Document Comparison
P2PE_v2_Summary_of_Changes.pdf
→
P2PE_v2.0_r1.2_Summary_Of_Changes.pdf
2% similar
Pages: 22 → 3
Words: 7678 → 360
Content changes: 24
Content Changes
24 content changes. 23 administrative changes (dates, page numbers) hidden.
Added
p. 1
Payment Card Industry (PCI) Point-to-Point Encryption Solution Requirements and Testing Procedures Summary of Errata Changes from v2.0 r1.1 to r1.2
Added
p. 2
PCI P2PE Summary of Errata Changes This document provides an overall summary of errata changes from P2PE v2.0 revision 1.1 to P2PE v2.0 revision 1.2 of the Solution Requirements and Testing Procedures (i.e., the P2PE Standard).
Table 2: Summary of Changes P2PE v2.0 r1.1 P2PE v2.0 r1.2 CHANGE TYPE P2PE Solutions and Use of Third Parties and/or P2PE Component Providers Applicability of Domain 6 and Annexes to P2PE Solution Providers and Component Clarified applicability of Domains for the operation of CA/RAs.
Clarification DOMAIN 6 and ANNEX B Fixed typo by changing “double” to “triple” in the context of allowable TDEA key lengths, which aligns with the pre-existing Annex C key table information.
Fixed numbering for test procedure 6C-3.1.c Clarification Appendix A Added clarity to the use cases regarding CA/RAs. Clarification
Modified
p. 3 → 2
Additional Explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Additional guidance Explanation, definition, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
Modified
p. 3 → 2
Evolving / New Changes to ensure that the standard is up to date with emerging threats and changes in the market. May consist of a new or modified requirement, test procedure, or context.
Modified
p. 3 → 2
Removal Deleted a requirement due to redundancy or to better reflect the intent of the standard.
Removal Deleted a requirement or context due to redundancy or to better reflect the intent of the standard.
Removed
p. 4
Table 2: Changes to Introduction Introduction Section Change Type P2PE v1.1 P2PE v2.0 Purpose of this Document Refocused section on the objective of the P2PE standard relative to P2PE solutions and the benefits that usage provides to merchants.
Removed references to merchant PCI DSS scope reduction. Guidance for merchants using P2PE solutions will be provided via PCI SSC FAQs.
Clarification Types of Solution Added section to describe and define “P2PE solution providers” and “merchant as a solution provider.” Added note regarding the term “merchant” and its meaning when used in Domains 1, 3, 5, and 6 in relation to merchant-managed solutions.
Additional P2PE at a Glance - Overview of Domains and Requirements for P2PE Validation P2PE at a Glance - Overview of Domains and Requirements Moved table from former position after the P2PE Program Guide section.
Renamed, reorganized, and updated table to clarify intent of domains and reflect new domain sub-sections.
Clarification Definition of Secure Cryptographic Devices …
Removed
p. 5
Additional Third Parties/Outsourcing P2PE Solutions and Use of Third Parties and/or P2PE Moved section after SCD Domain Applicability.
Renamed and updated to provide guidance and definitions on use of third parties and/or P2PE component providers in P2PE solutions, and to show relevant domains/annexes for each type of P2PE component provider.
Added new diagram to explain relationships between P2PE solution providers, P2PE component providers, and other third parties.
Additional P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Added section to provide assessment guidance and definitions for P2PE applications and P2PE non-payment software.
Incorporated information for application vendors formerly in the introduction section of Domain 2.
Additional Alignment of P2PE Requirements with Entities Offering P2PE Services Added table to illustrate the types of entities eligible to undergo an assessment for each P2PE domain.
Additional Scope of Assessment for P2PE Solutions Moved section after Alignment of P2PE Requirements with Entities Offering P2PE Services and made minor updates.
Clarification …
Removed
p. 6
Deleted explanatory notes after this diagram.
Table 3: General Changes General changes implemented throughout the P2PE Domains Type General restructuring of this standard included the following:
Consolidated content related to a specific function into Domains (e.g. all content about preparing devices and applications consolidated into Domain 1).
Removed duplicate device-management requirements from Domains 1, 3, and 5 and moved relevant requirements to Domain 6, section 6G.
Added, reordered, and renumbered requirements in Domain 6 to align with PIN v2.0.
Moved all guidance-related content that solution providers document for merchants using P2PE solutions to the new PIM Template.
