Are you tired of the worn-out phrase “there is no silver bullet to PCI compliance”, or are you still looking for that magic solution to solve all your problems? If you’re a merchant with only a single payment channel, and that channel supports the use of a hardware payment terminal, Point-to-Point Encryption (P2PE) is as close as it gets.
In December, the Payment Card Industry Security Standards Council (PCI SSC) released the third iteration of the P2PE standard, which allows cardholder data to be secured from the point of interaction (i.e. the payment terminal) to a decryption point. Even if P2PE will never automate compliance, it gets you as close as you can get to that fabled silver bullet, at least for the payment channel the P2PE solution is protecting.
Merchants whose payment channels can be secured using a P2PE solution may be eligible for a self-assessment questionnaire (SAQ) instead of a Report on Compliance (RoC). As always, the validation requirements are up to each merchant’s acquirer to determine, so if you are using a P2PE solution you should speak to your acquirer to confirm your validation requirements.
One standard to unite them all
For solution providers, and indeed component providers, the introduction of P2PE version 3 is a welcome step in the right direction. Version 1 was a monolithic standard, with little to no flexibility for solution providers to outsource services to third parties, at least not without serious implications for themselves in terms of scope expansion and onerous compliance validation requirements.
Version 2 introduced the use of component providers, which allowed third parties to validate their services against a subset of requirements covering the services they provide. Version 3 expands on this, introducing even more flexibility and validation options for component providers. As the PCI SSC gained a wider grasp of the payment landscape and the plethora of services being provided to solution providers, they realised that the existing component provider categories weren’t enough to allow all types of component providers to validate their services.
Version 3 introduces four new categories of component providers: key generation and key management service providers can now validate and become listed as certified P2PE component providers, and so can POI deployment and POI management service providers.
As the P2PE standard is evolving to encompass as many different types of service providers as possible, it is important for you as a merchant, or as a solution provider, to keep up with the changes and stay updated with how the program is changing and what the impact is on you as a payment processing entity.
P2PE has always been closely aligned with PCI PIN, and in version 3 this is even more evident: P2PE v3 and PIN v3 are now aligned, with the same control numbering format and identical key management requirements. If you are a solution provider that also validates against PIN, or has done so in the past, you are in a position to reuse your experience between PIN and P2PE, or vice versa.
The evolution of P2PE also introduces requirements such as those for managing keys as key blocks, with a three-phased approach whose last phase ends in 2023 to ensure full adoption of key blocks across the payment infrastructure.
Other noteworthy changes include the timeline for moving away from PC-based key loading when loading clear-text keys or key components, and a date after which the injection of clear-text keys or components will be prohibited for key-injection facilities altogether. Effectively, after January 1, 2021, entities are not allowed to inject clear-text keys or components when performing injection on behalf of third parties, and after January 1, 2023, all injections of keys and key components must be done using encrypted keys/components, including for devices for which the entity is also the processor.
The standard has also been reworked. Annex A and B have been removed and their content moved into the main body requirements to reduce the number of duplicated requirements, and Domain 4, which contained the merchant-managed solution (MMS) requirements, has been moved to an Annex rather than being a standalone domain. The change to the MMS domain means that domain numbering has shifted: Domain 5 is now Domain 4 and Domain 6 is now Domain 5.
Reporting structures have also been greatly reworked to reduce the work effort for assessors documenting compliance of validated solutions and components. This is a welcome change and will greatly improve the efficiency of P2PE validations going forward.
Is a P2PE solution right for you?
Merchants seeking to reduce their overall PCI DSS compliance effort should work with their QSA and service providers to understand the capabilities of their current environment, and what they can do to reduce scope wherever possible. When deployed correctly, a P2PE solution can greatly reduce the scope of the PCI DSS environment, but there are many things to consider before choosing a P2PE solution, including considerations on how to maintain the solution once deployed.
Service providers seeking to validate their own P2PE solution need to understand the flexibility of the standard. Putting effort into the design of the P2PE solution, including the option of outsourcing whole domains to P2PE component providers, before attempting to deploy it can vastly reduce the overall validation effort.
Should you feel the need to discuss any requirements or interpret the impact of any specific control on your environment, SecureTrust can assist you wherever needed; please reach out to your account manager or firstname.lastname@example.org for assistance.
The post Point-to-Point Encryption (P2PE) is evolving – are you? appeared first on Payments Cards & Mobile.