point-to-point encryption (p2pe) instruction manual...

P2PE Instruction Manual for PCI P2PE v2.0 March 2019

© 2019 Bluefin Payment Systems All Rights Reserved PIM

Point-to-Point Encryption (P2PE) Instruction

Manual (PIM)

Core P2PE PIM V1.13

Issued on 03/25/2019

©Bluefin Payment Systems, 2019

All Rights Reserved.



1. P2PE Solution Information and Solution Provider Contact Details

1.1 P2PE Solution Information

Solution name: Bluefin P2PE

Solution reference number per PCI SSC website:

2014-00897.001

1.2 Solution Provider Contact Information

Company name: Bluefin Payment Systems

Company address: 8200 Roberts Drive, Suite 150

Atlanta, GA 30350

Company URL: http://www.bluefin.com

Contact name: Trey Edge

Contact phone number: 800-675-6573 option #4

Contact e-mail address: [email protected]

P2PE and PCI DSS

Merchants using this P2PE Solution may be required to validate PCI DSS compliance and should be

aware of their applicable PCI DSS requirements. Merchants should contact their acquirer or payment

brands to determine their PCI DSS validation requirements.

2. Approved POI Devices, Applications/Software, and the Merchant

Inventory

2.1 POI Device Details

The following information lists the details of the PCI-approved POI devices approved for use in this P2PE

solution. Note all POI device information can be verified by visiting:

https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_secu

rity.php

http://www.bluefin.com/

mailto:[email protected]

https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php



POI device vendor: ID Tech

POI device model name and number: SecuRED

Hardware version #(s): IDSR-33x1xxxxx

Firmware version #(s): 1.07, 1.08, 2.00

PCI PTS Approval #(s): 4-10144


POI device model name and number: SREDKey

Hardware version #(s): IDSK-53xxxxxxx

Firmware version #(s): 1.01, 1.02, 1.02.xxx.S



POI device model name and number: Augusta S

Hardware version #(s): IDEM-8xxx, IDEM-8xxxx

Firmware version #(s): V1.00, V1.01.xxx.S, V1.02.xxx.S



POI device model name and number: VP5300

Hardware version #(s): SPTP2-988-33-2C-0C, ID-80152002-00x (CTLS Antenna)

Firmware version #(s): VP5300 V1.00.xxx.xxxx.S

PCI PTS Approval #(s): 4-10245 (PTS 5.x)


POI device model name and number: SmartPIN L100



Hardware version #(s): IDPB-60x400M Rev A, IDPB-60x400M Rev B

Firmware version #(s): V1.00.xxx.S, V1.01.xxx.S, V1.02.xxx.S (SRED)


POI device vendor: Ingenico

POI device model name and number: iPP320, iPP350, iPP310, iPP315*

Hardware version #(s): PTS 2.x: IPP3xx-01Txxxxx

PTS 3.x: IPP3xx-11Txxxxx

PTS 4.x: iPP3xx-21Txxxxx, iPP3xx-31Txxxxx, iPP3xx-41Txxxxx,

iPP3xx-51Txxxxx

Firmware version #(s): PTS 2.x: 820305V01.xx, 820365V02.xx, SRED (Non CTLS)

:820157V01.xx

PTS 3.x: SRED (CTLS): 820365 V02.xx, 820305V02.xx,

820528V02.xx, SRED (Non CTLS): 820375V01.xx, 820554v01.xx

PTS 4.x: 820305 V11.xx, 820180 V01.xx

PCI PTS Approval #(s): 4-20142 (PTS 2.x), 4-20184 (PTS 3.x), 4-30176 (PTS 4.x)

*Note: Only PTS 4.x listing includes iPP315 device


POI device model name and number: iSC250

Hardware version #(s): iSC2xx-01Txxxxx

Firmware version #(s): 820518V01.xx, 820518V02.xx, SRED (Non CTLS) 820157V01.xx



POI device model name and number: iSC Touch 250

Hardware version #(s): PTS 3.x: iSC2xx-21Txxxxx, iSC2xx-31Txxxxx

PTS 4.x: iSC2xx-21Txxxxx, iSC2xx-31Txxxxx



Firmware version #(s): PTS 3.x: 820365 V02.xx, 820518 V02.xx, 820528V02.xx

PTS 4.x: 820518 V12.xx, SRED (CTLS): 820528V02.xx

PCI PTS Approval #(s): 4-30135 (PTS 3.x), 4-30132 (PTS 4.x)


POI device model name and number: ISC Touch 480

Hardware version #(s): PTS 3.x: ISC4xx-01Txxxxxx (no CTLS), ISC4xx-11Txxxxx (CTLS)

PTS 4.x: ISC4xx-01Txxxxx, ISC4xx-11Txxxxx

Firmware version #(s): PTS 3.x: 820365 V02.xx, 820518V01.xx, 820518V02.xx, SRED

(CTLS): 820528V02.xx

PTS 4.x: 820518 V11.xx, 820518 V12.xx, 820528V02.xx



POI device model name and number: iUR255, iUR255P

Hardware version #(s): iUR2xx-01Txxxxx, iUR2xx-11Txxxxx

Firmware version #(s): 820168 v01.xx



POI device model name and number: iUP250LE

Hardware version #(s): IUP2xx-11Txxxxx

Firmware version #(s): 820305v12.xx, 820305V13.xx



POI device model name and number: iUC150B



Hardware version #(s): iUC15x-01Txxxxx

Firmware version #(s): 820168 v01.xx



POI device model name and number: Lane/3000, Desk/1500

Hardware version #(s): LAN30AA, LAN30BA, LAN30CA, LAN30DA, LAN30EA, LAN30FA,

LAN30GA, LAN30HA

Firmware version #(s): 820547v01.xx, 820561v01.xx (base firmware)



POI device model name and number: Lane/5000

Hardware version #(s): LAN50AB (non CTLS), LAN50BB (CTLS)

Firmware version #(s): 820547v01.xx, 820376v01.xx, 820549V01.xx (SRED),

820555V01.xx (SRED), 820556V01.xx (SRED)




Hardware version #(s): LAN70AA, LAN70AB

Firmware version #(s): 820547v01.xx




Hardware version #(s): LAN80AA






POI device model name and number: Move/5000

Hardware version #(s): MOV50AA (Non CTLS); MOV50BA (CTLS), MOV50JA (CTLS),

MOV50CA, MOV50DA, MOV50AB, MOV50BB (CTLS),

MOV50CB, MOV50DB (CTLS), MOV50JB (CTLS)

Firmware version #(s): 820547v01.xx; 820376v01.xx; (SRED) CTLS: 820549V01.xx,

820555v01.xx (SRED), 820549v01.xx (SRED OnGuard FPE),

820556v01.xx (SRED OnGuard SDE), 820559v01.xx (SRED

ANL), 820565v01.xx (SRED FF1)



POI device model name and number: Link/2500

Hardware version #(s): LIN25AA, Non CTLS, LIN25BA, CTLS, LIN25CA, LIN25DA,

LIN25EA; Touchscreen version; no CTLS support, LIN25FA;

Touchscreen version; with CTLS support, LIN25GA; Dual Head

version; no CTLS support, LIN25HA; Dual Head version; with

CTLS support, LIN25IA (Companion version with rear connector

and no CTLS support), LIN25JA (Companion version with rear

connector and with CTLS)

Firmware version #(s): 820547v01.xx, 820556v01.xx (SRED On-Guard SDE),

820555v01.xx (SRED AWL)


POI device vendor: Anywhere Commerce

POI device model name and number: Nomad 2.0

Hardware version #(s): Nomad2.0-A1-B1, Nomad2.0-A2-B2

Firmware version #(s): 4.0 (SRED), 5.0 (SRED)




POI device vendor: BBPOS

POI device model name and number: WisePad, WisePad W300

Hardware version #(s): WisePad-A1-B0 (WisePad), WisePad-A1-B2 (WisePad W300),

WisePad-A2-B0 (WisePad), WisePad-A2-B2 (WisePad W300),

WisePad-B1-B0 (WisePad), WisePad-B1-B2 (WisePad W300)

Firmware version #(s): SRED: 4.0, SRED: 5.0


POI device vendor: PAX

POI device model name and number: S500

Hardware version #(s): S500-xxx-xx4-0xxx

Firmware version #(s): 4.00.xx



POI device model name and number: S300, S300 (MOS)

Hardware version #(s): S300-abc-dx3-0xxx (where a=0, M b=0, G, C, T, W, E c=0, L, A

and d=0, 3)

Firmware version #(s): SRED (CTLS): Prolin 21.3xx.xxx.xxx.1xx (Boot 1.0.0 PED 001),

3.02.xx



POI device model name and number: S300

Hardware version #(s): S300-abc-dx3-1xxx (where a=0, M b=0, G, C, T, W, E c=0, L, A

and D=0, 3)



Firmware version #(s): SRED (CTLS): Prolin 21.3xx.xxx.xxx.1xx (Boot 1.0.0 PED 001)



POI device model name and number: A920

Hardware version #(s): A920-xxx-0x5-0xxx, (Non CTLS), A920-xxx-Rx5-0xxx (CTLS),

A920-xxx-0x5-1xxx, A920-xxx-Rx5-1xxx (CTLS)

Firmware version #(s): 25.00.xxxx



POI device model name and number: A80

Hardware version #(s): A80-xxx-Rx5-0xxx (with CTLS), A80-xxx-0x5-0xxx (without

CTLS)

