P2PE Instruction Manual

• 1. P2PE Solution Information and Solution Provider Contact Details

  • 1.1 P2PE Solution Information

    Solution name: Adyen P2PE Solution Solution reference number per PCI SSC website: 2023-01213.005

  • 1.2 Solution Provider Contact Information

    Company name: Adyen N.V. Company address: Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, The Netherlands Company URL: www.adyen.com Contact name: Niels de Vries Contact phone number: https://www.adyen.com/contact Contact e-mail address: possupport@adyen.com Note: P2PE and PCI DSS; Merchants using this P2PE Solution may be required to validate PCI DSS compliance and should be aware of their applicable PCI DSS requirements. Merchants should contact their acquirer or payment brands to determine their PCI DSS validation requirements.

• 2. Approved POI Devices, Applications/Software, and the Merchant Inventory

  • 2.1 POI Device Details

    The following information lists the details of the PCI-approved POI devices approved for use in this P2PE solution. Note all POI device information can be verified by visiting: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

  • 2.2 POI Software/application Details

    The following information lists the details of all software/applications (both P2PE applications and P2PE non-payment software) on POI devices used in this P2PE solution:

    • Application vendor, name and version #: Adyen P2PE application v1.1.*

    • P2PE Application Listing Reference #: 2023-01213.004

    • POI device vendor: Verifone

    • POI device model name(s) and number: See 2.1

    • POI Device Hardware & Firmware Version #: See 2.1

    • Is application PCI listed?: Yes

    • Does application have access to clear-text account data (Y/N): No

  • 2.3 POI Inventory & Monitoring

    Your Adyen Customer Area (CA), which is available at https://ca-live.adyen.com/ca/ca/postfm/showposterminals.shtml, provides real-time insight into the payment terminal inventory from Adyen’s perspective:

    • From the moment you order a payment terminal, the CA offers real-time tracking of the payment terminal.

    • When the payment terminal is located at your store, the CA shows whether the payment terminal is connected to the Adyen platform.

    • When you return a payment terminal to Adyen, the CA shows the payment terminal is being returned and is excluded from the merchant inventory.

    You must check your payment terminal inventory every year, to ensure the inventory is accurate.  An example process to do the yearly check of the payment terminal inventory is provided below. 

    Note: You are allowed to implement your own process as long as you check the payment terminals in the CA and in your stores, verify whether the CA inventory and the store inventory match, and capture the results in the central payment terminal inventory table.

    1. Make sure each store submits a list of payment terminals available at the store. The list needs to include the device names and serial numbers.

    2. Download a list of the available payment terminals from the CA.

    3. Check the list of payment terminals available in the stores against the list of payment terminals downloaded from the CA.

       • For a positive match, add the payment terminal to the central payment terminal inventory table (see the example below).

       • For a negative match (the payment terminal is only on the list provided by a store or only on the list downloaded from the CA), investigate the issue, update according to the results of the investigation, and add the terminal to the central payment terminal inventory table. 

    4. For future auditing purposes, save the central payment terminal inventory table resulting from the yearly inventory check. Adyen can request it at any time.

    The central payment terminal inventory table should contain the following columns (see the central payment terminal inventory table below for an example of how to fill out this table):

    • Device vendor: Verifone.

    • Device model name(s) and number: One of the device model names mentioned in section 2.1.

    • Device location: The location of the payment terminal.

    • Device status: One of the following states:

      • “Deployed”:  The payment terminal is in active use in a store, used at least on a weekly basis over the past three months.

      • “In Stock”: The payment terminal is stored for further distribution, either at a store or at a central storage facility.

      • “Warehouse”: The payment terminal is distributed to the Adyen warehouse, for inspection or further distribution.

    • Serial Number: The serial number of the payment terminal.

    Central payment terminal inventory table (Example):

• 3. POI Device Installation Instructions

  Do not connect non-approved cardholder data capture devices. The P2PE solution is approved to include specific PCI-approved POI devices. Only these devices denoted above in table 2.1 are allowed for cardholder data capture.

  If a merchant’s PCI-approved POI device is connected to a data capture mechanism that is not PCI approved, (for example, if a PCI-approved SCR was connected to a keypad that was not PCI-approved):

  • The use of such mechanisms to collect PCI payment-card data could mean that more PCI DSS requirements are now applicable for the merchant.

  • Only P2PE approved capture mechanisms as designated on PCI’s list of Validated P2PE Solutions and in the PIM can be used.

