PCI P2PE (Point-to-Point Encryption) is a security standard that requires credit card information to be encrypted instantly upon its initial swipe/insert at the payment terminal and then securely transferred directly to the payment processor before it can be decrypted and processed. P2PE technology makes data unreadable, so it has no value to criminals even if stolen in a breach.
A point-to-point encryption solution includes validated hardware, software, and solution provider environment and processes. It may also include validated services from a component provider. All PCI-approved solutions, applications, and components are listed on the Council’s website. Validation is done by a PCI-qualified P2PE assessor.
SC2labs provides P2PE validations as a qualified PCI QSA (P2PE) and PA-QSA (P2PE) accredited by the PCI Security Standards Council.
P2PE applies to:
- P2PE Solution Providers;
- Terminal Payment Application Vendors;
- Encryption Management Component Provider;
- Decryption Management Component Provider;
- Key Injection Facility;
- Certification Authority/Registration Authority involved in remote key injection processes.
P2PE is a three-year program; each year the vendor is required to confirm its status to PCI SSC.
SC2labs is accredited by PCI SSC as both PCI QSA (P2PE) and PA-QSA (P2PE).
PCI point-to-point encryption requirements (domains):
Domain 1 - Encryption Device and Application Management (Secure encryption of payment card data at the point of interaction (POI)). The secure management of the PCI-approved POI devices and the resident software.
Requirements:
- 1A Account data must be encrypted in equipment that is resistant to physical and logical compromise.
- 1B Logically secure POI devices.
- 1C Use P2PE applications that protect PAN and SAD.
- 1D Implement secure application-management processes.
- 1E Component providers ONLY: report status to solution providers.
Domain 2 - Application Security (P2PE validated application(s) at the point of interaction). The secure development of payment applications designed to have access to clear-text account data intended solely for installation on PCI-approved POI devices.
Requirements:
- 2A Protect PAN and SAD.
- 2B Develop and maintain secure applications.
- 2C Implement secure application-management processes.
Domain 3 - P2PE Solution Management (Secure management of encryption and decryption devices). Overall management of the P2PE solution by the solution provider, including third-party relationships, incident response, and the P2PE Instruction Manual (PIM).
Requirements:
- 3A P2PE solution management.
- 3B Third-party management.
- 3C Creation and maintenance of P2PE Instruction Manual for merchants.
Domain 4 - Decryption Environment (Management of the decryption environment and all decrypted account data). The secure management of the environment that receives encrypted account data and decrypts it.
Requirements:
- 4A Use approved decryption devices.
- 4B Secure the decryption environment.
- 4C Monitor the decryption environment and respond to incidents.
- 4D Implement secure, hybrid decryption processes.
- 4E Component providers ONLY: report status to solution providers.
Domain 5 - P2PE Cryptographic Key Operations and Device Management (Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage). Establish and administer key-management operations for account-data encryption POI devices and decryption HSMs.
Requirements:
- Control Objective 1 Account data is processed using equipment and methodologies that ensure they are kept secure.
- Control Objective 2 Account data keys and key-management methodologies are created using processes that ensure it is not possible to predict any key or determine that certain keys are more probable than other keys.
- Control Objective 3 Keys are conveyed or transmitted in a secure manner.
- Control Objective 4 Key loading is handled in a secure manner.
- Control Objective 5 Keys are used in a manner that prevents or detects their unauthorized usage.
- Control Objective 6 Keys are administered in a secure manner.
- Control Objective 7 Equipment used to process account data and keys is managed in a secure manner.
- 5A Account data is processed using algorithms and methodologies that ensure they are kept secure.
- 5H For hybrid decryption solutions: Implement secure hybrid-key management.
- 5I Component providers ONLY: report status to solution providers.
Appendix A - Merchant-managed Solutions (Separation between Merchant encryption and Decryption Environments). Separate duties and functions between merchant encryption and decryption environments.
Requirements:
- MM-A Restrict access between the merchant decryption environment and all other networks/systems.
- MM-B Restrict traffic between the encryption environment and any other CDE.
- MM-C Restrict personnel access between the encryption environment and the merchant decryption environment.
P2PE Solution:
Consists of point-to-point encryption and decryption environments, their configuration and design, and any P2PE components used with these environments. Within the P2PE solution, account data is always entered directly into a PCI-approved POI device with secure reading and exchange of data (SRED) enabled. This approach minimizes exposure of clear-text account data, and protects against point-of-sale exploits such as “memory scraping” malware.
P2PE Application:
Software or other files with access to clear-text account data, intended to be loaded onto a PCI-approved point of interaction (POI) device and used as part of a P2PE solution.
P2PE Component:
A subset of P2PE services including encryption management, decryption management, and key injection, which are provided by a P2PE component provider and included in the P2PE component listing on the PCI website.
P2PE Solution Provider:
An entity, usually a third party such as a processor, acquirer (merchant bank), or payment gateway, that designs, implements, and manages the P2PE solution. The solution provider may outsource certain responsibilities, but will always retain overall responsibility for the P2PE solution. With P2PE v2, merchants may also choose to act as their own solution provider by implementing a merchant-managed solution (MMS).
Links:
https://www.pcisecuritystandards.org/document_library
https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions