Reference Content: This is archived content from PCI Security Standards Council bulletins, preserved for tracking changes over time.

PCI Security Standards Council Bulletin: Revisions to the Implementation Dates for PCI P2PE Security Requirement 18-3

20 August 2020

In response to stakeholder feedback about the impact COVID-19 has had on implementations, PCI SSC
is updating the effective dates for key block implementations. These revised dates are
effective immediately. A technical FAQ will convey the revised dates until the P2PE Standard is
updated. The new dates are provided in the excerpt below.

18-3 Encrypted symmetric keys must be managed in structures called key blocks. The key usage
must be cryptographically bound to the key using accepted methods.

The phased implementation dates are as follows:
• Phase 1 – Implement Key Blocks for internal connections and key storage within Service
Provider Environments – this would include all applications and databases connected to hardware
security modules (HSM). Effective date: 1 June 2019. (past)
• Phase 2 – Implement Key Blocks for external connections to Associations and Networks. New
Effective Date: 1 January 2023 (replaces previous effective date of 1 June 2021).
• Phase 3 – Implement Key Blocks to extend to all merchant hosts, point-of-sale (POS) devices and
ATMs. New Effective Date: 1 January 2025 (replaces previous effective date of 1 June 2023).

The individual payment card brands manage compliance programs for PCI Security Standards.
Organizations should contact the applicable payment brand(s) directly with any compliance questions.