P2PE – Don’t Lose Your Investment

Date published:

Apr 2, 2022

Alexander Norell

Global Security Architect

Protect The Investment in Your P2PE Solution Provider Offering.

A Payment Card Industry Point-to-Point Encryption (P2PE) Solution is an effective way to secure your clients' payment systems and reduce their burden of maintaining PCI DSS compliance.

Building a P2PE Solution can be done by updating your current systems and processes, by using several P2PE components along with PCI PIN Transaction Security (PTS) validated Point-of-Interaction (POI) devices and P2PE applications, or by a combination of both. Either way, it will be a significant investment in your solution.

It's my experience that creating the solution and having it validated is a good start, but without the proper maintenance, the investment will likely be lost.

It can be difficult for solution providers to continue to adhere to the P2PE standard because of the ongoing work required to maintain P2PE compliance: annual attestation, change management, ensuring that component providers maintain their components, and proper planning for the re-validation of the solution. This creates overhead and, combined with internal staff changes, creates a headache for some businesses!

In this blog post, we will explore the essential steps solution providers must take to protect their investment.

  • Change management: Managing modifications to their P2PE solutions presents another requirement for solution providers. To guarantee they do not jeopardize the security or compliance status of the P2PE solution, any change, including the addition of new hardware or software components, must be thoroughly verified and, if major, validated and added as a formal change to the solution. In version 3 of the P2PE standard, a change of HSMs (Hardware Security Modules) was added as a major change and requires a Delta Validation.
  • Adding/removing POIs: The list of POIs supported by your solution is likely to change based on demands from customers/merchants and your offering. The best option is to create an ongoing testing and maintenance program for this purpose, because a) this will ensure that your solution is ready to offer what the market demands, and b) adding POIs will require a change to be submitted to the SSC. Additionally, you need to ensure that the P2PE application validation includes the POI you are adding to your solution.
  • Adding/updating components: As you continue to add customers/merchants to your solution, you will likely need to add or update the components used, since the locations, component providers, and systems used in your solution and its components may change based on demands from your customers/merchants.
  • Ensure that components are validated and up to date: Solution providers must ensure that all parts of their P2PE solution are validated and kept current. P2PE component providers need to attest their components annually and revalidate every 3 years. As they do, the listing numbers will change. Be sure to:
    1. Engage with your component providers to understand where they are in their validation cycle and confirm that they are on track with any attestation, re-validation, and changes.
    2. Track all components used in your solution, and ensure the record includes listing numbers.
  • Annual Attestation: The attestation is a statement that you adhere to the P2PE standard and can be considered a self-validation. The yearly attestation of your P2PE solution is a relatively simple process, but it's easy to miss. You will get a reminder from the council, which will go to the point of contact. However, if the point of contact has changed or they have the wrong email address, it's likely to be missed. The attestation itself is the Attestation of Validation (AoV) and should reflect the initial AoV as produced during the validation as well as relevant changes performed to the solution. Consider the following checklist:
    1. Ensure that P2PE controls are maintained.
    2. Use a group or functional email as the POC email to ensure coverage.
    3. Get a copy of the initial AoV and ensure it is kept up to date relative to changes to your solution.
    4. Plan the submission of your annual attestation either before or after a change to your solution.

Conclusion

In summary, to protect your investment in your P2PE solution and remain prepared to meet customer and market demand, an ongoing maintenance program is crucial. The program should include changes to the solution, such as adding/removing POIs, HSMs, and components. Set up the program to include the annual attestation, change validation, as well as planning for revalidation, and you should be in good shape to protect your investment with your P2PE Solution Provider Offering for a few years to come!

If you would like to learn more about how VikingCloud can help you to protect your P2PE solution investment, contact us today to talk to an expert.
