July 10, 2015, Tim Winston, Principal, P2PE/Payment Processors
Last week, the PCI Security Standards Council (PCI SSC) published the updated P2PE v2.0 standard. The Summary of Changes from v1.1 to v2.0, the updated P2PE Glossary and the PIM template are available in the PCI SSC documents library. According to the announcement, the highlights of the new version are:
Restructured domains to focus on specific functions, to help ease compliance, assessment, and individual P2PE component validation (where applicable).
Reduction of redundancy where possible. Increased clarity and explanation of intent.
Merging of the current hardware/hardware and hardware/hybrid standards into a single document.
Introduction of a new domain (Domain 4) for merchant-managed solutions, for large merchants that manage the encryption/decryption functions for their environments.
Creation of a new PIM (P2PE Instruction Manual) Template and removal of all PIM requirements related to specific PIM instructions from the standard, simplifying the preparation process for solution providers and enhancing PIM understanding and readability for merchants.
Addition of domain scenario applicability matrices to assist P2PE assessors and solution/service providers when determining P2PE domain applicability for a given solution, whether it is performed solely by the solution provider, outsourced to P2PE component providers, or to other third parties.
This major restructure and refining of the P2PE standard will ultimately make more P2PE solutions available to merchants, which has the potential to greatly reduce the risk of breaches and simplify compliance efforts.
It will take a significant amount of time for solutions to obtain validation and PCI P2PE listing. How then should industry members react to the new version of the P2PE standard?
What P2PE v2.0 Means for Merchants
The new P2PE v2.0 standard clearly intends to bring the security and compliance benefits of P2PE to more merchants. Coalfire recommends that all merchants work to understand the value an encryption solution can provide, whether it is listed with PCI or not. Properly implemented encryption solutions significantly reduce the risk of a breach. Even solutions that are not PCI P2PE listed can greatly reduce the effort and expense of attaining compliance (with prior approval from your acquirer). If one of the current PCI P2PE solutions fits your business needs, the use of a listed P2PE solution, along with EMV and tokenization, is one of the best approaches to securing your cardholder data environment. However, if these solutions do not fit your current business model, you may choose to utilize a non-listed encryption solution. Regardless, you should work with your P2PE QSA and your acquiring bank to understand the impact and benefit of the solution that fits you best.
Merchants Considering Managing Their Own P2PE
The new Domain 4 of P2PE v2.0 allows merchants to implement their own solution and reduce the scope of PCI DSS controls that are applicable to their retail environment. This new domain is quite extensive due to the additional controls needed to ensure encryption keys are never available outside of the defined encryption points and the decryption environment. Careful planning is required to determine all of the costs of implementing and maintaining merchant-managed solutions. Coalfire recommends engaging a P2PE QSA throughout the planning and implementation of these solutions.
Merchants Currently Using PCI P2PE Solutions
Validated P2PE v1.1 solutions will be treated exactly as they have been. There is no difference in determining the scope of applicable DSS controls between P2PE v1.1 and v2.0 validated solutions. Solutions that are currently listed must be revalidated every two years and will be revalidated under the most current version of the requirements.
The major risk reduction benefits of P2PE will eventually make it the standard for retail, card-present transactions; however, that paradigm shift will require substantial changes to payment terminals, point-of-sale systems, and payment services. Now is the time to plan for your transition by discussing options with your service providers and your QSA.