by Jason McWhirr, Acquirer Support Consultant
Back in June, the PCI Security Standards Council (PCI SSC) released version 2.0 of the Point-to-Point Encryption (P2PE) standard.
What is P2PE?
A P2PE system in a retail environment is designed to encrypt cardholder data at the merchant’s POI (Point of Interaction) device or POS (Point of Sale) system and carry it, still encrypted, to the payment processor, where it is decrypted. Because plaintext cardholder data never exists within the merchant environment, this reduces the merchant’s risk of cardholder data loss and may simplify PCI DSS compliance.
A correctly implemented PCI-validated P2PE solution not only reduces a merchant’s risk of cardholder data loss, it also significantly narrows their PCI DSS scope. Using a PCI-validated solution means the merchant has fewer applicable PCI DSS requirements, simplified compliance, and a potential reduction in the cost of maintaining compliance.
However, despite the advantages of the PCI P2PE standard, it hasn’t been the preferred solution for many merchants due to the additional premiums charged for a validated product. Solution providers have also found validation difficult to attain due to the complexity of the assessment criteria.
Updated PCI P2PE – Version 2.0
The revised standard aims to increase the number of validated PCI P2PE solutions available to merchants by making it easier for solution providers to achieve validation. PCI P2PE v2.0 allows solution components to be individually PCI-validated and listed on the PCI SSC website, which was not previously an option.
P2PE solution providers will be able to integrate these PCI P2PE-compliant components into their systems. Once integrated, the complete P2PE solution must still be assessed by a PCI-approved P2PE QSA before it can be listed.
Because each component has already been validated independently, the final assessment focuses on confirming that the assembled solution has not altered any of the validated components; this should simplify both P2PE solution development and the validation process.
P2PE v2 for Large Merchants
Large merchants will now be able to implement and manage their own P2PE solution, called a merchant-managed solution (MMS), to reduce the PCI DSS scope of their card-present retail environment.
A new domain has been added for this purpose – Domain 4, which contains the additional requirements necessary to control cardholder data and to enforce separation between the merchant’s encryption, secure decryption and key management environments. Careful planning should be carried out to compare the cost of implementing and maintaining an MMS against using a third-party PCI P2PE solution.
P2PE v2 for SMB Merchants
It will take some time for new PCI-validated P2PE solutions to appear, but these changes mean we are likely to see many more validated P2PE solutions entering the market over the next few months. More solutions should mean greater choice and will help make PCI P2PE solutions more cost effective for SMB merchants.
P2PE v2 for Acquirers
Acquirers should encourage their merchants to understand the security and compliance benefits of implementing P2PE in their retail environment; with an increasing number of solutions entering the market, the cost barrier will begin to fall. A validated P2PE solution also gives the acquirer extra assurance, because fewer security controls are implemented and managed by the merchant themselves.
Sysnet’s Risk & Assurance team of specialist cybersecurity consultants understands the importance of data protection, and our staff are highly skilled in a wide range of security disciplines, including PCI DSS and ISO 27001.
We can also assist in designing, implementing and documenting appropriate security controls, procedures and policies, all within a holistic cybersecurity framework that takes into account all applicable standards and regulations. To learn more about our solutions or for more information about our services, please visit Risk & Assurance or email firstname.lastname@example.org.
If you are a merchant that requires technical or PCI DSS help, please click here.