• Skip to primary navigation
  • Skip to main content
  • Skip to footer
ControlCase No Tag LOGO md

ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

  • Company
    • About Us
    • Careers
    • Locations
    • Team
  • Industries
    • Business Process Outsourcing
    • Cloud Service Providers
    • Retail
    • Telecom | Entertainment
    • Managed Service Providers
  • Certifications
    • PCI DSS Certification
    • CSA STAR Certification
    • GDPR Assessment
    • HIPAA Assessment
    • HITRUST Certification
    • ISO 27001 Certification
    • FedRAMP 3PAO Services and NIST 800-53
    • CMMC Certification
    • MARS-E Assessment
    • PCI SSF
    • P2PE Certification
    • SOC2 Report
  • Solutions
    • Continuous Compliance Solution
    • One Audit
    • Card Data Discovery Software
    • Data Security Rating
  • Testing
    • Application Reviews
    • Application Security Training
    • Code Reviews
    • Card Data Discovery
    • External Vulnerability Scans
    • Firewall Security Reviews
    • Internal Vulnerability Scans
    • Log Monitoring
    • Penetration Testing
  • Resources
    • Events
    • News
    • Webinars
    • Courses
    • Blog
    • Tools
    • Become a Partner
  • Contact Us
  • English

P2PE Certification

Request DatasheetRequest QuoteRequest Demo
You are here: Home / Certifications / P2PE Certification

P2PE Services Approach & Methodology

The Payments Security Standards Council (PCI SSC) have released their solutions Requirements and Testing Procedures version 3.1 for Point-to-Point Encryption (P2PE). These services, provided by acquiring processors and payments gateways, utilize PCI POI validated terminals to provide encryption of cardholder data from the retail establishment through to the acquirer. The standard is also applicable to organizations that provide part of the P2PE value chain including Key Injection Facilities, Certificate Authorities and Software Developers that develop software for POI devices. By implementing one of these solutions, a merchant may reduce the scope of their PCI DSS assessments, and significantly reduces risk of compromise of cardholder data.

The first step of a P2PE solution assessment is to accurately determine the scope of the solution. At least annually and prior to each assessment, the solution provider should confirm the accuracy of their solution scope by identifying all devices, P2PE data flows and processes, key-management functions and account-data stores, and ensure they are included in the solution scope.

Phase 1: P2PE Solution Gap Analysis

ControlCase will conduct an initial design analysis of Client controls, documentation and procedures against all applicable domains of the P2PE requirements. ControlCase will do the scope assessment to look for Network Segmentation, Third Parties/Outsourcing, sampling of system components and finally the verification of P2PE domain for the P2PE Solution.

ControlCase prepares gap report which clearly details findings as well as acceptable approaches for remediation.

Deliverables

Gap assessment report in soft copy and within the ControlCase IT GRC Platform (One for each application)

Phase 2: P2PE Remediation Support

ControlCase support client in remediation, including technical architecture, generation of policies and procedures which are customized for the Client environment, as well as training as necessary in secure development, incident response procedures, POI device life cycle, key management and other areas of interest.

ControlCase personnel will be accessible at any time through a published number and will also be available to attend onsite meetings to support remediation efforts.

remediation-1024x455

Phase 3: P2PE Solution Certification

ControlCase will conduct a final assessment against all domains and controls of P2PE. ControlCase will review Network segmentation, Third Parties/Outsourcing, Sampling of System Components, review multiple acquirers (if applicable), review P2PE program guide and generate an appropriate P2PE Report on Validation (P-ROV) for submission to the PCI Security Standards Council for review. Once the solution passes the review of ROV by PCI SSC it will be listed on their website as a validated solution. ControlCase also advises the customer on solution changes, as well as annual revalidation requirements.

Deliverables

  • P2PE Report on Validation (P-ROV)
  • Appropriate documents to the various card brands and PCI Council
  • Controls and evidence captured within the ControlCase IT GRC Platform
  • Facebook
  • LinkedIn
  • Twitter
  • YouTube

Footer

Connect

Corporate Headquarters
3975 FAIR RIDGE DR STE T25S-D
FAIRFAX, VA 22033

Send us a message

Call Us

Search

About Us

ControlCase is a United States based company, headquartered in Fairfax, Virginia with locations in North America, Europe, Latin America, Asia/Pacific, Australia and the Middle East to serve our clients globally.

Quick Links

  • Company
  • Careers
  • Locations
  • Covid-19 Notice

Certifications, Assessments and Reports

  • PCI DSS Certification
  • CSA STAR Certification
  • GDPR Assessment
  • HIPAA Assessment
  • HITRUST Certification
  • ISO 27001 Certification
  • FedRAMP and 3PAO Services
  • MARS-E Assessment
  • PCI SSF
  • P2PE Certification
  • SOC2 Report

© ControlCase LLC 2025 | Privacy Policy | Impartiality Statement | Legal Notices

  • English
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
View preferences
{title} {title} {title}
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
View preferences
{title} {title} {title}