Updated Point-to-Point Encryption standard now provides more flexibility
The Payment Card Industry Security Standards Council (PCI SSC) published an important update to one of its eight security standards, simplifying the development and use of Point-to-Point Encryption (P2PE) solutions that make payment card data unreadable and less valuable to criminals if stolen in a breach.
The updated standard is documented in PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0. It provides more flexibility to solution providers and to companies that provide P2PE components, which are services that fulfill specific P2PE requirements and can be integrated into P2PE solutions.
In addition to validated P2PE solutions and applications, the PCI Council will now list validated P2PE components, making it easier for a solution provider to create a solution for their merchant customers. Also new with version 2.0, merchants acting as solution providers can implement and manage their own P2PE solutions for their own point-of-sale (POS) locations.
“Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers’ payment information. As these attacks become more sophisticated, it’s critical to find ways to devalue payment card data,” said PCI Security Standards Council Chief Technology Officer Troy Leach. “PCI Point-to-Point Encryption solutions help merchants do this by encrypting cardholder data at the earliest point of acceptance, making that data less valuable to attackers even if compromised in a breach.”
Use of a PCI-approved P2PE solution can also allow merchants to reduce where and how the PCI Data Security Standard (PCI DSS) applies within their retail environment, increasing security of customer data while simplifying compliance with the PCI DSS.
In response to market feedback from early adopters, P2PE v2 gives merchants even more options for reducing risk and protecting customer data using encryption. They can manage their own P2PE solutions for their point-of-sale locations, securely separating duties, systems, and functions between merchant encryption environments (in their retail locations) and decryption environments; or they can work with a solution provider that will manage a PCI P2PE solution to meet their business needs.