The PCI Security Standards Council (PCI SSC) recently released point-to-point encryption (P2PE) requirements for hardware-based solutions in its PCI Point-to-Point Encryption Solution Requirements. The 96-page document provides the first requirements for hardware-based P2PE solutions that offer Payment Card Industry (PCI) Data Security Standard (DSS) compliance.
The new requirements include information on:
PCI SSC General Manager Bob Russo said the new P2PE hardware requirements are the beginning of what is expected to be an extensive list of P2PE requirements and programs. He said the PCI SSC will release testing requirements for hardware and introduce security assessment training for encryption hardware in the coming months.
P2PE solutions use secure cryptographic devices installed in POS terminals to encrypt information, and hardware security modules to decrypt it securely.
"It's important to emphasize this is an optional program for the merchant and vendor," Russo told The Green Sheet. "There is no mandate. Encryption is a good idea that adds another layer of security with the possibility of cutting down the scope of compliance."
In addition, the PCI SSC will soon be looking at encryption in hybrid hardware/software devices, as well as standards for pure software encryption solutions. However, Russo said, "Some of the components in these regulations are already covered in the PCI security requirements for PIN pad and POS devices."
Russo added that all pieces of the PCI DSS still apply. "These new regulations are not a get-out-of-jail-free card," he said. "You still have to protect the data."
The PCI SSC will release a list of validated P2PE solutions in 2012. "There are many solutions that exist and merchants are looking to us for guidance," Russo said. "This is a solid first step in recognizing one popular type of deployment of P2PE solutions. If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant's card data environment, mitigate potential breaches and simplify PCI DSS validation efforts."
The PCI Point-to-Point Encryption Solution Requirements can be found at www.pcisecuritystandards.org/documents/nb59Y8Qqv/P2PE_Hardware_Solution_%20Requirements_Initial_Release.pdf.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.