P2PE Services Approach & Methodology
The Payments Security Standards Council (PCI SSC) have released their solutions Requirements and Testing Procedures version 3.1 for Point-to-Point Encryption (P2PE). These services, provided by acquiring processors and payments gateways, utilize PCI POI validated terminals to provide encryption of cardholder data from the retail establishment through to the acquirer. The standard is also applicable to organizations that provide part of the P2PE value chain including Key Injection Facilities, Certificate Authorities and Software Developers that develop software for POI devices. By implementing one of these solutions, a merchant may reduce the scope of their PCI DSS assessments, and significantly reduces risk of compromise of cardholder data.
The first step of a P2PE solution assessment is to accurately determine the scope of the solution. At least annually and prior to each assessment, the solution provider should confirm the accuracy of their solution scope by identifying all devices, P2PE data flows and processes, key-management functions and account-data stores, and ensure they are included in the solution scope.
Phase 1: P2PE Solution Gap Analysis
ControlCase will conduct an initial design analysis of Client controls, documentation and procedures against all applicable domains of the P2PE requirements. ControlCase will do the scope assessment to look for Network Segmentation, Third Parties/Outsourcing, sampling of system components and finally the verification of P2PE domain for the P2PE Solution.
ControlCase prepares gap report which clearly details findings as well as acceptable approaches for remediation.
Gap assessment report in soft copy and within the ControlCase IT GRC Platform (One for each application)
Phase 2: P2PE Remediation Support
ControlCase support client in remediation, including technical architecture, generation of policies and procedures which are customized for the Client environment, as well as training as necessary in secure development, incident response procedures, POI device life cycle, key management and other areas of interest.
ControlCase personnel will be accessible at any time through a published number and will also be available to attend onsite meetings to support remediation efforts.
Phase 3: P2PE Solution Certification
ControlCase will conduct a final assessment against all domains and controls of P2PE. ControlCase will review Network segmentation, Third Parties/Outsourcing, Sampling of System Components, review multiple acquirers (if applicable), review P2PE program guide and generate an appropriate P2PE Report on Validation (P-ROV) for submission to the PCI Security Standards Council for review. Once the solution passes the review of ROV by PCI SSC it will be listed on their website as a validated solution. ControlCase also advises the customer on solution changes, as well as annual revalidation requirements.
- P2PE Report on Validation (P-ROV)
- Appropriate documents to the various card brands and PCI Council
- Controls and evidence captured within the ControlCase IT GRC Platform