The updates to the P2PE Standard and supporting program are part of the Council's mission to evolve security standards and validation programs to support a range of environments, technologies and methodologies for achieving security. Ultimately, the updated PCI Point-to-Point Encryption (P2PE)® Standard and supporting program will result in more PCI P2PE® Solutions being available to the marketplace. We sit down with PCI SSC Vice President, Global Head of Programs Gill Woodcock to discuss the changes to the program.
What are some of the high-level changes to the P2PE program?
Gill Woodcock: The changes to the P2PE program introduce more flexibility into the assessment process for solution providers and others. As a result of feedback received during the Request For Comment process, we are introducing four new component provider types: POI Management, POI Deployment, Key Management and Key Loading. This allows providers of these services to undergo assessment against the P2PE Standard and be listed on PCI SSC's website, avoiding the need for re-assessment each time their service is included in a P2PE Solution.
We've also simplified the change management process for keeping the listing updated, and we are introducing an "Expired" listing which will show P2PE Solutions, Components and Applications for which the validation has expired.
HSMs used within P2PE Solutions and Components will now be included in the listing information, and the P2PE Program Guide v3.0 gives detailed information on how the expiry of HSMs and POIs affects P2PE listings.
There is an important change as to how the P2PE requirements which each P2PE Component Provider must meet are shown – this is no longer included in the P2PE Standard itself; instead, a new Applicability Matrix has been added to the P2PE Program Guide which provides an 'At a Glance' mapping of all the P2PE requirements to P2PE Solutions, Components and Applications.
What are some of the changes that will impact solution providers?
Gill Woodcock: P2PE Solution Providers need to look at all the changes, especially the introduction of the new Component Provider types, and consider how it may benefit the assessment of their solution in future. They should also consider carefully the timing and impact of the HSM and POI device approvals on their solution and therefore on their customers.
P2PE Component Providers should also look at how the changes affect them, and whether they wish to use the new Component Provider types to help with the assessment process.
What should P2PE Assessors know about?
Gill Woodcock: P2PE Assessors should ensure they are familiar with all of the changes, especially the new Component Provider types and the revised Program Guide and P-ROVs. We will be providing more information directly to P2PE Assessors and updating training materials, including computer-based transition training for existing assessors, early in 2020.
How are the P2PE Reports on Validation (P-ROVs) changing?
Gill Woodcock: A lot of effort has been put into making the P-ROVs easier to use. There are now 6 P-ROVs, covering P2PE Solution, P2PE Application, Decryption Management Services, Encryption Management Services, Key Management Services and Merchant-Managed Solutions. The P-ROVs contain information on how they should be used to document the results of the different types of P2PE Assessment, as well as the relevant parts of the Applicability Matrix (the complete version is in the P2PE Program Guide v3.0) indicating which P2PE requirements must be validated for each type of P2PE Assessment.
How does this impact solutions validated against P2PE v2.0?
Gill Woodcock: There is no direct impact on P2PE Solutions, Components and Applications already validated to P2PE v2.0. P2PE v2.0 submissions will continue to be accepted until the end of June 2021 (18 months after the launch of P2PE v3.0).
Can P2PE Solutions use a mixture of components and applications validated to P2PE v2.0 and P2PE v3.0?
Gill Woodcock: P2PE Solutions validated using P2PE v3.0 can contain P2PE Components and Applications validated using P2PE v2.0. P2PE Solutions validated using P2PE v2.0 can contain P2PE Components and Applications validated using P2PE v3.0, with the exception of the new component types introduced as part of the P2PE v3.0 changes.