What the PCI Council’s Point-to-Point-Encryption (P2PE) Update Means for You

Tim Winston, Principal, P2PE/Payment Processors

Last week, the PCI Security Standards Council (PCI SSC) published the updated P2PE v2.0 standard. The Summary of Changes from v1.1 to v2.0, the updated P2PE Glossary and the PIM template are available in the PCI SSC document library. According to the announcement, the highlights of the new version are:

  • Restructured domains to focus on specific functions, to help ease compliance, assessment, and individual P2PE component validation (where applicable). 

  • Reduction of redundancy where possible. Increased clarity and explanation of intent.

  • Merging of the current hardware/hardware and hardware/hybrid standards into a single document.

  • Introduction of a new domain (Domain 4) for merchant-managed solutions, for large merchants that manage the encryption/decryption functions for their environments.

  • Creation of a new PIM (P2PE Instruction Manual) Template and removal of all PIM requirements related to specific PIM instructions from the standard, simplifying the preparation process for solution providers and enhancing PIM understanding and readability for merchants.

  • Addition of domain scenario applicability matrices to assist P2PE assessors and solution/service providers when determining P2PE domain applicability for a given solution, whether a function is performed solely by the solution provider, outsourced to P2PE component providers, or outsourced to other third parties.

This major restructuring and refinement of the P2PE standard should ultimately make more P2PE solutions available to merchants, which has the potential to greatly reduce the risk of breaches and simplify compliance efforts.

It will take a significant amount of time for solutions to obtain validation and a PCI P2PE listing under v2.0. How, then, should industry members react to the new version of the P2PE standard?

What P2PE v2.0 Means for Merchants

The new P2PE v2.0 standard clearly intends to bring the security and compliance benefits of P2PE to more merchants. Coalfire recommends that all merchants work to understand the value an encryption solution can provide, whether or not it is listed with PCI. Properly implemented encryption solutions significantly reduce the risk of a breach. Even encryption solutions that are not PCI P2PE listed can greatly reduce the effort and expense of attaining compliance (with prior approval from your acquirer). If one of the currently listed PCI P2PE solutions fits your business needs, using it together with EMV and tokenization is one of the best approaches to securing your cardholder data environment. If none of these solutions fits your current business model, you may choose to use a non-listed encryption solution instead. Either way, work with your P2PE QSA and your acquiring bank to understand the scope impact and benefit of the solution that fits you best.

Merchants Considering Managing Their Own P2PE

The new Domain 4 of P2PE v2.0 allows merchants to implement their own solution and reduce the scope of PCI DSS controls that apply to their retail environment. This new domain is quite extensive because of the additional controls needed to ensure encryption keys are never available outside the defined encryption points (the payment terminals) and the decryption environment. Careful planning is required to determine the full cost of implementing and maintaining a merchant-managed solution. Coalfire recommends engaging a P2PE QSA throughout the planning and implementation of these solutions.

Merchants Currently Using PCI P2PE Solutions

Validated P2PE v1.1 solutions will be treated exactly as they have been. There is no difference in determining the scope of applicable PCI DSS controls between P2PE v1.1 and v2.0 validated solutions. Solutions that are currently listed must be revalidated every two years, and that revalidation will be performed against the most current version of the standard.

The major risk-reduction benefits of P2PE will eventually make it the standard for card-present retail transactions; however, that paradigm shift will require substantial changes to payment terminals, point-of-sale systems, and payment services. Now is the time to plan for your transition by discussing options with your service providers and your QSA.