  Do not change or attempt to change device configurations or settings. Changing or attempting to change device configurations or settings will invalidate the PCI-approved P2PE solution in its entirety. Examples include, but are not limited to: 

  • Attempting to enable any device interfaces or data-capture mechanisms that were disabled on the P2PE solution POI device

  • Attempting to alter security configurations or authentication controls

  • Physically opening the device

  • Attempting to install applications onto the device

  • 3.1 Installation and connection instructions

    Correct installation is critical for a successful and secure deployment. Our documentation, available at https://docs.adyen.com/point-of-sale/user-manuals, has a step-by-step explanation of the setup of each payment terminal type and the registration on the Adyen platform. The documentation also contains illustrations and specifications.

    If you experience any issues while getting started or have any questions regarding the installation, contact Adyen via the contact details in section 1.2. 

    Physically secure POI devices in your possession, including devices:

    • Awaiting deployment

    • Undergoing repair or otherwise not in use

    • Waiting transport between sites/locations

  • 3.2 Guidance for selecting appropriate locations for deployed devices

    When selecting the appropriate locations to install the payment terminals, use the following guidelines:

    Public access Ensure that public access to the parts of the payment terminal parts required for payment processing, such as the PIN pad and card reader, is limited. You can achieve this by positioning of the terminal towards the shopper and preventing people in the queue from observing activities on the payment terminal.

    Monitoring Ensure that payment terminals are observed and/or monitored by authorized personnel. You can achieve this via remote controls, via CCTV or security cameras, or on premise via daily checks by authorized staff. 

    Environment Ensure that the environment and position of the payment terminal deter any attempt to tamper with or compromise the payment terminal. You can achieve this for example through the use of appropriate lighting, and visible security measures. 

    Also ensure that the shopper’s use of the PIN pad is not directly observable from any CCTV or security cameras. You can achieve this through the angle of placement of the payment terminal or through the use of PIN-entry privacy shields provided by the payment terminal vendor. 

    CCTV or security cameras can provide additional insights into attempts to tamper with or compromise a payment terminal, especially if history of the video feed is retained for at least two payment terminal inspection periods.

    Unattended or remote devices To minimize the likelihood of unnoticed tampering, ensure that payment terminals which are positioned in a remote or unattended location have additional safeguards. You can achieve this by adding physical mechanisms, such as toughened and tamper-evident housings or brackets. Also consider using monitoring and alarm facilities to detect attempts to tamper with the payment terminal.

  • 3.3 Guidance for physically securing deployed devices to prevent unauthorized removal or substitution

    Payment terminals used in stores need to be physically secured, to prevent unauthorized removal or substitution. You can achieve this with the use of a locking pole mount or tether.

    If payment terminals cannot be physically secured, make sure there is an alternative way to prevent unauthorized removal or substitution. This can be part of the regular site inspection. During the site inspection, authorized staff must validate whether the serial number of the payment terminal is the same as originally received and whether the payment terminal has not been removed. 

    Adyen recommends that you do a site inspection every three months. In these regular site inspections, an authorized staff member must verify that there are not any alterations to the payment terminal. See section 5.1 for more detailed instructions. For future auditing purposes, you need to retain a record of the site inspection. Adyen can request this record at any time.

    Sometimes payment terminals are not actively used, for example when they are being repaired, maintained, or updated. To prevent unauthorized physical access, you need to securely store those payment terminals in a locked room, a locked cupboard, or a safe. Ensure that only authorized staff members are able to access the securely stored payment terminals. Also ensure that payment terminals that are not in active use, are inspected at least every three months. The inspection should include verifying whether the stored payment terminal is still present.  For future auditing purposes, you need to retain a record of the inspection of payment terminals that are not in active use. Adyen can request this record at any time.

• 4. POI Device Transit

  • 4.1 Instructions for securing POI devices intended for, and during, transit

    When you ship payment terminals (for example, from one store to another, to your storage facility, or to Adyen):

    1. Make sure you comply with the following minimal precautions:

       • Store the payment terminal in a tamper-evident sealed box or packaging, and ship it using a shipment company that provides real-time and accurate tracking information.

       • Send the serial number of the payment terminal and the shipment tracking ID to the recipient via a channel that is independent of the terminal shipment (for example, email).

       • Ensure that the recipient validates whether the tamper-evident security label is still intact and whether the shipment tracking ID matches the information received. If the receiving sites opens the tamper-evident sealed box or packaging, they must check the serial number of the payment terminal as well. Storage facilities do not need to check the payment terminal serial number. 

    2. For future auditing purposes, retain a record of the payment terminals you received and returned. Adyen can request this record at any time. The record should at least include the payment terminal serial number, the shipment tracking ID, and the outcome of the verification whether the received payment terminal matched the received information. 

    3. Report exceptions immediately to Adyen via the contact information in section 1.2. 

    4. If the payment terminal must be returned to Adyen, clearly label the payment terminals as compromised, to avoid any misunderstanding which could result in the payment terminal being deployed.

