How Coalfire is Helping Increase Access to PCI-listed P2PE Solutions
Use of a PCI-listed P2PE solution offers significant security and compliance benefits. However, merchants and service providers are still challenged to take full advantage of this opportunity. Coalfire has invested in solving the most significant obstacle to adoption of listed P2PE solutions.
PCI P2PE offers a path to reduce a merchant’s risk of theft of customers’ sensitive credit card information, which in turn reduces the merchant’s PCI DSS compliance effort. This can lower the cost of compliance activities and of the annual PCI DSS assessment. More importantly, it reduces the risks associated with non-compliance.
So, if P2PE is such a great solution, why have so few merchants deployed PCI P2PE solutions in line with the PCI standards? Why are solution providers so frustrated with their inability to tap into this new market opportunity?
During the hundreds of merchant assessments Coalfire performs every year, the answer we most frequently hear is a lack of solution availability. There are plenty of non-listed encryption solutions, but relatively few PCI SSC-listed P2PE solutions: only 28 as of April 2017. This may force merchants to choose between a listed P2PE solution that doesn’t meet all their needs and waiting for one that does but is a long way from being listed.
To provide the full DSS compliance benefits, the P2PE solution must be listed by the PCI Security Standards Council, which requires an extensive and complex assessment by a QSA (P2PE). Furthermore, if a payment application is running on the POI devices, that application must also be assessed by a PA-QSA (P2PE).
Successful completion of an assessment often requires technical and process changes for the solution provider and any service providers that they depend upon. Support from qualified resources is needed throughout the process. Service providers need expertise to understand and prepare for this new, complex assessment. And then, of course, they need an assessor to efficiently conduct the extensive assessment. There has been an inadequate supply of qualified resources to address these demands. Without a sufficient number of trained and certified P2PE resources, industry adoption has been hampered from the start.
This shortage of QSA (P2PE) and PA-QSA (P2PE) assessors is compounded by the SSC’s strict eligibility criteria. Requirements to attend training and sit for certification include a minimum level of work experience across multiple specialized IT security domains, including cryptography, key management, network security, application security, penetration testing, and payment terminal security. The complexity of the assessment itself makes matters worse, as P2PE QSAs and PA-QSAs spend far more time on a P2PE assessment than on other types of PCI assessments. This further reduces the number of resources available to start a P2PE-related project.
The complexity of the assessment and the lack of qualified assessors have significantly limited both the number of P2PE-listed solutions in the market and the rate of new assessments.
What’s the impact of scarce assessment resources? Many service providers have shopped around for P2PE advisory and assessment services looking for the fastest path to market. We have heard that proposed start times for their projects are commonly over 4 months out from signing a contract. This is due to the unavailability of P2PE QSAs to start an assessment; and once an assessment does start, the solution provider often has gaps to remediate, which prolongs the assessment further.
Coalfire has started to address this problem. As of February, Coalfire has doubled its QSA (P2PE) and PA-QSA (P2PE) capacity and is the largest provider of PCI P2PE services. As of now, this means that Coalfire can start your P2PE project within a few weeks instead of a few months.
Please visit our website to learn more about PCI P2PE and Coalfire’s services.