The PCI Council has updated the Point-to-Point Encryption (P2PE) program requirements (PDF). The update affects merchants, payment applications, point-of-sale vendors and service providers. As a participating organization on the PCI P2PE task force, providing input into the standard, I wanted to briefly explain how this affects the various PCI ecosystem participants.
The ultimate goal of the P2PE program is to reduce the PCI DSS scope that merchants experience by shifting the burden away from merchants and toward solution providers who offer validated P2PE solutions. Deploying a validated P2PE solution simplifies PCI DSS validation for merchants while reducing the risk of cardholder data breaches.
Download the PCI Council program document here (PDF).
The PCI ecosystem is a robust network of merchants, payment applications, processors and financial institutions. Below you will find which organizations the P2PE update affects and how it affects them:
Combined, these translate to a reduction of PCI compliance related costs and significantly less risk of cardholder data breach costs.
Service Providers (including a processor, acquirer or payment gateway):
You can become listed as a P2PE Solution Provider, either in conjunction with your existing ROC (Report on Compliance) or separately.
Dramatically ease the PCI compliance burden of your Merchants
Consolidate PCI compliance related costs
Reduce risk of cardholder data breaches for Merchants
This translates to a cutting-edge solution that reduces your customers' costs and risks at the same time, making your solution more marketable than ever.
If you produce an application that runs on a POI (point of interaction) device utilizing P2PE, there are P2PE opportunities and requirements for you as well, regardless of whether or not the application has access to cardholder account data.
Get your application listed separately, or in combination with a Service Provider P2PE solution.
Utilize a P2PE solution to provide transaction details in a manner that does not bring the POS into scope for the merchant, while still providing functionality beyond payment transactions.
How Coalfire Can Help
At Coalfire, we've reviewed multiple solutions based on the existing guidance, resulting in whitepapers and readiness to support the first P2PE solutions and applications. In addition, the first wave of certification training for P2PE credentials, granted by the PCI SSC, recently took place in Denver, Colorado. Coalfire had over 30% representation in the training class and, as a result of passing the exam, now has 6 QSA (P2PE) and 4 PA-QSA (P2PE) certified staff: the first to get qualified, and more than any other QSA company.
Get a jump on planning and implementing a P2PE solution that will differentiate you from other solution providers and provide value to your merchant customers by reducing their risk and their PCI DSS scope.