  • 4.2 Instructions for ensuring POI devices originate from, and are only shipped to, trusted sites/locations

    Receiving a payment terminal from Adyen is managed via the Adyen Customer Area (CA). Proceed as follows:

    1. Place an order in the CA.

    2. Follow the order updates in the CA. The order is continuously updated during the process of preparing the payment terminal. For example, the serial numbers are added when the payment terminals have been personalized in the warehouse. Also tracking information and the tamper-evident security label ID are added when the payment terminal is shipped to a store.

    3. Ensure that the recipient validates whether the tamper-evident security label is still intact and whether the shipment tracking ID and security label ID match the information received. 

    4. If the recipient opens the tamper-evident sealed box, ensure they check the serial number of the payment terminal. Storage facilities do not need to check the payment terminal serial number. 

    5. For future auditing purposes, retain a record of receiving the payment terminal. Adyen can request this record at any time. The record should at least include the tamper-evident security label ID, the payment terminal serial number, the shipment tracking ID, and the outcome of the verification whether the received payment terminal matched the received information. See the received payment terminal inventory table below as an example. 

    6. Report exceptions immediately to Adyen via the contact information in section 1.2. 

    7. If the payment terminal must be returned to Adyen because of suspected tampering, clearly label the payment terminal as compromised, to avoid any misunderstanding which could result in the payment terminal being deployed. See below for further instructions

    When returning a payment terminal to Adyen, proceed as follows:

    1. Pack the payment terminal in a tamper-evident sealed box provided by Adyen.

    2. Cover the original shipping label with the return label provided by Adyen.

    3. Ship the package using a shipment company providing tracking information.

    4. For future auditing purposes, retain a record of the payment terminals that were returned to Adyen. Adyen can request this record at any time. The record should at least include the payment terminal serial number and the shipment tracking ID.

    5. Report exceptions immediately to Adyen via the contact information in section 1.2.

    Received payment terminal inventory table (Example):

• 5. POI Device Tamper Monitoring and Skimming Prevention

  • 5.1. Instructions for physically inspecting POI devices and preventing skimming, including instructions and contact details for reporting any suspicious activity

    Additional guidance for skimming prevention on POI terminals can be found in the document entitled Skimming Prevention: Best Practices for Merchants, available at www.pcisecuritystandards.org.

    You need to regularly inspect the payment terminals that are in use at your store. Adyen recommends that you repeat the inspection every three months.

    1. Carry out the following checks:

       • Visual inspection: Verify that the payment terminal is visually similar to the pictures shown in the Security Policy of the manufacturer (see the table below).

       • Physical inspection: Inspect the payment terminal to identify potential physical tampering. For example, check the payment terminal for missing seals or screws, additional wires, holes in the device, addition of labels, etc. For detailed instructions, refer to the Security Policy of the manufacturer (see the details below).

         • Verifone V400c Plus: https://listings.pcisecuritystandards.org/ptsdocs/4-30306Verifone_V400c_PCI_PTS_POI_Security_Policy_Rev_2.0-1576789685.19634.pdf

         • Verifone M400: https://listings.pcisecuritystandards.org/ptsdocs/4-10231Verifone_M400_PCI_PTS_POI_Security_Policy_Rev_2.0-1576866564.20649.pdf

         • Verifone V400m: https://listings.pcisecuritystandards.org/ptsdocs/4-30260Verifone_V400m_PCI_PTS_POI_Security_Policy_Rev_2.1-1576790305.41088.pdf

         • Verifone P400 Plus: https://listings.pcisecuritystandards.org/ptsdocs/4-10191Verifone_P400_PCI_PTS_POI_Security_Policy_Rev_2.1-1524251520.03427-1543588730.72836.pdf

         • Verifone e285, e285 Plus: https://listings.pcisecuritystandards.org/ptsdocs/4-30276Verifone_e285_PCI_PTS_POI_Security_Policy_Rev_2.3-1576788534.34352.pdf

         • Verifone e280: https://listings.pcisecuritystandards.org/ptsdocs/4-30336Verifone_e280_generic_PCI_PTS_POI_Security_Policy_Rev_2_1-1592586424.3758.pdf

         • Verifone V210m: https://listings.pcisecuritystandards.org/ptsdocs/4-60230%20Verifone_V210_Series_PCI_PTS_POI_Security_Policy_Rev_2.13-1667485870.46831.pdf

         • Verifone V240m: https://listings.pcisecuritystandards.org/ptsdocs/4-80023Verifone_V240m_PCI_PTS_POI_v5.1_Security_Policy_Rev_2.7-1607110296.47955.pdf

         • Verifone UX300: https://listings.pcisecuritystandards.org/ptsdocs/4-20353DOC159_076_EN_A_UX_Series_UX_300_UX_301_UX_410_Security_Policy-1593026440.33768.pdf

         • Verifone UX410: https://listings.pcisecuritystandards.org/ptsdocs/4-20353DOC159_076_EN_A_UX_Series_UX_300_UX_301_UX_410_Security_Policy-1593026440.33768.pdf

    2. For future auditing purposes, retain a record of the payment terminal inspection. Adyen can request this record at any time. The record should at least include the result of the visual inspection and the physical inspection for each individual payment terminal. 

