On March 13th, Bluefin was listed on the PCI SSC website as a PCI-validated Point-to-Point Encryption (P2PE) Component Provider under the Decryption Management Services heading for our Decryption as a Service (DaaS) component.
PCI’s P2PE 2.0 Standard introduced the possibility for both solution providers and for merchants to “create” their own PCI-validated P2PE solutions by putting together components from other validated providers. The goal of 2.0 was to simplify the development and merchant adoption of PCI-validated P2PE solutions by giving providers and merchants the ability to build and manage their own secure P2PE solutions.
Bluefin’s Component Listing allows PCI-validated Service Providers such as payment gateways, processors and SaaS/ISV platforms that are pursuing their own Validated PCI P2PE Service Provider listing to use Bluefin’s DaaS service to handle all of the device validation and decryption of the P2PE payloads. The Component Listing also allows merchants pursuing a P2PE Merchant Managed Solution (MMS) to use Bluefin’s DaaS environment for decryption within their solution.
PCI-validated P2PE solutions, such as Bluefin’s, encompass 5 Domains:
- Domain 1: Encryption Device and Application Management
- Domain 2: Application Security
- Domain 3: P2PE Solution Management
- Domain 5: Decryption Environment
- Domain 6: P2PE Cryptographic Key Operations and Device Management
*Note that Domain 4 is reserved for Merchant Managed Solutions (MMS).
P2PE 2.0 allows PCI-validated P2PE solution providers like Bluefin to offer Components of their validated solution to non-validated providers and to merchants.
The 4 Component Types currently available are:
- Encryption Management Services (Domain 1): This is the listing for companies that provide Encryption and Key Management Services.
- Certification/Registration Authorities (Domain 6): This is the listing for Remote Key Injection (RKI) providers.
- Decryption Management Services (Domain 5): This is the listing for off-site decryption environments.
- Key Injection Facilities (Domain 6): This is the listing for approved component Key Injection Facilities (KIFs).
Component Solutions for Service Providers
There are currently four primary paths for service providers to offer a PCI-validated P2PE solution to their customers:
1. Build and audit their own P2PE solution, which can be costly and time-consuming.
2. Build and audit Domain 3 (Solution Management) and partner with various Component Providers (such as Bluefin DaaS) for the complete P2PE solution. Domain 3 encompasses the overall management of the P2PE solution by the solution provider, including third-party relationships, incident response, and the P2PE Instruction Manual (PIM).
3. Integrate to Bluefin’s Decryptx (P2PE as a Service Platform) to enable merchants to use PCI-validated P2PE without having to re-integrate to a new payment gateway/service provider.
4. Integrate to any one of the 22+ payment gateway and service providers that have integrated to Bluefin’s Decryptx platform under path 3 above.
Bluefin’s Decryptx Platform offers a complete P2PE Solution as a Service, including our patented P2PE Manager, key injection, P2PE devices, and off-site decryption – all in a package that does not require our partners to be separately audited, while providing the benefits of PCI scope reduction to our partners’ merchants.
Component Solutions for Merchants
P2PE 2.0 allows merchants to “build” their own P2PE solution, choosing from different components, and to perform specific functions, if they wish. For example, a merchant may create their own Key Injection Facility (KIF) in order to manage logistics and service internally while using Bluefin for decryption and chain of custody functions. Some of the benefits of an MMS include:
- No processor lock-in: Merchants may want to manage their own P2PE solution rather than tying themselves to their processor’s solution.
- Build vs. Buy: Modularization means that merchants can outsource components of their P2PE Solution to P2PE-listed component vendors instead of building it themselves.
- More PCI-validated P2PE Solution providers will be listed: Simplification and modularization of the standard will give merchants greater vendor choice.
Check out Bluefin’s DaaS Component Listing under the Decryption Management Services tab on the Component Listing link found near the top of PCI’s P2PE Solution Provider listing page.