We've merged with Sikich to better serve our clients. See what the future holds.

A validated P2PE solution can drive your profitability.

Encryption helps to secure sensitive data. Technology that uses encryption at the point of payment card acceptance to the point of payment processing is affectionately known as point-to-point encryption (P2PE).

P2PE technology may assist merchants in reducing the scope of their cardholder data environment and their PCI DSS requirements, ultimately saving them time, effort and costs during their annual assessments and better protecting cardholder data (CHD) for all parties involved.

As implementations of these technologies increase, the PCI Security Standards Council (PCI SSC) has developed guidelines to build, test and deploy solutions that provide strong support for PCI DSS compliance.

Who Needs It

The P2PE requirements offer a method for P2PE solutions providers to validate their solutions and for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for payment card acceptance and processing.

Hardware/Hardware Solutions

The validation requirements and testing procedures are currently focused on hardware-based encryption and decryption solutions, also called "hardware/hardware." Hardware/hardware solutions utilize secure cryptographic devices for both encryption and decryption, including at the point of merchant acceptance for encryption and within hardware security modules (HSMs) for decryption.

P2PE Solution Providers

The P2PE solution provider is a third-party entity (e.g., a processor, acquirer or payment gateway) that has the overall responsibility for the design and implementation of a specific P2PE solution. The solution provider (either directly or indirectly through outsourcing) also manages P2PE solutions, or has corresponding responsibilities, for its customers.

Responsibilities

The solution provider needs to make sure all P2PE requirements are met, including making sure that P2PE requirements are met by any third-party organizations that perform P2PE functions on behalf of the solution provider, such as certification authorities (CA) and key-injection facilities.

In addition to a P2PE solution provider, the new hardware solution requirements and testing procedures can also impact point of interaction (POI) manufacturers, application developers, third parties, merchants, resellers and integrators.

What We Do

403 Labs provides P2PE consulting and validation services for organizations seeking formal listing with the PCI SSC for their solution or application.

For P2PE Solution Providers

As a P2PE solution provider, 403 Labs assists you in developing the appropriate procedures and provides guidance for implementing an effective solution for your merchant customers to reduce the scope of their PCI DSS assessment.

We work together to determine the scope of the review including:

  • Third-party service providers to be assessed (e.g., key-injection facilities, certification authorities (CA) or the like)
  • Devices and applications used in the P2PE solution
  • The decryption environment, including all hardware security modules (HSMs)
  • Operational controls for key loading, device storage and maintenance
  • PCI DSS compliance of the secure decryption environment

As part of our collaborative project, we:

  • Identify and evaluate compliance for all relevant third parties.
  • Review the physical and operational security controls for each of your relevant locations.
  • Assess the payment applications and devices that comprise the solution, including your implementation of the payment application according to its Implementation Guide (IG).
  • Evaluate, and where appropriate, assist in developing policies and procedures for all relevant functions, including device management, key management, incident response, contact escalation and interactions with third parties.
  • Review the contents, update procedures and distribution practices of your P2PE Instruction Manual (PIM) to your customers.
  • Complete all other required documentation, including executing your P2PE Vendor Release Agreement (VRA).

For P2PE Application Developers

As a P2PE application developer, 403 Labs reviews your payment application on all relevant PCI PIN Transaction Security (PCI PTS)-approved devices to determine if it is suitable to be used within a P2PE solution provider's offering.

During your review, we:

  • Examine the PTS approval and manufacturer's recommendations for each device on which your application operates.
  • Evaluate your software development process per the P2PE requirements.
  • Test the functionality of your application and review the source code per P2PE requirements.
  • Review your P2PE Instruction Manual (PIM) for use by solution providers implementing your application.

Validation and Reporting

Once your P2PE solution or application meets all of the P2PE requirements, 403 Labs generates a corresponding solution P2PE Report on Validation (P-ROV), documenting your compliance with the P2PE requirements. After your organization reviews and approves the report, 403 Labs submits your P-ROV to the PCI SSC, along with your Attestation of Validation (AOV) and your signed P2PE Vendor Release Agreement (VRA).

For Third-Party Providers

For organizations offering third-party services to P2PE solution providers, such as key injection or certification authority (CA), 403 Labs reviews your offering against the relevant P2PE requirements and prepares a P-ROV with the appropriate elements completed, detailing how your offering supports the P2PE solution. You are able to provide this P-ROV to your P2PE solution provider customers or business partners.

Per the PCI SSC's directives, as a QSA (P2PE) and a PA-QSA (P2PE), 403 Labs is unable to submit P-ROVs for third-party services (i.e., not complete P2PE solutions or applications) to the PCI SSC for listing, as the PCI SSC will not accept these reports.

Blog Post: P2PE Requirements and Testing Procedures

A few weeks ago, the Payment Card Industry Security Standards Council (PCI SSC) released version 1.1 of the P2PE Hardware Solution Requirements and Testing Procedures. Shortly thereafter, the PCI SSC held its first training session for assessors.

403 Labs attended and we are now officially certified as a Qualified Security Assessor for Point-to-Point Encryption (QSA (P2PE)) and Payment Application Qualified Security Assessor for Point-to-Point Encryption (PA-QSA (P2PE)) by the PCI SSC.

Like much of the industry, we've waited for P2PE like kids waiting for Christmas, and though it's finally here, it has some complexities and challenges worth discussing. Read more »

Get your solution validated with help from the experts.

All it takes is your name and phone number or email address to learn more about our services and expertise. If you'd like, you'll also be able to send additional details after you submit your information here.