Restructure Renumbered/reorganized requirements as needed due to deletion of sections. Clarification Added “Intended Target Audience” near the start of each Domain. Clarification Added note in the Overview section of Domains 1, 3, 5, and 6 regarding applicability of the term “merchant” in regards to merchant-managed solutions. Clarification Added note in the Overview section of Domains …
Removed
p. 7
Table 4: Requirement Changes Requirement Change Type P2PE v1.1 P2PE v2.0 Domain 1 - Encryption Device and Application Management Domain 1 - General Updated domain title to better reflect the new focus of the domain.
Removed “sampling” language from Domain 1 tests to clarify that the intent was to review all unique POI device types.
Clarification (Untitled) Overview Added notes regarding the intent of Domain 1 requirements and that Domain 1 now has the only requirements applicable to P2PE non-payment software.
Clarification Renamed section to Account data must be encrypted in equipment that is resistant to physical and logical compromise to better reflect content.
Clarification Clarified characteristics of interest between the PTS approval listing and the POI device; eliminated the bullet that included name and application version number, added bullet for SRED as a function provided.
Combined testing procedures to eliminate repetition.
Clarification 1A-.1.1.1 Combined testing procedures 1A-1.1.1.a and b. Clarification Removed example that previously followed …
Removed
p. 8
Evolving/New Requirement 1A-2.2 Added requirement: All P2PE applications are only deployed on POI devices confirmed as PTS approved.
Evolving/New Requirement 1B Renamed section to Logically secure POI devices to include requirements moved from Domain 3. Restructure 3B-3, 3B-4 3B-5, 3B-6 1B-1, 1B-2 1B-3, 1B-4 Moved applicable requirements from Domain 3 to Domain 1 to consolidate all requirements intended for entities managing encryption devices into Domain 1.
Restructure 3B-3.1 1B-1.1 Clarified intent of requirement: Solution providers ensure merchant logical access to POI devices is restricted.
Clarified bullets related to cryptographic keys and clear-text PAN.
Clarification Added requirement: Allows merchants to print full PAN on receipts where there is a legal or regulatory obligation to do so.
See also 2A-3.1.2 and 3A-1.3.
Evolving/New Requirement Clarified intent of requirements: Solution provider personnel with logical access to POI devices deployed in merchant encryption environments.
Clarification 3B-4.1 1B-2.1 Deleted former note. Added note that requirement includes access from terminal management systems. Clarification …
Removed
p. 9
Clarified meaning of “critical software security update” and that updates can be deployed via “push” or “pull.” Clarification 3B-5.4 3B-5.5 1B-3.4 1B-3.5 Clarified that methods for delivering updates in a secure manner are defined by the software vendor. Clarification 1C Added section: Use P2PE applications that protect PAN and SAD to include related requirements moved from Domain 2. Restructure 1C-1 1C-2 1D-1 1D-2 Moved solution provider testing procedures formerly in Domain 2 to Domain 1, and rewrote requirements and testing procedures as needed for a solution provider (rather than an application vendor) audience.
Restructure 2A-2.3 1C-1.1 Clarified intent for solution provider audience: Install and configure applications to use only external communication methods specified in the application’s Implementation Guide.
Clarification 2A-2.4 1C-1.2 Clarified intent for solution provider audience: Manage any whitelisting functionality. Clarification 2A-3.1 2A-3.2 2A-3.3 Moved requirements for applications with no access to account data to Domain 1, and combined three former …
Removed
p. 10
Restructure Domain 2 - Application Security Domain 2 - General Removed Testing Procedures: Solution Provider Assessment column and moved all applicable solution provider content to Domain 1. Renamed remaining testing procedure column for application vendors to Testing Procedures.
Added concept of “test platform” to applicable testing procedures throughout Domain 2.
Clarification (Untitled) Overview Clarified relationships between P2PE applications and PA-DSS, and between POI devices, firmware, and coverage of the PTS review.
Moved options for Domain 2 assessments to the P2PE Solutions and Use of P2PE Applications and/or P2PE Non-payment Software section.
Added section to describe “Use of a “Test” Platform.” Added section “Domain 2 Informative Annex - Application’s Implementation Guide” to describe and reference the annex.
Clarification 2A-1.1 Added requirement: Application must be intended for use on a POI device approved per the PCI PTS program.
