Point-to-Point Encryption: Security Requirements and Testing Procedures, v3.1 September 2021
© 2011-2021 PCI Security Standards Council, LLC. All Rights Reserved. Page ii
Contents

Document Changes .... i
Introduction: Security Requirements for Point-to-Point Encryption .... 1
  Purpose of this Document .... 1
  Types of Solution Providers .... 1
    P2PE Solution Provider .... 1
    Merchant as a Solution Provider/Merchant-managed Solution .... 1
  P2PE at a Glance – Overview of Domains and Requirements .... 2
  Scope of Assessment .... 4
    Definition of Secure Cryptographic Devices (SCDs) to be used in P2PE Solutions .... 4
    P2PE Solutions: Hardware Decryption or Hybrid Decryption .... 4
    SCD Domain Applicability .... 5
    P2PE Solutions and Use of Third Parties and/or P2PE Component Providers .... 6
    P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software .... 7
    Scope of Assessment for P2PE Solutions .... 8
  Relationship between P2PE and other PCI Standards .... 9
  For Assessors: Sampling for P2PE Solutions .... 9
  Multiple Acquirers .... 10
  P2PE Program Guide .... 10
  At-a-glance P2PE Implementation Diagram .... 11
  Technical References .... 12
    ANSI, EMV, ISO, FIPS, NIST, and PCI Standards .... 12
Domain 1: Encryption Device and Application Management .... 15
  Overview .... 15
  Requirement 1A: Account data must be encrypted in equipment that is resistant to physical and logical compromise .... 16
  Requirement 1B: Secure logical access to POI devices .... 19
  Requirement 1C: Use applications that protect PAN and SAD .... 26
  Requirement 1D: Implement secure application-management processes .... 29
  Requirement 1E: Component providers ONLY: report status to solution providers .... 31
Domain 2: Application Security .... 33
  Overview .... 33