Firmware version #(s): 25.00.xxxx


POI device vendor: Infinite Peripherals

POI device model name and number: Prima M

Hardware version #(s): 01.01

Firmware version #(s): 02.08, 02.08.xx



POI device model name and number: iCMP

Hardware version #(s): ICMxxx-01Txxxxx, ICMxxx-11Txxxxx, ICMxxx-21Txxxxx,

ICMxxx-31Txxxxx



Firmware version #(s): 820305V01.xx, 820365V02.xx, SRED (CTLS): 820528V02.xx,

820539V01.xx



POI device model name and number: iUC285

Hardware version #(s): IUC28x-01Txxxxx

Firmware version #(s): 820177V01.xx



POI device model name and number: iWL 220, 250

Hardware version #(s): IWL2xx-01Txxxxx

Firmware version #(s): SRED (Non CTLS): 820073v01.xx, 820528v02.xx



POI device model name and number: D210

Hardware version #(s): D210-xxx-xx4-0xxx

Firmware version #(s): 4.00.xx



POI device model name and number: iSMP4

Hardware version #(s): MP6xx-01Txxxxx (without contactless),

IMP6xx-11Txxxxx (with contactless)






POI device model name and number: Spectrum Pro

Hardware version #(s): 106

Firmware version #(s): 1.00


POI device vendor: Miura

POI device model name and number: Shuttle

Hardware version #(s): M003-PRODxx-V1-x, M003-PRODxx-V2-x, M004-PRODxx-V1-x,

M005-PRODxx-V2-x, M006-PRODxx-V1-x, M006-PRODxx-V2-x,

M010-PRODxx-V1-x, M010-PRODxx-V2-x

Firmware version #(s): M000-OS-V7-x


POI device vendor: BBPOS

POI device model name and number: WisePad 2

Hardware version #(s): WPX2XXXX-XX-XXX

Firmware version #(s): WPX20.003-12


POI device vendor: MagTek

POI device model name and number: DynaPro, DynaPro 3.0

Hardware version #(s): 31PCIX308A (Online & Offline),

31PCIX508A (Online & Offline; CTLS),



31PCI1308A (Online & Offline),

31PCI1508A (Online & Offline; CTLS),

31PCI3308A (Online & Offline),

31PCI3508A (Online & Offline; CTLS)

Firmware version #(s): 30050851-Ex-PCI (Online & Offline; SRED)


POI device vendor: Verifone

POI device model name and number: Mx915, Mx925 (PTS 3.x)

Hardware version #(s): P132-509-01-R (MX 925), P132-509-11-R (MX 925), P132-509-

21-R (MX 925), P132-509-11-PF (MX 925), P132-409-01-R (MX

915), P132-509-02-R (MX 925), P132-509-12-R (MX 925),

P132-509-22-R (MX 925), P132-509-12-PF (MX 925), P132-

409-02-R (MX 915)

Firmware version #(s): Vault: 1.x.x, 3.x.x, 4.x.x, 11.x.x, 12.x.x, AppM: 1.x.x; 3.x.x; 4.x.x;

5.x.x, 5A.x.x, 6.x.x, SRED: 1.x.x, 3.x.x; 4.x.x; 5.x.x, OP: 1.x.x,

3.x.x; 4.x.x; 7.x.x, SRED 5.x.x.xxx, Vault: 13.x.x, AppM: 7.x.x



POI device model name and number: Mx915, Mx925 (PTS 4.x)

Hardware version #(s): P177-40x-xx-xxx (Mx915), P177-50x-xx-xxx (Mx925)

Firmware version #(s): Vault: 11.x.x; 12.x.x, 13.x.x, AppM: 5.x.x; 5A.x.x; 6.x.x; 7.x.x,

SRED: 4.x.x; 5.x.x, OP: 5.x.x; 6.x.x; 7.x.x, Vault: 14.x.x; AppM:

8.x.x; SRED: 7.x.x



POI device model name and number: e355, e265, e265G

https://www.pcisecuritystandards.org/popups/pts_device.php?appnum=4-10110

https://www.pcisecuritystandards.org/popups/pts_device.php?appnum=4-10110



Hardware version #(s): M087-351-x1-xxx, M087-361-x0-xxx, M087-381-x0-xxx, M087-

381-xx-xxx

Firmware version #(s): QTE35301.xxxxxxxx, OP: 1.x.x.x, QTE50301.xxxxxxxx,

QTE35302.xxxxxxxx, QTE50320.xxxxxxxx, QTE50330.xxxxxxxx,

QTE50340.xxxxxxxx, OP: 2.x.x, QTE50350.xxxxxxxx



POI device model name and number: VX 690, VX 690B

Hardware version #(s): M260-x1x-xx-xxx-3, M260-x5x-xx-xxx-3, M260-x1x-xx-xxx-3B,

M260-x5x-xx-xxx-3B, M260-x1x-xx-xxx-3C, M260-x5x-xx-xxx-

3C, M260-x1x-xx-xxx-3D, M260-x5x-xx-xxx-3D

Firmware version #(s): SRED (CTLS): QT690260, QT690261, QT690262, QT690263,

QT690262.xxxxxxxx, QT690264.xxxxxxxx, QTyy0500.xxxxxxxx



POI device model name and number: Vx805

Hardware version #(s): M280-70x-xx-xxx-3

Firmware version #(s): SRED: QT850104, QT850109, QT850110, QT850120,

QT850121, QT850240, QT850340, QT850245,

QT850240.xxxxxxxx, QTyy0400.xxxxxxxx, QTyy0500.xxxxxxxx,

QTyy0540.xxxxxxxx; OP 2.x.x.x



POI device model name and number: Vx820

Hardware version #(s): M282-XXX-XX-XXX-3



Firmware version #(s): SRED: QT820104, QT820106, QT820107, QT820109,

QT820110, QT820111, QT820112, QT820113, QT820120,

QT820121, QT820201, QT820240, QT820340, QT820301,

QT820242, QT820241, QT820243, QT820244, QT820245,

QT820240.xxxxxxxx, QT820246.xxxxxxxx, QTyy0400.xxxxxxxx,

QTyy0500.xxxxxxxx, QTyy520.xxxxxxxx, QTyy0530.xxxxxxxx,

OP: 2.x.x, QTyy0540.xxxxxxxx



POI device model name and number: P200/P200 Plus

Hardware version #(s): PTS 4.x: H430-07-02-xx0-x0-A0 (P200), H430-07-32-xx0-x0-A0

(P200 Plus), H430-07-02-xx0-x0-A1 (P200), H430-07-32-xx0-

x0-A1 (P200 Plus), H430-07-02-XX0-X0-A1 (P200), H430-07-

32-XX0-X0-A1 (P200 Plus)

PTS 5.x: H430-07-02-xxx-x0-B0, H430-07-32-xxx-x0-B0, H430-

07-02-xx0-x0-A1 (P200), H430-07-32-xx0-x0-A1 (P200 Plus)

Firmware version #(s): PTS 4.x: VAULT: 2.x.x, 3.x.x, 4.x.x, AppM: 7.x.x, 8.x.x, 9.x.x,

VFSRED: 5.x.x, VFOP: 1.x.x, VAULT: 5.x.x, AppM: 10.x.x, VAULT:

7.x.x, AppM: 11.x.x, VFSRED: 7.x.x, VAULT: 8.x.x, AppM: 12.x.x,

VFSRED: 9.x.x

PTS 5.x: Vault: 7.x.x.x, AppM: 11.x.x.x, SRED: 7.x.x.x, OP: 1.x.x,

VAULT: 8.x.x, AppM: 12.x.x, VFSRED: 9.x.x



POI device model name and number: P400/P400 Plus



Hardware version #(s): PTS 4.x: H435-07-02-xx0-x0-A0 (P400), H435-07-32-xx0-x0-A0

(P400 Plus), H435-07-02-xx0-x0-A1 (P400), H435-07-32-xx0-

x0-A1 (P400 Plus), H435-07-02-XX0-X0-A0 (P400), H435-07-

32-XX0-X0-A0 (P400 Plus), H435-07-02-XX0-X0-A1 (P400),

H435-07-32-XX0-X0-A1 (P400 Plus), H435-07-02-xxx-x0-B0

(P400), H435-07-32-xxx-x0-B0 (P400 Plus), H435-07-02-xxx-x0-

A2 (P400), H435-07-02-xxx-x0-B1 (P400), H435-07-32-xxx-x0-

A2 (P400 Plus), H435-07-32-xxx-x0-B1 (P400 Plus)

PTS 5.x: H435-07-02-xxx-x0-B0, H435-07-32-xxx-x0-B0, H435-

07-02-xx0-x0-A0, H435-07-02-xx0-x0-A1 (P400), H435-07-32-

xx0-x0-A0, H435-07-32-xx0-x0-A1 (P400 Plus), H435-07-02-

xxx-x0-B0 (P400), H435-07-32-xxx-x0-B0 (P400 Plus), H435-07-

02-xx0-x0-A0 (P400), H435-07-32-xx0-x0-A0 (P400 Plus),

H435-07-02-xxx-x0-A2 (P400), H435-07-02-xxx-x0-B1 (P400),

H435-07-32-xxx-x0-A2 (P400 Plus), H435-07-32-xxx-x0-B1

(P400 Plus)

Firmware version #(s): PTS 4.x: VAULT: 2.x.x, 3.x.x, 4.x.x, AppM: 7.x.x, 8.x.x, 9.x.x,

VFSRED: 5.x.x, VFOP: 1.x.x, VAULT: 5.x.x, AppM: 10.x.x, VAULT:

7.x.x, AppM: 11.x.x, VFSRED: 7.x.x, VAULT: 8.x.x, AppM: 12.x.x,

VFSRED: 9.x.x

PTS 5.x: Vault: 7.x.x.x, AppM: 11.x.x.x, SRED: 7.x.x.x, OP: 1.x.x,

VAULT: 8.x.x, AppM: 12.x.x, VFSRED: 9.x.x


POI device vendor: Datecs

POI device model name and number: Bluepad 50

Hardware version #(s): 02.02.10.xxBR (CTLS Version), 02.02.10.xxBN (without CTLS

support)

Firmware version #(s): 02.04.xxx.xx


2.2 POI Software/Application Details

The following information lists the details of all software/applications (both P2PE applications and P2PE

non-payment software) on POI devices used in this P2PE solution.



