5 updates from PCI SSC you need to know
The PCI P2PE standard has for some time governed security requirements for technologies and services that organizations use for end-to-end encryption of cardholder data. The goal is to ensure that no sensitive cardholder data passes in unencrypted form through a merchant’s point of sale system. P2PE has been widely recognized as a way for organizations to reduce the scope of their PCI compliance obligations.
In December 2019, the Council will publish Version 3.0 of the P2PE standard, featuring changes more to the underlying program itself than to specific compliance requirements. Starting with P2PE v3.0, the Council will allow point-to-point encryption providers to validate individual components of their technology instead of having to validate them as a complete set.
According to the Council, Version 3.0 of P2PE would double the number of component providers that can validate against the standard. The listing of individual components will make it easier for P2PE technology providers to be aware of and to select validated components for integration, and will give organizations more choices, it noted in a blog last week. “Entities that provide elements of an overall solution will be able to more easily demonstrate their role to protect integrity of the key management and confidentiality of data,” Leach says. “This includes organizations such as [Key Injection Facilities] and Certification Authorities/Registration Authorities,” he says.