PCI P2PE

The Point-to-Point Encryption (P2PE) standard, maintained by the PCI Security Standards Council, defines requirements for solutions that protect card-present payment card transactions in merchant environments by encrypting account data at the point of interaction, so that the merchant's own systems only ever handle ciphertext.

In the implementation described, payments are made exclusively via PCI PTS approved POS terminals. All sensitive account data is encrypted directly in the terminal and only decrypted again in a dedicated, secured decryption environment. The terminal infrastructure is provided by the P2PE solution provider, which also operates the PCI DSS validated decryption environment. In this scenario, the merchant itself has no access to the cleartext account data and holds no decryption keys. If the merchant adopts the solution of a validated P2PE solution provider, the merchant remains fundamentally subject to PCI DSS, but the scope of its assessment is greatly reduced, because its POS and business infrastructure carries only encrypted account data that the merchant cannot decrypt.

In addition to the validation of a complete P2PE Solution, the PCI P2PE standard also allows independent validation of payment applications on the POS terminal according to Domain 2 of the PCI P2PE, as well as modular validation of individual domains, the so-called P2PE Components. P2PE v3 defines, among others, the following P2PE Components, each of which can be validated separately and officially listed by the PCI Security Standards Council (PCI SSC):

  • Encryption-management services (validated according to Domains 1 and 5)
  • Decryption-management services (validated according to Domains 4 and 5)
  • Key-Injection Facility services (validated according to Domain 5)
  • Certification Authority/Registration Authority services (validated according to Domain 5)

SRC services

SRC provides consulting and expertise in the implementation of the P2PE standard as well as in the design, implementation and assessment of P2PE Applications, P2PE Solutions and P2PE Components.
SRC's P2PE offering covers the complete P2PE lifecycle, including the following services:

  • P2PE introductory workshop: presentation of the basic ideas, introduction to the requirements of the P2PE standard and the P2PE program, distinctions from PCI DSS, etc.
  • P2PE scoping workshop: analysis of all terminal applications to determine whether they require P2PE Domain 2 validation, delineation of the third-party service providers involved, documentation of the relevant P2PE requirements, etc.
  • Development of a certification strategy for P2PE Solution Providers: Which markets should the P2PE Solution serve? Which services should be offered to third parties? Which parts (P2PE Applications and/or P2PE Components) need to be listed separately with the PCI SSC for this purpose?
  • Gap analysis workshops: preliminary review of individual parts of a P2PE Solution or P2PE Component to identify deviations from the P2PE standard. The procedure for the gap analysis is identical to that of a formal assessment. As a result, the customer receives a detailed list of the identified deviations from the PCI P2PE standard.
  • Validation of P2PE Applications, P2PE Solutions and P2PE Components.
  • Review of and support for changes to a validated P2PE Application, P2PE Solution or P2PE Component. Depending on the type of change, these must be re-assessed by the P2PE Assessor and officially reported to the PCI SSC.
  • Support with the annual Interim Assessments, the results of which must also be reported to the PCI SSC.

SRC is approved by the PCI SSC as a P2PE Assessor Company and has qualified staff with experience in both the Payment Card Industry (PCI) standards environment and the POS terminal environment. These staff members are approved to perform both Solution Assessments (as P2PE Assessors) and Application Assessments (as P2PE Application Assessors).

Furthermore, SRC is one of only a few companies worldwide that hold PCI SSC approval for evaluations according to both PCI PTS and PCI P2PE. Since POS terminals play a central role in any P2PE solution, SRC can provide comprehensive support and advice, from the PCI PTS approval of the POS terminal itself, through its deployment in a P2PE solution, to the ongoing management of the terminal estate.