Note that all applications with access to clear-text account data must be reviewed according to Domain

2 and are included in the P2PE solution listing. These applications may also be optionally included in the

PCI P2PE list of Validated P2PE Applications list at vendor or solution provider discretion.

Application

vendor, name

and version #

POI device

vendor

POI device

model

name(s) and

number:

POI Device

Hardware &

Firmware Version

#

Is application

PCI listed?

(Y/N)

Does application

have access to

clear-text

account data

(Y/N)

Ingenico:

Retail Based

Application

(RBA) v12.x,

14.x

(Legacy

Deployments)

Ingenico

iPP310,

iPP320,

iPP350,

iSC250,

iSC Touch 250,

iSC Touch 480

Hardware:

iPP310, iPP320,

iPP350:

IPP3xx-01Txxxxx

iSC250:

iSC2xx-01Txxxxx

iSC Touch 250:

iSC2xx-21Txxxxx,

iSC2xx-31Txxxxx

iSC Touch 480:

ISC4xx-01Txxxxx

(no CTLS), ISC4xx-

11Txxxxx (CTLS)

Firmware:

iPP310, iPP320,

iPP350:

820305V01.xx,

820365V02.xx,

SRED (Non CTLS)

:820157V01.xx

iSC250:

820518 V01.xx,

820518 V02.xx,

SRED (Non CTLS):

820157 V01.xx

iSC Touch 250:

820365 V02.xx,

820518 V02.xx,

820528V02.xx

No No



iSC Touch 480:

820365 V02.xx,

820518V01.xx,

820518V02.xx,

SRED (CTLS):

820528V02.xx

Application

vendor, name

and version #

POI device

vendor

POI device

model

name(s) and

number:

POI Device

Hardware &

Firmware Version

#

Is application

PCI listed?

(Y/N)

Does application

have access to

clear-text

account data

(Y/N)

Ingenico:

Retail Based

Application

P2PE v1.0 and

v1.1

Encompasses

Retail Based

Application

17.x, 21.x,

22.x and 23.x

versioning

schemes

Ingenico iPP320,

iPP350,

iPP310,

iPP315,

iSC250,

iSC Touch

250

iSC Touch

480,

iCMP,

iUC285,

iWL 220,

iWL 250,

iSMP4,

iUR255,

iUR255P,

iUP250LE,

iUC150B

Hardware:

iPP320, iPP350,

iPP310, iPP315:

IPP3xx-11Txxxxx,

iPP3xx-21Txxxxx,

iPP3xx-31Txxxxx,

iPP3xx-41Txxxxx,

iPP3xx-51Txxxxx

iSC250:

iSC2xx-01Txxxxx

iSC Touch 250:

iSC2xx-21Txxxxx,

iSC2xx-31Txxxxx

iSC Touch 480:

ISC4xx-01Txxxxx,

ISC4xx-11Txxxxx

iCMP:

ICMxxx-01Txxxxx,

ICMxxx-11Txxxxx,

ICMxxx-21Txxxxx,

ICMxxx-31Txxxxx

iUC285:

IUC28x-01Txxxxx

Yes Yes



iWL 220/250:

IWL2xx-01Txxxxx

iSMP4: IMP6xx-

01Txxxxx (without

contactless)

IMP6xx-11Txxxxx

(with contactless)

iUR255, iUR255P:

iUR2xx-01Txxxxx,

iUR2xx-11Txxxxx

iUP250LE:

IUP2xx-11Txxxxx

iUC150B:

iUC15x-01Txxxxx

Firmware:

iPP320, iPP350,

iPP310, iPP315:

SRED (CTLS):

820365 V02.xx,

820305V02.xx,

820528V02.xx,

SRED (Non CTLS):

820375V01.xx,

820554v01.xx

820305 V11.xx,

820180 V01.xx

iSC250:

820518 V01.xx,

820518 V02.xx,

SRED (Non CTLS):

820157 V01.xx

820518 V12.xx

iSC Touch 250:

820365 V02.xx,

820518 V02.xx,

820528V02.xx,

820518 V12.xx,

SRED (CTLS):

820528V02.xx



iSC Touch 480:

820518 V11.xx,

820518 V12.xx,

820528V02.xx

iCMP:

820305V01.xx,

820365V02.xx,

SRED (CTLS):

820528V02.xx,

820539V01.xx

iUC285:

820177V01.xx

iSMP4:

820305v11.xx

iUR255, iUR255P:

820168 v01.xx

iUP250LE:

820305v12.xx,

820305V13.xx

iUC150B:

820168 v01.xx

Application

vendor,

name and

version #

POI device

vendor

POI device

model name(s)

and number:

POI Device

Hardware &

Firmware

Version #

Is application

PCI listed?

(Y/N)

Does

application have

access to clear-

text account

data (Y/N)

PAX,

Broad POS

v1.0

Build:

Bluefin-HC-

** V1.00.xx

PAX

Technology

INC

PAX S500,

PAX S300,

D210,

A920

Hardware:

PAX S500:

S500-xxx-xx4-

0xxxx

PAX S300:

S300-abc-dx3-

0xxx (where

a=0, M b=0, G,

No Yes



C, T, W, E c=0, L,

A and d=0, 3)

S300-abc-dx3-

1xxx (where

a=0, M b=0, G,

C, T, W, E c=0, L,

A and D=0, 3)

D210:

D210-xxx-xx4-

0xxx

A920:

A920-xxx-0x5-

0xxx, (Non

CTLS), A920-xxx-

Rx5-0xxx (CTLS),

A920-xxx-0x5-

1xxx, A920-xxx-

Rx5-1xxx (CTLS)

Firmware:

PAX S500:

4.00.xx

PAX S300:

SRED (CTLS):

Prolin

21.3xx.xxx.xxx.1

xx (Boot 1.0.0

PED 001),

3.02.xx

S300-abc-dx3-

1xxx (where

a=0, M b=0, G,

C, T, W, E c=0, L,

A and D=0, 3)

D210:

4.00.xx

A920:

25.00.xxxx



Application

vendor, name

and version #

POI device

vendor

POI device

model name(s)

and number:

POI Device

Hardware &

Firmware

Version #

Is application

PCI listed?

(Y/N)

Does

application have

access to clear-

text account

data (Y/N)

Miura,

MPI,

M000-MPI-

V4-XX

Miura Shuttle Hardware #:

M003-PRODxx-

V1-x, M003-

PRODxx-V2-x,

M004-PRODxx-

V1-x, M005-

PRODxx-V2-x,

M006-PRODxx-

V1-x, M006-

PRODxx-V2-x,

M010-PRODxx-

V1-x, M010-

PRODxx-V2-x

Firmware #:

M000-OS-V7-x

Yes Yes

Application

vendor, name

and version #

POI device

vendor

POI device

model name(s)

and number:

POI Device

Hardware &

Firmware

Version #

Is application

PCI listed?

(Y/N)

Does

application have

access to clear-

text account

data (Y/N)

Ingenico,

RA1 v20.0x

Ingenico iPP310,

iPP320,

iPP350,

iSMP4,

Lane/3000

Desk 1500

Hardware:

iPP310, iPP320,

iPP350:

IPP3xx-11Txxxxx

iSMP4:

IMP6xx-

01Txxxxx

(without

contactless)

Yes Yes



IMP6xx-

11Txxxxx (with

contactless)

Lane/3000 Desk

1500:

LAN30AA,

LAN30BA,

LAN30CA,

LAN30DA,

LAN30EA,

LAN30FA,

LAN30GA,

LAN30HA

Firmware:

iPP310, iPP320,

iPP350:

SRED (CTLS):

820365 V02.xx,

820305V02.xx,

820528V02.xx,

SRED (Non

CTLS):

820375V01.xx,

820554v01.xx

iSMP4:

820305v11.xx

Lane/3000 Desk

1500:

820547v01.xx,

820561v01.xx

(base firmware)

Application

vendor, name

and version #

POI device

vendor

POI device

model name(s)

and number:

POI Device

Hardware &

Firmware

Version #

Is application

PCI listed?

(Y/N)

Does

application have

access to clear-

text account

data (Y/N)



Ingenico,

Unified

Payment

Platform

(UPP) #

1.0.x

Ingenico Lane/3000

Desk 1500,

Lane/5000,

Lane/7000,

Lane/8000,

Move/5000,

Link/2500

Hardware:

Lane/3000

Desk/1500:

LAN30AA,

LAN30BA,

LAN30CA,

LAN30DA,

LAN30EA,

LAN30FA,

LAN30GA,

LAN30HA

Lane/5000:

LAN50AB (non

CTLS), LAN50BB

(CTLS)

Lane/7000:

LAN70AA,

LAN70AB

Lane/8000:

LAN80AA

Move/5000:

MOV50AA (Non

CTLS);

MOV50BA

(CTLS),

MOV50JA

(CTLS),

MOV50CA,

MOV50DA,

MOV50AB,

MOV50BB

(CTLS),

MOV50CB,

MOV50DB

(CTLS),

MOV50JB (CTLS)

Link/2500:

LIN25AA, Non

CTLS, LIN25BA,

CTLS, LIN25CA,

Yes Yes



LIN25DA,

LIN25EA;

Touchscreen

version; no CTLS

support,

LIN25FA;

Touchscreen

version; with

CTLS support,

LIN25GA; Dual

Head version;

no CTLS

support,

LIN25HA; Dual

Head version;

with CTLS

support, LIN25IA

(Companion

version with

rear connector

and no CTLS

support),

LIN25JA

(Companion

version with

rear connector

and with CTLS)

Firmware:

Lane/3000

Desk/1500:

820547v01.xx,

820561v01.xx

(base firmware)

Lane/5000:

820547v01.xx,

820376v01.xx,

820549V01.xx

(SRED),

820555V01.xx

(SRED),



820556V01.xx

(SRED)

Lane/7000:

820547v01.xx

Lane/8000:

820547v01.xx

Move/5000:

820547v01.xx;

820376v01.xx;

(SRED) CTLS:

820549V01.xx,

820555v01.xx

(SRED),

820549v01.xx

(SRED OnGuard

FPE),

820556v01.xx

(SRED OnGuard

SDE),

820559v01.xx

(SRED ANL),

820565v01.xx

(SRED FF1)

Link/2500:

820547v01.xx,

820556v01.xx

(SRED On-Guard

SDE),

820555v01.xx

(SRED AWL)

Application

vendor, name

and version #

POI device

vendor

POI device

model name(s)

and number:

POI Device

Hardware &

Firmware

Version #

Is application

PCI listed?

