The Point-to-Point Encryption (P2PE) standard defines a PCI DSS-compliant implementation for merchant environments in which card present transactions are carried out with credit cards.
In the described implementation, payments are made exclusively via PCI PTS certified POS terminals. All critical transaction data is encrypted directly in the terminal and only decrypted again in a special backend system. The terminal infrastructure is provided by the so-called P2PE solution provider, which also operates the PCI DSS validated backend system. In this scenario, the merchant does not have access to the critical transaction data. If the merchant joins the solution of a validated P2PE solution provider, it is still basically subject to PCI DSS, but it no longer has to be implemented for its POS and business infrastructure.
In addition to a complete solution provider certification, the PCI P2PE also allows an independent certification of payment applications on the POS terminal according to domain 2 of the PCI P2PE as well as a modular certification for individual domains, the so-called P2PE components. P2PE v3 defines among others the following P2PE components, for each of which a separate validation can be performed, and an official listing by the PCI Security Standards Council (PCI SSC):
• Encryption-management services (validated according to Domains 1 and 5)
• Decryption-management services (validated according to Domains 4 and 5).
• Key-Injection Facility services (validated according to Domain 5).
• Certification Authority/Registration Authority services (validated according to Domain 5).
Services of SRC
SRC offers consulting and know-how regarding the implementation of the P2PE standard as well as the design, implementation and evaluation of P2PE applications, P2PE solutions and P2PE components.
SRC’s P2PE services cover the complete P2PE life cycle, including the following services:
• Introductory workshop P2PE: Introduction of the basic ideas, introduction to the requirements of the P2PE standard as well as the P2PE program, differences to PCI DSS etc.
• P2PE Scoping Workshop: Analysis of all terminal applications for the necessity of a P2PE domain 2 validation, differentiation from the third-party service providers used, documentation of the relevant P2PE requirements, etc.
• Development of a certification strategy for P2PE solution providers: Which markets should the P2PE solution serve? Which services should be offered to third parties? Which parts (P2PE applications and/or P2PE components) must be listed separately at the PCI SSC?
• Gap Analysis Workshops: Pre-testing individual parts of a P2PE Solution or P2PE Component to determine deviations from P2PE. The procedure for creating the gap analysis is identical to the procedure of a real audit. As a result, the customer receives a detailed list of identified deviations from the PCI P2PE standard.
• Validation of P2PE applications, P2PE solutions and P2PE components.
• Testing and support in the event of changes to a validated P2PE application, P2PE Solution and P2PE Component. Depending on the type of change, these must be retested by the P2PE Assessor and officially communicated to the PCI SSC.
• Support with the annual interim assessments, the results of which must also be reported to the PCI SSC.
SRC is approved by the PCI SSC as a P2PE Assessor Company and has a team of qualified employees with experience in both the payment card industry (PCI) standards and the POS terminal environment. These employees are authorized to conduct solution assessments (P2PE Assessor) and application assessments (P2PE Application Assessor).
Furthermore, SRC is one of the few companies worldwide to have PCI SSC approval for evaluations according to PCI PTS and PCI P2PE. As POS terminals play a central role in every P2PE solution, SRC can provide comprehensive support and advice from the approval of POS terminals to the use of the terminal in P2PE solutions and the management of the terminals.