Who qualifies for SAQ P2PE?

Merchants using only PCI SSC validated Point-to-Point Encryption (P2PE) terminals for card acceptance. The P2PE solution must be listed on the official PCI SSC P2PE Solutions list (separate from the QSA and ASV directories) and must be the merchant's only card acceptance mechanism. Mixed environments where some payments go through P2PE terminals and others go through non-P2PE channels (e-commerce, mail order, virtual terminal) require SAQ D-Merchant or a multi-SAQ submission. Bluefin, Verifone (select models), Ingenico (select models), and PAX (select models) all offer PCI-validated P2PE solutions.

How many controls does SAQ P2PE have?

33 controls in PCI DSS v4.0 SAQ P2PE, the smallest of any SAQ type other than SAQ A (22 controls). The reduced control set reflects the descoping effect of validated P2PE: cardholder data is encrypted at the point of card capture and never decrypts on the merchant's network. The merchant's environment is therefore largely out of PCI scope, leaving only the controls around physical terminal security, basic security policies, and third-party service provider management. SAQ P2PE typically takes 1 to 2 weeks of internal effort to complete.

Is any encrypted terminal a P2PE terminal?

No, and this is a common misunderstanding that causes merchants to incorrectly claim SAQ P2PE eligibility. Only terminals that are part of a PCI SSC validated P2PE solution qualify. The PCI SSC validation tests the full encryption flow from card capture through decryption at the validated decryption environment (typically the payment processor's HSM), including key management, terminal injection processes, and chain-of-custody documentation. Many terminals advertise 'encryption' or 'end-to-end encryption' without being PCI-validated P2PE solutions. Check the official PCI SSC P2PE Solutions list at pcisecuritystandards.org before claiming SAQ P2PE eligibility.

Does SAQ P2PE require ASV scanning?

Yes, though the scope is minimal because most of the merchant's environment is out of PCI scope under P2PE. The ASV scan typically covers any internet-facing IPs that connect to the P2PE terminal's communication channel, plus any merchant infrastructure that is still in scope (typically a small management interface for terminal monitoring). ASV scanning for SAQ P2PE merchants runs $100 to $500 per year, the lowest of any SAQ type with internet-connected infrastructure.

Does the P2PE terminal hardware cost pay back?

Yes, almost always, for any merchant with more than 3 to 5 terminals. The hardware premium for P2PE terminals over non-P2PE terminals runs $200 to $800 per terminal. The annual SAQ cost saving versus SAQ B-IP ($400 to $1,500 lower) and versus SAQ C ($1,100 to $4,500 lower) compounds across terminals and years. A 10-terminal retailer typically spends $2,000 to $8,000 on incremental P2PE hardware once, then saves $4,000 to $15,000 per year on SAQ costs. Payback is typically within the first year for any multi-terminal merchant.

How long does SAQ P2PE take to complete?

One to two weeks end to end for first-time SAQ P2PE completion. The qualification verification (confirming the P2PE solution is on the PCI SSC validated list and that all terminals are deployed correctly under the validated configuration) takes 2 to 5 days. The actual SAQ questions (33 controls) take 1 to 2 days. Renewals typically take 2 to 4 days because the qualification carries forward. This is the fastest SAQ type to complete other than SAQ A.

SAQ pricing

PCI SAQ P2PE cost 2026: hardware-encrypted-terminal pricing read

SAQ P2PE is the cheapest SAQ type for in-person card acceptance, at $400 to $1,500 per year with just 33 controls. Qualifying requires using a PCI SSC validated P2PE solution exclusively. For multi-terminal merchants the P2PE hardware premium pays back within the first compliance cycle, and the descoping benefit is dramatic: cardholder data never decrypts on the merchant's network.

Updated April 2026

Annual cost

$400 - $1,500

Bundled with ASV: $400-$1,000/yr

Controls

Second-smallest SAQ; cardholder data fully out of scope

Qualifies

Validated P2PE terminals only

What "validated P2PE" actually means

P2PE stands for Point-to-Point Encryption: cardholder data is encrypted at the point of card capture (typically the terminal's PIN entry device) and remains encrypted until it reaches a validated decryption environment (typically the payment processor's hardware security module). The merchant's network never sees decrypted cardholder data. This is dramatically different from terminals that advertise "encryption" or "end-to-end encryption" without PCI SSC validation, where encryption may be in place but the key management, terminal injection, and chain-of-custody processes have not been independently verified.

The PCI SSC maintains the official P2PE Solutions list showing every PCI-validated P2PE solution by solution provider, validated date, and expiry. For SAQ P2PE eligibility the merchant's terminal must be deployed as part of one of these listed solutions, configured per the solution's Solution Provider Implementation Manual, and used exclusively for card acceptance. Common validated P2PE solutions include Bluefin (across multiple terminal models), Verifone P2PE (Verifone-branded P2PE solution), Ingenico P2PE, Worldpay P2PE, FreedomPay P2PE, Adyen P2PE, and Square P2PE.

