PCI’s New P2PE Rules Won’t Kick In Until Spring 2012 Or Later

Written by Evan Schuman
September 15th, 2011

The PCI Council on Thursday (Sept. 15) will detail its initial guidelines for point-to-point encryption (P2PE), but retailers need not, and should not, take any near-term action. Nor should they sign any imminent contracts involving P2PE. Why? The Council will stress that the document, a 96-page detailed description of various P2PE approaches and common-sense security processes for each, is only “the first set of validation requirements,” and that key parts of the program won’t even be in place for six to eight months and might be delayed even further.

Why such delays? First, the Council wants retailers to contract only for P2PE applications that appear on a Council list of applications validated to be PCI compliant. The problem? That list doesn’t yet exist, and the list’s creation is “targeted for Spring 2012,” according to a draft copy of the Council’s document.

A second reason for the delay is PCI training of assessors. The Council isn’t promising to identify the testing procedures until “the end of 2011” and “training opportunities” (which we assume means classes) won’t be detailed until “Spring 2012.”

The report will say that the guidelines, even if perfectly followed, won’t offer a path for a retailer to be considered out of scope. The best a chain can hope for, according to the document, is “reduced scope.” But nowhere does the document say what exactly that would and wouldn’t include. Even the document’s 10-page glossary doesn’t define “reduced scope,” although it does take the time to define “authorization,” “clear text” (we kid you not: its full definition is “See Plain Text”), “password” and “software.” But reduced scope? Everyone obviously knows exactly what the Council meant by that.

The document will also bring new levels of bureaucracy, including creating special P2PE QSAs. “Not all QSAs are P2PE QSAs—there are additional qualification requirements that must be met for a QSA to become a P2PE QSA,” the report said, although it doesn’t list what those additional requirements will be. Presumably, that is part of next year’s training plans.

The guidelines—a copy should be available here on the PCI Council Web site—only deal with “Encryption, Decryption and Key Management within Secure Cryptographic Devices (Hardware/Hardware),” which is also the catchy name of the report.


3 Comments

  1. PCI Guy Says:

    Someone should pull the plug on the PCI Council before they do any more harm to retailers and the card industry itself. Even a poorly designed P2PE solution will significantly reduce availability and access to sensitive card data, and all the solutions currently available are excellent, being continuously reviewed and vetted by security experts including the merchants’ QSAs. So what’s not to like? Why are they putting the brakes on something that can only reduce the size of the security problems the card industry is facing? I have to wonder if this latest brainless move was actually motivated by “job security” rather than data security.

  2. Andrew Jamieson Says:

    Page 84 of the standard provides some insight into the reduced validation necessary for merchants compliant with this program. I would expect that a hard and fast list is difficult for PCI to produce as this may well be more the purview of the card schemes who are obliged to set their own requirements for compliance validation.

  3. Evan Schuman Says:

    Such a list is difficult to create. But the open question is more fundamental, which is the benefit of this reduced scope. How much is it reduced? We were hoping for something such as “If a merchant is fully compliant with this effort, they would no longer have to XXXXX or some other concrete change.” That, too, is likely difficult to articulate for the reason you cite, among others, but without it, the impact of this guidance is sharply muted.
    In case someone reading this doesn’t happen to have Page 84 memorized (shame on you!), here is the full text of that particular page:

    Appendix A: PCI DSS Validation for P2PE Merchants
    This appendix outlines the proposed validation that P2PE merchants with validated hardware/hardware P2PE solutions may be eligible to complete. PCI DSS validation requirements are determined by the individual payment card brands. The information in this appendix is provided for illustrative purposes only and should not be used for PCI DSS validation. Entities should consult with their acquirer (merchant bank), and/or the individual payment brands directly to verify their PCI DSS compliance validation requirements.
    PCI DSS Scoping and Assessment Considerations
    Considerations for PCI DSS scoping and assessment requirements for merchants using a validated P2PE solution include the following:
    - Is all account data within the P2PE environment accepted using a secure POI device that is listed on the PCI PTS Approval List, and does this listing show that it provides SRED functionality?
    - Have all other payment channels within the merchant environment been adequately segmented (isolated) from the P2PE environment?
    - Is the POI provided by an external solution provider—such as a payment gateway, processor, or acquirer—that manages all applicable POI functions, including management and loading of the cryptographic keys, installation, and any on-going maintenance?
    - Is the P2PE solution listed by PCI SSC as an approved P2PE solution?
    - Is there other account data not protected by the P2PE solution?
    Note that the P2PE solution and any resulting PCI DSS scope reduction is only applicable to account data that is protected by the P2PE solution; PCI DSS is applicable to any other channels or sources of clear-text account data.
    Reduced PCI DSS Validation
    Reduced PCI DSS validation for P2PE merchants is expected to consist of the following:
    - Merchant completion of self-assessment or onsite assessment by a QSA
    - Assessment-validation reporting according to payment brand compliance program—for example, completion of Self-Assessment Questionnaire (SAQ), Report on Compliance (ROC), and/or Attestation of Compliance (AOC).
    - Merchant attestation of Eligibility to Complete Reduced PCI DSS Validation for P2PE Merchants using Hardware/Hardware P2PE Solutions
    - Merchant attestation of adherence to P2PE Instruction Manual
    - Merchant attestation of compliance to applicable PCI DSS requirements
    - Merchant attestation of accuracy of PCI DSS compliance validation, including:
      - PCI DSS validation and attestation of compliance was completed according to applicable instructions.
      - All information in the attestation fairly represents the results of the PCI DSS assessment in all material respects.
      - No evidence of magnetic-stripe (track) data, CAV2, CVC2, CID, or CVV2 data, or PIN or PIN-block data storage after transaction authorization was found on ANY systems reviewed during the assessment.

    NOTE: There are actually TWO Page 84s in the document, as a colleague just pointed out. One is the Page 84 in the PDF file (GOTO Page 84) and then there are the printed pages of the document. Here is the other Page 84:

    Proposed Merchant Validation of Compliance to Applicable PCI DSS Requirements
    Eligible merchants using PCI SSC-validated P2PE solutions will be able to validate to a reduced set of PCI DSS requirements. The particular PCI DSS requirements that will apply to eligible merchants will be included with the release of the P2PE validation program in 2012.
    It is expected that PCI DSS controls that will be applicable to a merchant‘s validation will include (but may not be limited to):
    - Protection of media and devices
    - Maintaining information security policies and training for personnel
    - Processes for management of third-party providers (including P2PE provider)
    - Incident response and escalation procedures