(Y/N)

Does

application have

access to clear-

text account

data (Y/N)



Verifone,

FormAgent

/XPI v5300

Verifone,

Inc

Mx915,

Mx925

Hardware:

P132-509-01-R

(MX 925), P132-

509-11-R (MX

925), P132-509-

21-R (MX 925),

P132-509-11-PF

(MX 925), P132-

409-01-R (MX

915), P132-509-

02-R (MX 925),

P132-509-12-R

(MX 925), P132-

509-22-R (MX

925), P132-509-

12-PF (MX 925),

P132-409-02-R

(MX 915),

P177-40x-xx-xxx

(Mx915), P177-

50x-xx-xxx

(Mx925)

Firmware

Vault: 1.x.x,

3.x.x, 4.x.x,

11.x.x, 12.x.x

14.x.x, AppM:

1.x.x; 3.x.x;

4.x.x; 5.x.x,

5A.x.x, 6.x.x,

7.x.x, 8.x.x,

SRED: 1.x.x,

3.x.x; 4.x.x;

5.x.x, 7.x.x, OP:

1.x.x, 3.x.x;

4.x.x, 5.x.x,

6.x.x, 7.x.x, SRED

5.x.x.xxx

Yes Yes



Application

vendor, name

and version #

POI device

vendor

POI device

model name(s)

and number:

POI Device

Hardware &

Firmware

Version #

Is application

PCI listed?

(Y/N)

Does

application have

access to clear-

text account

data (Y/N)

Verifone,

XPI version

# 12.11.x

Verifone,

Inc

e355, e265,

e265G

VX 690, VX

690B,

Vx805,

Vx820

Hardware:

e355, e265,

e265G:

M087-351-x1-

xxx, M087-361-

x0-xxx, M087-

381-x0-xxx,

M087-381-xx-

xxx

VX 690, VX

690B:

M260-x1x-xx-

xxx-3, M260-

x5x-xx-xxx-3,

M260-x1x-xx-

xxx-3B, M260-

x5x-xx-xxx-3B,

M260-x1x-xx-

xxx-3C, M260-

x5x-xx-xxx-3C,

M260-x1x-xx-

xxx-3D, M260-

x5x-xx-xxx-3D

Vx805:

M280-70x-xx-

xxx-3

Vx820:

M282-XXX-XX-

XXX-3

Firmware

e355, e265,

e265G:

QTE35301.xxxxx

xxx, OP: 1.x.x.x,

QTE50301.xxxxx

Yes Yes



xxx,

QTE35302.xxxxx

xxx,

QTE50320.xxxxx

xxx,

QTE50330.xxxxx

xxx,

QTE50340.xxxxx

xxx, OP: 2.x.x,

QTE50350.xxxxx

xxx

VX 690, VX

690B:

SRED (CTLS):

QT690260,

QT690261,

QT690262,

QT690263,

QT690262.xxxxx

xxx,

QT690264.xxxxx

xxx,

QTyy0500.xxxxx

xxx

Vx805:

QT850017,

SRED:

QT850104,

QT850109,

QT850110,

QT850120,

QT850121,

QT850240,

QT850340,

QT850245,

QT850240.xxxxx

xxx,

QTyy0400.xxxxx

xxx,

QTyy0500.xxxxx

xxx,



QTyy0540.xxxxx

xxx; OP 2.x.x.x

Vx820:

SRED:

QT820104,

QT820106,

QT820107,

QT820109,

QT820110,

QT820111,

QT820112,

QT820113,

QT820120,

QT820121,

QT820201,

QT820240,

QT820340,

QT820301,

QT820242,

QT820241,

QT820243,

QT820244,

QT820245,

QT820240.xxxxx

xxx,

QT820246.xxxxx

xxx,

QTyy0400.xxxxx

xxx,

QTyy0500.xxxxx

xxx,

QTyy520.xxxxxx

xx,

QTyy0530.xxxxx

xxx, OP: 2.x.x,

QTyy0540.xxxxx

xxx



Application

vendor, name

and version #

POI device

vendor

POI device

model name(s)

and number:

POI Device

Hardware &

Firmware

Version #

Is application

PCI listed?

(Y/N)

Does

application have

access to clear-

text account

data (Y/N)

Verifone,

Point

Secure

Commerce

Application

Engage #

4.x.y-z

Verifone,

Inc

P200/P200

Plus

P400/400

Plus

Hardware:

P200/P200

Plus:

H430-07-02-xx0-

x0-A0 (P200),

H430-07-32-xx0-

x0-A0 (P200

Plus), H430-07-

02-xx0-x0-A1

(P200), H430-

07-32-xx0-x0-A1

(P200 Plus),

H430-07-02-

XX0-X0-A1

(P200), H430-

07-32-XX0-X0-

A1 (P200 Plus)

H430-07-02-xxx-

x0-B0, H430-07-

32-xxx-x0-B0,

H430-07-02-xx0-

x0-A1 (P200),

H430-07-32-xx0-

x0-A1 (P200

Plus)

P400/P400

Plus:

H435-07-02-

xx0-x0-A0

(P400), H435-

07-32-xx0-x0-A0

(P400 Plus),

H435-07-02-

xx0-x0-A1

(P400), H435-

Yes Yes



07-32-xx0-x0-A1

(P400 Plus),

H435-07-02-

XX0-X0-A0

(P400), H435-

07-32-XX0-X0-

A0 (P400 Plus),

H435-07-02-

XX0-X0-A1

(P400), H435-

07-32-XX0-X0-

A1 (P400 Plus),

H435-07-02-xxx-

x0-B0 (P400),

H435-07-32-xxx-

x0-B0 (P400

Plus), H435-07-

02-xxx-x0-A2

(P400), H435-

07-02-xxx-x0-B1

(P400), H435-

07-32-xxx-x0-A2

(P400 Plus),

H435-07-32-xxx-

x0-B1 (P400

Plus)

H435-07-02-xxx-

x0-B0, H435-07-

32-xxx-x0-B0,

H435-07-02-

xx0-x0-A0,

H435-07-02-

xx0-x0-A1

(P400), H435-

07-32-xx0-x0-

A0, H435-07-32-

xx0-x0-A1 (P400

Plus), H435-07-

02-xxx-x0-B0

(P400), H435-

07-32-xxx-x0-B0

(P400 Plus),

H435-07-02-



xx0-x0-A0

(P400), H435-

07-32-xx0-x0-A0

(P400 Plus),

H435-07-02-xxx-

x0-A2 (P400),

H435-07-02-xxx-

x0-B1 (P400),

H435-07-32-xxx-

x0-A2 (P400

Plus), H435-07-

32-xxx-x0-B1

(P400 Plus)

Firmware

P200/P200 Plus:

VAULT: 2.x.x,

3.x.x, 4.x.x,

AppM: 7.x.x,

8.x.x, 9.x.x,

VFSRED: 5.x.x,

VFOP: 1.x.x,

VAULT: 5.x.x,

AppM: 10.x.x,

VAULT: 7.x.x,

AppM: 11.x.x,

VFSRED: 7.x.x,

VAULT: 8.x.x,

AppM: 12.x.x,

VFSRED: 9.x.x

Vault: 7.x.x.x,

AppM: 11.x.x.x,

SRED: 7.x.x.x,

OP: 1.x.x,

400/P400 Plus:

VAULT: 2.x.x,

3.x.x, 4.x.x,

AppM: 7.x.x,

8.x.x, 9.x.x,

VFSRED: 5.x.x,



VFOP: 1.x.x,

VAULT: 5.x.x,

AppM: 10.x.x,

VAULT: 7.x.x,

AppM: 11.x.x,

VFSRED: 7.x.x,

VAULT: 8.x.x,

AppM: 12.x.x,

VFSRED: 9.x.x

Vault: 7.x.x.x,

AppM: 11.x.x.x,

SRED: 7.x.x.x,

OP: 1.x.x,

2.3 POI Inventory & Monitoring

• All POI devices must be documented via inventory control and monitoring procedures, including device status (deployed, awaiting deployment, undergoing repair or otherwise not in use, or in transit).

• This inventory must be performed annually, at a minimum.

• Any variances in inventory, including missing or substituted POI devices, must be reported to Bluefin Payment Systems via the contact information in Section 1.2 above.

• Sample inventory table below is for illustrative purposes only. The actual inventory should be captured and maintained by the merchant in an external document.

Bluefin’s P2PE solution provides a unique advantage to customers in that it allows for a convenient process to build an annual inventory for all POI devices. All devices that are issued to a merchant are tracked by Bluefin within their P2PE management platform - the P2PE Manager®. Merchants can review an inventory of all devices that have been in their possession. This includes units that have been temporarily removed from service, awaiting deployment, actively processing, or devices that are retired and no longer eligible to run transactions. Merchants can update devices on their own in real time to ensure that when annual inventories are performed, all records are up to date. The reports generated by the P2PE Manger are compliant with the P2PE guidance as it relates to what information needs to be collected for each device during an inventory. See the PCI provided example table below.



Device vendor

Device model

name(s) and

number: Device Location Device Status

Serial Number or

other Unique

Identifier

Specific operational instructions on how to perform an inventory are provided below.

