Build a Better P2PE Solution.
Why merely have a payments encryption advisor when you can have a partner?
A point-to-point encryption (P2PE) solution provider must be fully compliant with the current PCI standard for P2PE and undergo an assessment by a QSA (P2PE). For many P2PE solution providers, this can be a significant challenge.
Since the PCI SSC's P2PE program launched in 2011, over 80 solutions have been validated and listed on the PCI Security Standards Council website to provide merchants with streamlined compliance through P2PE. Each of these payment solutions must meet many of the same 600-plus requirements in order to maintain their listing, but leverage different approaches for doing so.
ControlScan’s P2PE security consulting practice is unique. We know point-to-point encryption:
- We know POIs;
- We know HSMs;
- We know key management and modern symmetric and asymmetric cryptosystems;
- We know traditional and hybrid decryption; and
- We know physical security for decryption, key injection and certificate operations environments.
But we also know that the P2PE standard is a framework, not a formula. Rather than take a closed-minded approach that shoehorns you into an auditor’s preconceived notion of what a P2PE solution “must look like,” we start by learning about your solution, its capabilities and your unique merchant needs. Then we help navigate the complexities of P2PE to provide valuable guidance, gap assessments, and ultimately, assist in bringing to market a secure and efficient offering.
P2PE doesn’t stand for “Pay Double, Poor Experience.”
Somewhere along the line, it seems that some P2PE assessor companies realized that there are few firms that can provide P2PE assessment services, so they raised prices and sacrificed quality. ControlScan is not one of those companies.
As existing experts in both the P2PE and PCI DSS world, we built our P2PE practice on values that ControlScan has successfully proven for over a decade:
- Drive Customer Success – We are successful when you are successful. Bringing your solution to market and maintaining a compliant listing is your priority, and it’s our priority too.
- Move Fast – We move at the speed of business. An assessment shouldn’t take over a year to complete, even one as complex as P2PE. When you’re ready, so are we.
- Be Transparent – We don’t dance around the notion of remediation. It happens. Instead, we provide real-time reporting of findings, and we ensure your team knows exactly what is needed to reach a compliant state.
Bring your offering to market with the help of one of the following P2PE services.
Our team has provided consulting to the top processors and encryption support organizations on complex P2PE implementation and support issues. Let us help you engineer your solution to avoid common pitfalls and ensure long-term success.
P2PE Gap Assessment
The P2PE standard is nuanced, and few entities are as prepared as they think they are. If your business is going through this process for the first time, we strongly recommend a gap assessment, which includes a full report of findings and recommendations before the audit, to ensure compliance and timely launch.
P2PE Solution Assessment
When you’re ready to launch, so are we. The P2PE assessment process covers each of the applicable domains and annexes with precision and efficiency, and ControlScan monitors the submission process to expedite the listing of your solution. Our secure evidence collection project portal streamlines the collection of evidence and provides stakeholder reporting of progress towards the final report.
P2PE Component Assessment
Many solution providers make the strategic decision to list their individual components as well. Where this fits your business model, ControlScan can streamline the submission of both reports, allowing you to double your market exposure through multiple product offerings.
Non-Listed Encryption Solution Assessment (NESA)
Providers with existing solutions may wish to have ControlScan produce a NESA—a merchant-facing report following guidance from the PCI SSC that provides reassurance of solution compliance against P2PE, and details the PCI DSS controls merchants must meet under the interim program.
P2PE Merchant-Managed Solution (MMS) Assessment
Merchants can be solution providers, too. Ideal for level 1 retail merchants with complex business needs, the MMS solution returns control over post-decryption cardholder data to the merchant central office, while still preserving scope reduction for retail locations.