Friday, June 29, 2012

P2PE Self-Assessment Questionnaire and Program Guide Available

The PCI Council released the latest SAQ for merchants using Point-to-Point Encryption (P2PE).  That SAQ together with the P2PE Program Guide are now on the Council's Documents Library.  You have to spin about half-way down to get to the PCI Point-to-Point Encryption section, but there you'll find both docs and the new AOC.

Before you leap to buy a P2PE solution and complete the SAQ P2PE-HW (no kidding, that's what it is called), make sure you will qualify.  As I forecast (guessed?) this latest SAQ is brief with only 18 questions or control requirements to address.  It focuses on Requirements 9 and 12, but the Council also tossed in parts of Requirement 3 (Protect Cardholder Data) for those who insist on retaining paper forms with PAN data and one part of Requirement 4 so you don't go emailing or texting cleartext PANs.  Actually, as forecast, it is pretty short and sweet.

That SAQ has some pretty strict requirements, though.  Specifically:

  • You ONLY process cards using your approved P2PE solution
  • You affirm that you are using a solution listed on the Council's website
  • You have found and removed any legacy cardholder data from all your systems 
  • You implemented the solution per the provider's P2PE Implementation Manual (PIM).
It is that first requirement that may cause some heartburn for merchants who process payments by a number of channels or use different vendors.  My guess is that you will need some decision from your Acquirer on that one.

As everyone knows (or should know), only approved P2PE solutions listed by the Council will count, for this SAQ and for everything.  Right now there are (is?) precisely zero approved solutions.  We can expect to see the first ones later this year and into 2013, so don't go jumping to sign a bunch of contract too soon.

In the meantime, keep monitoring P2PE developments.  This technology has the promise of reducing many merchants' PCI scope and risk (!).  It won't be free, but it could be a good deal in the long run.

No comments:

Post a Comment