Inventory Reporting

Bluefin P2PE Manager

The Bluefin P2PE Manager can be accessed at the following link: http://www.p2pemanager.com

Inventory Report

To generate a report of all POI devices, please go to the REPORTS link in the top global navigation bar. From there you can select the date range for your device inventory report. By selecting ALL POIs, ALL CUSTODIANS, and ALL LOCATIONS, any POI devices in the custody of the merchant during the time frame selected will be displayed. Those results can then be exported by hitting either the CSV or PDF button. When viewing the report, you can reference this glossary to understand the different columns of information that are provided.

• POI MODEL: This is the manufacturer name for the device.

• POI SERIAL NUMBER: This is the unique serial number for the device. This should match the

serial number sticker on the device. It should also match the serial number on the box that the

device was shipped in originally.

• LOCATION: This is the last confirmed location of the device.

• ADDRESS: This is the address detail that matches the LOCATION name.

• CITY: This is the city that matches the LOCATION name.

• STATE/PROVIENCE: This is the state or province that matches the LOCATION name.

• POSTAL CODE: This is the zip code that matches the LOCATION name.

• COUNTRY: This is the country that matches the LOCATION name.

• CUSTODIAN: This is the individual person who is associated as the primary person responsible

for the receipt and stewardship of the device for the LOCATION.

• STATUS: This is the current operational STATUS of the device.

State Changes

During the course of an annual inventory report, or at any other given time, the merchant can update

the state of their device to reflect its current condition.

This can be done by going to the DEVICES link in the top global navigation bar.

http://www.p2pemanager.com/



From there the merchant can click on a specific device and click the EDIT link. This will provide the ability

to view and potentially change the device state.

Merchants can change devices to the following temporary states that leave the device unable to process

transactions:

➢ Damaged

➢ Malfunctioning

➢ Lost

➢ In Repair

➢ Stored

Merchant can change devices to the following permanent states that leave the device unable to process

transactions:

➢ Retired

➢ Destroyed

➢ Tampered

*Please note if this state is accidently selected there may be remediation options available by contacting

the Bluefin P2PE contact found in Section 1.2 of this document.

Additionally, as a safeguard, devices that exhibit TAMPERED behaviors such as passing credit card data

in the clear or repeatedly failed decryptions will be automatically disabled and marked as TAMPERED. In

such events, a Bluefin representative will follow up from those automated events to coordinate an

inspection/review of the device with the merchant

Additional device states that may be displayed but are not eligible to be modified by the merchant are:

➢ Quarantined (by KIF)

➢ DOA (by KIF)

➢ Injected

➢ Authorizing

Dealing with missing devices

The P2PE Manager is a reporting tool, and reviewing devices in the field is still needed to validate

against missing devices. If a device has been lost or stolen, the merchant should log into the P2PE

Manager, find the serial number of the device that can’t be inventoried, and change the state of the

device to LOST. This will ensure that the device won’t be able to process P2PE transactions in Bluefin’s

P2PE environment. After the device state has been changed, contact Bluefin via the contact information

in Section 1.2 to report the device as missing. At the merchant’s discretion, a replacement device can be

ordered.

If a missing device is found, the merchant should conduct a full visual inspection. If the device appears

to be untampered, the merchant at their own discretion can choose to activate the device again. If the

merchant is unable to ascertain the integrity of the device, at the merchant’s own discretion they may

choose to order a replacement device, and have the now found device sent to Bluefin for destruction.



All device destructions will include formal attestation for the destruction of the device. Please see

Section 4.1 for guidance on shipping a device to a Bluefin KIF.

Dealing with substituted devices

The P2PE Manager is a reporting tool, and reviewing devices in the field is still needed to validate

against substituted devices. Substituted devices may be found when the merchant completes their

annual attestation, or during periodic inspection.

A substituted device may appear to be identical to the merchant’s equipment, which is why it’s

important to follow the inspection guidance in Section 5.1. If the merchant believes that there may be a

device substitution, the merchant should immediately discontinue use of the device. Most likely a

substituted device will not match the printed serial number of the device.

If a device has been substituted, and the merchant believes the substituted device has a forged serial

number that matches the serial number that should be in the P2PE Manager, the merchant should log

into the P2PE Manager, find the serial number of the device and change the state of the device to

TAMPERED.

If the suspected substituted device has replaced the merchant’s working device, then the working

device that was stolen in the swap will not be able to process P2PE transactions in Bluefin’s P2PE

solution. If the substituted device turns out to be a modified and/or tampered version of the actual

device owned by the merchant, then this will ensure that the device will not be able to process P2PE

transactions in Bluefin’s P2PE solution. If a device is marked to TAMPERED, a Bluefin representative will

contact the merchant, but the merchant may still initiate the contact via the contact information found

in Section 1.2.

Substituted devices should never be returned to service. At the discretion of the merchant, the device

should either be sent to Bluefin to coordinate a validated destruction of the device, or at the merchant’s

discretion the device can be sent to a PCI forensic auditor for inspection. For either destruction or PCI

forensic inspection, please coordinate via the contact information found in Section 1.2. In either

shipping scenario, the devices should be shipped in accordance to the guidance in Section 4.1.

3. POI Device Installation Instructions

Do not connect non-approved cardholder data capture devices.

The P2PE solution is approved to include specific PCI-approved POI devices. Only these devices

denoted above in table 2.1 are allowed for cardholder data capture.

If a merchant’s PCI-approved POI device is connected to a data capture mechanism that is not PCI

approved (for example, if a PCI-approved SCR was connected to a keypad that was not PCI-approved):

• The use of such mechanisms to collect PCI payment-card data could mean that more PCI DSS requirements are now applicable for the merchant.

• Only P2PE approved capture mechanisms as designated on PCI’s list of Validated P2PE Solutions and in the PIM can be used.



Do not change or attempt to change device configurations or settings.

Changing or attempting to change device configurations or settings will invalidate the PCI-approved

P2PE solution in its entirety. Examples include, but are not limited to:

• Attempting to enable any device interfaces or data-capture mechanisms that were disabled on the P2PE solution POI device

• Attempting to alter security configurations or authentication controls

• Physically opening the device

• Attempting to install applications onto the device

Remote Device Administration

Per P2PE requirement 1B-2.3.a, merchants are not allowed to have remote access to administer P2PE

POI devices. Modifications to POI devices (software/firmware updates, configuration changes) must

be tested and approved by the solution provider, and signed under dual control. Approved signed

updates will be provided to merchants or installed on merchant POI devices either manually or via a

Terminal Management System (TMS).

*Please work with your Solution Provider representative found in the contact section under 1.2 of this

document to determine what update methods are available for the administration and support of your

device. Not all POI devices support remote/TMS administration.

3.1 Installation and connection instructions

Please make sure that device receiving instructions in Section 5 were properly followed before installing a device. Devices that do not follow the tamper inspection, logging and activation process detailed in Section 5 will not work properly when deployed in the field. Specific steps for activating a device within P2PE Manager can be found in your Bluefin P2PE Manager User Guide or via the following video link: https://vimeo.com/182772442/30b87f999e Device Configurations Devices come preconfigured to specific hardened security guidelines that meet P2PE governance requirements. These configuration parameters are digitally signed to confirm authenticity and ensure that security risks are minimized. As part of the secure terminal configuration, SRED (secure reading and exchange of data) is enabled and enforced for all payment card capture mechanisms prior to being serviced at the secure key injection facility and before deployment to the merchant, and may not be disabled at any time. Universal installation and connection instructions

https://vimeo.com/182772442/30b87f999e




The following guidance represents best practices and are not direct P2PE requirements. This guidance is provided to minimize the opportunity for anything to be added “in-line” between the POI device and point of sale device that could impact secure deployment or interfere with standard operations.

• Merchants should use the cables provided with the device whenever possible.

• If cables were not provided with the device (as is the case sometimes with merchant owned redeployed devices) best efforts should be made to ensure that existing cabling is manufacturer issued cabling.

Specific instructions for individual devices and supported connection types can be found in the

corresponding device appendix.

Appendix A: ID Tech SecuRED

Appendix B: ID Tech SREDKey

Appendix C: Ingenico iPP 310, iPP 320, iPP350

Appendix D: Ingenico ISC 250

Appendix E: Ingenico ISC Touch 250

Appendix F: Ingenico ISC Touch 480

Appendix G: Anywhere Commerce Nomad 2.0

Appendix H: BBPOS WisePad

Appendix I: PAX S500

Appendix J: PAX S300

Appendix K: Infinite Peripherals Prima M

Appendix L: Ingenico iCMP

Appendix M: Ingenico iUC 285

Appendix N: Ingenico iWL 252, 222

Appendix O: Ingenico iWL 258, 228

Appendix P: PAX D210

Appendix Q: Ingenico iSMP4 Companion

Appendix R: ID Tech Spectrum Pro

Appendix S: Miura Shuttle

Appendix T: BBPOS WisePad 2

Appendix U: Magtek Dynapro, DynaPr 3

Appendix V: Verifone Mx915/Mx925



Appendix W: ID Tech Augusta S

Appendix X: PAX A920

Appendix Y: PAX A80

Appendix Z: Datecs BluePad 50

Appendix AA: Verifone Vx805

Appendix AB: Verifone Vx820

Appendix AC: Verifone VX 690

Appendix AD: Verifone e355

Appendix AE: Ingenico iSelf Series

Appendix AF: Ingenico Lane/3000

Appendix AG: Ingenico Lane/5000

Appendix AH: Ingenico Lane/7000

Appendix AI: Ingenico Lane/8000

Appendix AJ: Ingenico Move/5000

Appendix AK: Ingenico Link/2500

Appendix AL: Verifone P200/P200 Plus

Appendix AM: Verifone P400/P400 Plus

Appendix AN: ID Tech VP5300 (Optional L100 Pin Pad add-on)

Note: Only PCI-approved POI devices listed in the PIM are allowed for use in the P2PE solution for

account data capture.

