The PCI Security Standards Council has revised its point-to-point encryption (P2PE) standard, which encrypts payment card data at the point of interaction so that cleartext account data is never exposed within the merchant's environment, including in transactions accepted on mobile phones.
The first version of the standard set out requirements for vendors, assessors, and merchants wanting to build and deploy hardware-based P2PE solutions that support PCI Data Security Standard compliance. The most significant addition in the revision is a set of testing procedures that let assessors verify that a hardware-to-hardware P2PE solution, in which card data is encrypted in a hardware device at the point of interaction and decrypted only inside a secure cryptographic device, actually meets those requirements.
PCI CTO Troy Leach notes that the testing procedures allow the Council to run the full P2PE program: qualifying assessors through training, having those assessors test solutions against the requirements, and eventually listing validated P2PE solutions on PCI's Web site. Beyond the testing procedures, the revision also clarifies the standard's existing requirements.
The next phase of the program, expected to be completed this summer, will address solutions that combine hardware-based encryption at the point of interaction with decryption performed by secure cryptographic devices, while allowing software to manage the transaction-level cryptographic keys used for decryption.
From “PCI Updates Encryption Standard With Addition of Testing Procedures”
Infosecurity (USA) (04/30/12)