New PCI P2PE Rules Drop Compliance Requirements To 2
Written by Walter ConwayLast week’s 96-page PCI Point-to-Point Encryption (P2PE) validation requirements document from the PCI Council offered retailers a non-trivial compliance carrot: Implement P2PE according to the Council’s specs and see your PCI scope drop from 12 requirements to just two.
To be clear, P2PE is not a silver bullet that makes PCI go away. It can, however, shrink a retailer’s PCI scope. If retailers read nothing else, they need to look at Appendix A (page 81). There are a couple of new attestations, but these are not much more than elaborate versions of the Confirmation of Compliance Status boxes already in the Self-Assessment Questionnaire (SAQ).
The big news is where the Council says in the report that “it is expected that PCI DSS controls that will be applicable to a merchant’s validation will include (but will not be limited to): Protection of media and devices; Maintaining information security policies and training for personnel; Processes for management of third-party providers (including P2PE provider); Incident response and escalation procedures.”
(Related story: The PCI SAQ Problem: Versions Are Much Too Incomplete)
That means a retailer implementing approved P2PE might reduce its PCI compliance to just requirements 9 and 12 (and maybe 11.1). The Council’s words “will include (but not be limited to)” are important. Retailers still need to validate PCI compliance, and, as with anything dealing with PCI and payments, retailers need to consider their own unique environment. Nevertheless, the promise of reduced scope seems significant for a POS environment.
Retailers will need to individually assess any scope reduction that might apply to their call centers, Web transactions or payment applications that require a primary account number (PAN).
We have, effectively, a new PCI standard with the accompanying infrastructure. I am still trying to understand why the Council could address tokenization in 39 pages while the full P2PE description requires 96 pages—roughly 2.5 times as long—of detailed hardware and software specifications, an independent P2PE validation process and two new flavors of specialized QSAs.
The Council breaks the P2PE validation into six domains. Each domain is, in effect, a P2PE requirement with further sub-requirements vendors need to meet. The Council seems to have introduced a P2P DSS (or PCI P2P) standard without calling it that, modeling it on PCI PTS and PA-DSS.
-Marc
September 22nd, 2011 at 9:48 am
Thank you PCI SSC for finally publishing this guidance. Perhaps we’ll now see some larger merchants take a real look at the value proposition of P2PE, since they can build a scope reduction ROI model. Two problems remain. First, the two viable P2PE solutions on the market do not meet the requirements of this guidance. They use format preserving encryption and not a required ISO or ANSI standard one. This was brought up in a Community Meeting QA session where the panel left the door open to FPE in future updates. Second, given Visa’s recent Chip/NFC announcement, I expect most merchants will want their strategy to incorporate that before making big investments.
The ideal solution for merchants in the US, given what’s available today, would be one that combines P2PE and Chip. Merchants are then protected from losing card data and from accepting fraudlent cards.
Unfortunately, we have to wait longer for this to sort out.
September 28th, 2011 at 8:36 pm
No fear Ernie – FFX mode AES is in the standards process – aka Format Preserving Encryption. NIST has already announced intent to move to a standard back in June – check the NIST website for the specifics.