PCI's New P2PE Rules Won't Kick In Until Spring 2012 Or Later

The PCI Council on Thursday (Sept. 15) will detail its initial guidelines for point-to-point encryption (P2PE), but retailers need not—and should not—take any near-term action. Nor should they sign any imminent contracts involving P2PE. Why? The Council will stress that the document—a 96-page detailed description of various P2PE approaches and common-sense security processes for each—is only "the first set of validation requirements" and that key parts of the program won't even be in place for six to eight months and might be delayed even further.

Why such delays? First, the Council wants retailers to contract only for P2PE applications that appear on a Council list of applications validated to be PCI compliant. The problem? That list doesn't yet exist, and the list's creation is "targeted for Spring 2012," according to a draft copy of the Council's document.

A second reason for the delay is PCI training of assessors. The Council isn't promising to identify the testing procedures until "the end of 2011" and "training opportunities" (which we assume means classes) won't be detailed until "Spring 2012."

The report will say that the guidelines—even if perfectly followed—won't offer a path for a retailer to be considered out-of-scope. The best that a chain can hope for, according to the document, will be "reduced scope." But nowhere does the document say what exactly that would and wouldn't include. Even a 10-page glossary in the document doesn't define "reduced scope," although it does take the time to define "authorization," "clear text" (we kid you not; its full definition is "See Plain Text."), "password" and "software." But reduced scope? Everyone obviously knows exactly what the Council meant by that.

The document will also bring new levels of bureaucracy, including creating special P2PE QSAs. "Not all QSAs are P2PE QSAs—there are additional qualification requirements that must be met for a QSA to become a P2PE QSA," the report said, although it doesn't list what those additional requirements will be. Presumably, that is part of next year's training plans.

The guidelines—a copy should be available here on the PCI Council Web site—only deal with "Encryption, Decryption and Key Management within Secure Cryptographic Devices (Hardware/Hardware)," which is also the catchy name of the report.