Evolving/New Requirement 2A-1.2 Added requirement: Application only uses PTS SRED-validated data capture mechanisms on the POI device.
Evolving/New Requirement 2A-1 2A-2 Clarified intent …
Removed
p. 11
Added testing procedures for the application’s design documentation and a source code review.
Clarification Added requirement: Any truncated PANs output from the application must adhere to allowable number of digits as specified in PCI DSS and related FAQs.
Evolving/New Requirement Added requirement: Allow application to support printing of full PAN on receipts where there is a legal or regulatory obligation to do so.
See also 1B-1.1.1 and 3A-1.3.
Evolving/New Requirement 2A-2.2 2A-3.2 Refocused former requirement on internal communication methods to clarify that an application cannot facilitate, via its own interfaces, sharing of clear-text PAN or SAD with other applications.
Clarification 2A-2.3 2A-3.3 Clarified intent of requirement: Application only uses external communication methods approved per PCI PTS, and use of non-approved methods will invalidate the PTS approval and is prohibited in P2PE solutions.
Clarification 2A-2.4 2A-3.4 Clarified intent of requirement: If an application implements whitelisting functionality, guidance must be included in the application’s Implementation Guide.
Clarification 2A-3 …
Removed
p. 12
Clarification 2B-1.4.2 Added requirement: Application risk assessment techniques from PA-DSS v3.0.
Evolving/New Requirement 2B-1.5, 2B-1.5.1 Added requirements: Training for application vendor personnel from PA-DSS v3.0.
Evolving/New Requirement 2B-1.6 Added requirement: Secure source control practices from PA-DSS v3.0.
Evolving/New Requirement 2B-1.7, 2B-1.8 2B-1.9, 2B-1.10 2B-1.11, 2B-1.12 Added requirements: Processes for software versioning methodology and wildcarding from PA-DSS v3.0.
Evolving/New Requirement 2B-1.13 Added requirement: Processes for final release of the application from PA-DSS v3.0.
Evolving/New Requirement Clarified intent of requirement and testing procedures for applications that rely on the Open Protocol functionality of the POI device.
Clarification Clarified intent of requirement: Application does not circumvent, bypass, or add more services to the Open Protocols of the POI device than those documented in the POI device vendor's security guidance.
Added note that adding or enabling additional services will invalidate the PTS approval status of the POI device.
Clarification Added requirement: If the application provides configuration/update functionality at the terminal, it …
Removed
p. 13
Updated annex contents throughout to match changes made to related content in Domain 2.
Clarification Domain 3 - P2PE Solution Management Domain 3 - General Updated title to reflect the new focus and intent of the domain.
Removed requirements for content or instructions for the P2PE Instruction Manual (PIM) to the separate PIM Template.
Clarification (Untitled) Overview Added wording regarding the PIM Template used by the solution provider to create the merchant PIM.
Evolving/New Requirement 3A-1.1 3A-1.2 3A-1.3 3A-1.4 Deleted the following requirements (not consolidated into 6G per below):
Maintaining inventory control and monitoring procedures Performing annual POI device inventories, and maintaining documented inventories Responding to variances in the annual inventory 3A-2, 3A-3 3A-4, 3A-5 Removed POI device-management requirements and consolidated into Domain 6, section 6G to eliminate repeated requirements and to align with the PCI PIN v2.0 standard.
Restructure 3A Renamed section to P2PE solution management. Restructure 3A-1.1 Added requirement: Current documentation for …
Removed
p. 14
Evolving/New Requirement 3A-2.2 Added requirement: Maintain P2PE controls when changes to the P2PE solution occur.
Evolving/New Requirement 3B-9.1 3A-3.1 Refocused requirement on responding to notifications of suspicious activity, rather than providing notifications.
Added several bullets for types of suspicious activity.
Clarification 3B-2.1 3B-2.1.1 3A-3.2 3A-3.2.1 Removed fail closed from the requirement.
Clarified intent of opt out of the P2PE solution - merchants provide written notification formally requesting stopping of P2PE encryption.
Clarification 3A-2.1.2 3A-3.3 Clarified intent of requirement: Maintain a record of all suspicious activity rather than just encryption failures. Clarification 5D-3.2 3A-3.4 Moved requirement from Domain 5 and clarified that it applies to any incident response procedures defined by the brands. Restructure 3A-3.5 Added requirement: Address P2PE control failures. Evolving/New Requirement 3B-2.2 3B-2.2.1 3B-2.2.2 3B-2.2.3 3B-2.2.4 3A-4.1 3A-4.1.1 3A-4.1.2 Clarified intent of requirement: If a solution provides an option to allow merchants to stop P2PE encryption of account data.
