UK payment service provider Commidea is supporting the PCI Security Standards Council's (SSC) new PCI Point-to-Point Encryption Solution Requirements, released recently. These new requirements confirm that using such solutions can significantly simplify a merchant's compliance.
Marc White, Head of Security & Compliance at Commidea, said, "As an active member of the Council, Commidea has been involved closely with the drafting of the guidance and welcomes the clarification the requirements now bring in the field of point-to-point encryption. As the UK's first managed service provider to have one of its services PA-DSS approved, we have continued to work closely with the SSC and other encryption task force members to ensure that our products meet and support these guidelines going forward. We are committed to ensuring our solutions simplify a merchant's compliance efforts and will continue to be best of breed. Commidea is working towards being in a position to submit its Ocius Sentinel for approval as a P2PE solution when the council is ready to start such approvals during Q1 2012."
The new standards require a PCI-PTS v3 approved terminal. Commidea is already developing Ocius Sentinel for the VeriFone Vx820 Pin Pad and is currently working to ensure that its encryption methodology meets all the requirements of the standards.
The PCI Security Standards Council (PCI SSC) has published the first set of validation requirements of its point-to-point encryption (P2PE) program. The PCI Point-to-Point Encryption Solution Requirements document provides the requirements for vendors, assessors and merchants wishing to build and implement hardware-based point-to-point encryption solutions which support PCI DSS compliance.
Merchants themselves will also find the document a useful resource for understanding more about P2PE and PCI DSS scope. The new requirements do not supersede the PCI Data Security Standard, nor is a merchant mandated to use P2PE technology. However, merchants interested in this technology are encouraged to consult the Council's listing of validated P2PE solutions, targeted for spring 2012, to choose a secure solution that will support compliance with PCI Standards.
"This is a solid first step in recognising one popular type of deployment of P2PE solutions," said Bob Russo, General Manager, PCI Security Standards Council. "These P2PE requirements will help vendors, assessors, and merchants that are choosing to use hardware-based versions of the technology, to build, assess and implement P2PE solutions securely. If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant's card data environment, mitigate potential breaches and simplify PCI DSS validation efforts."