With clarification on Point to Point Encryption (P2PE) now out, it’s clearly a solution that could make compliance easier for most. But is there a sting in the tail?

Back in September 2011 we were eagerly awaiting the clarification from the PCI Security Standards Council (PCI SSC) on Point to Point Encryption (P2PE). At the time I asked whether it was time to get off the fence and set out a white paper outlining the potential benefits of implementing such a solution. Now that the clarification has been published, it’s clear that our assumptions remain valid and that the approach, assuming you use a solution which includes external hosting, will make compliance easier for most. But is there perhaps a sting in the tail?

First we have to wait until the QSA training is completed. Then there is the further wait for solutions to be validated. Combine this with the need for most Chip and PIN retailers to complete a PIN entry device (PED) replacement programme and we might have an issue with timing – and then supply and demand.

QSA training expected to slip

Initially there was a belief that QSA training would be completed by March 2012, but this is expected to slip. And the number of QSAs who will be trained and certified to complete the solution validation is likely to be a subset of the total QSA community. If we assume that the validation process takes three months, which may be optimistic, then we could be looking at July or August before any certified solutions are formally available to implement.

If retailers wait for the listing to be published then their selection of a new solution is unlikely to be completed until October 2012 at the earliest, giving no time at all to implement the solution before the end of the year (unless you ignore the traditional Christmas freeze). Some might think that this is a pessimistic view, but even if you take the best case it’s unlikely that you can start a change programme before August.

Five key planning steps

So let’s take the optimistic view. In August you sit down to start planning the implementation of a P2PE solution. Here’s what you need to think about:

  1. PED replacement – this goes hand in hand with the P2PE solution. Remember you’ll be limited to selecting a terminal which conforms to PCI-PTS version 3.x (this is not a long list in the UK or Eire).
  2. Accreditation with your acquirer(s) – not all solutions are pre-accredited and, if you need to go through an accreditation, your plan will have to include this, which could easily add 12 weeks (assuming you don’t have to wait too long for a slot).
  3. PED availability – demand will increase as the year progresses, so lead times are likely to extend.
  4. Integration – most P2PE solutions will need to be integrated with your POS. Do not lose sight of the effort that this will take in terms of development, testing and implementation.
  5. Deployment – new PEDs will mean engineering visits and P2PE applications will require software upgrades.

Clearly timelines will vary and you’ll likely have a view on the considerations above. But if P2PE is your answer to solving your PCI DSS challenges then, as I said back in September 2011 – PLAN NOW. Get your budget in place and perhaps take a calculated gamble to start sooner rather than later. If you wait you might find that it leads to disappointment, with busy development and deployment teams, and long lead times on PEDs, not to mention stretched resources at the acquirers trying to deal with a host of accreditations in parallel.

You might find it useful to look at our “Time to get off the fence?” white paper to help with your planning, or get in touch to discuss how BT might help.

  • Kevin Burns, PCI DSS consultant, BT Expedite