The PCI P2PE Standard provides a comprehensive set of security requirements for validation of P2PE solutions, applications and components to protect payment card data. Expected in December of 2019, the P2PE v3.0 Standard and Program have been streamlined to facilitate a greater degree of flexibility for industry stakeholders as well as to improve the assessment process.
1. Added flexibility will open the door to more PCI-validated P2PE solutions.
The changes to the security requirements in P2PE v3.0 are minor. What is significant are some of the program changes. These changes were recommended by the industry via an extensive RFC process and will ultimately result in more P2PE solutions available to the marketplace.
In 2015, the PCI SSC first introduced the ability to validate P2PE solution components, which are services that fulfill specific P2PE requirements. Version 3.0 of the Standard maintains the same approach to protecting payment data but doubles the amount of component providers which can validate against the Standard. The listing of individual components makes it easier for a solution provider to be aware of and select validated components for integration. This will allow for more outsourcing for the solution and component providers. There will also be an extra level of granularity and more reporting aspects which will make it easier to demonstrate providers are meeting the goal of the Standard.
2. Merchants should not wait to implement a solution validated to P2PE v3.0.
PCI Point-to-Point Encryption solutions help merchants by encrypting cardholder data at the earliest point of acceptance, making that data less valuable to attackers even if compromised in a breach. Use of a PCI-approved P2PE solution can also allow merchants to reduce where and how the PCI Data Security Standard (PCI DSS) applies within their retail environment, increasing security of customer data while simplifying compliance with the PCI DSS.
It’s important to note that the P2PE technology that protects their payment data isn’t changing- the changes are aimed to provide more solutions for merchants. Therefore, merchants considering a P2PE solution should not wait for a P2PE v3.0 validated solution. Solutions validated against v2.0 of the Standard will provide the same level of security. Merchants should talk with their acquirer about selecting and using a PCI-listed P2PE v2.0 solution.
3. P2PE v2.0and v3.0 will both be valid assessment options for 18 months after publication of the Standard.
One of the benefits of using a validated P2PE Solution is the assurance that the validation process is repeated every three years. P2PE Solution Providers (and P2PE Application and Component Providers) can choose to use P2PE v2.0 or P2PE v3.0 for their validations for 18 months after the publication of P2PE v3.0. P2PE v3.0 becomes mandatory for new assessments and reassessments around mid-year 2021.