PCI P2PE Version 2: its impact on acquirers and their merchants

by Jason McWhirr, Acquirer Support Consultant

Back in June, the PCI Security Standards Council (PCI SSC) released version 2.0 of the Point-to-Point Encryption (P2PE) standard.

What is P2PE?

A P2PE system in a retail environment is designed to encrypt cardholder data at the merchant's POI (Point of Interaction) device or POS (Point of Sale) system and to carry it, still encrypted, through a secure tunnel to the payment processor, where it is decrypted. Because the data stays encrypted across the merchant's systems and network, this reduces the merchant's risk of cardholder data loss and may simplify PCI DSS compliance.

A correctly implemented PCI-validated P2PE solution not only reduces a merchant's risk of cardholder data loss but also significantly lowers their PCI DSS scope. Using a PCI-validated solution means the merchant has fewer applicable PCI DSS requirements, simplified compliance, and a potential reduction in the cost of maintaining compliance.
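The encrypt-at-the-POI, decrypt-at-the-processor flow described above, as an added Go example that is not part of this article and not the code of any PCI-listed solution. It assumes (for illustration only) a single AES-256-GCM key per POI device and a processor-side key store indexed by device ID; a real P2PE solution derives keys inside a PCI PTS-approved device and keeps the decryption environment under key-management controls that this sketch does not model. The property it demonstrates is the one that drives the scope reduction: the merchant's POS and network only ever handle a record that contains no key and no plaintext PAN, and the processor rejects any record that was altered on the way.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedCardData is the opaque record the POI device hands to the merchant's
// POS and network. It contains no key material and no plaintext cardholder data.
type EncryptedCardData struct {
	DeviceID   string // lets the decryption environment select the right key
	Nonce      []byte // fresh random nonce per transaction
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// newDeviceKey returns a random 256-bit key. This stands in for the key a real
// solution injects into the PCI PTS device (an assumption for this example).
func newDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// poiEncrypt models the encryption environment (the POI device). The PAN is
// encrypted at the point of capture; the device ID is bound in as additional
// authenticated data so a record cannot be re-attributed to another device.
func poiEncrypt(deviceKey []byte, deviceID, pan string) (EncryptedCardData, error) {
	aead, err := gcmFor(deviceKey)
	if err != nil {
		return EncryptedCardData{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCardData{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(deviceID))
	return EncryptedCardData{DeviceID: deviceID, Nonce: nonce, Ciphertext: ct}, nil
}

// merchantSeesPAN models the merchant's environment, which only forwards the
// record. It reports whether the PAN is visible in anything the merchant
// handles; for a working P2PE flow this must be false.
func merchantSeesPAN(rec EncryptedCardData, pan string) bool {
	return bytes.Contains(rec.Ciphertext, []byte(pan)) ||
		bytes.Contains(rec.Nonce, []byte(pan))
}

// Processor models the secure decryption environment: the only party holding
// device keys, and therefore the only one able to recover the PAN.
type Processor struct {
	Keys map[string][]byte // device ID -> device key
}

// Decrypt recovers the PAN, refusing records from unknown devices and records
// whose ciphertext, nonce or device ID was altered in transit.
func (p *Processor) Decrypt(rec EncryptedCardData) (string, error) {
	key, ok := p.Keys[rec.DeviceID]
	if !ok {
		return "", errors.New("no decryption key on file for device " + rec.DeviceID)
	}
	aead, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.DeviceID))
	if err != nil {
		return "", errors.New("authentication failed: record altered or wrong key")
	}
	return string(pt), nil
}

func main() {
	key, _ := newDeviceKey()
	const pan = "4111111111111111" // constructed test PAN, not a real card
	rec, _ := poiEncrypt(key, "POI-0001", pan)
	fmt.Printf("merchant sees PAN: %v\n", merchantSeesPAN(rec, pan))
	proc := &Processor{Keys: map[string][]byte{"POI-0001": key}}
	got, err := proc.Decrypt(rec)
	fmt.Printf("processor recovered PAN: %q (err=%v)\n", got, err)
	rec.Ciphertext[0] ^= 0x01 // simulate corruption or tampering in transit
	_, err = proc.Decrypt(rec)
	fmt.Printf("tampered record rejected: %v\n", err != nil)
}
```

Binding the device ID as GCM additional authenticated data is what makes the processor's key lookup safe: a record whose device ID was changed either matches no key or fails authentication under the key it now names.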

However, despite the advantages of the PCI P2PE standard, it hasn’t been the preferred solution for many merchants due to the additional premiums charged for a validated product. Solution providers have also found validation difficult to attain due to the complexity of the assessment criteria.

Updated PCI P2PE – Version 2.0

In response to this feedback, the PCI SSC has launched PCI P2PE version 2.0. The main changes to the standard are highlighted in the PCI P2PE Summary of Changes v1.1 to v2.0.

The revised standard aims to increase the number of validated PCI P2PE solutions available to merchants by making it easier for solution providers to achieve validation. PCI P2PE v2.0 allows solution components to be individually PCI-validated and listed on the PCI SSC website, which was not previously an option.

P2PE solution providers will be able to integrate these PCI P2PE compliant components into their systems. Once integrated, the P2PE solution must be assessed by a PCI-approved P2PE QSA, before it can be listed.

Because each component has already been validated independently, the final assessment focuses on confirming that the full solution has not changed any of the validated components, which should simplify the P2PE solution development and validation process.

P2PE v2 for Large Merchants

Large merchants will now be able to implement and manage their own P2PE solution, known as a merchant-managed solution (MMS), to reduce the PCI DSS scope of their card-present retail environment.

A new domain has been added for this purpose – Domain 4, which contains the additional requirements needed to control cardholder data and to separate the merchant's encryption, secure decryption and key-management environments. Careful planning is needed to compare the cost of implementing and maintaining an MMS with that of using a third-party PCI P2PE solution.

P2PE v2 for SMB Merchants

It will take some time for new PCI-validated P2PE solutions to appear, but these changes mean we are likely to see many more PCI-validated P2PE solutions entering the market over the next few months. More solutions should mean greater choice and will help to make PCI P2PE solutions more cost-effective for SMB merchants.

P2PE v2 for Acquirers

Acquirers should encourage their merchants to understand the security and compliance benefits of implementing P2PE in their retail environment; with an increasing number of solutions entering the market, the cost barrier will begin to fall. A validated P2PE solution also gives the acquirer extra assurance, because fewer security controls are implemented and managed by the merchant itself.

Sysnet's Risk & Assurance team of specialist cybersecurity consultants understands the importance of data protection, and our staff are highly skilled in a wide range of security disciplines including PCI DSS and ISO 27001.

We can also assist in designing, implementing and documenting appropriate security controls, procedures and policies, all within a holistic cybersecurity framework that takes into account all applicable standards and regulations. To learn more about our solutions or for more information about our services, please visit Risk & Assurance or email sales@sysnetgs.com.

Further Information

PCI P2PE v2 'At a glance' document
PCI P2PE Case Study document
Information about PCI P2PE terms, abbreviations and acronyms
