In Council-listed P2PE, which statement about merchant involvement is correct?

• A. The merchant is involved in encryption operations
• B. The merchant is involved in key management but not encryption
• C. The merchant has no involvement in encryption, decryption operations, or key management
• D. The merchant is responsible for the decryption environment

Answer: (C)

In Council-listed P2PE, the cryptographic work is handled entirely within the validated P2PE solution, not by the merchant. The device at the point of interaction performs encryption, keys are managed by the P2PE provider, and decryption happens only within the secure, PCI-listed environment of the solution. Because of this separation, the merchant does not participate in encryption or decryption operations, nor in key management, and is not responsible for the decryption environment. The other options would imply the merchant handles encryption, keys, or decryption, which does not align with how a validated P2PE solution is designed to minimize the merchant’s cryptographic responsibilities.