P2PE PCI Compliance Services

Nettitude is one of only a handful of P2PE Qualified Security Assessor (P2PE QSA) companies in the world.

Our Qualified Security Assessors help payment providers build solutions that meet the P2PE Hardware/Hybrid requirements. Nettitude can also assist merchants who are reviewing the P2PE landscape, to ensure that their procurement decisions align with the PCI SSC's P2PE guidance.

Partner for P2PE Compliance

What is P2PE?

Point-to-Point Encryption (P2PE) is an encryption/decryption framework devised by the PCI Security Standards Council (PCI SSC) in 2012. For a number of years the term was used interchangeably with End-to-End Encryption (E2EE) to describe the set of technologies and procedures needed to protect card data from the point of interaction through to the decryption environment, both in transit and at rest. Although no formal P2PE standard existed until Q3 2012, many organisations had already built their own solutions using P2PE-type technology. The intent behind those solutions was the same as the standard's: to improve security and to reduce the PCI DSS burden on organisations that handle card data.

How can Nettitude help me with PCI for P2PE?

Many organisations involved in payment processing had hoped that P2PE would be a silver bullet for merchant environments. At the beginning of 2013, the reality is some way from that perceived panacea. Although a number of solutions are advertised as "P2PE compliant", as of 1 January 2013 no solution has been formally validated and listed by the PCI SSC.

P2PE standard

The P2PE standard has highly rigorous requirements that mandate specific functionality within PTS-approved devices. Encryption and decryption must be performed in hardware, and all account data (including cardholder name, PAN, expiry date and sensitive authentication data (SAD)) must be encrypted; encrypting only the PAN and SAD is not sufficient. The key-management requirements are equally rigorous, and the logistics of supplying PIN Entry Devices (PEDs), including the chain of custody for devices from key loading through to deployment at the merchant, require many payment providers to review their whole supply chain. As a consequence, P2PE solutions that comprehensively descope merchants' PCI DSS requirements are not yet available for general sale or subscription.

P2PE Compliance Services for Merchants

Payment card security is not black and white, and neither is P2PE solution selection. Although no validated P2PE solutions are available in January 2013, a number of solutions are likely to be assessed during 2013. There are also "P2PE-like" solutions available today. Although these are not formally recognised by the PCI SSC, and so do not on their own reduce a merchant's PCI DSS scope, they do go some way towards mitigating the risks present in traditional retail environments.

The full PCI DSS has 280+ security controls, whereas the P2PE requirements applicable to a merchant number fewer than 20. A solution that has not been validated against P2PE cannot take a merchant's PCI DSS obligations from 280 controls down to 20, but there is almost always some middle ground, and what that middle ground is also depends on what the merchant's acquirer will accept. Nettitude is well placed to work with merchants to establish it, using a pragmatic, risk-based review of the merchant's environment to identify where current P2PE solutions can help. Nettitude also has a detailed view of the P2PE landscape and can offer best-of-breed consulting to help merchants choose their payment solution.

P2PE Compliance for Service Providers

Many payment providers recognise that Point-to-Point Encryption (P2PE) could give them a new approach to payment processing. For their applications to meet the P2PE standard, they need to be designed for it from the ground up. Cryptography and key-management techniques must be rigorously defined and implemented in a way that delivers strong security as well as scalability and fault tolerance. Similarly, many of the logistical requirements of P2PE oblige payment providers to define new policies and procedures for managing their supply chain. The combination of detailed technical requirements and comprehensive logistical requirements means that enabling an application for P2PE requires considerable investment of time and effort.

As one of only a handful of companies holding all three of QSA, PA-QSA and P2PE QSA status, Nettitude is ideally placed to help payment service providers define, architect and audit their P2PE processing solutions. Nettitude works closely with the PCI SSC and has active engagements underway across many sectors and geographies.

How can Nettitude help?

Nettitude has been working with payment providers, solution providers, acquirers and merchants as part of a multi-requirement approach to P2PE. Wherever you are on the P2PE journey, Nettitude's consultants can offer pragmatic, tailored guidance.
If you are starting the journey, Nettitude can advise on how to architect a solution, how to procure one, and how to deploy and manage a P2PE solution.
If you are midway through deployment, Nettitude can provide strategic guidance to payment providers and retailers alike to ensure that the solution meets both P2PE and PCI DSS requirements.
If you have completed a P2PE rollout, Nettitude can work with you and your acquiring bank to ensure that it is assessed accordingly and that your compliance is reported correctly to the acquirer, the card brands and the PCI SSC.

Intelligent Cyber Security and Risk Management   0345 5200 085    solutions@nettitude.co.uk