You are here:

PCI P2PE validation

The PCI P2PE (point-to-point encryption) is a security standard that requires credit card information to be encrypted instantly upon its initial swipe/insert at the payment terminal and then securely transferred directly to the payment processor before it can be decrypted and processed. Point-to-Point Encryption (P2PE) technology makes data unreadable so it has no value to criminals even if stolen in a breach.

A point-to-point encryption solution includes validated hardware, software, and solution provider environment and processes. It may also include validated services from a component provider. All PCI-approved solutions, applications, and components are listed on the Council’s website. Validation is done by a PCI-qualified P2PE assessor.

 SC2labs provides P2PE validations as qualified  PCI QSA (P2PE) and PA-QSA (P2PE)

accredited  by the PCI Security Standards Council

P2PE applies to:

  • P2PE Solution Providers;

  • Terminal Payment Application Vendors;

  • Encryption Management Component Provider;

  • Decryption Management Component Provider;

  • Key Injection Facility;

  • Certification Authority/Registration Authority involved in remote key injection processes

P2PE is a three years program – each year the vendor is required to confirm ones status to PCI SSC

Kickoff  and Planning
The kickoff is considered the start of the engagement after the agreement is executed. We will discuss the certification process,  identify the point of contact from both organizations and timelines for assessment,  define a project roadmap and plan next steps.
Preparation Phase
In the preparation  phase, we offer tailor – support approach. It can consist of:

  • P2PE  training/workshop  - our dedicated to the project P2PE  auditors will conduct the training at an early stage and to explain all domains of the  P2PE Standard, which will lead to a better understanding of the process and proper preparation for formal validation.

  • P2PE  scoping –  to take a closer look at Network Segmentation, inclusion and dependency of any third party/ outsourcing.

  • Pre-Assessment or full Gap Assessment. Pre-assessment consists of  interviews, reviews of documentation and a broadly walk-through to identify gaps and provide recommendations. The GAP Analysis  is a more detailed process, we will  conduct an “as-is” assessment  of your organization to identify gaps in security controls, systems, documentation  and the environment against  all PCI P2PE compliance domains. The GAP executive summary includes any identified discrepancies and  necessary recommendations for action.

  • Remediation/ Advisory Support. Assistance  to provide advisory support for mitigating gaps and collecting evidence software development.

Formal validation

Once all controls are confirmed to be in place, the on-site assessment  will begin. It is the formal process in which an accredited auditor will conduct the formal assessment against all domains and controls of P2PE, including a review of the Point of Interaction (POI) device, device management, encryption/decryption environment, third-party applications, inventory management, key management, PCI DSS compliance, cardholder data flows, solution documentation.

As a part of P2PE compliance our auditor checks the following:

  • Encryption Device Management

  • Application Security

  • Encryption Environment

  • Segmentation between Encryption and Decryption Environment

  • Decryption Environment and Device Management

  • P2PE Cryptographic Key Operations

  • P2PE Instruction manual and guidance

  • Testing and gathering is the core of compliance engagement. The results of the on-site assessment are documented.


The report will be provided within 3 weeks of the last day of successful completion (all required documents are delivered and  collected by the P2PE auditor).  Then  the report is sent to the PCI Council for review. After approval by the PCI Council, you will receive a certificate issued by your Assessor. PCI SSC will list the company on  its website as a P2PE validated solution.

The deliverables include:

P2PE Solution RoV – Report of Validation
P2PE Application RoV – Report of Validation
P2PE Components RoV – Report of Validation
P2PE Solution AoC – Attestation on Validation
P2PE Application AoC – Attestation on Validation
P2PE Components AoC – Attestation on Validation

Continual Support

After your successful certification, we provide continual  support  in the ongoing maintenance of the organization’s compliance - we will provide and discuss changes to the security standard itself, as well as explain and  support  with emerging issues and questions.