Today, the PCI SSC published a minor revision to the PCI Point-to-Point Encryption (P2PE)® Standard. We talk with Mike Thompson, Senior Manager of Emerging Standards and the Chair of the PCI Council’s P2PE Working Group, about some of these changes.
What is driving the changes to the PCI P2PE Standard?
Mike Thompson: Industry feedback drove many of the changes to the Standard, which consist primarily of minor revisions and errata updates. Revisions include clarifications and updates previously released via technical FAQs and bulletins, corrections to proofing errors, and responses to stakeholder comments. This version of the Standard also incorporates changes made in the PCI PIN v3.1 Standard published earlier this year. These updates are reflected primarily in Domain 5 and Annex C of the P2PE Standard regarding cryptographic key operations and device management.
Does the release of P2PE v3.1 impact P2PE Products validated against previous versions of the P2PE Standard and Program?
Mike Thompson: The release of P2PE v3.1 does not impact P2PE Solutions, Components or Applications already validated to P2PE v2.0 or v3.0. P2PE vendors will continue to maintain their validated P2PE v2.0 and v3.0 products in accordance with the P2PE v2.0 and v3.0 Standard and Program, respectively. This includes any necessary changes, for example, those covered under designated changes/deltas, as detailed in the respective P2PE Program Guide.
When will the new Standard be available for use?
Mike Thompson: P2PE v3.1 is available for use upon its publication, along with the updated v3.1 P2PE Report on Validation (P-ROV) templates.
Will there be a transition period from P2PE v3.0 to v3.1?
Mike Thompson: Absolutely. P2PE v3.0 submissions (new assessments and reassessments) will continue to be accepted until 31 December 2021. All v3.0 submissions will need to have completed the quality review process by 31 March 2022. After 1 January 2022, new submissions of P2PE products (including those for reassessments of existing listed products) must be in accordance with version 3.1 of the P2PE Standard and Program.
The release of P2PE v3.1 also includes updated P2PE reporting templates. Can you provide more information on the updated templates?
Mike Thompson: The P2PE Report on Validation (P-ROV) templates have been revised for the release of P2PE v3.1. In part, they needed to be updated to capture the changes made to v3.1 of the P2PE Standard. However, we also took the opportunity to make additional value-add updates based on stakeholder feedback.
We’ve updated the look and feel to be more consistent with templates used for other PCI Council programs. Additional instructions and guidance have been included to help P2PE QSAs populate the required information. For example, considerable enhancements have been made in the first three sections, which consist of numerous information gathering tables, as well as increasing the consistency across the various P-ROV templates that might be used in a single P2PE assessment. This in turn will make the use of P-ROV templates more efficient and accurate, both for P2PE QSAs to use, as well as for the PCI Council to review as part of the submission process. Everyone benefits.
We want to thank our stakeholders for providing valuable feedback that helps the PCI Council improve our documents and helps mature our Standards and Programs.