The Point-to-Point Encryption (P2PE) standard defines a PCI DSS-compliant imple­men­tation for merchant environ­ments in which card present trans­ac­tions are carried out with credit cards.
In the described imple­men­tation, payments are made exclu­sively via PCI PTS certified POS terminals. All critical trans­action data is encrypted directly in the terminal and only decrypted again in a special backend system. The terminal infra­structure is provided by the so-called P2PE solution provider, which also operates the PCI DSS validated backend system. In this scenario, the merchant does not have access to the critical trans­action data. If the merchant joins the solution of a validated P2PE solution provider, it is still basically subject to PCI DSS, but it no longer has to be imple­mented for its POS and business infrastructure.
In addition to a complete solution provider certi­fi­cation, the PCI P2PE also allows an independent certi­fi­cation of payment appli­ca­tions on the POS terminal according to domain 2 of the PCI P2PE as well as a modular certi­fi­cation for individual domains, the so-called P2PE compo­nents. P2PE v2 defines the following P2PE compo­nents, for each of which a separate validation can be performed, and an official listing by the PCI Security Standards Council (PCI SSC):

• Encryption-management services (validated according to Domains 1 and 6 and Domain 6 Annex A, if relevant)
• Decryption-management services (validated according to Domains 5 and 6 and Domain 6 Annex A, if relevant).
• Key-Injection Facility services (validated according to Domain 6 Annex B and Domain 6 Annex A, if relevant).
• Certi­fi­cation Authority/Registration Authority services (validated according to Domain 6 Annex A, Part A2, and Part A1, if relevant).

Services of SRC

SRC offers consulting and know-how regarding the imple­men­tation of the P2PE standard as well as the design, imple­men­tation and evalu­ation of P2PE appli­ca­tions, P2PE solutions and P2PE components.
SRC’s P2PE services cover the complete P2PE life cycle, including the following services:

• Intro­ductory workshop P2PE: Intro­duction of the basic ideas, intro­duction to the require­ments of the P2PE standard as well as the P2PE program, differ­ences to PCI DSS etc.
• P2PE Scoping Workshop: Analysis of all terminal appli­ca­tions for the necessity of a P2PE domain 2 validation, differ­en­ti­ation from the third-party service providers used, documen­tation of the relevant P2PE require­ments, etc.
• Devel­opment of a certi­fi­cation strategy for P2PE solution providers: Which markets should the P2PE solution serve? Which services should be offered to third parties? Which parts (P2PE appli­ca­tions and/or P2PE compo­nents) must be listed separately at the PCI SSC?
• Gap Analysis Workshops: Pre-testing individual parts of a P2PE Solution or P2PE Component to determine devia­tions from P2PE. The procedure for creating the gap analysis is identical to the procedure of a real audit. As a result, the customer receives a detailed list of identified devia­tions from the PCI P2PE standard.
• Validation of P2PE appli­ca­tions, P2PE solutions and P2PE components.
• Testing and support in the event of changes to a validated P2PE appli­cation, P2PE Solution and P2PE Component. Depending on the type of change, these must be retested by the QSA (P2PE) and officially commu­ni­cated to the PCI SSC.
• Support with the annual interim assess­ments, the results of which must also be reported to the PCI SSC.

SRC is approved by the PCI SSC as Qualified Security Assessor Point to Point Encryption (QSA(P2PE)) and has a team of qualified employees with experience in both the payment card industry (PCI) standards and the POS terminal environment. These employees are autho­rized to conduct solution assess­ments (QSA(P2PE)) and appli­cation assess­ments (PA-QSA(P2PE)).
Furthermore, SRC is one of the few companies worldwide to have PCI SSC approval for evalu­a­tions according to PCI PTS and PCI P2PE. As POS terminals play a central role in every P2PE solution, SRC can provide compre­hensive support and advice from the approval of POS terminals to the use of the terminal in P2PE solutions and the management of the terminals.