P2PE v3.0 – Why organizations should prepare now

Andrey Sazonov, Senior Consultant, Application Validation, Coalfire

The Payment Card Industry Security Standards Council (PCI SSC) published version 3.0 of the Point-To-Point Encryption (P2PE) standard back in December 2019. The new version simplifies and adds flexibility to the process for component and solution providers to validate their P2PE products for cardholder data protection efforts and will ultimately result in more PCI P2PE solutions available in the market. Organizations should prepare now for moving to the new standard.

This blog post details why organizations should consider certification against P2PE v3.0, provides information about the version changes, and discusses the timeframe and deadlines associated with the new version.

About PCI P2PE solutions
A PCI P2PE solution protects card data from the card reader terminal, where the payment card is accepted, all the way to the secure decryption environment. By using P2PE, account data is securely encrypted using strong cryptography, making data theft significantly more difficult. P2PE standards were put in place in 2012 and have been through multiple iterations. P2PE v3.0 is the most recent update to the standard.

Impact of P2PE v2.0 to v3.0 transition
PCI P2PE v3.0 uses the same core security requirements as v2.0 and it's important to note that most of the standard has not changed with the release of v3.0. The most relevant changes affect new component types, and rearranges and simplifies P2PE domains to align with the PCI PIN standard. At a high level, P2PE v3.0 allows for a more streamlined P2PE solution and components validation process with the ability to plug and play components.

New component types are as follows:

Component Type
(P2PE v2.0 and v3.0)

New subtype added
in P2PE v3.0


Encryption Management Component Provider (EMCP)

POI Deployment Component Provider (PDCP)

Deploys POI devices to include steps on software configuration.

POI Management Component Provider (PMCP)

Manages POI devices and software configuration after deployment.

Key Injection Facility (KIF)

Key Management Component Provider

Manages key generation and distribution for SCDs.

Key Loading Component Provider

Manages key loading on SCDs.

It is important to note that existing validated P2PE v2.0 components can still be used in a P2PE v3.0 solution and all new P2PE v2.0 submissions will be accepted until the end of June 2021. This means that existing component providers can adhere to their three-year cycle and allow time to re-certify with the P2PE v3.0 standard. It’s beneficial to start considering validation efforts ahead of time to avoid missing the deadline or the risk of listing expiration.

In summary
The P2PE v3.0 standard doesn’t impact the security already in place with the previous iterations of the standard. However, changes do provide additional flexibility for component providers and merchants. The validation process is well-established and it's now easier to obtain certification for P2PE components, solutions, and applications.

At Coalfire we provide several tools to meet the controls of the new P2PE v3.0 standard. For example, our recently updated CoalfireOne platform presents the P2PE requirements in a way that is easily digestible and allows organizations to perform full or gap assessments to quickly confirm compliance with the P2PE standard. We recommend reaching out to our team for additional details about specific changes and how they may impact your organization.

You can visit our web site here for details about our P2PE solutions; and read these blogs from the PCI SSC for even more information:

P2PE v3.0: What Merchants Need to Know

P2PE v3.0: What Vendors and Assessors Need to Know

Andrey Sazonov


Andrey Sazonov — Senior Consultant, Application Validation, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS