NEW: Guidance for Assessing Non-validated Encryption Solutions in POS Environments. PCI DSS Releases New Guideline.

2 December 2016

Background: The latest Payment Card Industry Security Standard, PCI P2PE (point-to-point encryption), ensures that credit card data is encrypted from the point of interaction until it reaches its destination point, so that transmission channels and any connected components on the merchant's side become irrelevant for PCI assessments. PCI P2PE solutions have been validated against the rigorous security requirements of the PCI P2PE Standard and are listed on the PCI Security Standards Council (PCI SSC) website.

Many merchants, however, are currently using encryption solutions that have not yet been validated against the P2PE Standard. The Council has now released a guideline to help those merchants’ auditors (QSAs) assess the non-listed encryption solutions.

Solution providers may now have their encryption solutions assessed by a P2PE QSA. The P2PE QSA prepares an audit report in accordance with the P2PE Standard requirements (P-RoV*) as well as NESA (Non-listed Encryption Solution Assessment) documentation, which may be handed to the merchant’s QSA for evaluation. Based on this information, the merchant’s QSA can perform a risk assessment and aim to reduce the merchant’s PCI scope where applicable. Until now, this has only been possible with P2PE-validated solutions.

The “Assessment Guidance for Non-listed Encryption Solutions” can be downloaded from the PCI Security Standards Council website.

Do you need help with evaluating your encryption solution? As a P2PE QSA and P2PE PA-QSA, we perform official P2PE assessments as well as assessments according to the new guideline. Please contact us anytime.

* P-RoV: P2PE Report of Validation
