New PCI NESA Guidance is Good News for Non-Listed Encryption Solutions

December 06, 2016, Sam Pfanstiel, Solution Principal, PCI, Coalfire

While PCI P2PE is still the most secure approach, solution providers, who are not yet validated, can now offer additional clarity to merchants, QSAs, and acquirers

On November 22nd, the Payment Card Industry Security Standards Council (PCI SSC) released official guidance for merchants, encryption solution providers, and qualified security assessors (QSAs), and acquirers, answering an important question that has affected numerous merchants for years – how exactly does a merchant go about assessing their PCI DSS compliance if they are using an encryption solution that has not been validated to the new P2PE standard?

First a little history:  For over a decade, acquirers, gateways, and other service providers have offered terminal-based encryption sometimes called end-to-end encryption (E2EE), point-to-point encryption (P2PE), or data field encryption (DFE).  These services provided a valuable security service, by encrypting credit card data as it first enters the terminal, and not decrypting it until after it passes safely out of the merchant’s environment.  Such an approach, properly implemented, should theoretically address many of the core intents of the PCI Data Security Standard (PCI DSS), because the encrypted card data is of no value to hackers, and thus less likely to be stolen.

In 2011, the PCI SSC began offering the optional P2PE program to provide a specific set of requirements for P2PE solution providers to meet in order for their merchants to receive a significant PCI DSS scope reduction for both the scope of their cardholder data environment and the list of security controls they need to validate on an annual basis.  The idea being that, if the solution provider could meet this high standard of security surrounding the devices, terminal software, encryption, decryption, key management, and operations, there would be very little left over for the merchant to do in order to protect the card data.  To qualify to be a “validated” or “listed” P2PE solution provider, the solution would need to be assessed to the P2PE standard by a special qualified security assessor called a QSA (P2PE).  Merchants of any size that use these solutions and meet the eligibility criteria can either complete the specialized SAQ P2PE, or receive a comparable scope reduction on their report on compliance (ROC).

Since that time, Coalfire’s QSA (P2PE) team has conducted over 50 workshops, gap analyses, white papers, advisory engagements, and P2PE assessments for hardware, software, and service providers that are in the process of adapting to this rigorous security standard.

Unfortunately, there are many encryption providers who are still not listed because they cannot currently meet the requirements of the standard, due to device limitations, software requirements, operational gaps, or technical constraints.   Meanwhile, there are many merchants who have adopted these encryption solutions, but are not eligible for this straightforward PCI DSS scope reduction.  Each year it can be a challenge for merchants to reach agreement with their QSA on the appropriate subset of controls, and then to confirm with their acquirer whether they will accept their SAQ or ROC based on these controls.

Fortunately, the release of Assessment Guidance for Non-listed Encryption Solutions finally provides a path forward for these merchants, QSAs, and solution providers.  This document outlines a practical approach for solution providers that meet certain criteria:

  • First, the non-listed solution must be an existing service, and be making strides towards full P2PE compliance at some point in the future.
     
  • Second, the solution must perform encryption using PCI PTS (PIN Transaction Security) version 2 or higher devices.
     
  • Third, the merchant must never be able to access the encryption/decryption keys or otherwise access clear-text credit card account data.

If these criteria are met, the solution provider can engage a P2PE QSA to perform a special assessment called a Non-listed Encryption Solution Assessment (NESA).  This assessment comprises a review of the scope of the solution, a summary of how their encryption solution stacks up against the PCI-P2PE standard, and a qualified recommendation for which merchant PCI DSS controls may be reduced based on the proper use of the solution.  The intent of this document is to provide a better understanding of which security controls the P2PE QSA feels should still be applicable for the merchant, due to incomplete compliance within the provider’s solution against the P2PE standard (see Figure 1).

Once complete, this summary document can then be provided by the solution provider to their merchant, and in turn to their QSA or acquirer, and serve as both a review of the P2PE solution’s scope and compliance, as well as recommendations for merchant compliance.  Ultimately, the acquirer still must approve the recommended approach, but armed with a NESA, a solution provider and the merchant can provide objective documentation based on PCI guidance.

Prior to this official method for assessing non-listed solutions and attesting compliance for merchants using those solutions, Coalfire had produced many similar documents, in the form of white papers containing detailed mappings of compliance controls, to show our recommendations for the merchant’s remaining compliance requirements.  Countless merchants have already utilized these white papers to guide their own compliance programs and provide support to their acquirers for the reduction of applicable controls.   Under the NESA program, previous assessments like these may be updated to reflect the new recommended and standardized format, and thus be even more valuable for simplifying the merchant’s annual attestation process.

Coalfire believes this new guidance offers a reasonable and standardized approach by the PCI SSC to a challenging problem.  This practical approach can provide greater clarity to the annual compliance process, and help to bridge the gap for non-listed solutions as the market continues to move towards adoption of the rigorous PCI-P2PE standard.  Furthermore, the NESA assessment process can facilitate a full P2PE gap analysis that non-listed solution providers can work from to remediate identified gaps and ultimately become a fully validated and listed PCI-P2PE solution.

Merchants or solution providers interested in demystifying this process through the use of a NESA should contact Coalfire for more information at 877-224-8077 or +44 161 464 6302 in the UK/EMEA, or visit www.coalfire.com.

 

Figure 1.  Illustrative example of PCI P2PE requirements met vs. PCI DSS validation effort.
Source:  Assessment Guidance for Non-listed Encryption Solutions, PCI SSC, 2016

Sam Pfanstiel

Author

Sam Pfanstiel — Solution Principal, PCI, Coalfire

Recent Posts

Post Topics

Archives

Tags