Clarified intent is that merchants provide written notification …
Removed
p. 15
Updated testing procedures to confirm PIM includes only PCI-approved POI devices and applications, and that they were assessed as part of P2PE solution.
Clarification 3C-1.1.1 3C-1.1.2 3C-1.1.3 3C-1.1.4 3C-1.1.5 3C-1.1.6 Deleted requirements with information about specific PIM content - all PIM content moved to the PIM Template. Removal 3C-1.2 3C-1.2 Clarified intent of requirement for updating PIM upon changes includes additions/removals of devices and applications/software. Clarification Annex: Summary of Contents for the P2PE Implementation Manual (PIM) Deleted annex. All information about specific PIM content moved to the PIM Template. Removal Domain 4 - Merchant-managed Solutions: Separation between Merchant Encryption and Decryption Environments Domain 4 - General Updated title to better reflect the content of the new domain.
Domain 4 is all new content for P2PE v2.0.
Domain 4 defines the separation necessary between a merchant’s encryption environment(s) and decryption environment, for merchants managing their own P2PE solutions.
Evolving/New Requirements Domain 5 Decryption Environment Domain 5 General Updated …
Removed
p. 16
Added a note and testing procedure that solution providers complete a written confirmation when operating FIPS-approved HSMs in non-FIPS mode.
Evolving/New Requirement 5A-1.1.3 5A-1.1.3 Refocused requirement on PCI PTS-approved HSMs and clarified that the HSM must be configured per the security policy included in the PCI PTS HSM approval.
Clarification 5A-1.2 Deleted requirement since context is now covered in 5A-1.1.2 and 5A-1.1.3. Removal 5B-1.1 5B-1.2 5B-1.3 5B-1.4 Deleted the following requirements (not consolidated into 6G per below):
Maintaining inventory control and monitoring procedures Performing annual device inventories, and maintaining documented inventories Responding to variances in the annual inventory 5B-1 5B-2 5B-3 5B-4 5C-6 Removed device-management requirements and consolidated into Domain 6, section 6G to eliminate repeated requirements and to align with the PCI PIN v2.0 standard.
Restructure 5B-3.1.2 Deleted requirement (it was not consolidated into 6G per above) for a documented chain-of-custody process. Removal 5B-5 5B-6 5C-3 Deleted requirements for …
Removed
p. 17
Added note that a QSA (P2PE) should not challenge or re-evaluate the PCI DSS environment or compliance thereof, where a completed and current ROC exists.
Clarified testing procedures.
Clarification 5B-1.7 Added requirement: Clear-text account data is never sent back to the encryption environment.
Evolving/New Requirement Added requirement: Any truncated PANs sent back to the encryption environment adhere to the allowable number of digits specified in PCI DSS and related FAQs.
Evolving/New Requirement 5B-1.9 5B-1.9.1 5B-1.9.2 5B-1.9.3 Added requirements for any whitelisting functionality implemented in the decryption environment that transmits data to the encryption environment.
Evolving/New Requirement 5C Renamed section Monitor the decryption environment and respond to incidents to better reflect intent of the requirements. Restructure 5D-1.1 5C-1.1 Renumbered requirement. No change to content. Restructure 5D-1.2 5C-1.2 5C-1.5 Split former requirement to provide immediate notification of potential security into 2 requirements:
5C-1.2: Detect and respond to suspicious activity. Added new bullets and clarified several existing bullets.
5C-1.5: …
Removed
p. 18
Renumbered all of 5D; only actual content changes are summarized below.
Updated diagram with an example of a hybrid decryption implementation is included at the start of this section.
Restructure 5E-1.6 5D-1.6 Deleted fourth bullet of list, which required testing of any operating system software on which decryption operations are dependent.
Restated objective statement from “Configure access controls for the Host System” to “Access controls for the Host System are configured securely.”
Clarification 5E-2.3 5D-2.3 Changed PIN/passphrase to PIN or password/passphrase to align with PCI DSS language. Clarification 5E-2.6.1 Deleted since this requirement was not achievable as written. Removal 5E-2.6.2 5E-2.6.3 5D-2.6.1 5D-2.6.2 Renumbered requirements due to deletion of previous requirement. Restructure Restated section statement to Non-console access to the Host System is configured securely.
