PCI SSC releases new encryption requirements

The PCI Security Standards Council (PCI SSC) released point-to-point encryption (P2PE) requirements for hardware-based solutions; it also promised more encryption information to come. The 96-page PCI Point-to-Point Encryption Solution Requirements document provides the payments industry with its first requirements for hardware-based P2PE solutions that offer Payment Card Industry (PCI) Data Security Standard (DSS) compliance. The PCI SSC said when P2PE is used properly the scope of compliance is reduced, saving merchants compliance costs.

The new requirements include information on:

• The merchant and vendor roles and responsibilities for P2PE hardware validation, implementation and solutions
• P2PE hardware domains: encryption device and environment, application security, transmission, decryption and key management
• The required steps for P2PE creation and validation
• Pictures of how encryption hardware is implemented
• The relationship between the P2PE validation requirements and other PCI standards

A starting point

PCI SSC General Manager Bob Russo said the new P2PE hardware requirements are just the beginning of what is expected to be an extensive list of P2PE requirements and programs. Russo said the PCI SSC will release testing requirements for hardware and introduce security assessment training for encryption hardware in the coming months.

P2PE solutions use secure cryptographic devices installed in POS terminals for encrypting. P2PE is also used in the hardware security modules for decrypting information securely.

In Russo's view encrypting data makes sense, but the PCI SSC does not require encryption. "It's important to emphasize this is an optional program for the merchant and vendor," Russo told The Green Sheet. "There is no mandate. Encryption is a good idea that adds another layer of security with the possibility of cutting down the scope of compliance."

More to come

In addition, the PCI SSC will soon be looking at encryption in hybrid hardware/software devices, as well as standards for pure software encryption solutions. But Russo said much of what is in the new regulations is not new. "Some of the components in these regulations are already covered in the PCI security requirements for PIN pad and POS devices," he said.

Russo noted that using encrypted hardware does not in itself make an organization PCI DSS compliant. "All pieces of the DSS still apply," he said. "These new regulations are not a get-out-of-jail-free card. You still have to protect the data." In addition, compliance still requires demonstrated proficiency in education, account security, third-party relationships and the physical security of the hardware device.

The PCI SSC will release a list of validated P2PE solutions in 2012. "There are many solutions that exist and merchants are looking to us for guidance," Russo said. He believes it is important that the PCI SSC lets merchants know which secure options will also support compliance with the PCI DSS so merchants can make good security decisions.

"This is a solid first step in recognizing one popular type of deployment of P2PE solutions," Russo said. "If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant's card data environment, mitigate potential breaches and simplify PCI DSS validation efforts."

The PCI Point-to-Point Encryption Solution Requirements can be found at www.pcisecuritystandards.org/documents/nb59Y8Qqv/P2PE_Hardware_Solution_%20Requirements_Initial_Release.pdf .

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.