Not all encryption solutions are created equal. If you’re looking for the best way to protect your organization’s data against hackers and breaches, you may be wondering, what are the differences between PCI-validated P2PE and non-validated P2PE?
PCI validation can make or break your organization in the event of a data breach. Read on to find out why it’s important to invest in encryption that’s PCI compliant, and for more information on the impact of PCI-validated P2PE, download our whitepaper.
Key Takeaways
- Not all encryption solutions marketed as “P2PE” are equal. The key difference between non-validated encryption solutions and PCI-validated P2PE is formal assessment and listing by the PCI Security Standards Council (PCI SSC), verifying that required technical and operational controls are in place across the solution.
- PCI-validated P2PE significantly reduces PCI DSS scope. Merchants using validated solutions may qualify for SAQ P2PE, cutting assessment requirements by up to 90%.
- Unlisted encryption solutions do not guarantee scope reduction. Unlisted P2PE or E2EE solutions may still require merchants to complete SAQ D and remain responsible for a broader set of PCI DSS controls.
- PCI-validated P2PE enables card brand incentives and compliance flexibility. Certain Visa programs may provide compliance benefits to eligible merchants using listed P2PE solutions.
- PCI-validated P2PE is particularly valuable in complex environments – including mobile acceptance, shared networks, and distributed retail environments – where encryption that meets the PCI validation standard isolates cardholder data from internal systems to reduce risk and compliance burden.
How the PCI-Validated P2PE Standard Applies to PCI DSS Compliance
Before considering the specific impact of P2PE on a merchant’s business, it’s important to understand how encryption fits into the larger context of a merchant’s compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Since its initial release in 2004, the PCI DSS has established a comprehensive security framework designed to protect cardholder data within a merchant environment. The standard defines a set of technical and operational security controls intended to address threats that could compromise credit card data.
Within the PCI DSS, encryption is required in certain scenarios and must be implemented alongside other technical, physical, and procedural controls within the cardholder data environment (CDE). The PCI-Validated P2PE Standard builds upon these requirements by defining additional controls for securely encrypting payment card data at the point of interaction and protecting it throughout the payment process.
The Purpose Behind the PCI-Validated P2PE Standard
Recognizing the presence of existing encryption solutions and the growing need for guidance on their proper implementation, the PCI SSC developed the PCI P2PE Standard to define how transaction encryption could be implemented in a way that supports PCI DSS scope reduction. Rather than automatically granting reduced scope, the PCI SSC established a formal validation and listing process for approved P2PE solutions that meet strict technical and operational requirements.
To support this framework, the PCI SSC sought to clearly define which risks could be effectively addressed through validated encryption and which PCI DSS controls might no longer apply when cardholder data is removed from a merchant’s cardholder data environment (CDE).
Key questions addressed by the PCI P2PE Standard include:
- How strong must the encryption be to carry data safely without being vulnerable to brute-force decryption?
- What key management practices are adequate to protect the private key from compromise?
- What controls are necessary at the point of encryption to protect sensitive cryptographic material?
- How is the decryption environment secured to ensure its integrity and resistance to vulnerabilities?
In 2012, the PCI SSC released the first version of the PCI P2PE Standard, along with the P2PE Program Guide and the dedicated SAQ P2PE for eligible merchants using listed solutions. Since then, the standard has continued to evolve to address emerging threats and provide organizations with greater implementation flexibility while maintaining strong security controls. PCI SSC is currently developing P2PE v4.0 as the next major evolution of the standard.
What Is Non-Validated P2PE and How Does It Differ from PCI-Validated P2PE?
Encryption solutions that have not been validated and listed by the PCI SSC, but that encrypt data at the point of interaction (POI) and decrypt it outside the merchant environment, are commonly referred to as unlisted P2PE solutions or End-to-End Encryption (E2EE) solutions.
While many unlisted solutions may implement strong encryption practices, they have not been independently assessed against the PCI P2PE Standard by a QSA (P2PE) under the PCI SSC’s formal validation program. As a result, merchants may not have independent assurance that all technical and operational controls defined by the PCI SSC have been addressed.