    3. Report exceptions immediately to Adyen via the contact information in section 1.2.

    4. If the payment terminal must be returned to Adyen, clearly label the payment terminals as compromised, to avoid any misunderstanding which could result in the payment terminal being deployed. Follow the instructions in section 4.

    If the payment terminal is deployed at a location where there is no authorized staff present, you should still do a visual and physical inspection. You can achieve this for example via remote monitoring and an alarm system. Ensure that an authorized staff member regularly reviews the results, and retain a record of the payment terminal inspection for auditing purposes. Adyen can request this record at any time. The record should at least include the result of the visual inspection and the physical inspection for each individual payment terminal.

  • 5.2 Instructions for responding to evidence of POI device tampering

    If evidence is found that indicates the payment terminal was tampered with:

    1. Do not use the payment terminal for payment processing anymore.

    2. Remove the payment terminal from the shopper facing part of the store, to avoid any payment processing. 

    3. Report any tampering with payment terminals immediately to Adyen via the contact information in section 1.2. 

    4. Clearly label the payment terminal as compromised, to avoid any misunderstanding which could result in the payment terminal being used in the store.

    5. Return the payment terminal to Adyen as instructed in section 4.2.

    6. Keep a record of returning the payment terminal as described in section 4.2. 

  • 5.3 Instructions for confirming device and packaging were not tampered with, and for establishing secure, confirmed communications with the solution provider

    You will receive the payment terminal via one of Adyen’s distribution partners. Adyen is responsible for ensuring that payment terminals are distributed to you in accordance with the process described in section 4.2. Also, a detailed description of how to inspect the payment terminals is available on https://docs.adyen.com/point-of-sale/user-manuals.

  • 5.4 Instructions to confirm the business need for, and identities of, any third-party personnel claiming to be support or repair personnel, prior to granting those personnel access to POI devices

    Payment terminal issues are mostly handled centrally without the need for on-site support. In rare cases there can be a valid reason for a technical support engineer to provide on-site support. We will discuss with you whether this is the case. Adyen, or a recognized field service partner of Adyen, will confirm the name and expected arrival date of the technical support engineer beforehand. When the technical support engineer has arrived, take the following precautions:

    • Validate the identity of the technical support engineer before granting access to the payment terminal.

    • Unexpected and unidentified personnel must be denied access to the payment terminal.

    • Escort and monitor the technical support engineer when access to the payment terminals is granted.

    • Record any access to the payment terminal, making sure the record includes the name of the support engineer, reason for access, and date/time of arrival and departure.

• 6. Device Encryption Issues

  • 6.1 Instructions for responding to POI device encryption failures

    The Adyen payment terminal encrypts sensitive account data. If an encryption error occurs, the transaction is declined and an error is submitted to the Adyen backend. Adyen continuously monitors encryption or decryption issues. In case of an encryption or decryption error, Adyen identifies the root cause and resolves the issue using the normal development process. One of the conclusions of the root cause analysis may be to replace the payment terminal. In this case, Adyen will inform you. Because the Adyen payment terminals are always connected to the Adyen gateway and acquiring services, there are no dependencies on third parties in any setup.

  • 6.2 Instructions for formally requesting of the P2PE solution provider that P2PE encryption of account data be stopped

    It is not possible to stop P2PE encryption of account data on an Adyen P2PE terminal.

• 7. POI Device Troubleshooting

  • 7.1 Instructions for troubleshooting a POI device

    If a payment terminal becomes faulty during operation, you can find a resolution for the most common errors on the Adyen website. See: https://docs.adyen.com/point-of-sale.

    The Adyen website contains a step-by-step description on how to install, update, and configure payment terminals. Moreover, the Adyen website explains how to troubleshoot the most common issues. If you cannot resolve the issue using the Adyen website, you can contact Adyen via the contact details provided in section 1.2.

• 8. Additional Solution Provider Information

  Communication, orders for payment terminals, and any other related correspondence should not be sent/received to/from any other than the list of trusted sites and addresses below:

  • Adyen website: https://www.adyen.com

  • Adyen customer area (incl. TFM): https://ca-live.adyen.com

  • Adyen document index: https://docs.adyen.com/point-of-sale

  • In case of questions, concerns or urgencies:

    • Telephone: https://www.adyen.com/contact 

    • E-mail: possupport@adyen.com

  • Newsletters (do-no-reply) should be received from: news@adyen.com

  Headquarters address: Attn. Pos Support Adyen N.V. Headquarters Amsterdam Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, The Netherlands