Application P2PE

Helping to Reduce the Risk of Cardholder Breaches

The Point-to-Point-Encryption Self-Assessment Questionnaire (PCI SAQ P2PE-HW) that was released in 2012 by the PCI Compliance Security Standards Council was intended to simplify the compliance validation process for smaller merchants. By shifting the burden of compliance away from merchants and onto solution providers, validated Point-to-Point-Encryption (P2PE) solutions would ease the PCI DSS validation process for merchants.
However, merchants, payment application vendors, point of sale vendors and service providers still have many questions regarding the compliance validation processes:

  • Do merchants still need to adhere to PCI DSS?

  • Can they use older legacy hardware and remain compliant?

  • How can I benefit from P2PE if there are no listed solutions, or none that fit my needs?

As P2PE guidelines continue to mature and grow, Coalfire can help make compliance and assessment as painless as possible. For example, Coalfire is uniquely qualified to provide strategic guidance and supporting services to address guidance released by PCI DSS on Non-listed Encryption Solution Assessments (NESA).

Choosing the Best in the Industry

There are two types of certified P2PE Qualified Security Assessment companies:

  • Organizations that are certified to perform QSA-P2PE assessments

  • Organizations that are qualified to perform Payment Application P2PE Assessments

In some instances, organizations are qualified to perform both P2PE assessment types. Coalfire is one such company; we have more Point-to-Point-Encryption (P2PE) assessors than any other QSA firm. But we’re not just the biggest; Coalfire’s consultants have the most experience in helping merchants reduce the scope of their environment using P2PE solutions. Coalfire has been and continues to be an active member of the PCI SSC’s P2PE task force and continues to provide input into developing the standard. Coalfire has also worked with more P2PE vendors and acquiring banks over the last 2 years than any other QSA company.

Who We Can Help

Service Providers (processor, acquirer or payment gateway)

You can become listed as a P2PE Solution Provider either in conjunction with your existing Report on Compliance (ROC) or as a separate assessment.

  • Dramatically ease your merchants’ PCI DSS validation burden

  • Consolidate PCI compliance costs with your existing ROC

  • Reduce risk of data compromise for merchant population

Application Vendors

If you produce an application that runs on a POI utilizing P2PE, then regardless of whether or not it has access to account data, there are P2PE opportunities and requirements for you as well.

  • Get your application listed separately or in combination with a Service Provider P2PE solution

  • Utilize a P2PE solution to provide transaction details that do not bring a POS into scope for a merchant but still provide functionality beyond payment transactions.

  • Reduce risk of cardholder data compromise

  • Reduce PCI scope of validation

  • Reduce PCI compliance-related costs

So get a jump on planning and implementing a P2PE solution to differentiate you from your competitors. P2PE is the future of payments as it reduces overall risk and PCI DSS scope. Contact Coalfire to understand how you can take advantage!