Point-to-Point Encryption (P2PE) technology makes data unreadable so it has no value to criminals even if stolen in a breach. Merchants can take advantage of this technology with a P2PE solution, a combination of secure devices, applications, and processes that encrypt payment card data from the point it is used at a payment terminal until it reaches a secure point of decryption. PCI P2PE Solutions are those that have been validated as meeting the rigorous security requirements of the PCI P2PE Standard and are listed on the PCI Security Standards Council (PCI SSC) website. PCI P2PE Solutions provide the strongest protection for payment card data and can simplify merchant efforts to comply with the PCI Data Security Standard (PCI DSS).
Here we talk with PCI SSC Sr. Manager Mike Thompson, chair of the PCI Council’s P2PE Working Group, about what the optional P2PE Solution Inventory Template is and how it should be used.
Why is the Council issuing an optional P2PE Solution Inventory template?
Mike Thompson: The optional-for-use template is intended to provide merchants, QSAs, Solution Providers, etc. a Standardized, Consistent, and Comprehensive means to capture information about a P2PE Solution implemented in a merchant environment where the solution, in whole or in part, is expired.
What does a Solution, “in whole or in part” being expired, mean?
Mike Thompson: Great question. The PCI Council maintains the list of validated P2PE Solutions, as well as P2PE Components and P2PE Applications. The Council also maintains lists of expired Solutions, Components, and Applications. Validated P2PE product listings will move to their respective expired list for a variety of reasons detailed in the P2PE Program Guide. P2PE Solutions can use listed P2PE Component Providers as well as P2PE Applications. A P2PE Solution product listing can move from the validated list to the expired list; however, there are also instances where the P2PE Solution itself is still validated, however a P2PE Component and/or P2PE Application being used by the P2PE Solution has expired. The P2PE Program Guide is a great resource for additional details about the P2PE Program and the P2PE listings.
Who does the template apply to?
Mike Thompson: The template is ultimately intended to capture information about a solution as it pertains to a particular merchant environment. The information used to populate the template can come from the merchant directly, the Solution Provider, a QSA, a combination thereof, etc.
What’s the benefit of the template?
Mike Thompson: As mentioned, the template facilitates a Standardized, Consistent, and Comprehensive means to capture information about a P2PE Solution implemented in a merchant environment where the solution, in whole or in part, is expired. This information can be useful on behalf of the merchant using the P2PE Solution for the payment brands and/or acquirer.
How is the template submitted?
Mike Thompson: The template is optional for use. It is not required as part of the PCI Council’s P2PE Standard or Program and it is not submitted to the PCI Council. Interest in the use of the template should be directed to the payment brands and/or acquirer of the merchant using the P2PE Solution.