The Payment Card Industry Security Standards Council (PCI SSC) previously released guidance that allows Qualified Security Assessor for Point-to-Point Encryption (QSA (P2PE)) companies to complete a document related to a non-listed encryption solution assessment (NESA) to address the following:
- which of the PCI SSC’s P2PE standard requirements a vendor’s solution meets, and
- how the solution impacts a merchant’s PCI Data Security Standard (PCI DSS) compliance scope.
In our work with both merchants and service providers, it appears that there may be some confusion regarding what this document offers and how it should be used. Per the PCI SSC’s document, Frequently Asked Questions: Assessment Guidance for Non-Listed Encryption Solutions:
The aim of a non-listed encryption solution assessment is to identify the gaps between the solution and the PCI P2PE Standard and to show how use of the solution impacts a merchant’s PCI DSS assessment.
A number of payment applications in use today are installed on approved PIN transaction security (PTS) devices. For consideration as a non-listed encryption solution, the device must perform encryption according to the PCI PTS listing. The solution provided by acquirers, service providers, and merchants may address a number of the P2PE requirements or all of them, but has not been validated.
So, what’s the point of the NESA document for PCI compliance?
The NESA document provides a pathway for merchants to reduce PCI DSS scope, with the degree of reduction based on the risk of exposing cardholder data. The solution must already be fully compliant with Domains 5 (Decryption Environment) and 6 (P2PE Cryptographic Key Operations and Device Management) of the PCI P2PE standard before the NESA document can be completed. A QSA (P2PE) then reviews the solution to identify which requirements are met within the other P2PE domains and determines how this affects scope under the PCI DSS requirements. The solution vendor provides the completed NESA document to merchants, who can then use it with their own QSA to determine a reduced scope. Note that the merchant's acquirer must also agree with the scope reduction.
Ideally, the NESA document acts as an intermediary step for solutions that are on their way to achieving a full P2PE validation and being listed by the PCI SSC. The benefit for the merchant is that they may be able to realize scope reduction even if the solution has not been validated.
Why use a listed P2PE application if a solution covered by a NESA document offers scope reduction?
This is the crux of the discussion. A validated P2PE solution means that all aspects of the solution have been assessed, including the details of key generation, key handling, key loading, point of interaction (POI) configurations, key custodian obligations and their organizational reporting structure, applications on the POI, the decryption environment, hardware security module (HSM) functions, remote management of the POI, and incident response activities. The P2PE Report on Validation (P-ROV) describes how the assessor reviewed configurations, interviewed personnel, examined procedural and policy documentation, observed supporting processes, and evaluated incident response planning. When the P-ROV is complete, it is reviewed by the PCI SSC's Assessor Quality Management (AQM) team to confirm that all requirements were addressed and met. Once the solution is listed on the PCI SSC's website, merchants using the solution can complete SAQ P2PE, which includes up to 32 questions (and often fewer) covering cardholder data retention, protection of POIs, and documentation.
Conversely, without a P2PE listing, merchants must confirm the scope reduction with their QSA and address the PCI DSS requirements that the unlisted solution does not cover.