The Green Sheet Online Edition
August 10, 2015 • Issue 15:08:01
PCI SSC revamps P2PE, device standards
After thorough review and input from payments industry stakeholders, the PCI Security Standards Council (PCI SSC) recently released a comprehensive update to its point-to-point encryption (P2PE) standard, documented in PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0. The updated standard gives greater flexibility to solution providers and to entities offering components that can be integrated into P2PE-validated solutions. The PCI SSC categorizes the elements of the latest standard as P2PE solutions, software applications, component providers and solution providers.
The PCI SSC acknowledged the natural learning curve that took place after introducing the original standard. "What we didn't consider in version 1 is that we were thinking that the solutions provider would also be the entity or the organization that would decrypt," said Troy Leach, Chief Technology Officer at the PCI SSC. "What we've learned over the course of several years is that there are scenarios where you would have a service provider that is only responsible for decrypting cardholder information."
With P2PE v2, merchants also have greater control over encryption programs. According to the PCI SSC, large merchants can now implement and manage their own P2PE solutions for various POS locations, securely separating duties, systems and functions between the merchant encryption and decryption environments. Or merchants can work with a third party to manage PCI P2PE solutions for them.
Ruston Miles, founder and Chief Innovation Officer at Bluefin Payment Systems, one of the first companies to receive P2PE validation, said, "With version 2.0, PCI has made the development and implementation of P2PE solutions easier. Now solutions providers and merchants can simply choose from individually validated components to build and manage their own P2PE solutions." Another benefit is that it creates a new market for vendors.
Bluefin Chief Executive Officer John Perry noted the standard is "recognition of P2PE's critical role in a 'secure-all-channels' approach to data security," and in conjunction with Europay, MasterCard and Visa chip card and tokenization technology, P2PE offers "the protection that American consumers deserve."
Devices get security boost
The PCI SSC also released an updated version of the PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements. This standard applies to POI device manufacturers; the devices include ATMs, unattended kiosks, mobile dongles and POS devices.
"As we see increasing attacks on ATMs and at the POS, it's critical to ensure the highest level of security at the device level," said the PCI SSC's Leach. Changes introduced in PTS POI version 4.1 include a new Core Module section that addresses configuration and maintenance procedures, as well as new testing requirements to validate compliance.