Simplified P2PE may broaden merchant adoption

An updated PCI Point-to-Point Encryption (P2PE) Standard, published Dec. 12, 2019, will simplify P2PE procedures, according to the PCI Security Standards Council (PCI SSC). Positioned as part of the council’s broader effort to evolve standards and validation programs, PCI P2PE version 3.0 is designed to appeal to diverse payments industry stakeholders, workplace environments, technologies and methodologies, PCI SSC representatives stated.

Troy Leach, PCI SSC senior vice president, emphasized the council’s commitment to making its security standards, programs and resources accessible to a wider audience. “It’s important to note that P2PE technology that protects payment data isn’t changing,” he stated. “The changes focus instead on providing the opportunity for new approaches in meeting the standard and will ultimately result in more PCI P2PE Solutions available for merchants to use in protecting payment data and simplifying their PCI DSS efforts.”

Gill Woodcock, PCI SSC vice president and global head of programs, observed that P2PE v.3 enhancements were initially discussed during a recent request for comments (RFC) process. RFC feedback helped to add clarity to P2PE assessments and documentation by resolving ambiguity, eliminating redundancy and improving overall readability.

“Driven by industry feedback given during an extensive [RFC] process, the program changes in version 3.0 will streamline the assessment process and provide more flexibility for component and solution providers,” Woodcock said. These enhancements and other beneficial program changes will make P2PE solutions more widely available to the merchant marketplace, he added.

Minor, modular updates

Leach noted that merchants do not have to wait for P2PE v3.0 to attain validation; currently listed P2PE v2.0 providers offer the same level of security assurance. Only minor changes have been made to security requirements in PCI P2PE version 3.0, he stated, citing the following examples:

• Modular approach: Enhancing a modular approach first introduced in P2PE v2.0 by adding four component provider types.

• Simplified assessments: Streamlining processes used by P2PE Assessors for validating P2PE solutions, components and applications.

• Updated P2PE instruction manual template: Clarifying guidance in the template used by solution providers for creating a P2PE Instruction Manual (PIM) for their solution. The v3.0 template has clearer guidance, especially related to POI device tamper and modification.

• Updated documentation: Updating documentation related to P2PE v3.0 standard and program in the PCI SSC document library.

Why P2PE matters

Ruston Miles, chief strategy officer, executive vice president and founder at Bluefin, has seen growing awareness of P2PE in the merchant community and believes that a more accessible P2PE standard will encourage merchants to cryptographically protect payment data. “Security is the goal and stakeholder involvement is the key to getting there,” he said. “When security standards are more widely used, the entire ecosystem is better for it.”

Miles additionally noted that point-to-point encryption protects account data throughout the payment transaction lifecycle. P2PE makes data unreadable from point of entry to secure point of decryption, devaluing the data in the event of a data security breach, he stated. PCI validated P2PE solutions simplify validation by showing assessors that security controls are in place. Alternatively, assessors must spend more time and due diligence to determine if non-validated solutions meet the same security levels as PCI validated P2PE solutions, he stated.

P2PE solution, application and component providers can use P2PE v.2.0 or P2PE v3.0 for validations until around midyear 2021, when P2PE v3.0 will become mandatory for new assessments and reassessments, PCI SSC representatives stated.

Updated P2PE documents are available at www.pcisecuritystandards.org/document_library?document=p2pe .  

Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.