Added note to clarify what non-console access means.
Clarification 5E-3.1 5D-3.1 Deleted examples of strong cryptography and security protocols. Clarification Restated section statement to The physical environment of the Host System …
Removed
p. 19
Restructure Domain 6
• Cryptographic Key Operations and Device Management Domain 6 General Updated Domain 6 requirements to align with the PIN v2.0 standard (P2PE v.1.1 was based on the PIN v1.0 standard), with updated wording as applicable for P2PE solutions. These updates are not individually noted below.
Updates to PIN v2.0 requirements that did not apply, and were not added, to P2PE are not summarized here.
Updated “PIN” to “account data” throughout.
For details on what changed between PIN v1.0 and 2.0, please refer to PIN Security Requirements Modifications: Summary of Changes v 1.0 to 2.0.
Clarification (Untitled) Overview Added note regarding hybrid decryption environments and related requirements added in section 6H.
Added table to illustrate the applicability of Domain 6, Annex A (part A1), Annex A (part A2), and Annex B to solution providers and the various component providers.
Added “Normative” to the titles of each annex to indicate they are required annexes, as applicable …
Removed
p. 20
Evolving/New Requirement 6A-1.3.2 Added requirement to maintain a list of all devices used to generate keys or key components for the P2PE solution.
Evolving/New Requirement 6B-2.2 6B-2.2 Clarified intent in note is key generation/loading. Clarification 6B-2.5 6B-2.6 Clarified that this applies to private or secret keys or their components and that the intent of the second-to-last bullet is affixing (e.g., taping).
Clarification 6E-3.5 Clarified intent of testing procedure is production platforms temporarily used for test purposes. Clarification 6F General Added note at start of section that requirements specific to hybrid decryption environments are in italics throughout 6F. Restructure 6F-1.1 6F-2.1.1 6F-2.1.2 6F-2.1.5 Includes an italicized note about that requirement relative to use in a hybrid decryption solution. Restructure 6F-8.1 6F-8.1 Clarified intent of background checks is that they are within the constraints of local laws. Clarification Added section Equipment used to process account data and keys is managed in a secure manner …
Removed
p. 21
Restructure Noted that 6G-1.4.2 (security policy enforced by the HSM does not allow unauthorized or unnecessary functions) is not used in the main body of Domain 6 but is used in Annex B.
Clarification 5C-6.2.4 6G-1.4.3 Moved requirement for HSMs connected to online systems to new section 6G to align with PIN v2.0. Restructure 1B-1.5 5B-3.1.5 6G-1.4.4.
Moved requirements to inspect and test all HSMs prior to installation to new section 6G to consolidate requirements and align with PIN v2.0.
Clarified that requirement only applies to HSMs.
Clarified that requirement only applies to HSMs.
Restructure 3A-3.1.4 5B-3.1.6 6G-1.4.5 Moved requirements to maintain HSMs in tamper-evident packaging to new section 6G to consolidate requirements and align with PIN v2.0.
Restructure Noted that 6G-2 (POIs and HSMs are secured throughout the device lifecycle and secure device-management processes are implemented) is not used in the main body of Domain 6 but is used in Annex B.
Clarification Added note that …
Removed
p. 22
Restructure Annex A: Cryptographic Key Operations
• Symmetric Key Distribution using Asymmetric Techniques Domain 6 Normative Annex A: Symmetric Key Distribution using Asymmetric Techniques Renamed annex and updated content to align with PIN v2.0. Evolving/New Requirements Annex A: Cryptographic Key Operations
• Key-Injection Facilities Domain 6 Normative Annex B: Key-Injection Facilities Renamed annex and updated content to align with PIN v2.0.
This Annex now includes ALL requirements relevant to a key-injection facility.
Evolving/New Requirements Annex B: 6I Added section Component providers ONLY: report status to solution providers. This section is ONLY applicable for P2PE component providers offering key-injection facilities services.
Restructure Appendix A: Minimum Key Sizes and Equivalent Key Strengths Domain 6 Normative Annex C: Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms Renamed annex and updated language and format to align with PIN v2.0 Annex C.
Updated minimum key sizes to reflect current standards.
Clarified via footnote the allowable uses of double-length …