NEW: Guidance for Assessing Non-validated Encryption Solutions in POS Environments. PCI DSS Releases New Guideline.

2. December 2016

Background: The latest Payment Card Industry Security Standard PCI P2PE (point-to-point encryption) ensures that credit card data is encrypted from the point of interaction until it reaches its destination point, with transmission channels and any connected components on the part of the merchant becoming irrelevant for PCI assessments. PCI P2PE solutions have been validated against the rigorous security requirements of the PCI P2PE Standard and are listed on the PCI Security Standards Council (PCI SSC) website.

Many merchants, however, are currently using encryption solutions that have not yet been validated against the P2PE Standard. The Council has now released a guideline to help those merchants’ auditors (QSAs) assess the non-listed encryption solutions.
Solution Providers may now have their encryption solutions assessed by a P2PE QSA. The QSA prepares an audit report in accordance with the P2PE Standard requirements (P-RoV*) as well as a NESA (Non-listed Encryption Solution Assessment) documentation, which may be handed to the merchant’s QSA for evaluation. Based on this information, the QSA can perform a risk assessment and aim to reduce the merchant’s PCI scope where applicable. Until now, this has only been possible with P2PE-validated solutions.
The “Assessment Guidance for Non-listed Encryption Solutions” can be downloaded from the PCI Security Standards Council website.
Do you need help with evaluating your encryption solution? As a P2PE QSA and P2PE PA-QSA, we perform official P2PE assessments as well as assessments according to the new guideline. Please contact us anytime.
* P2PE Report of Validation

Also interesting: