by Leon van Aswegen, Senior Consulting Manager
In the last two years, the PCI P2PE Standard has gained in popularity amongst Acquirers, Solution Providers, Merchants and their assessing QSAs.
This is because PCI P2PE Solutions provide independently assured protection for account data from the point of capture, reducing where and how PCI DSS requirements apply to the merchant using them; thereby reducing the time, effort and costs of PCI DSS compliance.
Challenges for merchants
Although popular, merchants still face challenges adopting listed PCI P2PE Solutions for various reasons. One reason is that merchants may be constrained because of investments in technology that remains supported for a number of years, but those technologies are not included in existing validated P2PE Solutions (for example, the merchant’s PCI PTS devices in use are not part of a PCI listed P2PE solution).
As a result, some merchants are unable to take advantage of the risk and assessment scope reduction benefits of a PCI P2PE solution.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment (the PCI DSS assessment scope). A cardholder data environment is comprised of the people, processes and technologies involved in storing, processing, and/or transmitting cardholder data or sensitive authentication (collectively: account data).
Sysnet’s QSAs always advise our clients to “reduce scope” where possible in order to minimise the cost and effort of achieving, and subsequently maintaining, PCI DSS compliance.
Many merchants hope to rely on their existing non-listed encryption solutions to remove account data from their cardholder data environments, with the objective of simplifying their PCI DSS programs and assessments.
However, use of existing non-listed encryption solutions introduce additional challenges:
- The existing non-listed encryption solution, as the name suggests, hasn’t been assessed against the PCI P2PE standard;
- The PCI DSS scope reduction claims for non-listed encryption solutions haven’t been formally confirmed;
- QSAs find it hard to define the scope when performing PCI DSS assessments (as a result of the point above), therefore assessments are done inconsistently;
- Unknown risks to account data may remain.
Note: Existing non-listed encryption solutions – are deployed account data encryption solutions that have not been validated against the PCI P2PE Standard.
The PCI Council acknowledges these challenges and reacted as follows: “… many solutions currently being used by merchants are not PCI–listed. The Council recognizes this creates a challenge for Qualified Security Assessors (QSA) in how to complete PCI DSS assessments for these merchants and that guidance is needed”
Guidance from the PCI council
To address this challenge, the PCI Council has published Assessment Guidance for Non-listed Encryption Solutions. The guidance is intended to help the parties involved in a merchant’s PCI DSS compliance assessment understand how that solution impacts the merchant’s PCI DSS compliance scope and responsibilities.
The guidance is to be used by P2PE QSAs, in conjunction with solution providers, to evaluate existing deployed non-listed encryption solutions. The evaluations identify the gaps between the non-listed encryption solution and the PCI P2PE Standard.
The P2PE QSA’s assessment documents recommended applicable PCI DSS controls for merchants that have deployed that encryption solution. As a formalised evaluation, the solution assessment shows acquirers, QSAs and merchants how use of a particular non-listed encryption solution can impact a merchant’s PCI DSS assessment.
Only PCI P2PE Solutions are tested and validated to provide the strongest protection for account data, reducing where and how PCI DSS requirements apply. By developing this guidance, the PCI Council is supporting merchants that have already invested in, and have a continuing need to rely on, non-listed encryption solutions.
There are now three possible encryption solution approaches available to assist merchants with PCI DSS assessment scope reduction and compliance. In order of PCI Council preference, they are:
1. Migrate to a validated PCIP2PESolution (i.e. an existing PCI listed P2PE solution)
2. Validate their non-listed encryption solution against the PCIP2PE v2 standard as a merchant-managed solution (MMS);
3. If neither of the above is possible, pursue their solution provider for an assessment of the existing deployed non-listed encryption solution against the PCI P2PE v2 standard.
The provider’s assessing P2PE QSA writes a P2PE Report on Validation (P-ROV) and creates a Non Listed Encryption Solution Assessment (NESA) document that outlines the risks associated with the non-listed encryption The NESA document can be used by the merchant, their QSA and their acquirer to determine the merchant’s PCI DSS compliance responsibilities.
A QSA can review the solution provider’s NESA document and use it to confirm:
- The components implemented in their merchant’s environment are those listed in the NESA document;
- That PTS POI v2+ device(s) are in use;
- That the merchant does not have access to the encryption/decryption keys;
- That the merchant never has access to clear text account data in their environment (outside of the POI device);
- That the solution provides end-to-end encryption;
- Identify risks with the non-listed encryption
The NESA document provides recommendations as to how the non-listed encryption solution affects a merchant’s PCI assessment. The merchant’s QSA uses the NESA document to help determine and validate the scope the merchant’s environment.
It is also used by the QSA to help determine the PCI DSS requirements applicable to the merchant’s environment. The NESA document provides for a consistent approach amongst QSAs to assess the impact of a merchant’s use of a non-listed encryption solution as part of their PCI DSS assessments.
The NESA document is currently not available, however it’s expected that the PCI SCC will publish it in the near future.
We recommend that acquirers assist their merchants by recommending a company that has specially-trained P2PE QSAs to engaged with the merchant’s encryption solution provider to carry out a non-listed encryption solution assessment. Sysnet is qualified to provide such an assessment, for further information request a call back or email firstname.lastname@example.org
If you are a merchant that requires technical or PCI DSS help, please click here
To understand how full P2PE v2 validation may not be as difficult as encryption solution provider’s think, see our previous article: