NEW: Guidance for Assessing Non-validated Encryption Solutions in POS Environments. PCI DSS Releases New Guideline.

2. December 2016

Background: The latest Payment Card Industry Security Standard PCI P2PE (point-to-point encryption) ensures that credit card data is encrypted from the point of interaction until it reaches its destination point, with transmission channels and any connected components on the part of the merchant becoming irrelevant for PCI assessments. PCI P2PE solutions have been validated against the rigorous security requirements of the PCI P2PE Standard and are listed on the PCI Security Standards Council (PCI SSC) website.

Many merchants, however, are currently using encryption solutions that have not yet been validated against the P2PE Standard. The Council has now released a guideline to help those merchants’ auditors (QSAs) assess the non-listed encryption solutions.
Solution Providers may now have their encryption solutions assessed by a P2PE QSA. The QSA prepares an audit report in accordance with the P2PE Standard requirements (P-RoV*) as well as a NESA (Non-listed Encryption Solution Assessment) documentation, which may be handed to the merchant’s QSA for evaluation. Based on this information, the QSA can perform a risk assessment and aim to reduce the merchant’s PCI scope where applicable. Until now, this has only been possible with P2PE-validated solutions.
The “Assessment Guidance for Non-listed Encryption Solutions” can be downloaded from the PCI Security Standards Council website.
Do you need help with evaluating your encryption solution? As a P2PE QSA and P2PE PA-QSA, we perform official P2PE assessments as well as assessments according to the new guideline. Please contact us anytime.
* P2PE Report of Validation

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories