P2PE: No Cakewalk for Merchants, But There May Be No Alternative For Reducing Scope
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
When the PCI Council released version 1.1 of its Point-to-Point Encryption (P2PE) Testing Procedures late last month (April 27), it forced an interesting question: Will P2PE be the only way to remove encrypted data from a merchant’s PCI scope?
Current PCI Council guidance (FAQ 10359) holds that encrypted data can be out of a merchant’s PCI scope “if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it.” The important word here is “entity.” That is, the ability to decrypt the data must rest with some unrelated third party. With the emergence of P2PE, could this scoping guidance be revised to where the only appropriate “entity” is an approved P2PE provider?
Although I have no inside information on this point, it seems to me and other QSAs that this FAQ has been applied far beyond its original context. Now that we have a P2PE program emerging and approved methods just around the corner, is there really any justification for the PCI Council to keep that FAQ in its present form?
Either way, it’s another reason merchants may want to implement P2PE. That may be the only way to keep their encrypted data out of scope in the future. If that is the case, a lot of merchants (and PCI service providers) could find their PCI world changed by the end of this year.
Therefore, whether merchants are evaluating P2PE or not, it may make sense to start paying attention to the detailed guidance coming from the PCI Council.
P2PE is an exciting development that promises to save merchants a bundle of money in PCI compliance costs by reducing their PCI scope dramatically. What has not been clear until now is just how much work merchants may have to do to get the full benefits of it. Looking at the updated Testing Procedures, it looks like implementing P2PE properly will not be the walk in the Xerox PARC that many merchants seem to think it will be.
The first thing merchants need to know is that they must implement an “approved” approach; that is, a P2PE package accepted by the PCI Council. Approved suites will be listed—likely starting in the third or fourth quarter of this year—on the Council’s Web site.
To get the full benefit of scope reduction, merchants must do three things:
- Use a PCI PTS approved point of interaction (POI) device that is segmented from the rest of the merchant’s network.
- Use that POI device for entering all card transactions.
- Have the approved vendor manage all transaction operations.
Then, so long as the merchant follows the instructions in the P2PE Instruction Manual (PIM), that will be part of every approved approach. Everything should be fine, and the merchant can expect to reap the benefits of a greatly reduced PCI scope.
Merchants evaluating P2PE packages and even implementing encrypting POS devices in anticipation of P2PE may be under the impression that is all they need to do. Unfortunately, the PIM details a lot of actions for merchants, mostly revolving around securing and maintaining the POI devices.
Most of the merchant responsibilities are contained in Domain 3 (there are six Domains in the P2PE Requirements and Testing Procedures), which covers more than 30 pages of the updated document. What follows is a partial list.
Domain 3A addresses physically securing the POI devices throughout their lifecycle. Some of the more important requirements for merchants are:
- Maintain inventory control and monitoring procedures to identify and locate all devices, including those deployed, awaiting deployment or in transit.
- As part of the inventory, track 11 device characteristics, including model and serial numbers, location and firmware version.
- Physically secure all devices in storage.
- Secure the devices in transit; for example, between store locations.
- Have procedures for detecting unauthorized or substitute devices.
- Be able to detect any unauthorized or replacement device prior to installation.
Naturally, merchants will need to log all this activity and produce and audit trail.
Domain 3B deals with secure device management and addresses. Merchant requirements include things such as procedures for removing POI devices for maintenance or repair and provisions for merchants to physically inspect the devices on a regular basis. This section also details the merchant opt-out procedure (required in all approved offerings), should a merchant change its mind.
Domain 3C specifies the contents of the PIM. (Readers interested in the highlights can go directly to page 98 and see all the details.)
The PCI Council is making rapid progress on its P2PE program. Any merchant seriously considering this technology should download the v1.1 documentation and spend some quality time (preferably not just before bedtime) reading it and digesting its implications. The first steps to realizing P2PE are under way. The POI devices can be tested by PCI PTS labs, and the specialized P2PE QSA and PA-QSA training is this month. Soon, these P2PE PA-QSAs will be preparing Reports on Validation and submitting them to the PCI Council for approval and listing.
Smart vendors are already working on all fronts to be among the earliest to get approval. They believe they will have a competitive advantage with the PCI Council’s stamp of approval, and they might be right. After all, merchants will have to implement approved approaches or they won’t be able to qualify for the P2PE scope reduction very easily.
What do you think? Have you looked at P2PE packages or even committed to one? Did you, like me, spend a large part of your weekend digesting the updated P2PE document? As a merchant, are you prepared for the POI device management and tracking requirements? Or are you relying on the PCI Council’s FAQ 10359 to remove your encrypted data from scope? I’d like to hear your thoughts. Either leave a comment or E-mail me.
May 14th, 2012 at 2:05 pm
Walt, what are your thoughts on the applicability of P2PE to merchants who process using a mobile phone application with a swiper? I’ve asked a few QSA’s this question and feeling seems to vary on whether a compliant POI device connected through the phone to a compliant gateway, etc. would allow the merchant to qualify. The crux of the conflict seems to be whether the phone remains in scope as part of the processing environment, or if it can be considered removed because the data is encrypted while being passed to the gateway through an app or the browser.
May 19th, 2012 at 9:49 pm
Hi Jamie,
If the swipe device is PCI PTS certified, AND also compliant tot the SRED requirements of that standard, then it should be possible for the phone to be out of scope. This is basically the crux of the new PCI guidance on mobile payment acceptance, and the whole point of the SRED module (ie to help secure data through encryption to assist with scope reduction).