Point-to-Point Encryption (P2PE) is a critical technology for devaluing payment card data and preventing cardholder data breaches. The growing use of the PCI P2PE Standard to provide solutions that minimize exposure of card data and simplify security and compliance efforts for businesses will be a key topic of discussion at the PCI Europe Community Meeting in Edinburgh on 18-20 October. Here we talk with PCI SSC Standards Manager Mike Thompson, who chairs the PCI Council’s P2PE Working Group, for an update on how P2PE is gaining traction among organizations.
What is point-to-point encryption and how does it work?
Mike Thompson: Point-to-Point Encryption (P2PE) provides merchants with strong cryptographic protection of payment card data from the point it is used at a payment terminal until that data reaches a secure point of decryption. A PCI P2PE Solution is one that has been validated as meeting the PCI P2PE Standard. Using strong cryptography means the payment data is devalued; it can’t be used even if stolen. This brings obvious benefits for merchants and cardholders alike. Merchants want secure solutions and cardholders want their data protected.
What’s the benefit of using a PCI P2PE Solution versus other solutions out there?
Mike Thompson: Using a solution that has been validated as meeting the PCI P2PE Standard has several benefits for merchants:
- Assurance that the solution has undergone in-depth examination by a specially trained P2PE Assessor;
- A PCI-listed P2PE Solution can significantly help reduce the PCI Data Security Standard (PCI DSS) validation effort for merchants;
- Validated PCI P2PE Solutions are managed and updated according to a robust PCI Council program. This isn’t a one-time assessment; it provides assurance that ongoing security is in place, including full re-assessment of the solution every three years and annual checks in the meantime.
Our case studies point to the strong business cases and tangible benefits that PCI P2PE Solutions provide merchants.
How does using a PCI P2PE Solution make PCI DSS compliance easier?
Mike Thompson: PCI P2PE Solutions reduce where and how PCI DSS requirements apply to merchant environments. Merchants using a PCI P2PE Solution may be eligible to use Self-Assessment Questionnaire (SAQ) P2PE; and merchants that undergo an onsite assessment with a resulting Report on Compliance (ROC) may be able to use SAQ P2PE as a reference to identify the applicable PCI DSS requirements for their P2PE environment. Using a PCI P2PE Solution doesn’t remove the need for all PCI DSS controls, but it does greatly reduce the number of controls that have to be validated, making compliance a lot easier. Each PCI P2PE Solution has a P2PE Instruction Manual, or PIM, which sets out exactly what merchants must do to use the solution properly.
What’s the current state of adoption of PCI P2PE solutions?
Mike Thompson: We are seeing a big increase in the adoption of P2PE, both in terms of solutions coming through the validation process and in merchants making use of those solutions. The rollout of P2PE v2 in 2015 has had a very positive impact, and as we progress through the remainder of 2016 and into 2017 we expect to see many more solutions finishing the validation process and getting listed on the PCI SSC website. A recent survey of P2PE Assessors indicated they have many P2PE assessments currently in their pipeline. We’re looking forward to hearing even more success stories in 2017.