Point to Point Encryption
Point to Point Encryption (P2PE) is a standard published by the PCI SSC whose purpose is to reduce the scope of cardholder data in a merchant's environment, which in turn simplifies PCI DSS compliance. The initial release of the standard lays out requirements that align with those of PCI DSS and PA-DSS. The standard requires that Secure Cryptographic Devices (SCDs) be used for the encryption and decryption of payment card data; an SCD must also be capable of securely storing and managing cryptographic keys. Note that the scope reduction applies only when a merchant uses a validated, PCI-listed P2PE solution and operates it in accordance with the solution's P2PE Instruction Manual (PIM).
Requirements of the standard
The standard is structured into 6 domains with 18 requirements in total. It covers the security practices for point of interaction (POI) devices, the applications running on those POI devices, the environments in which the devices are deployed (both the encryption and the decryption environment for cardholder data), and cryptographic key management.
- Any POS application running on the POI device that has access to account data must be assessed by a P2PE PA-QSA and be PCI P2PE listed.
- The Solution Provider's P2PE solution must also be PCI P2PE listed. This includes solution providers who manage POI devices on behalf of merchants.
P2PE Compliance with SISA
SISA has a solid background in securing communications involving payment card data, built up across its PCI DSS and PA-DSS assessments and certifications well before the P2PE standard was released, and it welcomed the release of the standard by the PCI council. The PCI SSC mandates specific assessment and evaluation techniques for P2PE QSA companies such as SISA:
- The P2PE QSA must assess the P2PE solution environment and attest to whether it meets the P2PE requirements.
- The QSA must verify that the P2PE Instruction Manual (PIM) matches the actual setup and gives vendors, resellers and merchants sufficient guidance.
- POI devices used in the solution must be evaluated by a PCI-recognized PTS lab, which submits the PCI PTS evaluation report to the PCI SSC for approval and listing. This applies to all payment device vendors, and the devices must carry the SRED (Secure Reading and Exchange of Data) approval required for P2PE.
- The QSA consolidates all findings in a report and submits it to the PCI SSC together with the Attestation of Validation document.
- The QSA must maintain a strict quality assurance process for its P2PE assessment work.
SISA's P2PE QSAs and P2PE PA-QSAs have extensive experience in deploying secure applications, and the P2PE requirements build directly on that work. Security is therefore addressed not only in the architecture of the application but across the entire P2PE environment.