchant’s request to opt-out of P2PE encryption services, a Bluefin representative will provide the opt-out form to the merchant. The opt-out language matches the language below.
Opt-out Terms
1. P2PE provides the most secure PCI approved method for the capture and transmission of
credit card data. By encrypting the card data at the point of entry, prior to entering the
merchant’s computer/device the data remains secure and undecipherable until being
captured and decoded by Bluefin’s servers.
By formally requesting to opt-out of the P2PE program, the merchant acknowledges that the
security provided by Bluefin’s P2PE solution will no longer be available to them, and as such,
the merchant puts themselves at risk that card data could be captured in their environment.
2. It is the merchant’s responsibility to pursue alternative means by which to provide secure
card data capture in lieu of using Bluefin’s P2PE solution. The merchant should pursue other
PCI DSS (Data Security Standard) compatible strategies such as exploring the use of other
encrypted devices that provide end-to-end encryption functionality. Bluefin does provide
end-to-end encryption services and products which can help provide a secure card data
capture solution, although these solutions do not provide the same level of PCI DSS scope
reduction as P2PE.
By formally requesting to opt-out of the P2PE program, the merchant acknowledges that they
will be responsible to pursue alternate methods for secure card data capture and
transmission. Merchants should review their own PCI assessment resources or seek the aid
of a PCI Qualified Security Assessor (QSA) if unsure of a suitable alternate solution to replace
P2PE with another suitable PCI DSS compliant solution.
All P2PE POI devices in the custody of the merchant will need to have the Bluefin P2PE key
removed or the devices destroyed. It will be the merchant’s responsibility to obtain a formal
certificate of destruction (COD) from a PCI certified KIF or a work order for new key
injections from a PCI certified KIF that clearly identifies that a new key has been overwritten on the
existing Bluefin P2PE key.
3. Bluefin’s P2PE solution provides merchants drastic PCI DSS scope reduction.
By formally requesting to opt-out of the P2PE program, the merchant acknowledges that they
will be responsible for reassessing their eligibility for PCI DSS scope reduction, and
re-evaluating the proper assessment status that they will now need to comply with after
removing Bluefin’s P2PE solution from their environment.
Merchants should review their own PCI assessment resources or seek the aid of a PCI QSA if
unsure of the PCI DSS audit impact.
4. By opting out of Bluefin’s P2PE solution, it is the responsibility of the merchant to inform their
Acquirer of their status change. Status changes may impact the services and pricing extended
by their acquirer.
By formally requesting to opt-out of the P2PE program, the merchant acknowledges that they
will be responsible to notify their acquirer directly. In the event that Bluefin has informed the
acquirer of the status change, it is still the obligation of the merchant to directly inform their
acquirer in addition to any notifications that the merchant believes that Bluefin may have
already communicated.
5. By opting out of Bluefin’s P2PE solution, it is the responsibility of the merchant to inform the
card brands they work with of their status change and the subsequent impact that will have
on the merchant’s PCI DSS status. Status changes may impact the services and pricing
extended by their card brands.
By formally requesting to opt-out of the P2PE program, the merchant acknowledges that they
will be responsible to notify their card brands directly. In the event that Bluefin has informed
the card brands of the status change, it is still the obligation of the merchant to directly
inform the card brands they work with, in addition to any notifications that the merchant
believes that Bluefin may have already communicated.
Handling Instruction for Devices after Leaving the P2PE Solution
All POI devices handled by Bluefin include an encryption key that is unique to Bluefin’s P2PE solution. This encryption key is only valid when used in conjunction with the Bluefin P2PE solution. When a merchant leaves the Bluefin P2PE program, the keys in those devices need to be removed. That can be handled in several different ways.
• Merchant returns the devices to the custody of Bluefin via transfer to a Bluefin KIF, where the encryption key will be removed as well as any applications resident on the device. Devices will either be returned to the merchant or returned to Bluefin stock based on the contractual agreement between Bluefin and the merchant.
• Merchant returns the devices to a KIF of their choice, and the merchant provides confirmation that the encryption key was removed for each device.
• In certain rare events, retired devices will be slated for destruction. In such instances, the merchant returns the devices to the custody of Bluefin via transfer to a Bluefin KIF, where the devices will be destroyed and a certificate of destruction will be provided for the device(s).
7. POI Device Troubleshooting
7.1 Instructions for troubleshooting a POI device
Trouble with activating your device or running an initial transaction
When deploying a device to the field for the first time, please be aware that the device first has to be formally received. That process includes entering the device serial number and the tamper serial number into the P2PE Manager. If this activity has not been completed, the device will not run transactions. Please log into the P2PE Manager to review the current state of the device in question. The devices can be found by their serial number. Likewise, if a device has been transported from one location to another, or retrieved from storage, the device may be in a “stored” state and unable to run transactions. Please log into the P2PE Manager to make sure the device is set to an active state. If you need additional guidance, please use the contact information found in Section 1.2 of this document.
Trouble with processing payments
During the integration process, if the merchant experiences problems integrating the POI device to work with the applications that the merchant is coding, questions can be sent to [email protected]. During deployment, if a POI device is no longer properly submitting transactions, the merchant should first log into either the POI Manager or the P2PE Manager and confirm that the state of the device is still set to an active mode. If the device is still set to an active mode, then a request to Bluefin support can be made at [email protected]. The team at [email protected] will look to identify if there are any operational issues with your processing account. If further support is needed, the issue will be escalated to a Bluefin P2PE support specialist. Please note that the contact information listed in Section 1.2 of this document may not be the most efficient contact for immediate support issues around payment processing, and support should be initiated using standard Bluefin support procedures.
Trouble with POI devices not supporting expected functions
Many of the POI devices in Bluefin’s P2PE solution have advanced applications that can support a
wide variety of functions. Those functions can be performed either in conjunction with API responses
within the application itself, or by the device responding to input commands from the physical keys
on the device. In the event that the merchant has any questions or problems in the execution of
those activities, they should reference the device documentation provided by the manufacturer. In
the event that such resources are not readily available to the merchant, Bluefin can assist in
identifying how those resources can be obtained by the merchant. Using the contact information
provided in Section 1.2 of the document the merchant can request guidance in procuring any missing
user manuals for their device.
8. Additional Solution Provider Information
There is no additional information.
Revision Notes
10/03/16 V1.1 Updated document to clarify P2PE solution name.
10/28/16 V1.2 Added Ingenico iWL 252, 222, iWL 258, 228
11/10/16 V1.3 Added PAX D210
12/15/16 V1.4 Minor clarification to application description
03/22/17 V1.5 Added support for Ingenico iSMP4 companion
05/19/17 V1.6 Added support for ID Tech Spectrum Pro
06/05/17 V1.7 Added support for Miura Shuttle
09/01/17 V1.8 Added support for MagTek DynaPro and BBPOS WisePad
03/09/18 V1.9 Added Verifone MX915/925 devices and RBA 1.1, RA1 v.20, XPI applications
04/11/18 V1.10 Added PAX A920, Augusta S, Ingenico PTS 4.x (iSC Touch, IPP 3xx)
04/18/18 V1.11 Updates to 6.2 and Remote Administration
09/20/18 V1.12 Added Verifone Vx & e355, Datecs BP50, Pax A80, iSelf, TASQ CA KIF, and XPI
03/25/19 V1.13 Added Q1 2019 Designated change POIs (10), KIFs (3), and Applications (2)