In 2012, the PCI Council released a standard for point-to-point encryption, known as PCI Validated P2PE or PCI P2PE, in response to the increasing number of “security” solutions in the market. Most providers were claiming that their security solution, usually P2PE or E2EE with a splash of tokenization, provided the most significant amount of PCI DSS scope reduction. As a result, the PCI Council felt it was time to standardize security solutions in an effort to provide clarity to merchants, and built the standard for PCI Validated Point-to-Point Encryption (P2PE), also referred to as PCI Validated P2PE or PCI P2PE.
P2PE/E2EE/Encryption is not EMV
The belief that EMV is an encryption solution has been pervasive since data breaches began taking over news headlines in 2014. EMV does not encrypt or protect a consumer’s credit card data, in any way, within your point of sale or other systems. The purpose of EMV is purely identity; that is, to verify that I’m Mr. Smith and I’m using Mr. Smith’s credit card, through real-time negotiation between the chip card, the terminal and the back-end issuer of the card. Now, we can discuss the type of chip authentication currently used in the US, which is signature instead of PIN, but that is a topic for another post (hint: signature is a useless form of authentication). For more information on EMV vs. P2PE, check out the following article: EMV isn’t a Security Solution.
PCI Validated P2PE
When the PCI Council released the first version of the PCI Validated P2PE standard, industry experts proclaimed the impossibility of any company attaining the coveted PCI P2PE certification. Although it took over 2 years for a U.S.-based PCI P2PE solution to come to market, the battle wasn’t over, due to the misunderstandings and misdirection in the marketplace as well as the continued confusion of merchants about PCI compliance. Following the certification of the first North American PCI P2PE solution in March 2014, it was nearly two years before merchants began to truly understand the value of the PCI P2PE validation. With a significant push by both the PCI SSC and (educated) QSAs, merchants are finally understanding the significant, objective scope reduction granted by the PCI Validated P2PE standard and validation with the SAQ P2PE. The full listing of PCI Validated P2PE solution providers can be found here:
PCI P2PE vs. P2PE
Thousands of payment solution providers (PSPs) offer encryption solutions to merchants, and have been doing so for many years. The PCI P2PE standard allowed the PCI Council to standardize encryption solutions in the marketplace by having solution providers prove, through an independent Qualified Security Assessor (QSA), that the solution meets the requirements set forth by the PCI Council. The benefit to the merchant is that a properly implemented PCI Validated P2PE solution has already been independently proven to keep credit card data out of the merchant’s environment, and therefore merchants are no longer responsible for including their front-end payment systems (e.g. POS, PMS, ERP, etc.), network and supporting infrastructure in their annual PCI DSS audit. This reduction in PCI DSS scope results in a drop from approximately 350 controls down to ~30 controls, as merchants who have implemented a PCI P2PE solution qualify for the SAQ P2PE (April 2015).
As of April 2016, Version 3.1 is the most current version of the SAQ P2PE. It’s important to note that the former SAQ P2PE-HW, which was specific to hardware-to-hardware solutions, no longer applies to any solution, as all PCI P2PE solutions now utilize the SAQ P2PE, which covers both hardware-to-hardware and hybrid solutions. The full revision history is as follows:
| Date | Version | Description |
| May 2012 | 2.0 | To create SAQ P2PE-HW for merchants using only hardware terminals as part of a validated P2PE solution listed by PCI SSC. This SAQ is for use with PCI DSS v2.0. |
| February 2014 | 3.0 | To align content with PCI DSS v3.0 requirements and testing procedures and incorporate additional response options. |
| April 2015 | 3.1 | Updated to align with PCI DSS v3.1. For details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1. Removed “HW” from the SAQ title, as it may be used by merchants using either a HW/HW or HW/Hybrid P2PE solution. |
Many merchants ask, “Are validated solutions more secure than non-validated P2PE solutions?” The short answer is, probably not. The major benefit of utilizing a PCI Validated P2PE solution over just any P2PE or E2EE solution is that the merchant’s scope reduction is objective (i.e. automatic opt-in to SAQ P2PE), whereas non-validated solutions result in a subjective scope reduction. In other words, a QSA will still need to perform an analysis of the implementation of any non-validated P2PE solution, and the merchant will not qualify for the SAQ P2PE, as that is reserved for merchants who implement a PCI Validated P2PE solution.
P2PE Instruction Manual (PIM)
Every PCI Validated P2PE solution must have what’s known as a P2PE Instruction Manual, or the PIM. The P2PE Instruction Manual serves as a roadmap document for merchants who have implemented, or are planning to implement, a PCI Validated P2PE solution. For those PCI P2PE solution providers who have certified to the PCI P2PE Version 1.x standard, the PIM may differ significantly in both content and implementation approach. PCI P2PE 2.x, however, has “templatized” the PIM, and as solution providers certify to the new standard the differing PIMs will become much more uniform.
For more information on the P2PE Instruction Manual, visit our post: Understanding the P2PE Instruction Manual (PIM)