Encryption helps to secure sensitive data. Technology that encrypts card data from the point of payment card acceptance all the way to the point of payment processing is affectionately known as point-to-point encryption (P2PE).
P2PE technology may assist merchants in reducing the scope of their cardholder data environment and their PCI DSS requirements, ultimately saving them time, effort and costs during their annual assessments and better protecting cardholder data (CHD) for all parties involved.
As implementations of these technologies increase, the PCI Security Standards Council (PCI SSC) has developed guidelines to build, test and deploy solutions that provide strong support for PCI DSS compliance.
The P2PE requirements offer a method for P2PE solutions providers to validate their solutions and for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for payment card acceptance and processing.
The validation requirements and testing procedures are currently focused on hardware-based encryption and decryption solutions, also called "hardware/hardware." Hardware/hardware solutions utilize secure cryptographic devices for both encryption and decryption, including at the point of merchant acceptance for encryption and within hardware security modules (HSMs) for decryption.
The P2PE solution provider is a third-party entity (e.g., a processor, acquirer or payment gateway) that has the overall responsibility for the design and implementation of a specific P2PE solution. The solution provider (either directly or indirectly through outsourcing) also manages P2PE solutions, or has corresponding responsibilities, for its customers.
The solution provider needs to make sure all P2PE requirements are met, including making sure that P2PE requirements are met by any third-party organizations that perform P2PE functions on behalf of the solution provider, such as certification authorities (CA) and key-injection facilities.
In addition to a P2PE solution provider, the new hardware solution requirements and testing procedures can also impact point of interaction (POI) manufacturers, application developers, third parties, merchants, resellers and integrators.
403 Labs provides P2PE consulting and validation services for organizations seeking formal listing with the PCI SSC for their solution or application.
As a P2PE solution provider, 403 Labs assists you in developing the appropriate procedures and provides guidance for implementing an effective solution for your merchant customers to reduce the scope of their PCI DSS assessment.
We work together to determine the scope of the review including:
As part of our collaborative project, we:
As a P2PE application developer, 403 Labs reviews your payment application on all relevant PCI PIN Transaction Security (PCI PTS)-approved devices to determine if it is suitable to be used within a P2PE solution provider's offering.
During your review, we:
Once your P2PE solution or application meets all of the P2PE requirements, 403 Labs generates a corresponding solution P2PE Report on Validation (P-ROV), documenting your compliance with the P2PE requirements. After your organization reviews and approves the report, 403 Labs submits your P-ROV to the PCI SSC, along with your Attestation of Validation (AOV) and your signed P2PE Vendor Release Agreement (VRA).
For organizations offering third-party services to P2PE solution providers, such as key injection or certification authority (CA), 403 Labs reviews your offering against the relevant P2PE requirements and prepares a P-ROV with the appropriate elements completed, detailing how your offering supports the P2PE solution. You are able to provide this P-ROV to your P2PE solution provider customers or business partners.
Per the PCI SSC's directives, as a QSA (P2PE) and a PA-QSA (P2PE), 403 Labs is unable to submit P-ROVs for third-party services (i.e., not complete P2PE solutions or applications) to the PCI SSC for listing, as the PCI SSC will not accept these reports.
A few weeks ago, the Payment Card Industry Security Standards Council (PCI SSC) released version 1.1 of the P2PE Hardware Solution Requirements and Testing Procedures. Shortly thereafter, the PCI SSC held its first training session for assessors.
403 Labs attended and we are now officially certified as a Qualified Security Assessor for Point-to-Point Encryption (QSA (P2PE)) and Payment Application Qualified Security Assessor for Point-to-Point Encryption (PA-QSA (P2PE)) by the PCI SSC.
Like much of the industry, we've waited for P2PE like kids waiting for Christmas, and though it's finally here, it has some complexities and challenges worth discussing.