P2P Encryption Program now available from PCI Council

Mike Weber, Vice President, Coalfire Labs

The PCI Council has updated the Point-to-Point Encryption (P2PE) program requirements (PDF). The update affects merchants, payment applications, point-of-sale vendors and service providers. As a participating organization in the PCI P2PE task force, which provides input into the standard, I wanted to briefly explain how this affects the various PCI ecosystem participants.

The ultimate goal of the P2PE program is to reduce the PCI DSS scope that merchants experience by shifting the burden away from merchants toward solution providers who are providing validated P2PE solutions. Deploying validated P2PE solutions will simplify PCI DSS validation for merchants while reducing the risk of cardholder data breaches.

Download the PCI Council program document here (PDF).

The PCI ecosystem is a robust network of merchants, payment applications, processors and financial institutions. Below you will find which organizations the P2PE update affects and how it affects them:

Merchants:

  • Reduction of Risk

  • Reduction of PCI DSS Scope

Combined, these translate to a reduction in PCI compliance-related costs and significantly less exposure to the costs of a cardholder data breach.

Service Providers (including a processor, acquirer or payment gateway):
You can become listed as a P2PE Solution Provider, in conjunction with your existing ROC, or separately.

  • Dramatically ease the PCI compliance burden of your Merchants

  • Consolidate PCI compliance related costs

  • Reduce risk of cardholder data breaches for Merchants

This translates to a cutting-edge solution that reduces your customers' costs and risks at the same time, making your solution more marketable than ever.

Application Vendors:
If you produce an application that runs on a POI utilizing P2PE, there are P2PE opportunities and requirements for you as well, regardless of whether or not the application has access to cardholder account data.

  • Get your application listed separately, or in combination with a Service Provider P2PE solution.

  • Utilize a P2PE solution to provide transaction details in a manner that does not bring a POS into scope for a merchant, and still provide functionality beyond payment transactions.

How Coalfire Can Help
At Coalfire, we've reviewed multiple solutions based on existing guidance, resulting in whitepapers and readiness to support the first P2PE solutions and applications. In addition, the first wave of certification training for P2PE credentials, granted by the PCI SSC, recently took place in Denver, Colorado. Coalfire made up over 30% of the training class and, having passed the exam, now has 6 QSA (P2PE) and 4 PA-QSA (P2PE) certified staff: the first to get qualified, and more than any other QSA company.

Get a jump on planning and implementing a P2PE solution that will differentiate you from other solution providers and provide value to your merchant customers by reducing their risk and their PCI DSS scope.

Mike Weber