P2PE v3.0 – Why organizations should prepare now

Andrey Sazonov, Senior Consultant, Application Validation, Coalfire

The Payment Card Industry Security Standards Council (PCI SSC) published version 3.0 of the Point-To-Point Encryption (P2PE) standard back in December 2019. The new version simplifies and adds flexibility to the process for component and solution providers to validate their P2PE products for cardholder data protection efforts and will ultimately result in more PCI P2PE solutions available in the market. Organizations should prepare now for moving to the new standard.

This blog post details why organizations should consider certification against P2PE v3.0, provides information about the version changes, and discusses the timeframe and deadlines associated with the new version.

About PCI P2PE solutions
A PCI P2PE solution protects card data from the card reader terminal, where the payment card is accepted, all the way to the secure decryption environment. By using P2PE, account data is securely encrypted using strong cryptography, making data theft significantly more difficult. P2PE standards were put in place in 2012 and have been through multiple iterations. P2PE v3.0 is the most recent update to the standard.

Impact of P2PE v2.0 to v3.0 transition
PCI P2PE v3.0 uses the same core security requirements as v2.0, and it's important to note that most of the standard has not changed with the release of v3.0. The most relevant changes introduce new component types and rearrange and simplify the P2PE domains to align with the PCI PIN standard. At a high level, P2PE v3.0 allows for a more streamlined validation process for P2PE solutions and components, with the ability to plug and play components.

New component types are as follows:

| Component Type (P2PE v2.0 and v3.0)             | New subtype added in P2PE v3.0              | Description                                                     |
|-------------------------------------------------|---------------------------------------------|-----------------------------------------------------------------|
| Encryption Management Component Provider (EMCP) | POI Deployment Component Provider (PDCP)    | Deploys POI devices, including steps on software configuration. |
| Encryption Management Component Provider (EMCP) | POI Management Component Provider (PMCP)    | Manages POI devices and software configuration after deployment. |
| Key Injection Facility (KIF)                    | Key Management Component Provider           | Manages key generation and distribution for SCDs.               |
| Key Injection Facility (KIF)                    | Key Loading Component Provider              | Manages key loading on SCDs.                                    |

It is important to note that existing validated P2PE v2.0 components can still be used in a P2PE v3.0 solution and all new P2PE v2.0 submissions will be accepted until the end of June 2021. This means that existing component providers can adhere to their three-year cycle and allow time to re-certify with the P2PE v3.0 standard. It’s beneficial to start considering validation efforts ahead of time to avoid missing the deadline or the risk of listing expiration.

In summary
The P2PE v3.0 standard doesn’t impact the security already in place with the previous iterations of the standard. However, changes do provide additional flexibility for component providers and merchants. The validation process is well-established and it's now easier to obtain certification for P2PE components, solutions, and applications.

At Coalfire we provide several tools to meet the controls of the new P2PE v3.0 standard. For example, our recently updated CoalfireOne platform presents the P2PE requirements in a way that is easily digestible and allows organizations to perform full or gap assessments to quickly confirm compliance with the P2PE standard. We recommend reaching out to our team for additional details about specific changes and how they may impact your organization.

You can visit our web site here for details about our P2PE solutions; and read these blogs from the PCI SSC for even more information:

P2PE v3.0: What Merchants Need to Know

P2PE v3.0: What Vendors and Assessors Need to Know
