Point-to-Point Encryption (P2PE) technology makes data unreadable so it has no value to criminals even if stolen in a breach. Merchants can take advantage of this technology with a P2PE solution, a combination of secure devices, applications, and processes that encrypt payment card data from the point it is used at a payment terminal until it reaches a secure point of decryption. PCI P2PE Solutions are those that have been validated as meeting the rigorous security requirements of the PCI P2PE Standard and are listed on the PCI Security Standards Council (PCI SSC) website. PCI P2PE Solutions provide the strongest protection for payment card data and can simplify merchant efforts to comply with the PCI Data Security Standard (PCI DSS). Recognizing that many merchants are not yet using PCI-listed solutions, however, the Council has issued guidance to assist security assessors in evaluating non-listed account data encryption solutions and their impact on merchants’ PCI DSS compliance.
Here we talk with PCI SSC Standards Manager Mike Thompson, chair of the PCI Council’s P2PE Working Group, about what the Assessment Guidance for Non-listed Encryption Solutions does and doesn’t mean; how the guidance should be used; and how it contributes towards the goal of devaluing payment card data so that it can’t be used fraudulently even if stolen.
Why is the Council issuing guidance for encryption solutions that are not PCI-listed?
Mike Thompson: We are encouraged by the significant growth of the PCI P2PE Program in the last two years and the increasing number of PCI P2PE Solutions listed on our website. At the same time, many solutions currently being used by merchants are not PCI-listed. The Council recognizes this creates a challenge for Qualified Security Assessors (QSAs) in how to complete PCI DSS assessments for these merchants and that guidance is needed.
The guidance is intended to help assessors by providing best practices and a consistent approach to evaluating non-listed encryption solutions in use by their merchant customers, and to encourage merchants to use PCI P2PE Solutions by reinforcing that they provide the strongest protection and simplify PCI DSS compliance.
Who does the guidance apply to?
Mike Thompson: The guidance is specifically for P2PE QSAs and QSAs. P2PE QSAs can use the guidance to assess account data encryption solutions that are not PCI-listed. QSAs can refer to the assessment done by P2PE QSAs based on this guidance to help with their PCI DSS assessments for merchant environments using an associated non-listed encryption solution.
Non-listed account data encryption solution providers are encouraged to review the guidance to understand what to expect should they choose to engage a P2PE QSA to perform an assessment of their encryption solution.
Acquirers and merchants using a non-listed encryption solution should work with their provider to understand the features of that solution and any evaluation that has been done. Acquirers and merchants can request a non-listed encryption solution assessment from a solution provider (which should be done by a specially-trained P2PE QSA), and the merchant’s QSA can use that document to help evaluate risk and determine the appropriate PCI DSS validation effort.
What’s the difference between this guidance and the P2PE Standard?
Mike Thompson: The P2PE Standard provides security requirements that must be met by a vendor’s P2PE solution and validated by a P2PE QSA in order for it to be listed on the PCI SSC website as a PCI P2PE Solution.
PCI P2PE Solutions provide the strongest protection for payment card data and simplify PCI DSS compliance efforts. Many solutions currently being used by merchants are not PCI-listed, however, which is where this new guidance comes in. It is for evaluating solutions that don’t meet the P2PE Standard, but are being used by merchants anyway, so that all the parties involved in a merchant PCI DSS assessment understand how the use of a non-listed encryption solution impacts the merchant’s PCI DSS compliance responsibilities.
Is there a benefit to using PCI P2PE Solutions versus non-listed solutions?
Mike Thompson: Absolutely. A PCI P2PE Solution can significantly help simplify the PCI DSS validation effort for merchants by reducing where and how PCI DSS requirements apply. Only PCI P2PE Solutions have undergone an in-depth examination by a specially-trained P2PE QSA and been validated against the P2PE Standard to ensure the strongest protection for payment card data. And this doesn’t stop with validation. These solutions are managed and updated according to a robust PCI Council program. This provides assurance that ongoing security is in place, including full re-assessment of the solution every three years, and annual checks in the meantime.
What’s the ultimate goal in providing this guidance to assessors?
Mike Thompson: We want to make it easier for assessors, acquirers, and merchants to get the information they need to make decisions about risk and PCI DSS responsibilities when using non-listed account data encryption solutions.
Point-to-point encryption is a critical technology for devaluing payment data; the data can’t be used even if stolen. With this guidance and our growing PCI P2PE Solution listing, we hope to encourage merchant adoption of this technology to better protect payment card data.