Monetizing Security - How to Build a Listed P2PE Payment Solution
During the height of many major retailer breaches in 2013 and 2014, merchants were advised by the major card brands to upgrade their point-of-sale (POS) systems to include more advanced software security solutions, such as installing point-to-point encryption (P2PE) at the card swipe or point of interaction. However, despite the Payment Card Industry Security Standards Council (PCI SSC) having a P2PE standard in place, less than a handful of solutions met all of the requirements for listing with the PCI SSC.
In June 2015, the PCI SSC published an updated P2PE v2.0 Standard, reflecting major restructuring and refinements. The updated version streamlines validation efforts, which will ultimately provide merchants with additional choices in P2PE-listed solutions and an easier path to utilizing these solutions. Two of the major changes include a new modular approach to the domains, as well as the addition of domain 4, which allows merchants to manage their own decryption environment. The modular approach means that P2PE solution providers can rely on PCI-validated component service providers that provide POI terminal applications, encryption, decryption, or key management services. This also creates an opportunity for solution providers that specialize in these areas to be validated once and provide service for multiple P2PE solutions.
A limited number of P2PE solution providers are currently designated as PCI-listed P2PE solutions, but more are expected to enter the marketplace with the new P2PE v2.0 Standard. It takes an average of eight months to go through the certification process to obtain validation and earn a PCI P2PE listing. Those looking to create a differentiated merchant payment product by offering a listed P2PE solution should begin planning validation efforts early to avoid delays in bringing products to market.
By working with a certified P2PE Qualified Security Assessor (QSA) to validate their P2PE solutions or components, payment service providers can show a significant reduction in their overall corporate risk, as well as provide a more secure payment solution that merchants demand.
This document requires registration. Please fill out the registration form to receive access.