P2P Encryption Program now available from PCI Council

May 25, 2012, Mike Weber, Vice President, Coalfire Labs

The PCI council has updated the Point-to-Point encryption (P2PE) program requirements (PDF). The update impacts merchants, payment applications, point of sale vendors and service providers. As a participating organization of the PCI P2PE task force, providing input into the standard, I wanted to briefly explain how this affects the various PCI ecosystem participants.

The ultimate goal of the P2PE program is to reduce the PCI DSS scope that merchants experience by shifting the burden away from merchants toward solution providers who are providing validated P2PE solutions. Deploying validated P2PE solutions will simplify PCI DSS validation for merchants while reducing the risk of cardholder data breaches.

Download the PCI Council program document here (PDF).

The PCI ecosystem is a robust network of merchants, payment applications, processors and financial institutions. Below you will find which organizations the P2PE update affects and how it affects them:


  • Reduction of Risk

  • Reduction of PCI DSS Scope

Combined, these translate to a reduction of PCI compliance related costs and significantly less risk of cardholder data breach costs.

Service Providers (including a processor, acquirer or payment gateway):
You can become listed as a P2PE Solution Provider, in conjunction with your existing ROC, or separately.

  • Dramatically ease the PCI compliance burden of your Merchants

  • Consolidate PCI compliance related costs

  • Reduce risk of cardholder data breaches for Merchants

This translates to a cutting edge solution that reduces your customer’s costs and risks at the same time, making your solution more marketable than ever.

Application Vendors:
If you produce an application that runs on a POI utilizing P2PE, regardless of whether or not it has access to cardholder account data there are P2PE opportunities and requirements for you as well.

  • Get your application listed separately, or in combination with a Service Provider P2PE solution.

  • Utilize a P2PE solution to provide transaction details in a manner that does not bring a POS into scope for a merchant, and still provide functionality beyond payment transactions.

How Coalfire Can Help
At Coalfire, we've reviewed multiple solutions based on existing guidance resulting in whitepapers and readiness to support the first P2PE solutions and applications. In addition, the first wave of certification training for P2PE credentials, granted by the PCI SSC, recently occurred in Denver, Colorado. Coalfire had over 30% represenation in the training class and as a result of passing the exam now has 6 QSA (P2PE) and 4 PA-QSA (P2PE) certified staff. The first to get qualified, and more than any other QSA company.

Get a jump on planning and implementing a P2PE solution that will differentiate you from other solution providers and provide value to your merchant customers by reducing their risk and their PCI DSS scope.

Mike Weber


Mike Weber — Vice President, Coalfire Labs

Recent Posts

Post Topics