The PCI Security Standards Council (PCI SSC) has released version 1.1 of its Solution Requirements and Testing Procedures for Point-to-Point Encryption (P2PE).

The press release can be found here.

The main document is 210 pages long, but for those who have looked into this before there is a short four-page summary of the changes from version 1.0 to version 1.1 here.

The document covers many things, but the five main topics it addresses under the scope of assessment for P2PE solutions are:

  1. Network Segmentation
  2. Third Parties/Outsourcing
  3. Sampling of System Components
  4. Multiple Acquirers
  5. P2PE Program Guide

Scope of Assessment for P2PE Solutions

The first step of a P2PE solution assessment is to accurately determine the scope of the solution. At least annually and prior to each assessment, the solution provider should confirm the accuracy of their solution scope by identifying all devices, P2PE data flows and processes, key-management functions and account-data stores, and ensure they are included in the solution scope. To ensure the accuracy of the solution scope is maintained on an ongoing basis, the solution provider must have processes in place that ensure the following:

  • Any changes are implemented in a manner that ensures continued adherence to P2PE requirements for the entire solution.
  • Any new rollouts/additions adhere to all P2PE solution requirements.
  • Any new rollouts/additions are included in the next P2PE assessment.

Network Segmentation

The solution provider must ensure that network segmentation is in place between any systems owned or managed by the solution provider that are used in the P2PE solution, and any that are not included in their PCI DSS compliant environment. The QSA (P2PE) must validate that the network segmentation is adequate to isolate the P2PE environment from out-of-scope networks and systems.

Third Parties/Outsourcing

A given P2PE solution may be entirely performed and managed by a single solution provider, or the solution provider may outsource certain functions (for example, loading keys into POIs) to third parties who perform these functions on behalf of the solution provider. All third parties that perform P2PE functions on behalf of the assessed P2PE solution provider, including POI vendors, key-injection facilities (KIFs), certification authorities (CAs), etc., must be validated per P2PE solution requirements.

There are two options for third-party entities performing functions on behalf of solution providers to validate compliance:

  1. They can undergo a P2PE assessment of relevant P2PE requirements on their own and provide evidence to their customers to demonstrate their compliance; or
  2. If they do not undergo their own P2PE assessment, they will need to have their services reviewed during the course of each of their solution provider customers’ P2PE assessments.

Multiple Acquirers

The P2PE standard outlines the technology and processes needed to ensure the security of a solution that protects account data from the point of interaction to the solution provider. In some instances, multiple acquirers or multiple solution providers may manage one or more P2PE solutions on the same merchant POI device. P2PE does not preclude these scenarios, as the business processes which govern this shared environment are outside the responsibility of the PCI SSC.

P2PE Program Guide

Please refer to the P2PE Program Guide for information about the P2PE program, including the following topics:

  • P2PE Report on Validation submission and acceptance processes
  • Annual renewal process for solutions included on the list of Validated P2PE Solutions
  • Notification responsibilities in the event a listed P2PE solution is determined to be at fault in a compromise

At-a-Glance – Steps Required to Create and Validate a P2PE Solution

The standard provides a flow chart and a table summarising the process for developing and validating a P2PE solution that uses secure cryptographic devices (SCDs) for encryption, decryption, and cryptographic key management. Together they illustrate the parties responsible for implementing the requirements and validating compliance in each domain, the high-level purpose of the controls in each domain, and how validation of each domain can ultimately lead to validation of the P2PE solution.

Like a lot of people I shall be looking into the details to see where existing and planned solutions meet the standard. The full 210-page document can be found here.