Determining the Scope for Your P2PE Solutions Assessment
Consider this: when a house gets inspected before a sale, the entire thing gets assessed. It doesn’t matter whether one contractor did all of it, or if one did most while another did the bathrooms, or maybe the seller got a different contractor to renovate each room.
Regardless of how they outsource the work, the seller still has to get the house past full inspection if they have hope of making any money.
If you’re a point-to-point encryption (P2PE) solution provider, you’re similarly accountable. You may very well be responsible for all or almost none of the individual components that make up said solution, but you’ve still got to get the entire thing assessed and validated if you want to get listed as a P2PE solution available for use.
The trouble is, how do you scope an assessment of your solution if you’ve got other cooks in the kitchen, so to speak? If someone else provides part of your overall solution, how does that fit into your assessment?
In this article, we’re going to decipher that for you. Schellman has been in the payment card business for over a decade, and we have a dedicated team that is well-versed specifically in payment encryption assessments.
We’re going to break down how validation works for P2PE solutions first when incorporating validated components and applications. To illustrate that concept further, we’ll provide examples of scoping details for three separate, common scenarios P2PE solution providers may find themselves in:
- Those that run a full solution entirely on their own
- Those that provide a solution but rely on others for some parts of it
- Those that provide a solution but rely heavily on others to do so
No matter which of these three you are, you’ll have a better idea of what will be in scope for your future P2PE solution assessment.
A Validated P2PE Solution: What’s In and What’s Out?
Let’s start with a high-level overview of what exactly your P2PE assessment will look to validate.
A validated P2PE solution must account for the security of cardholder data from the terminal/point of interaction (POI) device through the decryption of cardholder data for authorization.
However, a P2PE solution vendor does not need to provide each of these services on its own and may leverage P2PE component providers that previously underwent their own validation.
That part is key, because if you are a solution provider using components or applications that have not been validated—i.e., not listed on the P2PE website—then your assessor will evaluate those items as a part of your full solution assessment.
To rephrase, as a P2PE solution provider, you are responsible for all subsets of the solution, even when using a P2PE component provider. The sum of all parts needs to be assessed, but your assessor will accept any components you’ve brought in that were already individually validated and will not review them again.
Let’s delve more deeply into three common scenarios.
What’s in Scope if You Run a Full P2PE Solution on Your Own?
Let’s say you provide a P2PE solution and you provide all the functions—no outsourcing whatsoever. That means you are responsible for sourcing the point-of-interaction (POI) devices, POI device management, maintaining the decryption environment, key management, key injection onto the POI devices, incident response, and the overall solution management.
We can break all that down into four sections of a P2PE solution:
- The Encryption Environment: Where the POI devices reside (almost always the merchant location) and cardholder data is taken directly from the cardholder.
  - Your assessor will test and validate the POI devices used by the solution, their configurations, and how you support them, as well as perform a review of the functions.
  - The assessment will also examine remote access and customer troubleshooting operations.
- The Decryption Environment: Where encrypted cardholder data is received, decrypted, and sent to acquirers for authorization.
  - You’ll need to confirm that this environment was assessed against the PCI DSS.
  - During the P2PE assessment, your third party will review the hardware security module (HSM) and systems performing decryption operations.
  - They’ll also assess the procedures you have in place to identify potential security issues based upon malformed data received from POI devices.
- Key Management: Accounts for the handling of all encryption operations and keys used by your solution. Easily the largest part of your scope with the most compliance requirements. The review will include:
  - Assessment of your general key management, including policies, processes, and evidence that show how you generate, convey, store, protect, load, and delete keys and key material (i.e., key components). A good assumption to make is that your assessor will cover anything to do with key management.
  - A review of the key injection facility (KIF) where encryption keys are securely installed on POI devices before you send them to merchants for use. Your assessor will examine the following:
    - Physical controls around all injection operations and POI storage
    - Inspections of equipment
    - Secure room controls
    - Alerting and incident management
- Solution Management: The overarching policies, procedures, and evidence that show how you actively maintain the entire data flow.
  - To evaluate this, your assessor will:
    - Inspect the P2PE Instruction Manual (PIM) issued to merchants that covers end-users’ obligations to maintain the deployed POI devices and troubleshooting guidance.
    - Assess how you maintain solution details and the management of outsourced services provided by third parties.
    - Review troubleshooting processes and your detailed solution overview.
What’s in Scope if You Provide a P2PE Solution But Rely on Others for Some Parts of the Solution?
Now let’s shift gears to look at what outsourcing parts of a solution means.
Perhaps you maintain a solution where you host the decryption environment but outsource key injection and POI device management to validated P2PE component providers. How much of what is in scope for a full solution applies now?
- Encryption Environment: The review must include any of the services not provided by the POI device management component provider.
- Decryption Environment: Must be assessed in full.
  - As we mentioned before, this environment will also need to be assessed under the PCI DSS.
- Key Management: In our posited scenario, this is what you’ve outsourced, so your assessor will just need an itemized list of services rendered to verify that they have been previously validated.
  - Any services not listed are considered in scope for your assessment, and your assessor will validate them.
- Solution Management: This will need to be assessed in full, as we laid out above.
Do you maintain a solution that provides all functions but key injection? Then, your review would include:
- Encryption Environment: Must be assessed in full.
- Decryption Environment: Must be assessed in full.
  - Will also need to be assessed under the PCI DSS.
- Key Management: Again, you outsource a portion of this. Your assessor will need to review the listing details of the P2PE component provider that provides the KIF before validating the rest of the management functions you provide yourself.
  - If the outsourced services are not listed, then they will be considered in scope for your assessment and validated by your assessor.
- Solution Management: This will need to be assessed in full, as we laid out in the first scenario.
What’s in Scope if You Provide a P2PE Solution that Outsources as Much as Possible?
You may very well only use one or two outside services to facilitate your solution. But what if your solution is almost entirely dependent on outsourced components and applications?
If that’s the case, you would only be assessed against the P2PE Solution Management requirements that cannot be outsourced to third-party component providers—there is a limit to what can be contracted out.
But if you are outsourcing every part of the solution you can to validated component providers, here’s what’ll happen during the assessment of your solution:
- You’ll need to provide listing details of the P2PE component providers that deliver the decryption environment, encryption environment services, and KIF.
  - If any or all of these are not listed as validated, then they will be considered in scope for your assessment and validated by your assessor.
- As for solution management, this cannot be outsourced and will be assessed in full, as we laid out in the first scenario above.
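To make the three scenarios concrete, here is a small scoping worksheet that encodes the rules above: every part of the solution stays in scope unless a listed (validated) component provider delivers it, an unlisted provider's work falls back into your assessment, and solution management can never be contracted out. This is an added example and not code from the article, from Schellman, or from any PCI SSC document; the domain and service names follow the article, but the split of each domain into named services, the status labels, and the provider names in the sample scenarios are assumptions made here for illustration.

```python
"""Scope worksheet for a P2PE solution assessment.

Added example, not code from the article, Schellman, or any PCI SSC document.
It encodes the scoping rules the article lays out:
  * each part of the solution is in scope unless the service is delivered by a
    component provider that is already listed as validated;
  * an outsourced service whose provider is NOT listed falls back into scope;
  * solution management can never be outsourced.
Domain and service names follow the article; the data model is an assumption.
"""
from dataclasses import dataclass
from enum import Enum


class Domain(Enum):
    ENCRYPTION = "Encryption Environment"
    DECRYPTION = "Decryption Environment"
    KEY_MANAGEMENT = "Key Management"
    SOLUTION_MANAGEMENT = "Solution Management"


# Services a solution provider may hand to a component provider, grouped by domain
# (assumed granularity; the article names these services but not this exact split).
SERVICES = {
    Domain.ENCRYPTION: {"poi_device_management", "encryption_environment_services"},
    Domain.DECRYPTION: {"decryption_environment"},
    Domain.KEY_MANAGEMENT: {"key_injection_facility", "general_key_management"},
    Domain.SOLUTION_MANAGEMENT: set(),  # nothing here may be contracted out
}
NOT_OUTSOURCEABLE = {"solution_management"}


@dataclass(frozen=True)
class Outsourced:
    service: str
    provider: str
    listed: bool  # True if the provider appears on the P2PE component listing


@dataclass(frozen=True)
class DomainScope:
    status: str                    # "assessed in full" | "partial" | "listing details only"
    services_to_assess: frozenset  # what your assessor still has to validate
    unlisted_providers: frozenset  # providers whose unvalidated work fell back into scope


def determine_scope(outsourced):
    """Map every domain to what the assessor must cover for this solution."""
    known = {s for group in SERVICES.values() for s in group}
    delegated = {}
    for item in outsourced:
        if item.service in NOT_OUTSOURCEABLE:
            raise ValueError(f"{item.service} cannot be outsourced; it is always assessed")
        if item.service not in known:
            raise ValueError(f"unknown service {item.service!r}")
        delegated[item.service] = item

    scope = {}
    for domain, services in SERVICES.items():
        # Only services covered by a LISTED provider are accepted on listing details.
        covered = {s for s in services if s in delegated and delegated[s].listed}
        unlisted = {delegated[s].provider for s in services
                    if s in delegated and not delegated[s].listed}
        to_assess = services - covered
        if not covered:
            status = "assessed in full"
        elif not to_assess:
            status = "listing details only"
        else:
            status = "partial"
        scope[domain] = DomainScope(status, frozenset(to_assess), frozenset(unlisted))
    return scope


def needs_pci_dss_confirmation(scope):
    """A decryption environment you run yourself must also be PCI DSS assessed."""
    return scope[Domain.DECRYPTION].status != "listing details only"


if __name__ == "__main__":
    # Constructed scenarios mirroring the article's three cases (provider names made up).
    scenarios = {
        "run everything yourself": [],
        "outsource KIF only": [Outsourced("key_injection_facility", "KIF-Co", True)],
        "outsource as much as possible": [
            Outsourced("poi_device_management", "POI-Co", True),
            Outsourced("encryption_environment_services", "POI-Co", True),
            Outsourced("decryption_environment", "Decrypt-Co", True),
            Outsourced("key_injection_facility", "KIF-Co", True),
            Outsourced("general_key_management", "KIF-Co", True),
        ],
    }
    for name, items in scenarios.items():
        print(f"== {name} ==")
        for domain, ds in determine_scope(items).items():
            extra = f" -> {sorted(ds.services_to_assess)}" if ds.status == "partial" else ""
            print(f"  {domain.value}: {ds.status}{extra}")
```

Running the script prints one scope table per scenario. The useful property to notice is that a `listed=False` provider never reduces scope: the domain comes out as "assessed in full" and the provider's name is reported in `unlisted_providers`, which is exactly the itemized list your assessor will ask for before deciding what still has to be validated.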
Moving Forward with Your P2PE Solution Assessment
Assessing a P2PE solution is a bit like getting your home past inspection ahead of sale. No matter how many contractors you do work with to put it together, you’re still responsible for the entire thing. Regardless of how many component or application providers you use in providing your solution, you now understand how scoping around those would work.
To sum it up: you must account for each of the control objectives and associated requirements in order for your solution to be validated and listed. However, any control or requirement met by a previously validated component/application will not need to be assessed again as a part of your solution.
Interested in learning more about P2PE and a potential assessment? Make sure you read our other content that can help clarify other aspects:
About Sully Perella
Sully Perella is a Senior Manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.