Because unlisted solutions are not PCI-validated (PCI-listed) P2PE solutions, merchants using them are generally not eligible to complete SAQ P2PE and may instead need to complete SAQ D (or a Report on Compliance (ROC), if applicable), depending on their environment and scope.
What Is a PCI-Validated P2PE Solution and Why It Matters
A current list of PCI-validated (PCI-listed) P2PE solutions is maintained by the PCI Security Standards Council (PCI SSC) under Approved P2PE Solutions.
PCI-Validated P2PE solutions have been independently assessed by a QSA (P2PE) and confirmed to meet the requirements of the PCI P2PE Standard. Upon successful validation, the solution is formally listed by the PCI SSC.
In addition to meeting the PCI P2PE Standard, the decryption component of a listed solution must operate within a secure environment that has been assessed against the full PCI DSS.
Key requirements of PCI-validated P2PE solutions include:
- Evaluation of encryption strength, cipher suites, and key management practices
- The use of certified key injection facilities (KIFs)
- Deployment and configuration of PTS-approved POI devices, with encryption performed within the SRED (Secure Reading and Exchange of Data) tamper-resistant security module (TRSM)
- Positive device identification prior to decryption
- Key management and decryption performed within hardware security modules (HSMs) validated by PCI and/or compliant with FIPS 140-2 Level 3 (as applicable)
Key Differences Between PCI-Validated and Non-Validated P2PE Solutions
It is impossible to generalize and say that all non-validated P2PE solutions are missing any specific security control(s), because every solution is different. However, PCI-validated P2PE solutions have been independently assessed under the PCI P2PE program and confirmed to meet the requirements of the PCI P2PE Standard. Non-validated solutions, by definition, have not completed this formal validation and listing process.
For some providers, non-validation may simply reflect that the assessment process has not yet been completed. For others, non-validated solutions may lack controls required by the PCI P2PE Standard, such as performing key management functions without the use of an approved HSM or using PTS devices that lack the SRED-certified TRSM.
Benefits of Using PCI-Validated P2PE vs. Non-Validated Encryption
Beyond protecting customers’ payment data, merchants may realize additional operational and compliance benefits by implementing a PCI-Validated P2PE solution that has completed the PCI SSC validation and listing process, compared to using non-validated encryption solutions.
PCI-Authorized Scope Reduction
Merchants who implement a PCI-validated P2PE solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized Self-Assessment Questionnaire (SAQ) P2PE, which is recognized and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from SAQ D (329 questions) to SAQ P2PE (33 questions).
When cardholder data is encrypted at the point of interaction and cannot be accessed by merchant systems, fewer networks and systems may fall within PCI DSS scope. PCI SSC scoping guidance recognizes this impact for properly implemented and listed P2PE solutions that have completed the validation process.
Card Brand Programs
Visa Technology Innovation Program (TIP)
Merchants that process a significant percentage of their transactions (for example, 75% or more) through a PCI-validated (PCI-listed) P2PE solution may be eligible to apply through their acquirer for the Visa Technology Innovation Program (TIP).
For approved merchants, Visa TIP may provide validation benefits, including reduced PCI DSS assessment requirements. Program eligibility, approval, and specific benefits are determined by Visa and the acquiring bank. This program can be particularly valuable for high-volume or geographically dispersed merchants that would otherwise undergo a more extensive annual PCI DSS assessment.
Visa Secure Acceptance Program
The Visa Secure Acceptance Program is designed to incentivize acquirers by offering certain protections related to PCI non-compliance assessments for eligible Level 3 and Level 4 card-present merchants that process 100% of their transactions through a PCI-validated (PCI-listed) P2PE solution.
There is no separate merchant application process; however, eligibility and program protections are determined by Visa and the acquirer. Merchants are still expected to maintain PCI DSS compliance and retain documentation demonstrating that all transactions are processed through a listed P2PE solution.
