PCI P2PE (Point-to-Point Encryption) is a security standard that requires card data to be encrypted immediately upon swipe/insert at the payment terminal and then transferred securely to the payment processor before it can be decrypted and processed. Because P2PE renders the data unreadable in transit, it has no value to criminals even if stolen in a breach.
A P2PE solution consists of validated hardware, software, and the solution provider's environment and processes. It may also include validated services from a component provider. All PCI-approved solutions, applications, and components are listed on the Council's website. Validation is performed by a PCI-qualified P2PE assessor.
SC2labs provides P2PE validations as a PCI QSA (P2PE) and PA-QSA (P2PE) accredited by the PCI Security Standards Council.
P2PE applies to:
P2PE Solution Providers;
Terminal Payment Application Vendors;
Encryption Management Component Providers;
Decryption Management Component Providers;
Key Injection Facilities;
Certification Authorities/Registration Authorities involved in remote key injection processes.
P2PE validation runs on a three-year cycle; each year the vendor is required to confirm its status to PCI SSC.
Kickoff and Planning
The kickoff marks the start of the engagement after the agreement is executed. We discuss the certification process, identify the points of contact at both organizations and the assessment timeline, define a project roadmap, and plan the next steps.
Preparation Phase
In the preparation phase, we offer a tailored support approach, which can consist of:
P2PE training/workshop: the P2PE auditors dedicated to the project conduct the training at an early stage to explain all domains of the P2PE Standard, leading to a better understanding of the process and proper preparation for formal validation.
P2PE scoping: a closer look at network segmentation and at the inclusion of, and dependency on, any third parties or outsourcing.
Pre-assessment or full gap assessment: a pre-assessment consists of interviews, documentation review and a broad walk-through to identify gaps and provide recommendations. A gap analysis is more detailed: we conduct an "as-is" assessment of your organization to identify gaps in security controls, systems, documentation and the environment against all PCI P2PE compliance domains. The gap executive summary lists every identified discrepancy together with the recommended actions.
Remediation/advisory support: advisory assistance in mitigating gaps and collecting evidence, including from software development.
Formal validation
Once all controls are confirmed to be in place, the on-site assessment begins. This is the formal process in which an accredited assessor evaluates all domains and controls of P2PE, including a review of the Point of Interaction (POI) device, device management, the encryption/decryption environment, third-party applications, inventory management, key management, PCI DSS compliance, cardholder data flows, and solution documentation.
As part of P2PE validation, our auditor checks the following:
Encryption Device Management
Application Security
Encryption Environment
Segmentation between Encryption and Decryption Environments
Decryption Environment and Device Management
P2PE Cryptographic Key Operations
P2PE Instruction Manual and guidance
Testing and evidence gathering are the core of the compliance engagement. The results of the on-site assessment are documented.
Reporting
The report is provided within 3 weeks of the last day of successful completion (that is, once all required documents have been delivered to and collected by the P2PE auditor). The report is then sent to the PCI Council for review. After the PCI Council's approval, you receive a certificate issued by your assessor, and PCI SSC lists the company on its website as a validated P2PE solution.
The deliverables include:
P2PE Solution RoV – Report of Validation
P2PE Application RoV – Report of Validation
P2PE Components RoV – Report of Validation
P2PE Solution AoV – Attestation of Validation
P2PE Application AoV – Attestation of Validation
P2PE Components AoV – Attestation of Validation
Continual Support
After your successful certification, we provide continual support for maintaining the organization's compliance: we communicate and discuss changes to the security standard itself, and explain and assist with emerging issues and questions.