It would be an understatement to say that the coming release of PCI DSS version 4 generated the most buzz and was the topic of most conversation at this year’s PCI North America Community Meeting. However, the Council also managed to introduce the pending release of its point-to-point encryption (P2PE) standard version 3.0. The Council expects to publish it in December 2019 and boasts that “the P2PE v3.0 Standard and Program have been streamlined to facilitate a greater degree of flexibility for industry stakeholders as well as to improve the assessment process.” P2PE is one of the more misunderstood and misapplied concepts among merchants, so any new development in this compliance standard tends to get assessors’ attention.
What is the P2PE Standard?
The P2PE standard was established to better secure payment data and, as an added benefit, to offer merchants the opportunity to reduce their scope of compliance. By using a validated P2PE solution, a merchant can conceivably remove every part of their network environment except the point of interaction (POI) device(s) from scope, because account data is encrypted inside the POI device and the merchant never holds the keys needed to decrypt it. Note the key part of that sentence is the word validated. Unless a solution has gone through the rigorous third-party assessment process and been found to comply with the PCI P2PE standard, it cannot be used to reduce the scope of compliance. Merchants and, sadly, solution providers are commonly found to misinterpret this requirement, applying scope reduction to products and solutions that have not been formally validated.
POI devices can be validated as eligible for use in P2PE solutions. This means that they can perform data encryption sufficient for a P2PE solution. However, unless they are part of a complete P2PE solution, they cannot by themselves be used for scope reduction. Think of P2PE solutions as packaged products that include several components, including the POI device, encryption key management services, and payment decryption providers. In order to apply scope reduction, you must use a package that includes all validated components, and you must deploy and operate it exactly as the solution’s P2PE Instruction Manual (PIM) describes; a validated solution used outside the PIM’s instructions does not earn the merchant the scope reduction.
What is changing with P2PE 3.0?
Keep in mind that the new P2PE v3.0 standard is aimed at companies that provide a piece of the P2PE ecosystem (P2PE Solution Providers, Key Management Providers, Encryption/Decryption Management Providers) and not at merchants who consume these products and services. If you are a P2PE component provider or self-certify under a Merchant Managed P2PE environment, then this update is for you. First, as part of the revision, the Council has created additional component provider sub-categories that can be assessed independently against the P2PE standard. This allows P2PE Solution Providers and self-certifying merchants to take a modular approach, choosing the components they need to assemble a full P2PE Solution. Second, Reports on Validation, the equivalent of a merchant’s Report on Compliance or Self-Assessment Questionnaire, are to be simplified. This will reduce the overhead for component and solution providers validating their solutions.
Timeline for the change
The Council’s lists of P2PE v2.0 validated solution providers and component providers will remain valid for a period of time. In addition, there will be an 18-month transition period during which solution and component providers may be validated against either standard. It bears re-emphasizing that although these developments don’t directly affect how merchants implement or use a P2PE solution, they will hopefully expand the marketplace of solution components by driving innovation and cost reduction. This should make P2PE solutions, and their scope-reduction benefits, more accessible to merchants of all sizes and segments. If you’re considering implementing a P2PE solution, let LBMC’s team of experienced assessors guide you in the process. We have guided leading merchants through their P2PE implementations, and we know the technology inside and out.