Solution for Challenging Compliance Issues
Mobile Acceptance
Mobile point-of-sale (mPOS) apps available for download on consumer mobile devices (such as Android and iOS platforms) are not eligible for validation under the former PA-DSS program and may not be validated under the PCI Secure Software Framework (PCI SSF). As a result, merchants may face challenges in independently assessing the security and compliance posture of these software applications.
PCI-validated P2PE can help address these concerns. When cardholder data is encrypted within a validated P2PE card reader before passing through the consumer mobile device, the mobile device may be considered out of scope for PCI DSS—provided it does not store, process, or transmit unencrypted cardholder data and is not used for other payment functions. Proper implementation of a listed P2PE solution helps support compliant card acceptance on consumer mobile devices.
Foreign Networks
When properly implemented, PCI-validated P2PE can reduce PCI DSS scope by ensuring that systems and networks between the encryption point and the decryption environment do not have access to unencrypted cardholder data. This architectural advantage can help address complex network responsibility challenges for certain merchant environments.
For example, store-within-a-store retail concepts often rely on a host retailer’s network to provide Internet connectivity but cannot treat that network as a true “open, public network” under PCI DSS Requirement 4. In a PCI SSC case study, The Hillman Group describes this specific challenge and its use of Bluefin’s PCI-validated P2PE solution to transmit P2PE-encrypted account data over the host’s network without introducing unencrypted cardholder data into that environment.
Get Started with PCI-Validated P2PE and Reduce Your Compliance Burden
To learn how Bluefin’s PCI-validated P2PE and tokenization solutions can help support your security and compliance strategy, contact a representative today.
PCI-Validated P2PE FAQs
What is a PCI-validated P2PE solution?
A PCI-validated P2PE (Point-to-Point Encryption) solution is a payment encryption solution that has been formally assessed by a QSA (P2PE) and validated under the PCI Security Standards Council (PCI SSC) P2PE program. These solutions encrypt payment card data at the point of interaction (e.g., a card reader) and decrypt it within a secure environment that is assessed against PCI DSS requirements.
What is the difference between PCI E2EE and P2PE?
E2EE (End-to-End Encryption) refers to any encryption system where data is encrypted at the source and decrypted at the destination. While E2EE may use strong encryption methods, it is not a PCI SSC validation program and does not follow the standardized assessment and listing process required under the PCI P2PE Standard. In contrast, PCI-validated P2PE solutions must meet defined technical and operational criteria and are independently assessed by a QSA (Qualified Security Assessor) under the PCI SSC P2PE program. Because they are formally validated and listed, PCI-validated P2PE solutions may enable eligible merchants to qualify for PCI DSS scope reduction and the use of SAQ P2PE, when properly implemented.
Does PCI-validated P2PE reduce PCI scope?
Yes. When properly implemented, PCI-validated P2PE can significantly reduce PCI DSS scope by ensuring that cardholder data is encrypted at the point of interaction and not accessible within the merchant environment. Merchants using a PCI-validated (PCI-listed) P2PE solution may be eligible to complete the shorter SAQ P2PE instead of SAQ D, resulting in substantially fewer PCI DSS requirements to assess. For eligible merchants, this can simplify the validation process and help reduce the time and resources required to maintain compliance.
Why should merchants avoid non-validated encryption solutions?
Merchants should be cautious of encryption solutions that have not been assessed and validated under the PCI P2PE Standard. These are often referred to as unlisted P2PE or, more accurately, End-to-End Encryption (E2EE) solutions. While they may encrypt card data, they have not undergone the formal PCI SSC validation and listing process required for PCI-validated P2PE.
Because they are not PCI-validated (PCI-listed), merchants using non-validated encryption solutions are generally not eligible for the scope reduction associated with listed P2PE solutions and may need to complete SAQ D or other applicable validation requirements. In addition, these solutions do not provide the same standardized, independently assessed assurance defined by the PCI P2PE program.