Physically secure POI devices in your possession, including devices:

• Awaiting deployment

• Undergoing repair or otherwise not in use

• Waiting transport between sites/locations

3.2 Guidance for selecting appropriate locations for deployed devices

The following guidance in this section represents best practices that merchants can follow. Merchants

may utilize comparable measures adapted to their deployment environments to ensure safe storage

and usage of their POI devices.



Guidance for countertop/cabled devices

Devices should be placed in a low access yet high visibility area. For example, in a retail environment,

the unit should be placed on the counter where it can be observed, but not so close to the customers

where the customer could gain easy access to manipulate the device without supervision. For a call

center type environment, the device should be placed on a desk where it is not obstructed by desktop

clutter and should not be placed in such a manner where people other than the individual responsible

for the device can get convenient access to the POI device.

Merchants should take steps to ensure a level of protection with their devices when left unattended

for long periods of time. Methods could include, but are not limited to, securing corded devices via

their cords, securing devices via mounting guidelines provided by the manufacturer, locking up the

POI separately in the evenings, or ensuring the devices remain under video monitoring.

Guidance for mobile devices

Special care should be taken in the deployment of mobile POI devices. If you must allow the

cardholder to hold and directly interact with the POI, never let the device out of your sight or

presence and remain with the cardholder at all times during the interaction. When you have the POI

back in your hands, visually inspect that the POI device for any anomalies. Periodically, inspect that

the POI swiper serial number matches the serial numbers in the P2PE Manager to prevent device

substitutions.

3.3 Guidance for physically securing deployed devices to prevent unauthorized

removal or substitution

The following guidance in this section represents best practices that merchants can follow. Merchants

may utilize comparable measures adapted to their deployment environments to ensure safe storage

and usage of their POI devices.

Guidance for countertop/cabled devices

Please note that modification to the device such as attachment of adhesives, cable locks, or other add-on hardware, while not banned by the P2PE specifications, can have negative impacts when conducting tamper evidence inspections. Merchants should be cognizant of the impact of anything attached to the main unit of their POI device when performing a visual inspection. Merchants can explore using cable lock systems, or even cable staples/fasteners to ensure that the device is not easily pulled free. Many POI device manufacturers provide mounting instructions or even mounting hardware to secure the device to a stationary object such as a counter or desk. The use of a system like this does not modify the device or in any way impede visual inspection.

Guidance for mobile devices

Mobile POI devices will not accommodate any sort of physical fasteners since they are not corded devices. Because of this, care should be taken in the deployment environment with the POI units. Merchants should consider having a lockable area where the unit could be stored for a short period



of time, or merchant should ensure that the unit will be in view of a camera system to ensure that unauthorized access of the device is captured. Merchants should also consider using a system by which a particular POI device is assigned to an individual employee, and make sure that employee follows the practices outlined in the mobile device deployment in Section 3.2.

4. POI Device Transit

4.1 Instructions for securing POI devices intended for, and during, transit

After receipt of the device, if the merchant is shipping the devices between multiple locations, the following practices should be followed. If the POI device is still in the original packaging and the device is still in the unopened tamper evident bag then the merchant may place that device in its original packaging into another shipment box and ship it to another location under the control of the merchant. The P2PE Manager should be updated by the merchant to show the new intended location of the device. The device should only be addressed to the person associated as the contact for the merchant location as found in the P2PE Manager. If the device has been logged into the P2PE Manager already, the status of the device should be set to STORED. This will ensure that during transit and subsequent storage at the new merchant location, the device will be ineligible to run transactions. If the device has not been logged in and activated in the P2PE Manager, the device can be logged as received at the new location by the authorized contact at the new merchant location. Merchants, for their own validation processes, should use only trusted couriers (such as FedEx, UPS, etc.) and document the tracking number for the shipment. That tracking number should be conveyed to the specific recipient at the new merchant location via a separate communication method such as email or phone.

If the POI device has been removed from the tamper evident packaging then the merchant should obtain new tamper evident packaging. New tamper evident packaging can either be independently obtained by the merchant, or tamper evident packing can be requested from Bluefin. The merchant should place the device in the tamper evident packaging and record the serial number of the tamper evident packaging. The P2PE Manager should be updated by the merchant to show the new intended location of the device. The device should only be addressed to the person associated as the contact for the merchant location as found in the P2PE Manager. If the device has been logged into the P2PE Manager already, the status of the device should be set to STORED. This will ensure that during transit and subsequent storage at the new merchant location, the device will be ineligible to run transactions.



Merchants for their own validation processes should use only trusted couriers (such as FedEx, UPS, etc.) and document the tracking number for the shipment. That tracking number, and the tamper evident serial number, should be conveyed to the specific recipient at the new merchant location via a separate communication method such as email or phone.



4.2 Instructions for ensuring POI devices originate from, and are only shipped to,

trusted sites/locations

Validating device shipments from Bluefin to the merchant

The Bluefin P2PE solutions help to manage and validate all POI device shipments from Bluefin and its key injection facilities (KIF) to specific merchant locations. Device orders for merchants are coordinated with a Bluefin Payment Systems representative who then coordinates device shipments from the KIF. Utilizing the Bluefin P2PE Manager, the Bluefin employee sets up the merchant profile in the system, the individual merchant user accounts, and then creates the merchant locations that are eligible for devices. Each location profile contains an address, contact information, and a recipient’s name. All shipments from the KIF to that location will be addressed to the recipient listed in the location profile. Before leaving the KIF, the POI device is placed in a tamper evident bag, and then sealed with a serialized tamper sticker. The KIF then records the serial number from the tamper bag, and the serial number of the device into P2PE Manager. When the POI devices arrive at the customer location, the employee listed as the contact for the location logs into the P2PE Manager and starts the process for confirming the devise they received. The merchant employee manually keys (or scans) in the serial number of the device, and the serial number from the tamper seal into the P2PE Manager, and if they both match the injection and shipment records recorded by the KIF, then the device is marked as being eligible for use. If the serial number of the device and the serial number on the tamper bag do not match, the device is programmatically barred from use. Without the validation of those two authenticating serial numbers, substituted devices could not be put into use. In the event that a merchant receives devices that they are unable to activate through the use of the serial number on the device and the serial number on the bag, Bluefin should be contacted via the contact information found in Section 1.2 of this document to report the issue. Devices should be held on to by the merchant until further instructions are provided by Bluefin.



Validating device shipments from merchants back to Bluefin

In the event that a merchant needs to return a device back to Bluefin, the merchant will need to contact Bluefin via the contact information found in Section 1.2 of this document. The Bluefin representative will then coordinate the shipment of the device back to the appropriate location. Shipments to Bluefin should be limited to the Bluefin supported key injection facilities listed below. The Bluefin representative coordinating the device returns will confirm which location the device should be shipped to.

Spencer Technologies

Inbound and outbound shipping address

Spencer Technologies

102 Otis St.

Northborough, MA 01532-2415

CDE


CDE

1200 Williams Dr. Suite 1210

Marietta, GA 30066

MagTek


MagTek, INC

1710 Apollo Ct.

Seal Beach, CA 90740

Ingenico

Outbound - Deployment center

Ingenico 6430 Shiloh Road East, Suite B Alpharetta, GA 30005

Inbound and outbound - Ingenico Repair Facility

Ingenico 4020 Steve Reynolds Blvd Norcross, GA 30093

Ingenico UK KIF




Ingenico Northern Europe 17 Ridge Way, Donibristle Industrial Park Dalgety Bay, Fife KY11 9JU United Kingdom Verifone


1401 Aviation Blvd, Lincoln, CA 95648 Secure Retail KIF


Secure Retail Ltd Walker Road, Bardon Hill, Coalville, Leicestershire, England, LE67 1TU PayCipher


PayCipher, Inc. 12655 Edison Dr., Suite 104 Alpharetta, GA 30005

FDHS Canada (f.k.a. TASQ Technology)


FDHS Canada

205 Export Blvd, Mississauga, ON L5S 1Y4

First Data Hardware Services (f.k.a. TASQ Technology)


TASQ Technology Inc 1169 Canton Rd, Marietta, GA 30066

Lantec UK Ltd

Inbound and outbound shipping address Lantec UK

Unit 10, Lovett Way,

Woodside, Dunstable

LU5 4TU



POS Portal, Inc


POS Portal 1920 Watterson Trail # A, Louisville, KY 40299

5. POI Device Tamper Monitoring and Skimming Prevention

5.1 Instructions for physically inspecting POI devices and preventing skimming,

including instructions and contact details for reporting any suspicious activity

Additional guidance for skimming prevention on POI terminals can be found in the document entitled

Skimming Prevention: Best Practices for Merchants, available at www.pcisecuritystandards.org.

Inspection Frequency

Devices deployed in retail or customer service environment should be inspected periodically, but no

less then annually. The merchant should keep their own logs that detail the inspection date and the

individual responsible for the inspection. These logs are for the merchant’s own record keeping to

help in troubleshooting whether or not a device has been tampered with.

Inspection procedures for un-deployed devices

Devices should be logged into the P2PE Manager upon receipt. However, in the event that a device

will be stored upon receipt, best practice would be to leave the device in the tamper evident bag. The

tamper evident packaging should be checked for signs of forced entry before deployment in the field.

Inspection procedures for deployed devices

Devices should be visually inspected for evidence of tampering or substitution. When inspecting a device, a merchant should confirm the serial number of the device and make sure it’s logged in the P2PE Manager appropriately. The PCI provided document entitled Skimming Prevention: Best Practices for Merchants, available at www.pcisecuritystandards.org, is a good document to reference in every inspection. Specific device inspection instructions can be found in the associated device appendix.

http://www.pcisecuritystandards.org/

http://www.pcisecuritystandards.org/



5.2 Instructions for responding to evidence of POI device tampering

Evaluating a device for evidence of tampering upon receipt of shipment

For all devices that are received from Bluefin and its partner KIF, please see the information in Section 5.3 for detailed inspection guidance when reviewing the shipment at the merchant location. If the devices come in any packaging other than described in Section 5.3, if the tamper evident packaging appears to have been opened, if the device does not match the photos in the inspection guide, or the devices appear to have been damaged or altered, and/or if the serial numbers do not match when entered into the P2PE Manager, do not deploy the device. Please see the detailed instructions on removing the device and notifying Bluefin at the bottom of this section. Please revisit Section 5.1 and the appropriate device appendixes for more detailed inspection instructions.

