The most important topic (and almost the only one) was, as everyone expected, P2PE (Point-to-Point Encryption).
Just a few days before the meeting, the Council released a large document defining the requirements for Hardware/Hardware P2PE.
"Hardware/Hardware" means that both encryption and decryption are performed by hardware modules validated under the FIPS 140-2 Level 3, PCI HSM or PCI PTS certification programs (normally a PIN pad device at the merchant's point of interaction and an HSM appliance at the switch end).
The document and its implications were widely discussed during the meeting; here are several important points I noticed:
· Hardware P2PE, when implemented according to the SSC requirements and properly certified, is expected to significantly reduce the merchant's PCI DSS scope, and therefore the merchant's PCI costs; in particular, it may eliminate additional firewall installations and the quarterly vulnerability scans and penetration testing. Merchants are therefore expected to have a financial incentive to look for P2PE solutions. Technical detail: this applies mostly to hardware encryption where the PIN pad content (firmware and application) is signed by the vendor so that it cannot be altered; the sealed device then acts as an internal "firewall" that isolates the device middleware from the rest of the merchant's network.
· The final release of the requirements, and most importantly the test procedures, will be published in Q4 2011 (i.e. by the end of the year), which means that if you want to be first in this race, the design and the code should be done by the end of this year.
· A dedicated certification program will be introduced for P2PE; assessors will have to be certified as "P2PE QSA" in order to perform such assessments. The program and the QSA training are scheduled to be finalized in Q1 2012, but no one believes this will happen in Q1; Q2 or even later is more likely. I talked to several QSAs, and none of them knew the details of the program; not all of them even intend to be trained for it in the near future. If you want to be in the first wave of certified P2PE solutions, you will most likely have to stick with the "big" QSA companies, as they are the only ones who commit to everything from the SSC as soon as it goes live.
· Even though the major focus is on Hardware/Hardware P2PE as the near-ultimate solution for PCI compliance, software P2PE will still remain a valid option. There is a plan to release detailed requirements for software P2PE as the next step (though no timelines were provided); this will include a definition of hardware P2PE with software key management.
PCI SSC provides an interesting tool that lets you determine whether an application is eligible for PA-DSS assessment. It is a simple questionnaire, available online: if any of the answers is YES, the application should not go through PA-DSS validation.
Please take a look; there are interesting questions.
For example, according to question #8, if the product is a DLL that requires a third-party hosting application, the DLL itself might not be validated through PA-DSS, while any POS application that uses it should be validated through either the PA-DSS or the PCI DSS process.
Currently, according to guidelines recently released by the PCI SSC, most mobile payment applications do not qualify for PA-DSS validation. Draft guidance on PA-DSS for mobile devices is to be released in Q4 2011.
There is also an interesting program for companies that want to perform their own internal PCI DSS-style assessments: ISA (Internal Security Assessor). A company that wants to participate just needs to enroll in the program and send its people for training.