Partner for P2PE Compliance
What is P2PE?
Point-to-Point Encryption (P2PE) is an encryption/decryption framework devised by the PCI Security Standards Council (PCI SSC) in 2012. For a number of years the term was used interchangeably with End-to-End Encryption (E2EE), and it describes a set of technologies and procedures intended to protect card data both at rest and in transit. Although no formal P2PE standard existed until Q3 2012, many organisations had already built their own solutions using P2PE-type technology. The underlying intent of these solutions was to improve security and reduce the PCI DSS burden on organisations that handle card data.
Payment card security is not black and white, and the same goes for P2PE solution selection. As of January 2013 no solution has yet been validated against the P2PE standard, although a number are likely to undergo P2PE assessment during 2013. P2PE ‘like’ solutions are available today; although these are not formally recognised by the PCI SSC, they do go some way towards mitigating the risk present in traditional retail environments.
The full PCI DSS contains 280+ security controls, whereas the P2PE guidance for merchants consists of fewer than 20. A solution that has not been validated against the P2PE standard cannot take a merchant’s PCI DSS requirements all the way from 280 down to 20 (and even a validated solution only does so where the merchant deploys it as the solution provider specifies and has no other channel for cardholder data); there is, however, almost certainly a middle ground. Nettitude is well placed to work with merchants to understand what that middle ground is. Nettitude uses a pragmatic, risk-based approach to review the merchant’s environment and identify where current P2PE solutions may assist. In addition, Nettitude has a detailed perspective on the P2PE landscape and can offer best-of-breed consulting to help merchants choose their payment application solution.
Many payment providers recognise that Point-to-Point Encryption (P2PE) could give them a new approach to payment processing. For their applications to fit the P2PE standard, they need to be designed from the ground up. Cryptography and key management techniques must be rigorously defined and implemented in a manner that provides strong security together with scalability and fault tolerance. Similarly, many of the logistical requirements of P2PE, such as controlling the distribution and chain of custody of POI devices, require payment providers to define new policies and procedures for dealing with their supply chain. The combination of detailed technical requirements and comprehensive logistical requirements means that enabling an application for P2PE requires considerable investment in time and effort.
As one of only a handful of companies accredited as a QSA, PA-QSA and P2PE QSA, Nettitude is well placed to help payment service providers define, architect and audit their P2PE processing solutions. Nettitude works closely with the PCI SSC and has active engagements under way across many sectors and geographies.