Evaluating a device in the field for evidence of tampering

If during the course of a scheduled inspection or observed during use of the product the device

appears to be physically tampered with or substituted, the device should immediately be pulled from

use. Please see the detailed instructions on removing the device and notifying Bluefin at the bottom

of this section.

Dealing with a tampered device

If you feel that a device may have been tampered with, follow these steps. In the event that the merchant feels that they have observed visual signs or device activity that they believe may indicate tampering with the device, the merchant can log into the P2PE Manager, identify the device in inventory by the device serial number and change the status of the device to TAMPERED. This status change will do two things. First, it will send a notification email to Bluefin that a device and its output needs to be reviewed. Second, it will disable the device from processing through Bluefin. A Bluefin representative will then respond back to the merchant with a follow up regarding the device. Merchants may also contact Bluefin via the contact information provided in Section 1.2 of this document. Please note that if the device has not been logged into P2PE Manager, contact Bluefin as soon as possible.

5.3 Instructions for confirming device and packaging were not tampered with, and

for establishing secure, confirmed communications with the solution provider

Once a merchant receives confirmation that the order for their units has been submitted, within a few business days (once the order is prepared for shipment) the merchant will be able to log into the P2PE Manager and review the status of their pending shipment. The merchant can review the serial numbers of the devices contained in the shipment and confirm the carrier and tracking number for



the shipment, the destination location information, as well as the merchant representative whom the order is targeted for. When the responsible party at the merchant location takes possession of the shipment of POI devices they must log the confirmation of the receipt of those devices into Bluefin’s P2PE Manager. Immediately upon receipt, the merchant should inspect the shipment box for major damage such as tears or holes and must visually inspect that the packaging has not been re-taped or resealed. The merchant representative should also visually inspect the contents of the shipment box which should contain the expected number of cardboard boxes which contain an outer sticker that indicates the serial number of each POI device. The POI device should be contained within two packaging elements. The outer element is a tamper-evident bag. This bag will be sealed with serialized sticker/tape. This sticker is a tamper-evident sticker. If the sticker/tape has not been tampered with, it should look like Figure 1. Minor evidence of potential tampering with the sticker (rumpling or minor stretching) may occur while the box is in transit.

Figure 1: POI Device in tamper evident

bag with a tamper evident sticker on it.

If the sticker/tape has been removed or tampered with, the sticker may look like Figure 2.



Figure 2: Potentially Tampered Device

If you see a sticker on the tamper-evident bag near this level of evidence you should consider the device as having been tampered with. Notice that the tamper sticker is in two parts, and the word “void” can clearly be seen. Please note that your serialized tamper evident stickers may look like Figure 3, rather than the blue one shown in Figure 2. If a merchant believes that a device may have been tampered with either during shipment or upon receipt at the merchant facility, do not attempt to activate the device. If the device has not been activated please contact your Bluefin representative.

Figure 3: Example of a White Security Seal

Your device bags may reflect the blue strip shown in the previous photos, or it may also contain one

of these other colors on the tamper strip, as shown in Figure 4.



Figure 4: Example of Tamper Strip Colors

Confirming receipt of your shipment and preparing the device for activation

After receipt of the shipment, the merchant is required to confirm their shipment order in the P2PE Manager by navigating to the receipt of shipment screen. Once on this screen, the merchant representative will be required to attest to the receipt of each POI device. Proper attestation requires confirming the serial number of the device (found on a sticker on the cardboard packaging of the device box, and on a sticker on the device itself) and then opening the cardboard box and verifying the serial number from the tamper-evident bag. Specific steps for activating a device within P2PE Manager can be found in your Bluefin P2PE Manager User Guide or via the following video link: https://vimeo.com/182772442/30b87f999e Please note that the tamper-evident bag SHOULD NOT BE OPENED UNTIL THE DEVICE IS IN THE FIELD LOCATION WHERE IT WILL BE DEPLOYED. This is important to preserve the tracking, device activation and chain of custody. Additionally, the merchant should keep the cardboard box that the device was shipped in as it will be the primary way in which a merchant can identify the serial number of the device without having to remove the device from the tamper-evident bag.

*For merchants using Ingenico units, please consult the following appendixes for additional

instructions on how to properly enter serial numbers into the P2PE Manager.

Appendix C: Ingenico iPP 310, iPP 320, iPP 350

Appendix D: Ingenico ISC 250

Appendix E: Ingenico ISC Touch 250

Appendix F: Ingenico ISC Touch 480

Appendix M Ingenico iUC 285

Appendix N: Ingenico iWL 252, 222

Appendix O: Ingenico iWL 258, 228





Appendix Q: Ingenico iSMP4 Companion

Appendix AE: Ingenico iSelf Series

Appendix AF: Ingenico Lane/3000

Appendix AG: Ingenico Lane/5000

Appendix AH: Ingenico Lane/7000

Appendix AI: Ingenico Lane/8000

Appendix AJ: Ingenico Move/5000

Appendix AK: Ingenico Link/2500

5.4 Guidance for third party device support

Bluefin service agents

Bluefin will never send a Bluefin employee or designated agent of the company or subcontracted employee or designated agent of the company to a merchant’s location to inspect / repair / remove devices without first contacting the merchant representatives listed in P2PE Manager for that specific location where the device is located. If a merchant receives a communication from someone claiming to be a Bluefin employee or designated agent of the company and the merchant has doubts as to the validity of that representative, the merchant should contact Bluefin via the contact in Section 1.2 of this document. The Bluefin team member will be able to confirm the validity of the representative who requested access to the merchant and their POI devices. If the representative cannot be confirmed, then access to the merchant’s facility and POI devices should be denied by the merchant.

If the merchant is sure that the representative is a confirmed representative of Bluefin, the merchant

can make preparations for the representative to visit their facility.

Third party entities employed by the merchant, or merchant partners

In many instances, a merchant may employee third party IT, accounting, vendor, or operational resources to service point of sale equipment, including P2PE POI devices. In such events, exact policies and procedures are at the discretion of the merchant, but Bluefin suggests the following best practices.

Prior to giving access to the POI device:



• Verifications of work orders should be escalated through the organization until the

management layer that approved the service request has verified the authenticity of the

work order.

• Service technicians should provide credentials that identify them as being an employee of the

validate third party company.

Once given access to the POI device:

• Third party employees should be accompanied / monitored while interacting with POI

devices.

• If the device needs to leave the facility, under the control of the third-party employee, transit

guidance found in Section 4.1 of this document should be applied.

• Merchants should maintain their own activity logs to record interactions with a device from a

third party.

Logging activity

The merchant should keep a log of any onsite visits by a Bluefin representative or one of its

contracting representatives. The log should contain the name of the representative who visits, their

contact phone number, contact email address, their company name, the date of their visit, the time

they arrived and the time they departed. These logs should be saved for a period of up to one year.

6. Device Encryption Issues

6.1 Instructions for responding to POI device encryption failures

Understanding the Automated Device Protection Services

The Bluefin P2PE solution features several automated safeguards to help ensure the safety and

security of our merchants’ credit card data. When these automated protective services are engaged,

it can lead to temporary or permanent deactivation of your device. Those actions are done to protect

your organization from the liability that could occur with the loss of cardholder data. There are two

automated protection scenarios listed below.

Cardholder Data Protection

Credit card numbers are often referred to as the primary account number or PAN. Bluefin’s P2PE

solution is designed to protect against PAN data ever being improperly displayed. P2PE is built on the

principle that PAN data is encrypted in the POI device prior to the data entering the merchant’s

computer or device.

Clear-text card holder data should never exit the P2PE terminal, and clear-text cardholder data

should never be returned from the Bluefin P2PE environment to the merchant P2PE environment.

The restriction for clear-text PAN data includes properly formatted PAN truncation (limited to the

first 6 and last 4 digits of the PAN), tokenization methods, and any other representation of the PAN.

Bluefin’s P2PE solution has automated systems to detect the presence of clear-text PAN and will



return a processing error when detected.

In the event that a device is ever tampered with, a common tactic that is seen is that the POI device is

modified to transmit PAN data in the clear. The Bluefin POI Management Application is able to detect

if there is ever any unencrypted PAN data, and if there is, it immediately deactivates the POI device

so that it is no longer able to run transactions. This event also causes an alert to a Bluefin account

manager who will contact the impacted merchant to arrange for removal of the device.

Data Irregularity

Data irregularity can sometimes be an indicator that tampering may have occurred. Bluefin’s POI Management Application is constantly surveying the data output from the POI units to make sure that the formatting and structure of the data is within expectations. In the event that data falls outside of expectations, an email alert is sent to a Bluefin employee or designated agent of the company who will manually review the output of the POI device in question. Should that device be deemed problematic, a Bluefin employee or designated agent of the company will then mark the device as tampered and remove it from being able to run transactions. If such a decision is made, a Bluefin employee or designated agent of the company will immediately contact the merchant and coordinate a replacement for the POI unit.

Customer initiated reporting and deactivation

In the event that the merchant feels that there may be an encryption failure or other activity that

they believe may indicate tampering with the device, the merchant can log into the P2PE Manager,

identify the device in inventory by the device serial number, and change the status of the device to

Tampered.

This status change will do two things. First, it will send a notification email to Bluefin that a device

and its output needs to be reviewed. Second, it will disable the device from processing through

Bluefin. A Bluefin representative will then respond back to the merchant with a follow-up regarding

the device.



