toms logo
toms logo
English 

PCI P2PE
FlyKey passed PCI P2PE

Introduction of PCI P2PE

PCI P2PE standard is to facilitate the development, approval, and deployment of PCI-approved P2PE solutions that will increase the protection of account data by encrypting that data from the point of interaction (POI) within the encryption environment where account data is captured through to the point of decrypting that data inside a decryption environment, effectively removing clear-text account data between these two points.

Domain Overview P2PE Validation Requirements
Domain 1: Encryption Device and Application Management The secure management of the PCI- approved POI devices and the resident software.
  • 1A Account data must be encrypted in equipment that is resistant to physical and logical compromise.
  • 1B Logically secure POI devices.
  • 1C Use P2PE applications that protect PAN and SAD.
  • 1D Implement secure application-management processes.
  • 1E Component providers ONLY: report status to solution providers.
Domain 2: Application Security The secure development of payment applications designed to have access to clear-text account data intended solely for installation on PCI- approved POI devices.
  • 1A Protect PAN and SAD.
  • 2B Develop and maintain secure applications.
  • 2C Implement secure application-management processes.
Domain 3: P2PE Solution Management Overall management of the P2PE solution by the solution provider, including third-party relationships, incident response, and the P2PE Instruction Manual (PIM).
  • 3A P2PE solution management.
  • 3B Third-party management.
  • 3C reation and maintenance of P2PE Instruction Manual for merchants.
Domain 4: Decryption Environment The secure management of the environment that receives encrypted account data and decrypts it.
  • 4A Use approved decryption devices.
  • 4B Secure the decryption environment.
  • 4C Monitor the decryption environment and respond to incidents.
  • 4D Implement secure, hybrid decryption processes.
  • 4E Component providers ONLY: report status to solution providers.
Domain 5: P2PE Cryptographic Key Operations and Device Management Establish and administer key- management operations for account- data encryption POI devices and decryption HSMs.
  • Control Objective 1 Account data is processed using equipment and Account data is processed using equipment and methodologies that ensure they are kept secure.
  • Control Objective 2 Account data keys and key-management methodologies are created using processes that ensure it is not possible to predict any key or determine that certain keys are more probable than other keys.
  • Control Objective 3 Keys are conveyed or transmitted in a secure manner.
  • Control Objective 4 Key loading is handled in a secure manner.
  • Control Objective 5 Keys are used in a manner that prevents or detects their unauthorized usage.
  • Control Objective 6 Keys are administered in a secure manner.
  • Control Objective 7 Equipment used to process account data and keys is managed in a secure manner.
  • 5A Account data is processed using algorithms and methodologies that ensure they are kept secure.
  • 5H For hybrid decryption solutions: Implement secure hybrid-key management.
  • 5I Component providers ONLY: report status to solution providers.

Related Articles

PCI

The PCI Security Standards Council (PCI SSC) is a global forum that...

PCI DSS

PCI DSS contains 12 requirements, which are divided into 6 categories...

PCI PIN

PCI PIN standard contains a complete set of requirement for the secure...