The validation context is meaningful because PCI breach investigations have repeatedly found merchants claiming SAQ P2PE eligibility while actually using non-validated encryption. Post-breach PFI investigations identify the misclassification and the regulatory consequences compound the original breach cost. Confirm validation explicitly with the terminal vendor and solution provider in writing before completing SAQ P2PE.

SAQ P2PE cost decomposition

Cost component	Range	Frequency
SAQ P2PE completion	$400 - $1,500/yr	Annual
ASV quarterly scanning	$100 - $500/yr	Quarterly scans, annual subscription
P2PE terminal hardware premium	$200 - $800/terminal	One-off (5-7 year terminal lifecycle)
P2PE solution monthly fee (some providers)	$5 - $20/terminal/mo	Monthly recurring (varies by provider)
Annual P2PE device inspection	$0 - $200/terminal	Per device, annual

The headline SAQ P2PE annual cost of $400 to $1,500 covers SAQ completion only. The total SAQ P2PE programme cost including ASV and terminal monthly fees runs $600 to $3,000 per year for a typical small merchant, plus the one-off terminal hardware premium amortised over 5-7 years.

The P2PE hardware payback math

For multi-terminal merchants, the P2PE terminal hardware premium pays back rapidly against the annual SAQ cost saving. A 10-terminal retailer comparing SAQ C ($3,000 to $6,000 per year) to SAQ P2PE ($400 to $1,500 per year) saves $2,000 to $5,000 per year on SAQ costs. The P2PE hardware premium of $2,000 to $8,000 (10 terminals at $200 to $800 each) pays back within the first or second year. After payback, the saving compounds across the 5-7 year terminal lifecycle for a total compliance cost saving of $10,000 to $35,000 per terminal-refresh cycle.

For single-terminal merchants the math is tighter. A single-terminal restaurant comparing SAQ B-IP ($800 to $3,000) to SAQ P2PE ($400 to $1,500) saves $400 to $1,500 per year. The P2PE terminal hardware premium of $200 to $800 pays back within the first year, but the absolute saving is modest. For single-terminal merchants the P2PE choice is more about descoping benefit (cardholder data fully out of the merchant's environment, dramatic breach-risk reduction) than absolute cost saving.

For multi-location merchants the math is most favourable. A 5-location restaurant chain with 3 terminals per location (15 terminals total) saves $6,000 to $22,500 per year on SAQ costs by moving to SAQ P2PE, against a one-off P2PE hardware premium of $3,000 to $12,000. The annual saving compounds over the terminal lifecycle for total savings of $30,000 to $150,000 per refresh cycle. This is the single highest-leverage PCI cost reduction available to multi-location card-present merchants.

Common SAQ P2PE qualification mistakes

Three errors recur. First, claiming SAQ P2PE eligibility with a non-validated encrypted terminal. Many terminals advertise "encryption" or "end-to-end encryption" without PCI SSC P2PE validation. Eligibility requires the terminal to be part of a listed validated P2PE solution per the PCI SSC P2PE Solutions list. If the solution is not listed, SAQ B-IP or SAQ C applies regardless of marketing claims about encryption.

Second, deploying validated P2PE terminals outside the validated configuration. Each PCI-validated P2PE solution has a Solution Provider Implementation Manual specifying acceptable deployment patterns. Deploying outside the validated configuration (using the terminal with a non-listed payment processor, modifying the terminal firmware, using non-validated peripherals) invalidates the SAQ P2PE eligibility even if the terminal itself is listed.

Third, mixed-channel card acceptance. A merchant using validated P2PE for in-person payments and a non-P2PE payment method for e-commerce, mail-order, or virtual terminal cannot use SAQ P2PE alone. The mixed environment typically requires SAQ D-Merchant or a multi-SAQ submission covering each channel separately. The qualifying SAQ P2PE merchant uses validated P2PE for all card acceptance and nothing else.

Check the official PCI SSC P2PE Solutions list

The PCI SSC publishes the validated P2PE Solutions list. Confirm your terminal solution is listed before claiming SAQ P2PE eligibility.

PCI SSC P2PE Solutions list →

Frequently asked

PCI SAQ P2PE completion runs $400 to $1,500 per year for the typical merchant using a validated P2PE solution. This is the cheapest SAQ type for in-person card acceptance and is dramatically cheaper than SAQ B-IP ($800 to $3,000) or SAQ C ($1,500 to $6,000) for merchants who can qualify. Bundled with ASV scanning through SecurityMetrics or similar providers, the total annual SAQ-plus-ASV cost runs $400 to $1,000. The P2PE terminal hardware investment is separate: $200 to $800 per terminal incremental versus a non-P2PE terminal, paid once with typical 5-7 year terminal lifecycle.

SAQ A cost

The e-commerce equivalent of P2PE's descoping benefit.

SAQ C cost

$1.5k to $6k for POS-on-internet merchants.

SAQ D cost

$5k to $20k for full-scope self-assessment.

Reduce PCI costs

P2PE is one of seven proven cost-reduction strategies.

Level 3 PCI cost

Where SAQ P2PE typically fits in the level taxonomy.

SecurityMetrics ASV

The bundled SAQ P2PE + ASV product.