Friday, November 25, 2011

PCI Update

There is good news for those of you waiting to hear where the PCI Security Standards Council (PCI SSC) stands on P2PE (point-to-point encryption). As part of the standards update to version 3.1, released on October 14, 2011, the council has updated its PIN transaction security program to include changes that address encryption of data other than PIN numbers. The changes in this update are effective immediately and supersede the version 3.0 standards. The full document is located on the PCI Council's website here: https://www.pcisecuritystandards.org/documents/P2PE_Hardware_Solution_%20Requirements_Initial_Release.pdf

Appendix A of this document contains the worksheet to determine eligibility to reduce your PCI scope.

What had not been clearly defined before has now been defined, so manufacturers can comply with PCI requirements for devices and encryption beyond the usual PIN pads and PIN numbers. This new information will apply to mobile devices as well.

Please note that there is language specifically stating that end-to-end encryption does not take the merchant entirely out of scope for PCI compliance; however, this is a very big step forward.