Friday, December 13, 2019
Troy Leach, PCI SSC senior vice president, emphasized the council’s commitment to making its security standards, programs and resources accessible to a wider audience. “It’s important to note that P2PE technology that protects payment data isn’t changing,” he stated. “The changes focus instead on providing the opportunity for new approaches in meeting the standard and will ultimately result in more PCI P2PE Solutions available for merchants to use in protecting payment data and simplifying their PCI DSS efforts.”
Gill Woodcock, PCI SSC vice president and global head of programs, observed that P2PE v3.0 enhancements were initially discussed during a recent request for comments (RFC) process. RFC feedback helped to add clarity to P2PE assessments and documentation by resolving ambiguity, eliminating redundancy and improving overall readability.
“Driven by industry feedback given during an extensive [RFC] process, the program changes in version 3.0 will streamline the assessment process and provide more flexibility for component and solution providers,” Woodcock said. These enhancements and other beneficial program changes will make P2PE solutions more widely available to the merchant marketplace, he added.
Leach noted that merchants do not have to wait for P2PE v3.0 to attain validation; currently listed P2PE v2.0 providers offer the same level of security assurance. Only minor changes have been made to security requirements in PCI P2PE version 3.0, he stated, citing the following examples:
Ruston Miles, chief strategy officer, executive vice president and founder at Bluefin, has seen growing awareness of P2PE in the merchant community and believes that a more accessible P2PE standard will encourage merchants to cryptographically protect payment data. “Security is the goal and stakeholder involvement is the key to getting there,” he said. “When security standards are more widely used, the entire ecosystem is better for it.”
Miles additionally noted that point-to-point encryption protects account data throughout the payment transaction lifecycle. P2PE makes data unreadable from the point of entry to the secure point of decryption, devaluing the data in the event of a data security breach, he stated. PCI-validated P2PE solutions simplify validation by showing assessors that security controls are in place. Otherwise, assessors must spend more time and due diligence to determine whether non-validated solutions meet the same security levels as PCI-validated P2PE solutions, he stated.
P2PE solution, application and component providers can use P2PE v2.0 or P2PE v3.0 for validations until around midyear 2021, when P2PE v3.0 will become mandatory for new assessments and reassessments, PCI SSC representatives stated.
Updated P2PE documents are available at www.pcisecuritystandards.org/document_library?document=p2pe.