Knowledge Base

Why Should You Care?

Protecting your customers’ payment card data from security threats is one of the most important aspects of your business and implementing a PCI-validated P2PE solution is the best way to do that. Although non-validated E2EE solutions exist, you don’t really know to what extent the solution provider has ensured that their product will adequately protect against security breaches and other vulnerabilities within your network. Why take the chance on an incomplete solution?

What is a Validated P2PE Solution?

In 2004, the Payment Card Industry Security Standards Council (PCI SSC) released its first version of a set of security controls. Merchants who accept credit and debit cards must follow these controls to protect against security threats to their customers’ payment card information. These controls apply to all businesses that process, transmit or store cardholder data, and they address the requirements that merchants must implement to protect cardholder data and comply with the PCI Data Security Standard (PCI DSS).

In addition to technical, operational, and physical controls, the PCI DSS also requires merchants to implement data encryption procedures to protect cardholder data throughout the transaction process. To address the need for guidance about how merchants should implement encryption solutions, the PCI DSS created the first point-to-point encryption standard, known as P2PE, in 2012. In 2015, they updated the standard and created a specific set of criteria that an encryption solution provider or business must meet to be considered PCI validated.

https://www.pcisecuritystandards.org/documents/P2PE_At_a_Glance_v2.pdf

Non-Validated (Unlisted) Encryption Solutions

Encryption solutions that have not been validated by the PCI SSC, but still provide functions such as encrypting within the point of interaction (POI) terminal and decrypting outside the merchant environment, are generally called unlisted P2PE solutions or End to End Encryption (E2EE) solutions.

Additionally, unlisted solutions do not qualify for the reduced SAQ P2PE, so merchants using these solutions should use the SAQ D.

PCI-Validated (PCI-Listed) P2PE Solutions

PCI-Validated P2PE solutions have been assessed by a QSA (P2PE) as having met the PCI P2PE standard and are therefore listed on the PCI website under Approved P2PE Solutions. In addition to meeting the P2PE standard, the decryption component of the solution must operate within a secure environment that has been assessed to the full PCI DSS standard.

Other requirements include

  • Assessment of the key management practices and cipher strength
  • The use of certified key injection facilities (KIFs)
  • Use and configuration of PTS-approved POI devices with encryption performed in the SRED (secure reading and exchange of data) tamper-resistant security module (TRSM)
  • Positive device identification prior to decryption
  • Key management/decryption in hardware security modules (HSMs) that have been validated by PCI and/or FIPS 140-2 Level 3

P2PE removes customer data from the premises

Aside from merchants protecting their customer’s payment data, there are numerous other tangible benefits merchants receive from using a P2PE solution that has been through the validation process.

We offer point-to-point encryption (P2PE) through CardPointe at no additional cost to help merchants reduce the scope and cost of PCI-DSS compliance, while further protecting cardholder data from potential hackers. With P2PE, merchants don’t ever acquire, house or manage personal data, making it easy to satisfy your system auditor.

PCI-Authorized Scope Reduction

Merchants who use a validated solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized self-assessment questionnaire SAQ P2PE that is known and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions).

Another aspect of scope reduction is the impact of PCI P2PE on the definition of the CDE itself. Since merchant systems can no longer access the cardholder data once it is properly encrypted, P2PE effectively reduces the number of networks and systems considered to be within the scope of the PCI DSS assessment. This scoping guidance is endorsed by PCI and commonly followed by assessors, but only for solutions that have been through the validation process.