Excerpted from the ControlScan white paper, “Terminal Encryption for Security and PCI Compliance.”
When the PCI Security Standards Council (SSC) released the first version of the PCI Point-to-Point Encryption (P2PE) standard in 2011, its goal was to help merchants obtain a path to compliance that would be simpler than meeting all the requirements of PCI DSS. This was to be accomplished by ensuring that a third party, called a P2PE Solution Provider, would be responsible for providing the merchant with a turnkey, terminal-based encryption solution. Such a solution must meet a slew of specific requirements, be audited by a special assessor called a QSA(P2PE), and be listed as a validated solution provider on the PCI website.
A significant number of security controls are required to provide confidence that the encryption protects cardholder data from the point of encryption (e.g., the POI device in a retail store) to the point of decryption (e.g., the processor’s decryption environment, safely outside the merchant’s realm of influence). The encryption must be strong enough that the merchant no longer needs to meet the PCI DSS requirements for devices that touch only the encrypted data, since these data would be of no value to an attacker (we call this “devalued” data).
P2PE Ecosystem and Domains
To provide this level of security, several protections must be put in place by P2PE Solution Providers. The P2PE Solution Provider works directly with the merchant to coordinate the ordering, key injection, and shipment of terminal devices, and also orchestrates the decryption process (which is generally done in conjunction with payment authorization itself, and often accompanied by tokenization, although this is not required).
The first iteration of P2PE, version 1.1, contained over 900 requirements, all of which had to be met by a single entity, the P2PE Solution Provider, before a merchant could purchase the solution and become eligible for the scope reduction that P2PE offers. Some solution providers went through this process, but it was clear that the program was not gaining enough traction.
In 2015, version 2.0 of the P2PE standard was released, allowing companies that played specific roles in this ecosystem, namely P2PE component providers, to be assessed independently. This version gained rapid adoption, as a P2PE solution provider could essentially “plug and play” the validated services of other companies, such as a key-injection facility (KIF), certification/registration authority (CA/RA), encryption management service (EMS), and/or decryption management service (DMS).
Now, with the release of P2PE version 3.0 in 2019, four new component provider types have been added: POI Deployment Component Provider (PDCP), POI Management Component Provider (PMCP), Key Management Component Provider (KMCP), and Key Loading Component Provider (KLCP).
P2PE Solution Providers may choose from the published list of validated component providers based on devices and software supported, in order to build their solution. For the solution provider, this ability to select from numerous component providers translates into being able to better focus on their core service, usually the point-of-sale software, gateway service, or merchant acquiring service which is enhanced by the addition of terminal-based encryption.
Each of these component entities fills a specific role within one of the five domains of the P2PE v3.0 standard, and each performs a subset of the P2PE control requirements.
Benefits of P2PE
For merchants that select a P2PE solution from PCI’s approved list, the advantages can be significant. Below are a few of these benefits.
Fewer Applicable Requirements
At only 33 questions, the SAQ P2PE (Self-Assessment Questionnaire) is much smaller than any of the other card-present SAQs, a reduction of over 90% in applicable controls. For larger merchants that must undergo a Report on Compliance (ROC) assessment, a similar list of requirements would apply, all things being equal. In both cases, the remaining requirements are much less technical.
Scope is, simply put, the systems that we must examine thoroughly (think: under a microscope). So, less scope means fewer systems that have to be examined. Any system that can only see P2PE-encrypted account data may be deemed “out of scope.” For larger retailers with a distributed retail network, this could mean thousands of POS workstations, network devices, people, and physical environments would fall outside the cardholder data environment.
This removal of systems or networks from scope is one of the most valuable benefits of P2PE, as it may result in significant savings of both cost and effort. Depending on your tolerance for other (read: non-credit-card-related) risks, these systems can be maintained under a separate security policy, and thus be monitored less frequently or protected by less expensive monitoring tools. De-scoping these systems from the annual assessment can also result in appreciable savings, as protections for entire software products, technologies and networks can be omitted from the assessment, and assessor travel to certain locations can be avoided altogether.
It is worth noting, however, that this level of disregard is only possible because these systems pose no threat to account data: there is no feasible way for a bad actor to decrypt the card data passing through them, or doing so would cost more than the data is worth. In other words, to treat a system as out of scope, you should be able to assume that it is already under the complete control of an attacker and still trust it not to expose cardholder data. That assumption holds only for systems downstream of the POI. The POI devices themselves stay in scope, and the merchant remains responsible for using the solution as the provider’s P2PE Instruction Manual (PIM) directs, including periodic inspection of terminals for tampering or substitution.
Originally launched in 2011 to encourage adoption of EMV chip cards (named for Europay, Mastercard and Visa), the Visa Technology Innovation Program (TIP) was expanded in 2015 to offer a significant bonus for merchants who use PCI-validated P2PE. Merchants who accept over 75% of their transactions using one or more of these technologies, and are accepted into the program, may forego their annual PCI assessment altogether!
Note, however, that the fine print in this program dictates that while the assessment may be skipped, the merchant is still responsible for compliance with all applicable controls; this saves assessment time but does not reduce the compliance requirement. And, arguably, skipping the annual assessment is almost a guaranteed way to ensure your organization is not meeting those remaining controls (my favorite expression is “you can’t expect what you don’t inspect”). But for organizations with mature information security programs, where the PCI audit is superfluous, this can be a nice benefit. For more information on the Visa TIP program, contact your acquirer, as acquirers handle applications for acceptance into the program.
In addition to the benefits above, most P2PE Solution Providers offer their service in conjunction with a turnkey payment solution, such as a POS, gateway or smart-terminal device. As a general rule, the solutions you see on the PCI P2PE solution listing are the latest devices, offered with the latest features, primarily because it is not cost-effective for providers to prepare legacy systems for P2PE validation. So, selecting a listed solution is a sound strategy for increased security, fewer compliance issues, and current technology. This gets you back to work serving your customers, not struggling with outdated devices or filling out security questionnaires.
If your business is working to implement PCI point-to-point encryption, check out the complete P2PE for Retail white paper, “Terminal Encryption for Security and PCI Compliance: What Every Retailer Must Know about P2PE.” In it you will learn the basics of P2PE for PCI compliance, how to get up and running with a P2PE solution provider, and more.