News Feature | August 13, 2015

What New P2PE Guidelines Mean For Merchants And POS Providers

By Christine Kern, contributing writer

The PCI Council recently released version 2.0 of the P2PE (point-to-point encryption) solution requirements and testing procedures, including more flexible requirements for encryption products to facilitate protection of payment card data and reduce the risk of data theft.

The changes are outlined in the document, PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0. The PCI Council also will now list validated P2PE components in order to facilitate the creation of solutions by providers for merchant customers.

Troy Leach, PCI Security Standards Council CTO, explains in the press release that malware attacks at the point of sale (POS) are becoming more sophisticated and it’s necessary to find ways to make payment card data unusable to criminals. “PCI point-to-point encryption solutions help merchants do this by encrypting cardholder data at the earliest point of acceptance, making the data less valuable to attackers, even if compromised in a breach,” Leach says.

The 2.0 version of the standard states:

  • The new guidelines allow for a modular approach to P2PE. While the previous guidelines required that all components and domains be validated together as part of a total solution, the new guidelines remove the need for revalidation when one component is changed. Merchants will now be able to mix and match components without revalidating the whole solution when a single component changes.
  • Merchants are no longer required to use a third-party P2PE solution provider. They can build and manage their own P2PE solution, as long as they meet certain conditions, and the solutions remain subject to PCI validation.
  • Merchants who were already validated under the 1.0 or 1.1 standards do not need to revalidate.

Leach stated, “With version 2.0 the Payment Card Industry Council is responding to market feedback to provide a simpler approach to validating solutions, while still maintaining a strong level of integrity in the validation process that will result in the most secure options for merchants.”

Visit the PCI SSC website for solution requirements and testing procedures, including a summary of changes, the P2PE Instruction Manual (PIM) template and glossary of terms, abbreviations and acronyms.

For PCI P2PE validated listings visit: https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php