The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.


The PCI SAQ P2PE-HW: Patience, POIs and PIMs

January 15, 2013, Dan Fritsche, Principal, Retail and Financial Services



The new PCI SAQ P2PE-HW (Point-to-Point Encryption Self-Assessment Questionnaire) was released in July 2012, and many merchants are excited about the prospect of a shorter, less arduous compliance validation effort. After all, it's significantly shorter than the SAQ-D: instead of 12 sections there are 4, and 284 controls are reduced to 19.

Exciting news, indeed!

And yet, you’d be wise to wait just a bit before banking on those savings. The promise is still out there, but it’s important to understand these key P2PE SAQ eligibility requirements:

  1. P2PE (and the new SAQ) does not “remove PCI”. Every merchant must comply with all of the PCI DSS at all times. How an organization meets each control can most certainly be eased dramatically with a well-planned approach, such as a validated P2PE solution, but you are still responsible for compliance with the PCI DSS.

  2. As of the date of this post, no one meets the eligibility requirements, because there are no PCI-approved P2PE solutions. Surely they are coming, but we all have to be patient until they arrive.

  3. You must be using hardware encryption for your Point of Interaction (POI) devices. This means that the POI must be a PTS 2.x or 3.x validated device, with SRED enabled.

  4. You cannot have any method for the input of cardholder data other than the POI device listed as part of the P2PE solution. This means no manual PAN entry outside of the POI, and no legacy data storage or legacy POI devices.

  5. You must implement all the controls in the P2PE Instruction Manual (PIM) as provided by your payment solution provider.

Coalfire is helping some P2PE providers develop their PIMs, and there are a lot of important controls that merchants will need to implement.  Some examples include:

  • Inventory control: you must track every POI device at all times, including while it is in transit, both when it is received and when it is returned.
  • Regular inventory review, serial number validation, and transport documentation.
  • Installation inspection procedures prior to POI deployment.
  • Secure locations for POI storage.
  • Tamper-resistant packaging for POI transport.
  • Procedures to control physical access to all POI devices before deployment, including identifying all authorized personnel, monitoring and restricting POI access and logging of all implementation activity.
  • Appropriate location policies for the deployment of the POI.
  • Secure disposal procedures for POIs.
  • Encryption failure notification and replacement procedures.
  • Encryption opt-out procedures and policies.
  • Troubleshooting requirements and processes, including notification procedures to the payment service provider.
  • Regular POI inspection, including tamper detection, missing seals and weight comparisons.
  • Unattended POI requirements.
  • Guidance on how to attach any non-PCI components.
  • Requirements restricting any configuration modifications to the POI firmware.
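
As an added illustration (not Coalfire's code and not part of any PIM), the following Python reconciles a POI inventory against a periodic inspection log, implementing the serial-number validation, missing-seal, weight-comparison and inspection-interval checks listed above over constructed sample data; the weight tolerance and inspection interval are assumed values that a real PIM would specify.

```python
from dataclasses import dataclass
from datetime import date
WEIGHT_TOLERANCE_G = 5.0            # assumed tolerance; the PIM sets the real value
MAX_DAYS_BETWEEN_INSPECTIONS = 30   # assumed interval; the PIM sets the real value

@dataclass(frozen=True)
class PoiDevice:            # one inventory record, captured at installation
    serial: str
    baseline_weight_g: float
    seals: frozenset        # tamper-evident seal identifiers applied at install
@dataclass(frozen=True)
class Inspection:           # one entry from the periodic inspection log
    serial: str
    weight_g: float
    seals_seen: frozenset
    inspected_on: date

def reconcile(inventory, inspections, today):
    """Return (serial, finding) pairs that need follow-up under the PIM."""
    by_serial = {d.serial: d for d in inventory}
    findings, seen = [], set()
    for insp in inspections:
        dev = by_serial.get(insp.serial)
        if dev is None:                 # serial-number validation
            findings.append((insp.serial, "serial not in inventory"))
            continue
        seen.add(insp.serial)
        missing = dev.seals - insp.seals_seen
        if missing:                     # tamper detection: seals gone
            findings.append((dev.serial, "missing seals: " + ",".join(sorted(missing))))
        if abs(insp.weight_g - dev.baseline_weight_g) > WEIGHT_TOLERANCE_G:
            findings.append((dev.serial, "weight deviates from baseline"))
        if (today - insp.inspected_on).days > MAX_DAYS_BETWEEN_INSPECTIONS:
            findings.append((dev.serial, "inspection overdue"))
    for serial in sorted(by_serial.keys() - seen):   # inventoried, never inspected
        findings.append((serial, "no inspection on record"))
    return findings
# Constructed sample data, not real devices.
INVENTORY = [
    PoiDevice("POI-0001", 412.0, frozenset({"S-11", "S-12"})),
    PoiDevice("POI-0002", 412.0, frozenset({"S-21", "S-22"})),
    PoiDevice("POI-0003", 412.0, frozenset({"S-31"})),
]
INSPECTIONS = [
    Inspection("POI-0001", 413.5, frozenset({"S-11", "S-12"}), date(2013, 1, 10)),
    Inspection("POI-0002", 431.0, frozenset({"S-21"}), date(2012, 11, 1)),
    Inspection("POI-9999", 412.0, frozenset(), date(2013, 1, 10)),
]
def sample_findings():
    return reconcile(INVENTORY, INSPECTIONS, date(2013, 1, 15))
```

Each finding maps back to a PIM control, so the output doubles as the written record of inspection activity that the controls above call for.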

Suffice it to say that the controls in the PIM may require some work on your end, especially if you deploy more than one type of P2PE solution (you must follow the PIM for each one).

At Coalfire, we are still excited about the risk and scope reduction promises of P2PE, and we encourage our clients to consider it strongly. However, we are also trying to keep everyone's expectations in balance: the PCI DSS lives on, you have to secure your POI devices, and you must adopt the controls in your PIM(s). Taken together, your validation effort will be smaller than before, but it won't disappear altogether.
