P2PE Implementation Manual PayPal Here M10

P2PE Instruction Manual for PCI P2PE v2.0 2020 © 2020 PayPal PIM Page 2

    1. P2PE Solution Information and Solution Provider Contact Details

    1.1 P2PE Solution Information

    Solution name: PayPal Here

    Solution reference number per PCI SSC website:

    2016-1092.001

    1.2 Solution Provider Contact Information

    Company name: PayPal Inc.

    Company address: 2211 North First Street, San Jose, CA 95131

    Company URL: https://www.paypal.com/us/webapps/mpp/credit-card-reader

    Contact name: PayPal Here Customer Service

    Contact phone number: (877) 569-1136

    Contact e-mail address: [email protected]

    P2PE and PCI DSS

    Merchants using this P2PE Solution may be required to validate PCI DSS compliance and should be aware of their applicable PCI DSS requirements. Merchants should contact their acquirer or payment brands to determine their PCI DSS validation requirements.

    2. Approved POI Devices, Applications/Software, and the Merchant Inventory

    2.1 POI Device Details

    The following information lists the details of the PCI-approved POI devices approved for use in this P2PE solution. Note that all POI device information can be verified by visiting: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

    POI device vendor: Miura Systems Limited

    POI device model name and number: M010

    Hardware version #(s): M010-PRODxx-V2-x

    Firmware version #(s): M000-OS-V7-x

    PCI PTS Approval #(s): 4-30084

    2.2 POI Software/application Details

    The following information lists the details of all software/applications (both P2PE applications and P2PE non-payment software) on POI devices used in this P2PE solution.


    Note that all applications with access to clear-text account data must be reviewed according to Domain 2 and are included in the P2PE solution listing. These applications may also be optionally included in the PCI P2PE list of Validated P2PE Applications list at vendor or solution provider discretion.

    Application vendor, name and version #: Miura Payments Interface M000-MPI-V5-X

    POI device vendor: Miura Systems Limited

    POI device model name(s) and number: M010

    POI device hardware & firmware version #: Hardware M010-PRODxx-v2-x; Firmware M000-OS-V7-x

    Is application PCI listed? (Y/N): Yes

    Does application have access to clear-text account data? (Y/N): Yes

    2.3 POI Inventory & Monitoring

    § All POI devices must be documented via inventory control and monitoring procedures, including device status (deployed, awaiting deployment, undergoing repair or otherwise not in use, or in transit).

    § This inventory must be performed annually, at a minimum.

    § Any variances in inventory, including missing or substituted POI devices, must be reported to PayPal via the contact information in Section 1.2 above.

    § The sample inventory table below is for illustrative purposes only. The actual inventory should be captured and maintained by the merchant in an external document. Maintain an up-to-date list of devices, which includes the following:

    • Make and model of device
    • Location of the device (for example, the address of the site or facility where the device is located)
    • Device serial number or other method of unique identification

    Note: The sample inventory table provided (as an illustrative example) below could be used to keep track of the locations of the devices, and quickly identify if a device is missing or lost. The method of maintaining a list of devices could be automated or manual. For devices in transit, the location may include the name of personnel to whom the device is assigned in transit.

    If you have any questions related to the devices, please call PayPal Here Customer Service at 1 (877) 569-1136; they will follow up with any device-specific answers.

    Sample Inventory Table

    Device vendor          | Device model name(s) and number | Device Location | Device Status       | Serial Number or other Unique Identifier
    Miura Systems Limited  | M010                            | Location A      | Deployed            | 010-XXXXX1
    Miura Systems Limited  | M010                            | Location B      | Awaiting Deployment | 010-XXXXX2
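    The PIM leaves the inventory method to the merchant (automated or manual) and requires that missing or substituted devices be reported. The following script is an added example, not part of PayPal's manual, showing how an annual physical count can be reconciled against the maintained inventory so that the variances section 2.3 cares about (missing, relocated, substituted, and unknown or unapproved devices) are found mechanically. The inventory records and the "observed" count are constructed sample data with placeholder serials in the style of the table above; the record types, the `reconcile` and `needs_report` function names, and the status vocabulary are this example's own assumptions.

```python
"""Reconcile a POI device inventory against a physical count (added example, not PayPal code)."""
from dataclasses import dataclass

# Only the POI device listed in section 2.1 of the PIM is approved for this solution.
APPROVED_DEVICES = {("Miura Systems Limited", "M010")}


@dataclass(frozen=True)
class InventoryRecord:
    vendor: str
    model: str
    location: str
    status: str  # deployed | awaiting deployment | undergoing repair | not in use | in transit
    serial: str


@dataclass(frozen=True)
class Observation:
    """One device as physically seen and read off during the count."""
    vendor: str
    model: str
    location: str
    serial: str


# Constructed sample inventory; serials are placeholders, not real device identifiers.
INVENTORY = [
    InventoryRecord("Miura Systems Limited", "M010", "Location A", "deployed", "010-XXXXX1"),
    InventoryRecord("Miura Systems Limited", "M010", "Location B", "awaiting deployment", "010-XXXXX2"),
    InventoryRecord("Miura Systems Limited", "M010", "Location C", "deployed", "010-XXXXX3"),
    InventoryRecord("Miura Systems Limited", "M010", "In transit (assigned: J. Smith)", "in transit", "010-XXXXX4"),
]

# Constructed physical count with deliberate variances.
OBSERVED = [
    Observation("Miura Systems Limited", "M010", "Location A", "010-XXXXX1"),
    Observation("Miura Systems Limited", "M010", "Location A", "010-XXXXX2"),  # moved from B, inventory not updated
    Observation("Miura Systems Limited", "M010", "Location C", "010-XXXXX9"),  # wrong serial where XXXXX3 should be
    Observation("Acme", "Keypad-1", "Location A", "ACME-0001"),                # not an approved capture device
]


def reconcile(inventory, observed):
    """Return a dict of findings keyed by variance type."""
    by_serial = {r.serial: r for r in inventory}
    seen = {o.serial: o for o in observed}
    findings = {"missing": [], "in_transit": [], "relocated": [],
                "substituted": [], "unknown": [], "unapproved": []}

    # Inventory side: every recorded device must be produced, at its recorded location.
    for rec in inventory:
        if rec.serial not in seen:
            # A device in transit is expected to be absent; confirm it with the assigned person instead.
            findings["in_transit" if rec.status == "in transit" else "missing"].append(rec.serial)
        elif seen[rec.serial].location != rec.location:
            findings["relocated"].append((rec.serial, rec.location, seen[rec.serial].location))

    # Count side: every device seen must be approved and known to the inventory.
    for obs in observed:
        if (obs.vendor, obs.model) not in APPROVED_DEVICES:
            findings["unapproved"].append(obs.serial)
        if obs.serial not in by_serial:
            findings["unknown"].append((obs.serial, obs.location))

    # An unknown approved-model serial sitting where an expected serial is missing
    # is the signature of a swapped (substituted) reader; pair them up explicitly.
    missing_by_loc = {}
    for serial in findings["missing"]:
        missing_by_loc.setdefault(by_serial[serial].location, []).append(serial)
    for serial, loc in findings["unknown"]:
        obs = seen[serial]
        if (obs.vendor, obs.model) in APPROVED_DEVICES and missing_by_loc.get(loc):
            findings["substituted"].append((missing_by_loc[loc].pop(0), serial, loc))
    return findings


def needs_report(findings):
    """Section 2.3: any variance must be reported to PayPal via the section 1.2 contact."""
    return any(findings[k] for k in ("missing", "relocated", "substituted", "unknown", "unapproved"))


if __name__ == "__main__":
    result = reconcile(INVENTORY, OBSERVED)
    for kind, items in result.items():
        print(f"{kind:12s} {items}")
    print("report to PayPal:", needs_report(result))
```

    A device recorded as "in transit" is reported separately rather than as missing, because it is legitimately absent from every site; the follow-up is to confirm custody with the person named in its location field. Run the script on the real inventory export and count sheet, and treat any non-empty list other than `in_transit` as a variance to report.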

    3. POI Device Installation Instructions

    Do not connect non-approved cardholder data capture devices.

    The P2PE solution is approved to include specific PCI-approved POI devices. Only the devices listed in section 2.1 above are allowed for cardholder data capture. If a merchant's PCI-approved POI device is connected to a data capture mechanism that is not PCI approved (for example, if a PCI-approved SCR were connected to a keypad that was not PCI approved):

    § The use of such mechanisms to collect PCI payment-card data could mean that more PCI DSS requirements are now applicable for the merchant.

    § Only P2PE-approved capture mechanisms, as designated on PCI's list of Validated P2PE Solutions and in the PIM, can be used.

    Do not change or attempt to change device configurations or settings.

    Changing or attempting to change device configurations or settings will invalidate the PCI-approved P2PE solution in its entirety. Examples include, but are not limited to:

    § Attempting to enable any device interfaces or data-capture mechanisms that were disabled on the P2PE solution POI device

    § Attempting to alter security configurations or authentication controls

    § Physically opening the device

    § Attempting to install applications onto the device

    3.1 Installation and connection instructions

    1. Turn on the card reader: The power button is found at the top of the reader. You can recharge the reader by using the USB cable.

    2. Pair the reader: Turn on Bluetooth in your phone or tablet’s settings. Select the PayPal reader from the list. Don’t see the reader? Hold down the reader’s Bluetooth button until the on-screen Bluetooth icon starts to blink.

    3. Open the PayPal Here app: Your card reader will now auto-connect to the app. Follow any on-screen prompts to update your software.

    Note: Only PCI-approved POI devices listed in the PIM are allowed for use in the P2PE solution for account data capture.

    Physically secure POI devices in your possession, including devices:

    § Awaiting deployment
    § Undergoing repair or otherwise not in use
    § Waiting transport between sites/locations


    3.2 Guidance for selecting appropriate locations for deployed devices

    The card reader is appropriate to use in all locations as long as it is in the possession of the assigned operating personnel.

    3.3 Guidance for physically securing deployed devices to prevent unauthorized removal or substitution

    The card reader needs to be appropriately stored and secured in a location with access restricted to authorized personnel only. When not in use, ensure the reader is locked away and the key/combination is accessible only to authorized personnel. Always maintain a log of who has physical access to the devices at any given time. When devices are assigned to cashiers, the cashiers should sign the devices in and out.

    4. POI Device Transit

    4.1 Instructions for securing POI devices intended for, and during, transit

    In the event of a need to ship the device, the card reader must be sent only through a secure courier service with safe packaging. The merchant will receive an email when the device is shipped, and the email will contain the tracking number of the shipment.

    While the card reader is securely shipped, there are also clear sticker seals on the top and bottom half of the box containing the card reader. This is also indicated in the picture below:

    4.2 Instructions for ensuring POI devices originate from, and are only shipped to, trusted sites/locations

    The card readers are only shipped by the following authorized distributors:

    IML UK
    Nasmyth Road, Drayton Fields Industrial Estate, Daventry, NN11 8NF

    IML AU
    22-24 Wonderland Drive, Eastern Creek, NSW 2766

    IML US
    4560 Hamner Ave., Mira Loma, CA 91752

    Exigo Service Solutions
    Unit 3, Befferland Farm Workshops, Berne Lane, Charmouth, Dorset DT6 6RD

    If a device is shipped from any other address, do not accept the device and report the incident to PayPal Here Customer Service at 1 (877) 569-1136.

    If you have a faulty or tampered reader, call PayPal Here Customer Service at 1 (877) 569-1136. They will send a return kit to you; ship the device in the return kit to the address printed on the kit (it will be one of the addresses listed above).

    5. POI Device Tamper Monitoring and Skimming Prevention

    5.1 Instructions for physically inspecting POI devices and preventing skimming, including instructions and contact details for reporting any suspicious activity

    Additional guidance for skimming prevention on POI terminals can be found in the document entitled Skimming Prevention: Best Practices for Merchants, available at www.pcisecuritystandards.org.

    Periodically inspect the card reader for any evidence of physical abnormality. The following are images of the card reader from all sides, which can be compared with the device in hand to detect tampering with the device or attachment of any malicious parts to it. In addition to observing the device itself, also watch for the message "Damage to Reader" on the card reader, which indicates that the device is damaged.

    Front and Back:

    Top and Bottom:


    Sides:

    If you notice anything different or any physical damage to the reader, call PayPal Here Customer Service at 1 (877) 569-1136 to report the incident and follow the steps given by the customer service agent.

    5.2 Instructions for responding to evidence of POI device tampering

    If there is any evidence of device tampering, DO NOT USE THE DEVICE. Call PayPal Here Customer Service at 1 (877) 569-1136 to request a replacement device and the procedure for sending the device back.

    5.3 Instructions for confirming device and packaging were not tampered with, and for establishing secure, confirmed communications with the solution provider

    Card reader shipments are sealed prior to shipping; refer to the pictures provided in section 5.1. The card reader also ships with a packing slip that contains the S/N. Verify that the S/N on the packing slip matches the S/N on the device. If there is any evidence of tampering with the seal or the packaging itself, or if the device S/N does not match the packing slip, return the device as described in section 5.2.

    5.4 Instructions to confirm the business need for, and identities of, any third-party personnel claiming to be support or repair personnel, prior to granting those personnel access to POI devices

    There are no third-party repair personnel for the card reader. In the event of any damage, tampering or malfunction, call PayPal Here Customer Service at 1 (877) 569-1136 to request a replacement device and the procedure for sending the tampered device back. If anyone claims to be repair personnel from Miura or PayPal, do not give them access to the readers and report the incident to PayPal Here Customer Service at 1 (877) 569-1136.

    6. Device Encryption Issues

    6.1 Instructions for responding to POI device encryption failures

    If the error message "payment failed" is displayed on the card reader, attempt to reinitialize the reader by resetting it to factory settings and connecting it back to the app. If this does not resolve the issue, do not use the device; call customer service at 1 (877) 569-1136 to attempt to resolve the issue.

    Reset Process:

    - Insert a reset pin or paperclip into the recess located on top of the card reader next to the blue power button.
    - Within the Revive Menu, select 3. Total factory reset.
    - Select the green check mark to proceed.
    - When the reset is completed, follow the steps to update the software using the PayPal Here app.

    6.2 Instructions for formally requesting of the P2PE solution provider that P2PE encryption of account data be stopped

    There is no option to turn off encryption in the card reader.

    7. POI Device Troubleshooting

    7.1 Instructions for troubleshooting a POI device

    On the card reader:

    - Wake: Press any button on the keypad or the power button.
    - Charge: Plug the USB cable into a power source to charge the battery.
    - Restart: Hold down the card reader's power button.
    - Reset: Contact Customer Service for assistance.

    On the phone or tablet:

    - Restart: Close and re-open the app on your phone or tablet.
    - Un-pair: Go to Bluetooth settings on your phone or tablet. Select the card reader you want to un-pair, then try re-pairing. You can only be paired to one reader at a time.

    If you want assistance with troubleshooting, please call customer service at 1 (877) 569-1136.

    8. Additional Solution Provider Information

    The PayPal HERE P2PE solution has been reviewed to meet the requirements of a PCI P2PE Solution. To use the solution to inform scope reduction of a merchant's PCI DSS assessment, the cardholder data processed (Manual Entry, Card Swipe, or Chip Read, etc.) must be entered using the supported POI devices and POI application software listed in sections 2.1 and 2.2 above. These are provided as part of the PayPal HERE P2PE solution. Note: The PayPal HERE solution as evaluated provides end-to-end encryption of cardholder data transmitted from the PayPal HERE POI device to the PayPal secure decryption environment.

    If the merchant chooses to implement their own applications using the PayPal HERE SDK while leveraging the PayPal HERE P2PE Solution for PCI scope reduction, the merchant must ensure that all cardholder data processed is acquired using the PayPal HERE P2PE Solution with supplied and supported POI devices and POI application software listed in sections 2.1 and 2.2 above.

    Any merchant that processes, stores, or transmits cardholder data outside of the PayPal HERE P2PE solution must review these processes separately as part of their PCI DSS assessment scope.