Reactivating a device reported as tampered

Once a device has been set to the tampered state in the P2PE Manager, the device cannot be reset to

an active state by the merchant without coordinating confirmation of proper device functionality

with Bluefin. Using the contact information provided in Section 1.2 of this document, the merchant

can contact Bluefin to have the activity of their device reviewed. If Bluefin and the merchant agree

that the device was erroneously marked as tampered, the Bluefin representative can restore the

device to proper functioning status. The P2PE Manager will then be updated to reflect the active

status, and the device in question will be allowed to process transactions.

In the event that the decision is made to not reactivate a device from a tampered state, the merchant may request that the unit stay in a permanent tampered state, and at the merchant’s option, the merchant can order a replacement unit. The device in question can then be returned to Bluefin where either a certified destruction will occur or the device may be kept for forensic research. Shipping guidance can be found in Section 4.2 of this document.

6.2 Instructions for formally requesting of the P2PE solution provider that P2PE

encryption of account data be stopped

Merchants do not have the ability to disable encryption on Bluefin P2PE POI devices. If the merchant wishes to continue processing with Bluefin but would like to remove themselves from P2PE compliance, the merchant should indicate that to Bluefin no less than 30 days prior to the anticipated end of their usage of the Bluefin P2PE solution. That acknowledgment must contain acknowledgment of the discontinuation risks listed below. If adequate lead time is provided then Bluefin can provide alternate secure methods for the merchant to process card present or MOTO transactions. Bluefin will require that POI units have Bluefin owned P2PE keys removed from POI devices as part of the decommissioning process. Bluefin P2PE keys are exclusive to the Bluefin P2PE solution. In the event the merchant leaves processing with Bluefin, the customer owned devices must have the Bluefin key removed or over written either with another E2EE solution key or a P2PE solution key provided by another payment processor. If the merchant chooses to retire the devices, either a confirmation of the key removal needs to occur or a certificate of destruction must be provided to Bluefin for all devices with Bluefin P2PE Keys. Merchants also have the option to return POI devices to a Bluefin supported P2PE KIF to perform secure key removal. When the merchant is completely ready to be removed from the P2PE solution, a merchant representative will need to review the opt-out language hosted on Bluefin’s P2PE Manager website. The content and language will be similar to the example provided below. Once the merchant representative has acknowledged reading and accepting the opt-out terms, Bluefin will mark all P2PE POI units in the custody of the merchant as “retired.” Retired units will be unable to process credit card transactions. Because this acknowledgment will deactivate the units, it is important that the merchant already have the new end-to-end encrypted units on-site and deployed prior to canceling their P2PE solution.



All opt-out requests must be submitted using the Bluefin P2PE opt-out form, and must contain the signature of an executive of the merchant company in order to ensure the opt-out process is properly captured for PCI compliance reasons. Upon receiving the merchant’s request to opt-out of P2PE encryption services, a Bluefin representative will provide the opt-out form to the merchant. The opt-out language matches the language below.

Opt-out Terms

1. P2PE provides the most secure PCI approved method for the capture and transmission of

credit card data. By encrypting the card data at the point of entry, prior to entering the

merchant’s computer/device the data remains secure and undecipherable until being

captured and decoded by Bluefin’s servers.

By formally requesting to opt-out of the P2PE program, the merchant acknowledges that the

security provided by Bluefin’s P2PE solution will no longer be available to them, and as such,

the merchant puts themselves at risk that card data could be captured in their environment.

2. It is the merchant’s responsibility to pursue alternative means by which to provide secure

card data capture in lieu of using Bluefin’s P2PE solution. The merchant should pursue other

PCI DSS (Data Security Standard) compatible strategies such as exploring the use of other

encrypted devices that provide end-to-end encryption functionality. Bluefin does provide

end-to-end encryption services and products which can help provide a secure card data

capture solution, although these solutions do not provide the same level of PCI DSS scope

reduction as P2PE.

By formally requesting to opt-out of the P2PE program, the merchant acknowledges that they

will be responsible to pursue alternate methods for secure card data capture and

transmission. Merchants should review their own PCI assessment resources or seek the aide

of PCI Qualified Security Assessor (QSA) if unsure of a suitable alternate solution to replace

P2PE with another suitable PCI DSS compliant solution.

All P2PE POI devices in the custody of the merchant will need to have the Bluefin P2PE key

removed or the devices destroyed. It will be the merchant’s responsibility to obtain a formal

certificates of destruction (COD) from a PCI certified KIF or a work order for new key

injections from a PCI certified KIF that clearly identify a new key has been over written on the

existing Bluefin P2PE key.

3. Bluefin’s P2PE solution provides merchant drastic PCI DSS scope reduction.




will be responsible for reassessing their eligibility for PCI DSS scope reduction, and re-

evaluating the proper assessment status that they will now need to comply with after

removing Bluefin’s P2PE solution from their environment.

Merchants should review their own PCI assessment resources or seek the aid of a PCI QSA if

unsure of the PCI DSS audit impact.

4. By opting out of Bluefin’s P2PE solution, it is the responsibility of the merchant to inform their

Acquirer of their status change. Status changes may impact the services and pricing extended

by their acquirer.


will be responsible to notify their acquirer directly. In the event that Bluefin has informed the

acquirer of the status change, it is still the obligation of the merchant to directly inform their

acquirer in addition to any notifications that the merchant believes that Bluefin may have

already communicated.

5. By opting out of Bluefin’s P2PE solution, it is the responsibility of the merchant to inform the

card brands they work with of their status change and the subsequent impact that will have

on the merchants PCI DSS status. Status changes may impact the services and pricing

extended by their card brands.


will be responsible to notify their card brands directly. In the event that Bluefin has informed

the card brands of the status change, it is still the obligation of the merchant to directly

inform the card brands they work with, in addition to any notifications that the merchant

believes that Bluefin may have already communicated.

Handling Instruction for Devices after Leaving the P2PE Solution

All POI devices handled by Bluefin include an encryption key that is unique to Bluefin’s P2PE solution. This encryption key is only valid when used in conjunction with the Bluefin P2PE solution. When a merchant leaves the Bluefin P2PE program, the keys in those devices need to be removed. That can be handled in several different ways.

Merchant returns the devices to the custody of Bluefin via transfer to a Bluefin KIF where the encryption key will be removed as well as any applications resident on the device. Devices will either be returned to the merchant or returned to Bluefin stock based on the contractual agreement between Bluefin and the merchant.



Merchant returns the devices to a KIF of their choice, merchant provides confirmation that the encryption key was removed for each device. In certain rare events, retired devices will be slated for destruction. In such instances, the merchant returns the devices to the custody of Bluefin via transfer to a Bluefin KIF where the devices will be destroyed and a certificate of destruction will be provided for the device(s).



7. POI Device Troubleshooting

7.1 Instructions for troubleshooting a POI device

Trouble with activating your device or running an initial transaction

When deploying a device to the field for the first time, please be aware that the device first has to be formally received. That process includes entering the device serial number and the tamper serial number into either the P2PE Manager. If this activity has not been completed the device will not run transactions. Please log into the P2PE Manager to review the current state of the device in question. The devices can be found by their serial number. Likewise, if a device has been transported from one location to another, or retrieved from storage, the device may be in a “stored’ state and unable to run transactions. Please log into either the P2PE Manager to make sure the device is set to an active state. If you need additional guidance please use the contact information found in Section 1.2 of this document.

Trouble with processing payments

During the integration process, if the merchant experiences problems integrating the POI device to work with the applications that the merchant is coding, questions can be sent to [email protected]. During deployment if a POI device is no longer properly submitting transactions the merchant should first log into either the POI Manager or the P2PE Manager and confirm that the state of the device is still set to an active mode. If the device is still set to an active mode, then a request to Bluefin support can be made at [email protected]. The team at [email protected] will look to identify if there are any operational issues with your processing account. If further support is needed the issue will be escalated to ab Bluefin P2PE support specialist. Please note that the contact information listed in Section 1.2 of this document may not be the most efficient contact for immediate support issues around payment processing, and support should be initiated using standard Bluefin support procedures.

Trouble with POI devices not supporting expected functions

Many of the POI devices in Bluefin’s P2PE solution have advanced applications that can support a

wide variety of functions. Those functions can be performed either in conjunction with API responses

within the application itself, or by the device responding to input commands from the physical keys

on the device. In the event that the merchant has any questions or problems in the execution of

those activities, they should reference the device documentation provided by the manufacturer. In

the event that such resources are not readily available to the merchant, Bluefin can assist in

identifying how those resources can be obtained by the merchant. Using the contact information

provided in Section 1.2 of the document the merchant can request guidance in procuring any missing

user manuals for their device.

8. Additional Solution Provider Information






There is no additional information.

Revision Notes

10/03/16 V1.1 Updated document to clarify P2PE solution name.

10/28/16 V1.2 Added Ingenico iWL 252, 222, iWL 258, 228

11/10/16 V1.3 Added PAX D210

12/15/16 V1.4 Minor clarification to application description

03/22/17 V1.5 Added support for Ingenico iSMP4 companion

05/19/17 V1.6 Added support for ID Tech Spectrum Pro

06/05/17 V1.7 Added support for Miura Shuttle

09/01/17 V1.8 Added support for MagTek DynaPro and BBPOS WisePad

03/09/18 V1.9 Added Verifone MX915/925 devices and RBA 1.1, RA1 v.20, XPI applications

04/11/18 V1.10 Added PAX A920, Augusta S, Ingenico PTS 4.x (iSC Touch, IPP 3xx)

04/18/18 V1.11 Updates to 6.2 and Remote Administration

09/20/18 V1.12 Added Verifone Vx & e355, Datecs BP50, Pax A80, iSelf, TASQ CA KIF, and XPI

03/25/19 V1.13 Added Q1 2019 Designated change POIs (10), KIFs (3), and Applications (2)

point-to-point encryption (p2pe) instruction manual...

Documents