PCI updates encryption standard with addition of testing procedures

The new testing procedures enable PCI to have the full P2PE program

The initial P2PE document, published in the autumn of 2011, provided requirements for vendors, assessors, and merchants looking to build and implement hardware-based P2PE products that support PCI Data Security Standard compliance, and offered scope reduction for merchants. Hardware-based P2PE products use secure cryptographic devices for both encryption and decryption: encryption takes place at the merchant's point of acceptance, and decryption takes place within hardware security modules.

“P2PE provides the ability for merchants to minimize their exposure of cardholder data”, explained Troy Leach, chief technology officer at PCI. For example, P2PE enables the secure transmission of payment card data using a mobile phone and a peripheral device. “It allows for the use of a mobile phone as a payment acceptance device while not exposing the phone or merchant to cardholder information”, he added.

The main changes made by the update include a new section to incorporate merchant-focused guidance for use of a validated P2PE product, the scope of assessment for P2PE products, and guidance on scenarios where there are multiple acquirers involved with a single P2PE solution.

“The biggest change is that we now have testing procedures that were added to the document. When we released the document, it included the requirements for control of point-to-point encryption transactions for hardware-to-hardware. In this release, we now have all the testing procedures in order to demonstrate those requirements are being met”, Leach told Infosecurity.

The testing procedures enable PCI to have the full P2PE program, which includes qualifying assessors through training, having assessors able to test for the requirements, and eventually being able to list P2PE products on the PCI website, Leach explained.

In addition, “cosmetic changes” were made to the document based on industry feedback. “We reorganized and restructured the requirements to provide more clarity”, he said.

The next phase of the P2PE program will focus on requirements for products that combine hardware-based encryption and decryption through secure cryptographic devices, with software that may manage transaction-level cryptographic keys for decryption. This phase is expected to be completed this summer, Leach said.

The council also will continue to explore the development of requirements for software solutions that encrypt cardholder data at the point of merchant acceptance, and/or decrypt cardholder data at a host system.

Bob Russo, general manager of the PCI SSC, told Infosecurity that the development of P2PE standards is “probably one of the better examples of industry feedback and collaboration that we’ve got… This is a phased approach. The efforts on this technology are centered on trying to help merchants reduce the scope of their PCI compliance footprint.”
