Monday, August 22, 2011

PCI DSS Point-to-Point Encryption Guidance Soon?

Like many of you, I am looking forward to the PCI Council's guidance on point-to-point encryption. A lot of schools are talking to vendors about POS devices that promise to take their systems out of scope. Some schools are buying these terminals, and I have to admit they seem attractive. Before you go too far, though, I recommend you take a look at what the Council is saying, and what they might say, about how P2PE (the unfortunate acronym) can reduce your PCI scope.

The place to begin is to download the excellent "Initial Roadmap: Point-to Point Encryption Technology and PCI DSS Compliance v 1.0." This document came out last October. It lays out a lot of the details and what to look for in a P2PE system. What we are all eagerly awaiting, though, is the follow-on document promised before the end of this year: the actual "Validation Requirements for Point-to-Point Encryption." The Council promises:

It [the Validation Requirements] will define requirements and the process for validating effective P2PE solutions. Its intended audience is vendors, assessors, and labs that may evaluate the testing procedures associated with key management, segregation of duties, access controls, and other necessary criteria.

Here are some things to keep in mind as you look at solutions in the market today.

First, please understand P2PE only affects the transmission of cardholder data. It says nothing about storage or processing. The Roadmap document makes this clear in several places. Second, keep in mind that this is an integrated hardware-software-provider solution, and all three parts have to work for it to be effective.

Then look at the advice on how to implement the system:

  • Encryption is performed immediately after reading the data through contact-based (EMV), magnetic stripe, contactless, PAN key entry or Near Field Communication [NFC] methods.
  • The portions of the merchant environment that no longer require validation have no access to: plaintext CHD, cryptographic keys, or a decryption function that would allow encrypted data to be decrypted.
  • CHD (including any sensitive authentication data) cannot be decrypted until received by a validated decryption point such as a segmented portion of the merchant network or processor/acquirer network.
  • P2PE solutions including devices, key management practices, and encryption and decryption environments are independently validated.

The Roadmap has four conclusions: the technology is immature (meaning don't necessarily believe everything you might be promised); P2PE can move only the transmission part of your transactions out of scope (if properly implemented and validated, of course), meaning your payment application may still be in scope depending on where the two "points" are; P2PE does not make PCI DSS compliance go away (i.e., silver bullets are still outlawed); and you need independent validation of the P2PE solution, particularly the encryption/decryption process.

It is this last part where I expect to see the Council announce a program modeled on PCI PTS. That is, there will be independent testing labs that will validate devices (and their underlying software) for compliance, much like they test encrypting PIN devices today. This will give vendors a clear path to get their devices approved, and it will give you confidence that what you buy and install will reduce your PCI scope.

Let me make it clear I have no inside information. I am not part of the task force, and I have no insights into the Council's deliberations. However I do expect a guidance document to be issued soon (it is getting late in 2011, after all).

P2PE is an exciting and promising technology to reduce PCI scope for many merchants operating in a card-present environment. Like tokenization, there will be lots of issues to address in any implementation. In the meantime, if you have any interest in point-to-point encryption (and I expect almost all of you dear readers will), download the Roadmap and read it carefully. It may help you with your intermediate decisions, and it will help you understand the final guidance document when it comes out.


  1. I'm just curious, one a high level does it mean that if I employ a 'proper' point-to-point encryption, where the encryption methodology and the encryption/decryption devices have been properly audited and meet requirements....does that mean that any system in between that doesn't have the ability to decrypt the CHD and SAD would be out-of-scope of PCI-DSS?

  2. Thanks for your comment. Yes, the promise of P2PE is that all the merchant's back office and POS systems SHOULD be out of scope if P2PE is properly implemented and if that is the only transaction data they can see. As you note, however, the difference between the promise and what is actually delivered is the critical element to consider.