Executive Insight: True P2PE – What You Need To Know (Part 2)
By Stephen Ames, CISA, CISSP – Senior Director, Security Compliance, Shift4 Corporation
Riding on the fantastic news that Shift4’s True P2PE® solution is PCI validated, which means you may be able to significantly reduce the scope and duration of your PCI DSS assessments by using the Self-Assessment Questionnaire (SAQ) P2PE, I’m sure you have a ton of questions about your particular environment. I will try to answer them as a follow-up to my January 2017 Executive Insight, “PCI-Validated P2PE – What You Need To Know”. In case you missed it, let’s recap:
First, aside from implementing PCI PIN Transaction Security (PTS) validated POI devices, there is no additional cost to you. If you’ve already done so, you are set. Second, as with the many value-added services that come with our DOLLARS ON THE NET® payment gateway, implementing True P2PE will not require you to change processors. Third, be mindful that not all encryption-at-the-swipe POI devices are created equal, and some don’t qualify for any validated P2PE solution. And finally, depending on your current setup, you may be instantly “grandfathered” into our PCI-validated True P2PE solution and qualify to use the SAQ P2PE.
How to Qualify for Shift4’s PCI-Validated True P2PE Solution
If you’re an existing Shift4 customer using True P2PE, flip your POI devices over and match your model and version to a device on the True P2PE solution list here. If your device does not appear on this list, it doesn’t necessarily mean you’re any less secure, but you do not qualify to use the SAQ P2PE. What it likely means is that you are using a Shift4-supported encryption-at-the-swipe device that does not have SRED (Secure Reading and Exchange of Data) as an approved function, and SRED is required for any device in a validated P2PE solution.
Shift4-supported POI devices can be found here, but it is highly recommended that you choose a device included in the True P2PE validated solution listing. Your best option is to contact Shift4 Customer Support at firstname.lastname@example.org or 702.597.2480 (option 2) for advice on which devices best suit your environment.
If your device model and version appear on the True P2PE solution list, then search for that model and version on the PCI SSC’s Approved PTS Devices list to confirm that you’re using PTS-validated devices, and note their expiry dates. The “Version” column in that list is not your firmware version; it refers to the PTS standard version against which your device is validated. Why does this matter? Part of your responsibility for PCI compliance is to maintain an inventory of your True P2PE environment, including each device’s model, version, PTS approval and expiry date. For more information, refer to the merchant responsibilities in the True P2PE Instruction Manual for PCI P2PE.
Why Are the PTS Versions and Expiry Dates Important?
PTS version 2 device validations expire on April 30, 2017. If you have version 2 validated devices in your True P2PE environment, you may continue using them until April 12, 2020 – the revalidation date of True P2PE. This is made possible by PCI SSC Frequently Asked Question #1434, which allows devices whose PTS approval has expired to remain in a validated P2PE solution until that solution is next revalidated. Keep this FAQ handy: after April 30, 2017 those approvals will show as expired, and your QSA or acquirer might question the validity of your True P2PE environment if you are still using PTS version 2 devices. You should plan to replace these devices by April 12, 2020.
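The inventory check described in the two sections above, as an added example that is not Shift4’s code and not a PCI SSC tool: it takes a constructed POI inventory, matches each device against a constructed stand-in for the True P2PE solution list and a constructed stand-in for the PCI SSC Approved PTS Devices list, and applies the expiry rules the article states (PTS v2 approvals expire April 30, 2017; a device in the validated solution may remain until the April 12, 2020 revalidation per FAQ #1434). Every model name, version string and approval date below is illustrative and assumed, not taken from either real listing; the rule that the whole environment qualifies only if every device does is a simplification you should confirm with your QSA.

```python
"""Added example: check a POI device inventory against a P2PE solution listing
and a PTS approved-device listing, applying the expiry rules from the article.
All device models, versions and dates are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Dates stated in the article.
SOLUTION_REVALIDATION = date(2020, 4, 12)   # True P2PE revalidation date
PTS_V2_EXPIRY = date(2017, 4, 30)           # expiry of all PTS version 2 approvals


@dataclass(frozen=True)
class PtsApproval:
    pts_version: str   # PTS standard version the device was approved against
    expiry: date       # approval expiry as shown on the PCI SSC listing
    sred: bool         # whether SRED is an approved function of the device


# Constructed stand-in for the True P2PE solution list: (model, version).
SOLUTION_LIST = {("ExampleTerm-1000", "v3.1"), ("ExampleTerm-2000", "v4.0")}

# Constructed stand-in for the PCI SSC Approved PTS Devices list.
PTS_LIST = {
    ("ExampleTerm-1000", "v3.1"): PtsApproval("2.x", PTS_V2_EXPIRY, sred=True),
    ("ExampleTerm-2000", "v4.0"): PtsApproval("4.x", date(2023, 4, 30), sred=True),
    # Encryption-at-the-swipe device without SRED: not in any validated solution.
    ("ExampleSwipe-100", "v1.0"): PtsApproval("3.x", date(2020, 4, 30), sred=False),
}


def assess_device(model, version, as_of):
    """Return (qualifies_for_saq_p2pe, reason) for one inventoried device."""
    key = (model, version)
    if key not in SOLUTION_LIST:
        return False, "not on the True P2PE solution list"
    approval = PTS_LIST.get(key)
    if approval is None:
        return False, "not found on the PCI SSC Approved PTS Devices list"
    if not approval.sred:
        return False, "PTS approval does not include SRED"
    if approval.expiry >= as_of:
        return True, f"PTS {approval.pts_version} approval valid until {approval.expiry}"
    # Expired PTS approval: per FAQ #1434 as described in the article, a device
    # listed in the validated solution may stay until the solution is revalidated.
    if as_of <= SOLUTION_REVALIDATION:
        return True, (f"PTS approval expired {approval.expiry}; usable under FAQ #1434 "
                      f"until revalidation on {SOLUTION_REVALIDATION}; plan replacement")
    return False, (f"PTS approval expired {approval.expiry} and the solution "
                   f"revalidation date {SOLUTION_REVALIDATION} has passed")


def assess_inventory(inventory, as_of):
    """inventory: iterable of (location, model, version). Returns one dict per device."""
    results = []
    for location, model, version in inventory:
        ok, reason = assess_device(model, version, as_of)
        results.append({"location": location, "model": model, "version": version,
                        "qualifies": ok, "reason": reason})
    return results


def environment_qualifies(inventory, as_of):
    """Simplification (assumption): SAQ P2PE is only usable if every POI qualifies."""
    return all(r["qualifies"] for r in assess_inventory(inventory, as_of))


if __name__ == "__main__":
    # Constructed inventory, as a merchant would record it from the device labels.
    inventory = [
        ("Lane 1", "ExampleTerm-1000", "v3.1"),
        ("Lane 2", "ExampleTerm-2000", "v4.0"),
        ("Lane 3", "ExampleSwipe-100", "v1.0"),
    ]
    for when in (date(2018, 1, 1), date(2020, 5, 1)):
        print(f"As of {when}: environment qualifies = {environment_qualifies(inventory, when)}")
        for r in assess_inventory(inventory, when):
            print(f"  {r['location']}: {r['model']} {r['version']} -> "
                  f"{'OK' if r['qualifies'] else 'NOT OK'} ({r['reason']})")
```

Run it with a date before and after the revalidation deadline to see the same PTS v2 device flip from “usable under FAQ #1434” to failing; replace the constructed listings with the current True P2PE solution list and the PCI SSC listing before relying on the result.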
Don’t Have a PTS-Approved Device Yet? Don’t Worry
We encourage you to take advantage of the SAQ P2PE available when using True P2PE with approved SRED PTS devices. However, it’s important to note that there have been no changes to our product that should interfere with your continuing to leverage a smaller PCI DSS footprint, whether or not you qualify for a validated P2PE solution. So, if you aren’t able to upgrade your devices just yet, don’t worry. We do recommend, however, that you check with your PCI Qualified Security Assessor (QSA) or a similarly qualified advisor to confirm.
As always, feel free to reach out to me directly at PCI@shift4.com for clarification on the information I provided here or any other questions that you may have.