What happens next with the PCI Point-to-Point Encryption (P2PE) Standard? PCI SSC Chief Technology Officer Troy Leach provides an update.
First, can you provide a quick overview of what the PCI P2PE Standard is and who it’s designed for?
Troy Leach: The PCI P2PE Standard provides a comprehensive set of security requirements for validation of P2PE solutions to protect payment card data via encryption from where it is captured in the payment terminal until it is decrypted in the solution provider’s environment. The intended audience is P2PE solution providers and component providers that develop and provide P2PE services.
Why is P2PE an important technology in payment security right now?
Troy Leach: P2PE provides merchants with one of the most significant ways to minimize where criminals can attempt to steal cardholder data by immediately encrypting at the earliest point of entry in their stores. That achieves one of the most fundamental security objectives, which is to reduce the attack surface. An attack surface represents all the different ways a criminal could potentially exploit a merchant location. And with all the recent advancements in hacking techniques, the more a merchant or other entity can reduce the potential attack surface and limit where cardholder data is exposed, the less risk they are required to manage.
What is the value in using a PCI P2PE Solution over other solutions in the marketplace?
Troy Leach: What is unique is the rigor required for a solution to be independently assessed by our specially qualified P2PE Assessors against a set of detailed testing requirements. This allows for greater security assurance and simplified PCI DSS assessments. Only PCI P2PE Solutions are independently assessed by a P2PE QSA and validated per the PCI P2PE Standard and Program Guide to ensure the strongest protection for payment card data and to simplify PCI DSS efforts for merchants. PCI SSC continues to encourage merchants and acquirers to use the PCI SSC listing in selecting a PCI P2PE Solution that meets their needs.
Last year PCI SSC solicited industry feedback on the PCI P2PE Standard via a request for comments (RFC) period. What can you tell us about plans to update the standard based on this feedback?
Troy Leach: When we began the last RFC for the P2PE standard and program, we really expected the comments would be to minimize any significant changes from the previous release. That was what we were hearing from the industry and somewhat confirmed by the feedback results. However, we received a few suggested changes that were minor in the approach to the security requirements of the standard itself, but significant in some of the program changes recommended and organization of requirements within the standard. Changes will focus on modernizing, simplifying, and adding flexibility to the P2PE Program, such as opportunities to add Component Provider Types and flexibility for Solution Providers.
As such, we withdrew our revision for 2018 to address the feedback in a larger program update expected next year. This should not be in anyway disruptive to existing solutions or solutions going through validation to P2PE v2.0 as we anticipate a long transition plan when the next version of the standard is released. We plan on publishing v3.0 of the P2PE Standard in the Q4 2019 to Q1 2020 timeframe.
As part of the update process, PCI SSC will conduct an additional request for comments (RFC) period with PCI SSC stakeholders. PCI SSC will update stakeholders on timing for the RFC and publication of the standard as this initiative progresses.
What do these pending changes mean for merchants seeking to implement a PCI-listed P2PE solution?
Merchants do not need to wait until the publication of P2PE v3.0 in order to obtain or implement a PCI-listed P2PE Solution. Merchants are encouraged to implement a PCI-listed P2PE solution for simpler compliance and greater security of their payment card data.
How will these changes impact merchants already using or in the process of installing a current PCI-listed P2PE solution?
We expect little, if any, impact to merchants already using or installing a current PCI-listed P2PE solution. Solutions which are currently listed on PCI SSC’s website or in the process of becoming listed will continue to be valid and provide a high level of security assurance. The planned changes in P2PE v3 are to assist solution providers with modernizing, simplifying, and added flexibility in developing and enhancing their products.
How will these changes impact providers of current PCI-listed P2PE solutions?
PCI SSC recognizes that the transition period can be a challenge for some payment security stakeholders. Accordingly, a generous transition period will be planned to support solution providers in migrating their products from P2PE v2.0 to P2PE v3.0. It’s important to note that any solution validated under P2PE 2.0 will continue to be valid when P2PE v3.0 is published. We are not anticipating any change to the frequency at which solution providers must have their P2PE Solutions revalidated.