Guest blogger: Tim Winston CISSP, CISA, QSA (P2PE)
Many payment vendors claim to offer P2PE (point-to-point encryption) solutions but are not actually PCI-validated. What does it mean to be a PCI-Validated P2PE Solution Provider? Tim Winston from Coalfire, a PCI SSC Qualified Security Assessor Company, answers some of the most frequently asked questions about P2PE solutions.
What is a QSA (P2PE)?
A QSA (Qualified Security Assessor) Company is recognized by the PCI Council as a qualified assessor of an organization’s adherence to PCI requirements. As a QSA Company, Coalfire performs assessments of an organization’s systems and validates the company for meeting PCI requirements. When it comes to P2PE solutions, Coalfire serves as a QSA (P2PE) to determine if a solution can be submitted to the PCI Council for P2PE validation.
What Does it Mean to Offer a PCI P2PE Validated Solution?
To be a PCI-Validated P2PE Solution Provider, a vendor must meet the detailed security requirements and pass the testing procedures outlined by the PCI Council, which exist to ensure that the solution adequately protects payment card data. When Coalfire assesses a vendor's P2PE solution for PCI P2PE validation, we perform testing to determine that the solution meets all PCI P2PE requirements. If the assessment is successful and we determine that the vendor is qualified, we submit our assessment to the PCI Council for review. The PCI Council then ensures that the assessment meets its quality standards and adds the solution to the list of PCI P2PE solutions on its website.
Many solutions implement P2PE, but only those listed on the PCI Council website have been assessed to the complete PCI P2PE Standard and approved by the Council as validated solutions.
What are the Benefits of Leveraging a PCI P2PE Validated Solution for Healthcare Providers?
PCI P2PE delivers the highest level of security for payment card data stored and processed on a healthcare organization’s systems. P2PE immediately encrypts payment card information at the point of entry within a secure device. Once encrypted, the payment card information is unreadable in the merchant’s environment and public networks until it reaches a secure endpoint and is decrypted by the payment processor. If a data breach does occur, encryption de-values the payment card information, making it practically worthless if it is stolen.
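The property described above, that card data is unreadable anywhere between the secure device and the decryption endpoint, comes down to key separation: the point-of-interaction device and the processor's decryption environment hold the key, and the merchant's systems never do. The following is an added illustration of that architecture, not code from InstaMed, Coalfire or the PCI P2PE standard (real validated solutions rely on hardware-protected key management inside the device, which this simplified model replaces with a randomly generated AES-GCM key; the device, endpoint and transaction types, and the test PAN, are all constructed for the example).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Added example: a simplified model of point-to-point encryption key separation.
// It is not InstaMed's or Coalfire's code and does not implement the PCI P2PE
// standard (real solutions use hardware-protected key management inside the
// POI device); it only shows why ciphertext alone is worthless to the merchant.

// EncryptedTransaction is all the merchant environment ever handles.
type EncryptedTransaction struct {
	Nonce      []byte // per-transaction AES-GCM nonce
	Ciphertext []byte // AES-GCM output, includes the authentication tag
	MaskedPAN  string // receipt-safe masked PAN, last four digits only
}

// POIDevice models the secure point-of-interaction device that encrypts
// card data at the point of entry. It holds the data-encryption key.
type POIDevice struct{ key []byte }

// DecryptionEndpoint models the processor-side environment that holds the
// matching key. Nothing in between (the merchant's systems) has it.
type DecryptionEndpoint struct{ key []byte }

// NewKey returns a random 256-bit AES key (stand-in for real key injection).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// MaskPAN keeps only the last four digits so receipts never carry the full PAN.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Capture encrypts the PAN inside the device before it reaches the merchant.
func (d POIDevice) Capture(pan string) (EncryptedTransaction, error) {
	aead, err := newGCM(d.key)
	if err != nil {
		return EncryptedTransaction{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTransaction{}, err
	}
	return EncryptedTransaction{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, []byte(pan), nil),
		MaskedPAN:  MaskPAN(pan),
	}, nil
}

// Decrypt recovers the PAN; it fails on a wrong key or any change to the ciphertext.
func (e DecryptionEndpoint) Decrypt(tx EncryptedTransaction) (string, error) {
	aead, err := newGCM(e.key)
	if err != nil {
		return "", err
	}
	plain, err := aead.Open(nil, tx.Nonce, tx.Ciphertext, nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered data")
	}
	return string(plain), nil
}

func main() {
	key, _ := NewKey()
	device := POIDevice{key: key}
	processor := DecryptionEndpoint{key: key}
	tx, _ := device.Capture("4111111111111111") // constructed test PAN
	fmt.Printf("merchant sees: masked=%s ciphertext=%x\n", tx.MaskedPAN, tx.Ciphertext)
	pan, err := processor.Decrypt(tx)
	fmt.Println("processor recovers:", pan, err)
}
```

The point of the model is what the merchant-side record contains: a masked PAN for receipts and authenticated ciphertext that no key in the merchant's environment can open, so a copy of it taken from a compromised merchant system does not yield cardholder data, and any modification of it is rejected at the endpoint.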
PCI DSS Compliance Effort Reduction
The use of a PCI-validated P2PE solution can help reduce the DSS compliance effort of a healthcare organization’s cardholder data environment. Only PCI Council-listed P2PE solutions are recognized as meeting the requirements necessary for healthcare organizations to reduce their PCI DSS compliance effort through use of these solutions. Additionally, healthcare organizations using a PCI-validated P2PE solution can leverage a simplified 35-question SAQ (Self-Assessment Questionnaire) P2PE-HW. This is a significant reduction in effort compared to the 332-question SAQ D.
The use of a PCI-validated P2PE solution enables healthcare providers to expand payment opportunities for patients with the confidence that they are processing payment card information securely.
How Can You Learn More About InstaMed’s PCI P2PE v3.0 Validated Solution?
Coalfire recently assessed InstaMed Healthcare Payments P2PE for PCI validation. We audited InstaMed's bi-coastal data centers and spoke with InstaMed employees to ensure their systems and processes meet PCI requirements. The PCI Council approved our submission of InstaMed Healthcare Payments P2PE as a PCI-validated P2PE solution, and InstaMed is validated for PCI P2PE v3.0.
As a result, we have re-released our white paper with InstaMed, Security and Encryption in Healthcare Payments, which details the validity of InstaMed’s PCI-validated P2PE solution.