The PCI Council just released version 2.0 of the P2PE (Point-to-Point Encryption) Solution Requirements and Testing Procedures.
Quick background: P2PE is the process of encrypting a card number in the payment hardware at the moment of the swipe and keeping it encrypted all the way to the card processor. The Council maintains a list of Validated P2PE Solutions. If your business uses one of these validated solutions, you can qualify for a reduced SAQ (35 questions) with no scanning or penetration testing.
- The Council will now list validated P2PE Components on the Council website. It already lists validated Solutions (whole systems that, when used, reduce the scope of the SAQ) and validated Applications (just the software part of a solution). This additional list will make it easier for those wanting to build a validated P2PE Solution to find components.
- The Council now allows large merchants to build their own P2PE Solutions for use in their own locations. This will make it easier for large merchants to put together the pieces of a solution, which a Qualified Security Assessor (QSA) must then validate.
In summary, while the requirements themselves have not changed dramatically, these changes make it easier for more merchants to ultimately move to P2PE. This is a very good thing, given that P2PE drastically reduces the scope of compliance when implemented correctly.
Documents can be found here: