P2PE AND OTHER PCI DSS CHANGES

    OCTOBER 19, 2012
Agenda
    •   PCI standards and the typical card-data flow
    •   Data breaches, threats and existing mitigation efforts
    •   P2PE overview and concept
    •   Benefits
    •   Preparing for P2PE
    •   ControlCase P2PE offerings
PCI Family of Standards

    Protection of Cardholder Payment Data (PCI Security & Compliance)

    •   Manufacturers: PCI PTS (PIN Entry Devices)
    •   Software Developers: PCI PA-DSS (Payment Application Vendors)
    •   Merchants & Processors: PCI DSS (Data Security Standard)
Typical Payment Method

    Diagram: card data travels from the POI through the merchant's systems to
    the Acquirer / PG. Each link between hops is "Encrypted at Communication
    Layer", i.e. only in transit between systems.
Typical Payment Method (cont.)

    Diagram: the same path, showing the cardholder data (CHD) as it sits in each
    intermediate system. At every such point it "may or may not be encrypted":
    transport encryption protects the links, not the systems, so clear-text CHD
    can exist anywhere in the merchant's environment and every system that
    handles it is in PCI DSS scope.
Data Breaches

    Chart: Industry groups represented by percent of breaches
    Chart: Top 10 threat action types by number of breaches and records
    Chart: Where should mitigation efforts be focused?

    Source for all three charts: 2012 Data Breach Investigations Report, Verizon
Addition of a Member to the PCI Family

    •   Manufacturers: PCI PTS (PIN Entry Devices)
    •   Software Developers: PCI PA-DSS (Payment Application Vendors)
    •   Acquirers, Payment Gateways, Software Developers, KIFs (key-injection
        facilities): PCI P2PE
    •   Merchants & Processors: PCI DSS (Data Security Standard)
What is PCI P2PE?
        P2PE validation applies either to a complete solution or to an
        application used within one.

        P2PE Solution
         A point-to-point encryption solution consists of point-to-point encryption and
         decryption environments, the configuration and design thereof, and the P2PE
         Components that are incorporated into, a part of, or interact with such environments.

        P2PE Application
         A software application that is included in a P2PE Solution and assessed per P2PE
         Domain 2 Requirements, and is intended for use on a PCI-approved point-of-
         interaction (POI) device or otherwise by a merchant.

        P2PE Components
         Any application or device that stores, processes, or transmits account data as part
         of payment authorization or settlement, or that performs cryptographic key-
         management functions, and is incorporated into or a part of any P2PE Solution.
P2PE Concept

    Diagram: the same POI -> merchant systems -> Acquirer / PG path, but now the
    account data is "Encrypted at POI" on every link and in every intermediate
    system.

    •   POI: encrypts the data immediately after reading it.
    •   HSM: the data is decrypted by an HSM at the P2PE Solution Provider and
        only then passed on to the Acquirer / PG.

P2PE Concept (cont.)

    •   POI devices: PTS devices with SRED (secure reading and exchange of data)
        listed as a "function provided".
    •   HSM: FIPS 140-2 Level 3 (or higher) certified, or PCI-approved.
Benefits
     Stakeholders in the payments value chain benefit from these requirements in a
     variety of ways, including but not limited to the following:

     •   Customers may choose to implement validated P2PE Solutions in order to
         reduce the scope of their PCI DSS assessments.
     •   Listed P2PE Solutions have been validated as compliant with the P2PE
         Standard by P2PE Assessors.
     •   Recognized by all Participating Payment Brands.
Characteristics for Merchants Eligible for Reduced
     Scope for PCI DSS via P2PE Solutions

     The merchant:
     •   Uses a validated P2PE solution.
     •   Never stores, processes, or transmits clear-text account data within
         its P2PE environment outside of a PCI-approved POI device.
     •   Has physical environment controls for POI terminals, third-party
         agreements, and relevant merchant policies and procedures in place.
     •   Has followed the P2PE Instruction Manual (PIM), provided to the
         merchant by the P2PE Solution Provider.
     •   Has adequately segmented (isolated) the P2PE environment from any
         non-P2PE payment channels, or confirmed that no other channels
         exist.
     •   Has removed or isolated any legacy cardholder data, or systems that
         stored, processed, or transmitted cardholder data, from the P2PE
         environment.
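The concept slides and the reduced-scope characteristics above describe what a validated P2PE flow changes: clear-text PAN exists only inside the SRED-capable POI and in the solution provider's HSM, and the merchant systems in between carry ciphertext only. The Python below is an added illustration, not code from the presentation or from ControlCase, and nothing in it is a real P2PE implementation: the stream cipher is an HMAC-SHA256 keystream standing in for the hardware encryption a PTS device performs under Domain 6 key management, the key, nonce and message layout are constructed, and the PAN is the industry test number 4111111111111111. It models the legacy flow of the "Typical Payment Method" slides next to the P2PE flow, then runs the kind of Luhn-based card-data discovery scan a merchant uses to show that no clear-text account data exists outside the POI.

```python
"""Added illustration (not code from the slides or from ControlCase).

Models the legacy card-data flow next to a P2PE flow and runs a Luhn-based
card-data discovery scan over what the merchant's systems carried.  Key,
nonce, PAN and message layout are constructed demo values; the cipher is a
stand-in, not what a PTS POI device uses.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed test PAN (industry test number, not a real card).
TEST_PAN = "4111111111111111"
# Constructed stand-in for a POI data-encryption key. In a real solution this
# key lives only in the POI's secure cryptographic device and the provider's HSM.
POI_KEY = hashlib.sha256(b"demo-poi-key-not-real").digest()
NONCE_LEN = 12


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: the filter card-data discovery tools apply to
    digit runs so that arbitrary numbers are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


_PAN_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: bytes) -> list[str]:
    """Candidate PANs in a blob: 13-19 digit runs that pass Luhn."""
    return [m.group().decode() for m in _PAN_RUN.finditer(blob)
            if luhn_ok(m.group().decode())]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode. It only serves to make
    the merchant path opaque; real POI devices use hardware TDES/AES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def poi_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


@dataclass
class MerchantSystems:
    """Everything between the POI and the acquirer: POS application, store
    network, back office. It records each message it forwarded, which is what
    a discovery scan of the merchant environment would inspect."""
    observed: list[bytes] = field(default_factory=list)

    def forward(self, message: bytes) -> bytes:
        self.observed.append(message)
        return message


def legacy_flow(pan: str, merchant: MerchantSystems) -> str:
    """Legacy flow: the terminal hands the PAN to merchant systems in the clear.
    Per-hop transport encryption does not change what each hop itself sees."""
    auth_request = f"AUTH PAN={pan} AMT=12.34".encode()
    return merchant.forward(auth_request).decode()


def p2pe_flow(pan: str, merchant: MerchantSystems,
              nonce: bytes = b"demo-nonce12") -> str:
    """P2PE flow: the PAN is encrypted inside the POI immediately after
    reading, crosses the merchant systems as ciphertext, and is decrypted only
    in the solution provider's HSM. Returns what the HSM recovered."""
    assert len(nonce) == NONCE_LEN
    # Inside the SRED-capable POI: the only merchant-side place clear PAN exists.
    ciphertext = poi_crypt(POI_KEY, nonce, pan.encode())
    envelope = b"AUTH ENCPAN=" + base64.b64encode(nonce + ciphertext) + b" AMT=12.34"
    # Across the merchant's P2PE environment (outside the POI): ciphertext only.
    received = merchant.forward(envelope)
    # Decryption environment at the P2PE solution provider (HSM holds POI_KEY).
    raw = base64.b64decode(re.search(rb"ENCPAN=(\S+)", received).group(1))
    return poi_crypt(POI_KEY, raw[:NONCE_LEN], raw[NONCE_LEN:]).decode()


def scan_merchant(merchant: MerchantSystems) -> list[str]:
    """Card-data discovery over everything the merchant systems carried; an
    empty result is the evidence behind the reduced-scope characteristic
    'no clear-text account data outside a PCI-approved POI device'."""
    found: list[str] = []
    for blob in merchant.observed:
        found.extend(find_pans(blob))
    return found


if __name__ == "__main__":
    legacy = MerchantSystems()
    legacy_flow(TEST_PAN, legacy)
    print("legacy flow, PANs found in merchant systems:", scan_merchant(legacy))
    p2pe = MerchantSystems()
    recovered = p2pe_flow(TEST_PAN, p2pe)
    print("P2PE flow, PANs found in merchant systems:", scan_merchant(p2pe))
    print("P2PE flow, PAN recovered by the HSM:", recovered)
```

The scan is the point: in the legacy flow it finds the PAN in the merchant's own message log, in the P2PE flow it finds nothing, yet the HSM still recovers the PAN. That is exactly the difference an assessor looks for when deciding whether the merchant's systems between the POI and the provider stay in PCI DSS scope; a discovery scan that turns up residual PANs (legacy data, a non-P2PE channel) means the last two characteristics above are not met.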
P2PE – Key Points
     •   It is OPTIONAL.
     •   The standard defines several P2PE scenarios; the current phase covers the
         hardware/hardware scenario (hardware encryption in the POI, hardware
         decryption in an HSM).
     •   Requires the use of SCDs (secure cryptographic devices) for encryption and
         decryption of account data and for management of cryptographic keys.
     •   POI devices must be PCI SSC-approved PTS devices with SRED (secure
         reading and exchange of data) listed as a "function provided."
     •   HSMs must be either FIPS 140-2 Level 3 (or higher) certified or PCI-approved
         (listed on the PCI SSC website, with a valid SSC listing number, as Approved
         PCI PTS Devices under the approval class "HSM").
     •   Applications with access to clear-text account data must undergo validation per
         all P2PE Domain 2 Requirements.
Relationship between P2PE and other PCI
     standards (PCI DSS, PA-DSS, PTS, and PIN)

     •   POI devices must meet PIN Transaction Security (PTS)
         requirements validation.
     •   Cryptographic-key operations for both encryption and
         decryption environments use key-management practices
         derived from the PTS PIN Security Standard.
     •   Applications on POI devices meet requirements derived
         from the Payment Application Data Security Standard
         (PA-DSS).
     •   The decryption environment is PCI DSS compliant.
     •   The P2PE standard does not supersede or replace any
         requirements in the PCI PIN Security Requirements.
PA-DSS Applicability to P2PE
     •   Applications used within P2PE Solutions may
         or may not be eligible for PA-DSS validation.
     •   Both are distinct PCI SSC standards with
         different requirements.
     •   Validation against one of these standards does
         not guarantee or provide automatic validation
         against the other standard.
P2PE Domains

     Domain 1: Encryption Device Management
         Use approved devices and protect devices from tampering.
     Domain 2: Application Security
         Secure applications in the P2PE environment.
     Domain 3: Encryption Environment
         Secure environments where POI devices are present.
     Domain 4: Transmission between Encryption and Decryption Environments
         Secure operations between encryption and decryption environments.
     Domain 5: Decryption Environment and Device Management
         Secure decryption environments and decryption devices.
     Domain 6: P2PE Cryptographic Key Operations
         Use strong cryptographic keys and secure key-management functions.
Domain 1
     (Domain tables that follow apply to environments with encryption, decryption,
     and key management within secure cryptographic devices.)

     Domain 1: Encryption Device Management
         Use secure encryption devices and protect devices from tampering.

     Characteristics
     •   POI is a PCI-approved POI device.
     •   POI device managed by solution provider.
     •   Hardware encryption performed by device.

     P2PE validation requirements
     1A  Build PCI-approved POI devices.
     1B  Securely manage equipment used to encrypt account data.

     P2PE validation responsibility: P2PE Solution Provider
Domain 2

     Domain 2: Application Security
         Secure applications in the P2PE environment.

     Characteristics
     •   Application on a PCI-approved POI device.
     •   All applications are assessed as part of the validated P2PE solution.

     P2PE validation requirements
     2A  Protect PAN and SAD.
     2B  Develop and maintain secure applications.
     2C  Implement secure application management processes.

     P2PE validation responsibility: Application Vendor; P2PE Solution Provider
Domain 3

     Domain 3: Encryption Environment
         Secure environments where POI devices are present.

     Characteristics
     •   No storage of CHD after transaction processes are complete.
     •   Within the segmented P2PE environment, no CHD stored, processed, or
         transmitted through channels or methods external from an approved SCD.
     •   All device-administration and cryptographic operations are managed by
         solution provider.
     •   The P2PE Instruction Manual (PIM) for merchants, with instructions on
         how to implement and

     P2PE validation requirements
     3A  Secure POI devices throughout the device lifecycle.
     3B  Implement secure device management processes.
     3C  Maintain P2PE Instruction Manual for merchants.

     P2PE validation responsibility: P2PE Solution Provider
Domain 4

     Domain 4: Segmentation between Encryption and Decryption Environments
         Segregate duties and functions between encryption and decryption
         environments.

     Characteristics
     •   All decryption operations managed by solution provider.
     •   Merchant has no access to the encryption environment (within POI
         device) or decryption environment.
     •   Merchant has no involvement in encryption or decryption operations.

     P2PE validation requirements
     Domain 4 has no applicable requirements for this hardware/hardware scenario.
Domain 5

     Domain 5: Decryption Environment and Device Management
         Secure decryption environments and decryption devices.

     Characteristics
     •   Decryption environment implemented at and managed by solution provider.
     •   Merchant has no access to the decryption environment.
     •   Decryption environment must be PCI DSS compliant.

     P2PE validation requirements
     5A  Use approved decryption devices.
     5B  Secure all decryption systems and devices.
     5C  Implement secure device management processes.
     5D  Maintain secure decryption environment.

     P2PE validation responsibility: P2PE Solution Provider
Domain 6

     Domain 6: P2PE Cryptographic Key Operations
         Use strong cryptographic keys and secure key-management functions.

     Characteristics
     •   All key-management functions implemented and managed by solution provider.
     •   Merchant has no involvement in key-management operations.

     P2PE validation requirements
     6A  Use secure encryption methodologies.
     6B  Use secure key generation methodologies.
     6C  Distribute cryptographic keys in a secure manner.
     6D  Load cryptographic keys in a secure manner.
     6E  Ensure secure usage of cryptographic keys.
     6F  Ensure secure administration of cryptographic keys.

     P2PE validation responsibility: P2PE Solution Provider
At a Glance – Illustration of a typical P2PE
     Implementation and Associated Requirements

     (Diagram not reproduced.)
Developing and Validating a P2PE Solution

     (Diagram not reproduced.)

     Note: Domain 4 is greyed out in the diagram as there are no applicable
     requirements in this Domain for the current phase of P2PE.
Overview of P2PE Solution Validation Processes

     1.  The P2PE Solution Provider selects a P2PE Assessor.
     2.  The P2PE Solution Provider then provides the P2PE Assessor with access
         to the P2PE Solution.
     3.  The P2PE Assessor determines the scope and assesses the key-injection
         facilities, Certification Authorities and other components, devices,
         and applications.
     4.  Preparation of the P-ROV (P2PE Report on Validation) and the
         Application P-ROV (if applicable), and submission to PCI SSC for review.
     5.  Review of the P-ROV and Application P-ROV (if applicable) by PCI SSC.
How to Prepare for P2PE Assessment

     Prepare the following:
     1. Approved POI devices and HSM, ready for assessment
     2. List of applications used
     3. Detailed cryptographic key matrix
     4. P2PE Instruction Manual
     5. Implementation Guides for applications assessed against Domain 2
     6. Key-management procedures
     7. Change-control documentation
Revalidation of P2PE
     •   Yearly interim assessment (health check)
     •   Full re-assessment after 2 years
ControlCase P2PE offerings
     •   Guidance on designing P2PE Solutions
     •   Review of P2PE Solution design
     •   Guidance on preparing the P2PE Instruction Manual
     •   Pre-assessment ("gap" analysis) services
     •   Guidance for bringing the P2PE Solution into compliance with the P2PE
         Standard if gaps or areas of non-compliance are noted during the
         assessment
     •   Certifying P2PE Solutions and Applications

 
Hpe secure data-payments-pci-dss-control-applicability-assessment
Hpe secure data-payments-pci-dss-control-applicability-assessmentHpe secure data-payments-pci-dss-control-applicability-assessment
Hpe secure data-payments-pci-dss-control-applicability-assessment
 
Pymnts BlueFin Webinar
Pymnts BlueFin WebinarPymnts BlueFin Webinar
Pymnts BlueFin Webinar
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related Updates
 
Mobile payments and PCI DSS
Mobile payments and PCI DSSMobile payments and PCI DSS
Mobile payments and PCI DSS
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
Webinar - PCI PIN, PCI cryptography & key management
Webinar - PCI PIN, PCI cryptography & key managementWebinar - PCI PIN, PCI cryptography & key management
Webinar - PCI PIN, PCI cryptography & key management
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
FreedomPay_Whitepaper_Solutions_For_Hospitality
FreedomPay_Whitepaper_Solutions_For_HospitalityFreedomPay_Whitepaper_Solutions_For_Hospitality
FreedomPay_Whitepaper_Solutions_For_Hospitality
 
Acertigo AG on SBS Talk 2011
Acertigo AG on SBS Talk 2011Acertigo AG on SBS Talk 2011
Acertigo AG on SBS Talk 2011
 
Data protection on premises, and in public and private clouds
Data protection on premises, and in public and private cloudsData protection on premises, and in public and private clouds
Data protection on premises, and in public and private clouds
 
Simplifying PCI on a PaaS Environment
Simplifying PCI on a PaaS EnvironmentSimplifying PCI on a PaaS Environment
Simplifying PCI on a PaaS Environment
 
CIP for PCI 4.0 Solution Guide for ArcSight Logger
CIP for PCI 4.0 Solution Guide for ArcSight LoggerCIP for PCI 4.0 Solution Guide for ArcSight Logger
CIP for PCI 4.0 Solution Guide for ArcSight Logger
 
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
 
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate...
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud Guidelines
 

Mais de ControlCase

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxControlCase
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdfControlCase
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfControlCase
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfControlCase
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+  Cyber Insurance Fina.pptxWebinar-MSP+  Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxControlCase
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdfControlCase
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfControlCase
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxControlCase
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST CertificationControlCase
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 

Mais de ControlCase (20)

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptx
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+  Cyber Insurance Fina.pptxWebinar-MSP+  Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptx
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST Certification
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 

P2PE - PCI DSS

  • 10. Addition of member in PCI Family (diagram): Manufacturers → PCI PTS (PIN Entry Devices); Software Developers → PCI PA-DSS (Payment Application Vendors); Merchants & Processors → PCI DSS (Data Security Standard); Acquirers, Payment Gateways, Software Developers, KIFs → PCI P2PE Standard
  • 11. What is PCI P2PE? It is either a Solution or an Application.
      - P2PE Solution: A point-to-point encryption solution consists of point-to-point encryption and decryption environments, the configuration and design thereof, and the P2PE Components that are incorporated into, a part of, or interact with such environment.
      - P2PE Application: A software application that is included in a P2PE Solution and assessed per P2PE Domain 2 Requirements, and is intended for use on a PCI-approved point-of-interaction (POI) device or otherwise by a merchant.
      - P2PE Components: Any application or device that stores, processes, or transmits account data as part of payment authorization or settlement, or that performs cryptographic key management functions, and is incorporated into or a part of any P2PE Solution.
  • 12. P2PE Concept (diagram): the POI encrypts data immediately after reading; the data remains "Encrypted at POI" across every hop and is decrypted only by the HSM at the P2PE Solution Provider, before being passed to the Acquirer / PG.
  • 13. P2PE Concept cont. (diagram): data remains "Encrypted at POI" across every hop up to the Acquirer / PG.
      - POI: PTS devices with SRED (secure reading and exchange of data) listed as a "function provided".
      - HSM: FIPS 140-2 Level 3 (or higher) certified, or PCI-approved.
  • 14. Benefits. Stakeholders in the payments value chain benefit from these requirements in a variety of ways, including but not limited to the following:
      - Customers may choose to implement Validated P2PE Solutions in order to reduce the scope of their PCI DSS assessments.
      - Listed P2PE Solutions have been validated as compliant with the P2PE Standard by P2PE Assessors.
      - Recognized by all Participating Payment Brands.
  • 15. Characteristics for Merchants Eligible for Reduced Scope for PCI DSS via P2PE Solutions
      - Use a validated P2PE solution.
      - Never store, process, or transmit clear-text account data within their P2PE environment outside of a PCI-approved POI device.
      - Physical environment controls for POI terminals, third-party agreements, and relevant merchant policies and procedures are in place.
      - Followed the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
      - Adequately segmented (isolated) the P2PE environment from any non-P2PE payment channels, or confirmed that no other channels exist.
      - Removed or isolated any legacy cardholder data, or systems that stored, processed, or transmitted cardholder data, from the P2PE environment.
  • 16. P2PE – Key Points
      - It is OPTIONAL.
      - P2PE scenarios (e.g. hardware-hardware).
      - Requires the use of SCDs for encryption and decryption of account data and management of cryptographic keys.
      - POI devices must be PCI SSC approved PTS devices with SRED (secure reading and exchange of data) listed as a "function provided."
      - HSMs must be either FIPS 140-2 Level 3 (or higher) certified or PCI-approved (listed on the PCI SSC website, with a valid SSC listing number, as Approved PCI PTS Devices under the approval class "HSM").
      - Applications with access to clear-text account data must undergo validation per all P2PE Domain 2 Requirements.
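The P2PE concept of slides 12-13 and the slide 15 condition that clear-text account data never leaves the POI, as an added Python simulation that is not part of the original deck or of ControlCase's material: a POI class that encrypts immediately after reading, a merchant class that only forwards and logs the opaque blob, a provider HSM class that alone holds the key, and a Luhn-filtered PAN scan of the merchant log of the kind an assessor would run. The HMAC-SHA256 counter-mode stream cipher and the three role classes are constructed stand-ins chosen so the script runs on the standard library; they are not what the P2PE standard or a real SRED device uses.

```python
"""Constructed simulation of the P2PE flow on the slides (not ControlCase or PCI SSC
code): the POI encrypts immediately after reading, the merchant forwards an opaque
blob, and only the solution provider's HSM holds the key. The HMAC-SHA256 counter-mode
stream cipher is a stdlib stand-in for the SRED device cipher, not what P2PE mandates."""
import hashlib, hmac, os, re

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in cipher, see module docstring)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class POIDevice:
    """Domains 1/2: the PTS/SRED device holds the key; the merchant never does."""
    def __init__(self, key: bytes):
        self._key = key

    def read_and_encrypt(self, track_data: str) -> dict:
        nonce = os.urandom(12)                       # fresh per transaction
        pt = track_data.encode()
        ct = _xor(pt, _keystream(self._key, nonce, len(pt)))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

class MerchantSystem:
    """Domain 3: forwards the blob and logs what it saw; the log is what an assessor
    scans to confirm the merchant never handles clear-text account data."""
    def __init__(self):
        self.log: list[str] = []

    def forward(self, blob: dict) -> dict:
        self.log.append(f"txn nonce={blob['nonce']} ct={blob['ct']}")
        return blob

class ProviderHSM:
    """Domains 5/6: the only place outside the POI where the key exists."""
    def __init__(self, key: bytes):
        self._key = key

    def authentic(self, blob: dict) -> bool:
        nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
        return hmac.compare_digest(tag, hmac.new(self._key, nonce + ct, hashlib.sha256).digest())

    def decrypt(self, blob: dict) -> str:
        if not self.authentic(blob):
            raise ValueError("integrity check failed: blob altered in transit")
        nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
        return _xor(ct, _keystream(self._key, nonce, len(ct))).decode()

PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_clear_text_pans(text: str) -> list[str]:
    """Luhn-filtered PAN scan; any hit in merchant logs breaks the slide 15 condition
    'never stores, processes, or transmits clear-text account data'."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def run_transaction(track_data: str, key: bytes) -> tuple[str, list[str]]:
    """POI -> merchant -> provider HSM; returns (recovered data, PANs the merchant saw)."""
    poi, merchant, hsm = POIDevice(key), MerchantSystem(), ProviderHSM(key)
    recovered = hsm.decrypt(merchant.forward(poi.read_and_encrypt(track_data)))
    return recovered, find_clear_text_pans("\n".join(merchant.log))
```

Calling run_transaction with constructed track data such as "4111111111111111=2512101" returns the data recovered at the HSM and an empty list for the merchant side, whereas the same scan over a log line from a non-P2PE terminal that records the PAN in clear returns that PAN.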
  • 17. Relationship between P2PE and other PCI standards (PCI DSS, PA-DSS, PTS, and PIN)
      - POI devices must meet PIN Transaction Security (PTS) requirements validation.
      - Cryptographic-key operations for both encryption and decryption environments use key-management practices derived from the PTS PIN Security Standard.
      - Applications on POI devices meet requirements derived from the Payment Application Data Security Standard (PA-DSS).
      - The decryption environment is PCI DSS compliant.
      - The P2PE standard does not supersede or replace any requirements in the PCI PIN Security Requirements.
  • 18. PA-DSS Applicability to P2PE
      - Applications used within P2PE Solutions may or may not be eligible for PA-DSS validation.
      - Both are distinct PCI SSC standards with different requirements.
      - Validation against one of these standards does not guarantee or provide automatic validation against the other standard.
  • 19. P2PE Domains
      - Domain 1, Encryption Device Management: Use approved devices and protect devices from tampering.
      - Domain 2, Application Security: Secure applications in the P2PE environment.
      - Domain 3, Encryption Environment: Secure environments where POI devices are present.
      - Domain 4, Transmission between Encryption and Decryption Environments: Secure operations between encryption and decryption environments.
      - Domain 5, Decryption Environment and Device Management: Secure decryption environments and decryption devices.
      - Domain 6, P2PE Cryptographic Key Operations: Use strong cryptographic keys and secure key-management functions.
  • 20. Domain 1 (Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices)
      - Domain 1: Encryption Device Management. Use secure encryption devices and protect devices from tampering.
      - Characteristics: POI is a PCI-approved POI device; POI device managed by solution provider; hardware encryption performed by device.
      - P2PE validation requirements: 1A Build PCI-approved POI devices. 1B Securely manage equipment used to encrypt account data.
      - P2PE validation responsibility: P2PE Solution Provider.
  • 21. Domain 2 (Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices)
      - Domain 2: Application Security. Secure applications in the P2PE environment.
      - Characteristics: Application on a PCI-approved POI device; all applications are assessed as part of the validated P2PE solution.
      - P2PE validation requirements: 2A Protect PAN and SAD. 2B Develop and maintain secure applications. 2C Implement secure application management processes.
      - P2PE validation responsibility: Application Vendor; P2PE Solution Provider.
  • 22. Domain 3 (Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices)
      - Domain 3: Encryption Environment. Secure applications in the P2PE environment.
      - Characteristics: No storage of CHD after transaction processes are complete; within the segmented P2PE environment, no CHD stored, processed, or transmitted through channels or methods external from an approved SCD; all device-administration and cryptographic operations are managed by solution provider; the P2PE Instruction Manual (PIM) for merchants, with instructions on how to implement and
      - P2PE validation requirements: 3A Secure POI devices throughout the device lifecycle. 3B Implement secure device management processes. 3C Maintain P2PE Instruction Manual for merchants.
      - P2PE validation responsibility: P2PE Solution Provider.
  • 23. Domain 4 (Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices)
      - Domain 4: Segmentation between Encryption and Decryption Environments. Segregate duties and functions between encryption and decryption environments.
      - Characteristics: All decryption operations managed by solution provider; merchant has no access to the encryption environment (within POI device) or decryption environment; merchant has no involvement in encryption or decryption operations.
      - P2PE validation requirements: Domain 4 has no applicable requirements for this hardware/hardware scenario.
  • 24. Domain 5 (Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices)
      - Domain 5: Decryption Environment and Device Management. Secure decryption environments and decryption devices.
      - Characteristics: Decryption environment implemented at and managed by solution provider; merchant has no access to the decryption environment; decryption environment must be PCI DSS compliant.
      - P2PE validation requirements: 5A Use approved decryption devices. 5B Secure all decryption systems and devices. 5C Implement secure device management processes. 5D Maintain secure decryption environment.
      - P2PE validation responsibility: P2PE Solution Provider.
  • 25. Domain 6 (Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices)
      - Domain 6: P2PE Cryptographic Key Operations. Use strong cryptographic keys and secure key-management functions.
      - Characteristics: All key-management functions implemented and managed by solution provider; merchant has no involvement in key management operations.
      - P2PE validation requirements: 6A Use secure encryption methodologies. 6B Use secure key generation methodologies. 6C Distribute cryptographic keys in a secure manner. 6D Load cryptographic keys in a secure manner. 6E Ensure secure usage of cryptographic keys. 6F Ensure secure administration of cryptographic keys.
      - P2PE validation responsibility: P2PE Solution Provider.
  • 26. At a Glance – Illustration of a typical P2PE Implementation and Associated Requirements (diagram)
  • 27. Developing and Validating a P2PE Solution (diagram). Note: Domain 4 is greyed out in the diagram as there are no applicable requirements in this Domain for the current phase of P2PE.
  • 28. Overview of P2PE Solution Validation Processes
      1. The P2PE Solution Provider selects a P2PE Assessor.
      2. The P2PE Solution Provider then provides the P2PE Assessor with access to the P2PE Solution.
      3. The P2PE Assessor determines the scope and assesses key-injection facilities, Certification Authorities and others, devices, and applications.
      4. Preparation of the P-ROV and Application P-ROV (if applicable) and submission to PCI SSC for review.
      5. Review of the P-ROV and Application P-ROV (if applicable) by PCI SSC.
  • 29. How to Prepare for a P2PE Assessment. Prepare the following:
      1. Be ready with approved POI devices and HSM
      2. List of applications used
      3. Detailed cryptographic key matrix
      4. P2PE Instruction Manual
      5. Implementation Guides for applications assessed against Domain 2
      6. Key-management procedures
      7. Change control documentation
  • 30. Revalidation of P2PE
      - Yearly interim assessment (health check)
      - Full re-assessment after 2 years
  • 31. ControlCase P2PE offerings
      - Guidance on designing P2PE Solutions
      - Review of P2PE Solution design
      - Guidance on preparing the P2PE Instruction Manual
      - Pre-assessment ("gap" analysis) services
      - Guidance for bringing the P2PE Solution into compliance with the P2PE Standard if gaps or areas of non-compliance are noted during the assessment
      - Certifying P2PE Solutions and Applications