P2PE 3.0: How the latest evolution in the point-to-point encryption standard will affect you

December 18, 2019 • Published Categories Industry Topics Tags , ,

Since 2011, the PCI Point-to-Point Encryption (P2PE) Standard has provided a clear path to security and compliance for card-present and mail order/telephone order (MOTO) merchants. The P2PE standard is based on secure encryption and decryption of account data at each end of the transaction, rather than relying on numerous security controls all along the processing path.

Last Thursday, almost five years since the previous release, and representing nearly two years of review by stakeholders throughout the industry, P2PE version 3.0 was released by the Payment Card Industry Security Standards Council (PCI SSC).

As a PCI Qualified Security Assessor (QSA) for P2PE, an active participant in the P2PE Request for Comments (RFC) process, and an inaugural member of the PCI Encryption Task Force (ETF), ControlScan has been actively contributing to and monitoring this major release. In this post I’ve compiled the most impactful changes.

What’s new in P2PE 3.0?

The changes reflected in P2PE 3.0 consist of significant updates to the standard, program guide, templates, and supporting documentation. The 16 documents found in the PCI SSC Document Library represent revisions to the way P2PE assessors approach validation of solutions, components and applications, and aid these entities in working together to meet the objectives of the P2PE program. These objectives are increased security and brand-authorized scope reduction for qualifying merchants.

Without further ado, here are the changes you should be aware of.

New Component Types Offer Flexibility for POI Lifecycle Support
The biggest change in the program is the introduction of four new component types to offer improved flexibility for supporting the full lifecycle of point of interaction (POI) devices. These new components are especially useful where a vendor only provides a small subset of services related to POI supply chain and management, and thus does not qualify to be validated as either a Key Injection Facility (KIF) or an Encryption Management Component Provider (ECMP). Furthermore, a KIF or ECMP may also leverage these third-party vendors as sub-components to help them meet their own compliance requirements.

Thankfully, none of the version 2.0 components are going away, and 2.0 and 3.0 components and solutions are largely interchangeable. The only exception to this are entities that wish to leverage one of the new version 3.0 component types must themselves also validate against version 3.0. These four new component types are detailed in the table below.

P2PE 3.0: Detail of New Component Types

Component Type New Subtype Added in 3.0 Summary
Encryption Management Component Provider (EMCP) POI Deployment Component Provider (PDCP) Prepares and deploys POI devices including software and configuration.
POI Management CP (PMCP) Manages POI devices, software, and configuration once deployed.
Key Injection Facility (KIF) Key Management CP (KMCP) Manages key generation and conveyance for POIs and HSMs.
Key Loading CP (KLCP) Manages key loading for POIs and HSMs.

Alignment with PCI PIN
Entities being assessed to both PCI P2PE and PCI PIN will be relieved to hear that the requirements for all key management functions have been aligned. By sharing common control objectives and requirement numbering schemes, it is more efficient to have a single consolidated audit performed, although any such auditor must be certified as both a QSA(P2PE) and Qualified PIN Assessor (QPA).

Modifications to Structure and the Assessment Process
The requirements structure and assessment mechanics for P2PE 3.0 have been modified significantly. While these changes have no effect on merchants, the impact for P2PE assessors and assessed entities will be dramatic, namely:

  • Domain 4 has been moved to Appendix A.
  • Domains 5 and 6 have been moved to Domains 4 and 5, respectively.
  • Domain 5 now contains the full content of Domain 6 as well as Domain 6 Annex A1, A2, and B.
  • There are now six separate reporting templates, corresponding to each of the major entity types: solution providers, merchants-as-solution-providers, applications, encryption management, decryption management, and key management providers. These specialized reporting templates are also publicly available from the PCI Document Library, making it much easier for assessed entities to review and prepare for their upcoming P2PE audit.
  • The term “Designated Changes” will no longer be used, opting instead for the more common term “Delta Change” already in use by other PCI programs.

Relaxing of Several Requirements
Several difficult-to-meet or difficult-to-test requirements have been removed or softened for encryption management entities, including the requirement for vulnerability assessments for all POI system builds (1B-3.2.c); configuring application to use approved external communication methods (1C-1.1); testing for cryptographic authentication of applications (1D-1.2.1); and integration with shared resources (1D-1.3).

On the key management side there is now a conditional allowance for KIFs to use cages as secure rooms (32-9.1), and the minimum password change interval for CA/RAs has been increased from 30 days to 90 days (25-8.3).

In our experience, many organizations have had difficulty performing these tasks, so relaxing these requirements may make P2PE compliance easier for some entities to attain.

Additional Changes of Note

  • Some requirements have become stricter, including the requirement that printers used for printing component mailers be non-networked, managed under dual-control, and housed within a physically secure room (6-3). Other strengthened requirements include specific logging requirements (7-2, 26-1, 29-1.1.1), explicit requirement for use of double-length TDEA key encrypting keys or master file keys (10-1, 12-5), and requirement to retain a signed/dated copy of the HSM configuration checklist (29-4.2.f).
  • The P2PE standard now explicitly supports AES DUKPT, a recent standard that was released by ANSI x9.27-3 in 2017, which reflects the general industry push away from TDES. (12-7)
  • Neither multi-purpose computing devices, nor loading keys with uncertified modified PEDs, nor clear-text cable injections will be allowed for KIFs after January 2021. Non-KIF entities that perform key injection must deprecate these processes by January 2023. (13-9, 14-2)
  • In alignment with sunrise dates specified in PCI PIN version 3.0, P2PE version 3.0 now also requires the use of key blocks for storage or transmission of all symmetric keys. Key blocks are structures that bind the usage of a key (e.g., key encryption vs. data encryption) to the key itself, to avoid potential abuse or compromise. (18-3)
  • A new testing requirement in 12-2 now requires explanation for any break in the package-number chain. This may require key management entities to track all use of serialized tamper bags, even those which were damaged and/or discarded.
  • All KIFs must now securely retain CCTV images for at least 45 days. This control was previously only required for KIFs using PC-based key-loading software, CA/RAs, and decryption entities. (32-9.12)
  • For listed solutions and component, the hardware security modules (HSMs) used will now be displayed with their listing on the PCI website. This change will allow for better transparency into the underlying key management and storage technologies, and alert stakeholders to any PCI or FIPS (Federal Information Processing Standard) expirations.

What’s the timeline for adoption?

It should be noted that P2PE 2.0 is not going away any time soon. Solutions may continue to be validated to 2.0 through June of 2021, and any version 2.0 solution can continue to be used with confidence, providing the same compliance benefits through its expiration date. In fact, P2PE 3.0 solutions, when they begin to arrive in mid-2020, will carry no increased compliance benefit to merchants, although the usage of the new component types may provide business advantages.

For more information on PCI P2PE 3.0, please review the recent PCI SSC blog postings and Summary of Significant Changes. Need more information on how these changes affect your organization and how you can best prepare? Give ControlScan a call at 800-825-3301, ext. 2. We’re happy to help.