CampusGuard has worked with numerous institutions as they consider implementing a PCI-listed P2PE solution and evaluate how that product might reduce the overall risk to their cardholder data environment. However, deciding if P2PE is right for you can be confusing.
Below are some common questions and things you should be aware of as you move down this path:
What is P2PE?
Point-to-Point Encryption (P2PE) is the term used to specifically identify a solution that encrypts cardholder data at the point of interaction (POI) device and ensures that data remains encrypted through transmission to the final decryption point. The solution is a combination of secure devices, applications, and processes that have been assessed according to the PCI SSC’s P2PE Standard. The solution must be implemented according to the vendor’s P2PE Implementation Manual (PIM).
How is P2PE different from E2EE?
End-to-End Encryption (E2EE) simply refers to the encryption of cardholder data between two points. Through their use of encryption, both P2PE and E2EE effectively reduce the cardholder data to just data. However, the P2PE solution also eliminates the end point (the POI device) from PCI-scope and thereby reduces the PCI burden for your organization.
What does this mean for my PCI compliance efforts?
By implementing a PCI-listed P2PE solution, you are able to complete the much smaller SAQ P2PE (33 questions) versus the otherwise required SAQ C (160 questions) or SAQ D (329 questions). You will see a complete reduction in scope for nine of the twelve PCI DSS Requirements and a dramatic reduction in the remaining three. While you are always ultimately responsible for the entire PCI DSS, your compliance efforts will now focus on physical access controls, document management, information security policy, and other non-technical requirements.
How does it work?
A PCI-listed P2PE solution immediately converts cardholder data into indecipherable data at the point of interaction device. This keeps all associated network and computer systems out of PCI scope and protects your organization from accidentally exposing payment card data. Data in this format is of no value to anyone without the decryption key so it is of little interest to hackers.
What questions do I need to ask potential vendors?
- Has your solution been validated by the PCI Security Standards Council? You can easily check the list of validated P2PE solutions here.
- NOTE: In order to be a PCI-listed / validated P2PE product, the solution being considered must be listed on its own and not just an individual piece, e.g. an encrypted terminal. If the P2PE product being sold was developed by the Company that is listed, then you can feel confident in your selection.
- If it is not a PCI-validated solution, can the vendor provide an opinion paper from a P2PE QSA stating that they have reviewed the solution and confirmed the reduction in the applicability of specific PCI DSS controls?
- NOTE: If the product is not listed, it may still be a compliant solution but you may not see the full benefit nor will you be eligible to use the smaller SAQ P2PE to attest your compliance.
- Does the solution integrate with multiple processors and/or commonly used software solutions?
- NOTE: Switching to another bank or another product is time consuming and expensive, so finding a vendor that is already integrated with systems in use by your merchants will make for an easier implementation.
Okay, I’m sold. Now what?
Implementing any new solution can be a major project and, in order to make the best decision for your organization, you have to weigh the costs of a P2PE solution against the costs of alternate solutions, e.g. segmentation, restricting merchant options, etc. In many cases, the return on investment is there but you may need some assistance determining what the actual costs are. CampusGuard can work with you to evaluate your environment and help you make the best decision for your campus. Your CRM can share our Cost Analysis template with you and your Security Advisor can participate on vendor calls to ensure the right questions are being asked.