Point-to-Point Encryption

Latest press release from the PCI Security Standards Council – June 28, 2012:

The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) requirements and the Payment Application Data Security Standard (PA-DSS), today announced availability of the Point-to-Point Encryption (P2PE) Program Guide and Self-Assessment Questionnaire (SAQ) to support implementation of hardware-based point-to-point encryption (P2PE) solutions.

The resources follow the Council’s release of updated Solution Requirements and Testing Procedures for hardware-based P2PE solutions in April, which provide a method for vendors to validate their P2PE solutions and for merchants to reduce the scope of their PCI DSS assessments by using a validated P2PE solution for accepting and processing payment card data.

Eligible merchants using these P2PE hardware solutions may be able to reduce the scope of their PCI DSS assessments and validate to a reduced set of PCI DSS requirements. To help with this validation process, the Council has developed a new Self-Assessment Questionnaire (SAQ P2PE-HW).

SAQ P2PE-HW is for merchants who process cardholder data via hardware terminals included in a validated P2PE solution and consists of the following components:

  • Merchant eligibility criteria
  • SAQ completion steps
  • Self-Assessment Questionnaire (validation of PCI DSS Requirements)
  • Attestation of Compliance, including Attestation of PIM Implementation


Merchants should refer to their acquirer and/or payment brand to determine if they are eligible to use this new SAQ.


The Council has also updated the PCI DSS SAQ Instructions and Guidelines document to provide additional guidance on use of the SAQ P2PE-HW.


The PCI P2PE Program Guide is designed to help solution providers, application vendors, and P2PE assessors understand how to complete a P2PE assessment and submit it to the Council for acceptance and listing on the PCI SSC website. The document includes:

  • Overview of P2PE solution validation processes
  • Considerations for P2PE Solution providers preparing for assessment
  • Reporting considerations for P2PE assessors
  • Considerations for managing validated P2PE Solutions
  • Listing of applications used in P2PE solutions


Solution providers, application vendors, and P2PE assessors can use this document immediately to plan for their P2PE assessments.

In the coming weeks, the Council will provide templates and Reporting Instructions for P2PE validation reports, as well as new Attestations of Validation (AOVs) and a vendor release agreement (VRA). P2PE assessors, solution providers and application vendors can then complete their assessments of P2PE solutions and applications and submit their reports and validation documentation to the Council for acceptance and listing. The Council will list the validated solutions on the PCI SSC website for merchants to use.

“These resources are a critical part of rolling out this program,” said Bob Russo, general manager, PCI Security Standards Council. “The program guide outlines the submission and listing process for P2PE solution providers and application vendors who want to validate their products, while the SAQ will help simplify PCI DSS validation efforts for merchants taking advantage of this process to minimize the amount of cardholder data in their environments.”

Nancy Sykora
Sr. Account Executive
