Review of the newly released documents by the PCI SSCMarch 15th, 2013 by Geraint Williams
The PCI Security Standard Council (PCI SSC) has released the following documents in February 2013. They are available within the documentation library on the PCI Security Standards Council website.
- P2PE Glossary v1.2
Fact sheets & information supplements:
- Mobile Payment Acceptance Security Guidelines for Merchants v1.0
- PCI DSS 2.0 Cloud Computing Guidelines
- P2PE QSA Qualification Requirements v1.1
- P2PE Program Guide v1.1
The new information and fact sheets cover Mobile Payment Acceptance Security Guidelines for Merchants as End-Users and Cloud Computing Guidelines. The Mobile Payment document focuses on payment-acceptance applications that operate on any consumer electronic handheld device (e.g., smartphone, tablet, or PDA) that is not solely dedicated to payment-acceptance transaction processing and where the electronic handheld device has access to clear-text data. It provides guidance to merchants on how to implement a secure mobile payment-acceptance solution.
The Cloud computing guidelines document provides guidance on the use of Cloud technologies and considerations for maintaining PCI DSS controls in Cloud environments. This guidance builds on that provided in the PCI DSS Virtualization Guidelines and is intended for organisations using, or thinking of using, providing, or assessing cloud technologies as part of a cardholder data environment (CDE). It is intended to provide an initial point of discussion for cloud providers and clients, and does not delve into specific technical configurations.
The P2PE program covers point-to-point encryption (P2PE) solution which is provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction until the data reaches the solution provider’s secure decryption environment.
The P2PE program guide covers the requirements currently recognised by all Participating Payment Brands regarding:
- P2PE Solution Requirements
- Processes for recognizing P2PE Assessor validated P2PE Solutions and P2PE Applications
- Quality assurance processes for P2PE Assessors
The P2PE QSA qualification requirements provide addition requirements to those for a Qualified Security Assessor (QSA) company to enable them to qualify as P2PE Assessor
All the Terms, Abbreviations, and Acronyms relating to the P2PE program are explained in the glossary.
For more information on PCI DSS visit www.itgovernance.co.uk/pci_dss.aspx.