Component providers offer strategic value and efficiency in the complex P2PE ecosystem.
PCI P2PE version 2.0, released in 2015, first introduced the role of component providers—a move that is likely responsible for accelerated adoption of P2PE. Component entities can validate to specific subsets of the standard and are listed on the PCI website for selection and use by solution providers.
There are currently four component types (with additional types coming in version 3.0):
- Key Injection Facility (KIF) – KIFs manage the secure protection of keys throughout their lifecycle, while also providing physical protection of point of interaction (POI) devices and of the injection process itself. They play a crucial role in preparing and deploying terminal devices for P2PE solutions.
- Certification Authority / Registration Authority (CA/RA) – Asymmetric keys that are used to protect other keys for remote distribution must be cryptographically signed by a validated CA/RA. This component is necessary for Remote Key Injection (RKI) providers to update P2PE keys in the field, or during repair or injection by non-KIF entities.
- Encryption Management Service – An encryption management entity oversees the system build process for POIs, as well as the support, troubleshooting, code-signing, and update of devices after deployment. Hardware providers are well-suited to offer encryption management as part of their service offering for their POI devices.
- Decryption Management Service – Many solution providers prefer to avoid operating their own decryption environment, as the physical security and inspection requirements for decryption hardware security modules (HSMs) and/or hybrid application servers can be very complex. Component providers that perform secure P2PE decryption have helped contribute to the growth of P2PE solution providers and merchant-managed solutions around the world.
Our assessment process for component providers is streamlined by component type, with only the testing procedures applicable to that component type needed to get listed. Furthermore, component providers that also handle key injection, certificate signing, translation, or decryption for PIN processing devices may wish to leverage ControlScan’s consolidated audit for P2PE and PIN for increased audit efficiency.
ControlScan understands that different organizations have different strengths. Our consultants will work with your team to optimize your service offering to align with the P2PE component model. Entering the P2PE component provider marketplace starts with building a compliant offering that can securely and efficiently support your solution provider and merchant-as-solution-provider clients, and ControlScan’s P2PE component consulting services will be with you all along the way.