05 Nov Assessor Viewpoint: On PCI Point-to-Point Encryption (P2PE) Solutions
By Dr. Stephan Engelke, Chief Operation Officer, Adsigo
Many merchants face issues in becoming PCI Data Security Standard (DSS) compliant and maintaining this status. One of the issues these merchants face are that there are many facilities in which cardholder data is stored, processed or transmitted, most often in plain text. The goal of Point-to-Point Encryption (P2PE) solutions is to encrypt the cardholder data and sensitive authentication data at the point where it is entered, e.g. the hardware terminal in a store, and decrypt the data at the solution provider’s decryption environment. The fact that the data is encrypted with keys unknown and not managed by the merchant unit results in the possibility of removing all components between the Point-of-Interaction (POI) and the solution provider’s environment from the merchant’s PCI DSS scope. This means the merchant may be allowed to complete a relatively short Self-Assessment Questionnaire (SAQ) as opposed to undergoing a full onsite assessment, or that the merchant may just be able to undergo a much simpler onsite assessment, based on the card scheme compliance programs.
“Experience shows that an initial PCI P2PE validation will most likely take longer than an initial PCI DSS validation since the requirements are a lot more complex. Also the coordination of involved component providers and vendors take time. Communication with merchants also shows that the end result is greatly appreciated by the merchants, making the long way well worth it.”
Many large merchants will find it a lot easier to reach and maintain PCI DSS compliance under these circumstances. Smaller merchants also benefit from the defined scope reduction and may for the first time really look at their cardholder data security, because securing the data has become a lot easier to accomplish.
Getting a solution validated and listed by the PCI SSC has not been without challenges in the past. Version 1.1 of the P2PE requirements implicitly assumes that a single vendor will perform all tasks. Unfortunately the reality is often different, with key activities being outsourced to different companies. Examples include initial key loading in key injection facilities, field services or device maintenance.
With the release of version 2 of the P2PE requirements and of the associated program guide, the use of service providers (“component providers”) has become a lot easier, since each component provider can undergo an independent assessment by a P2PE assessor company of their own choice. This should result in a number of often used components, such as terminal vendor KIFs, to be validated and listed and consequently be accessible as building blocks for other P2PE solutions. This will allow an interested party to assemble a solution with relative ease and join this emerging market.
How to approach a P2PE validation
The crucial steps for a P2PE project at a solution provider typically include a review of the applicable standards which are at minimum PCI DSS and P2PE v2.
The following activities have proven to be helpful when starting a project to list a P2PE solution:
- Produce a data flow diagram including all involved component providers.
- Compile a list of all involved components providers and other service providers involved in the solution.
- Compile a list of your POIs, HSMs and other SCDs to be used in the solution. Obtain the applicable approval numbers early on to ensure that the devices can actually be used.
- Compile the key matrix which will show all keys involved in the solution.
- Compile a key management diagram that will show the keys used in the solution and how they are stored, transferred, loaded and destroyed.
- Compile a list of all applications which are to be used in the solution and identify if they have access to plain text cardholder data or not.
Without this basic information to describe your solution, all future efforts will involve a lot of guesswork and possibly many false starts.
This is also the best time to get a QSA (P2PE)-company involved since they are in the best position to guide an aspiring solution provider through the project and the actual validation.
The typical project approach, as with any compliance project, that has proven to be helpful has been to start by understanding the requirements (possibly with the help of a P2PE-QSA), inform and educate all involved stakeholders, perform a gap analysis, remediate any issues and then start the actual validation.
Experience shows that an initial PCI P2PE validation will most likely take longer than an initial PCI DSS validation since the requirements are a lot more complex. Also the coordination of involved component providers and vendors take time. Communication with merchants also shows that the end result is greatly appreciated by the merchants, making the long way well worth it.
For more information on PCI Point-to-Point Encryption, check out these educational resources from the Council.