PCI P2PE
PCI certifications
PCI P2PE (Payment Card Industry Point-to-Point Encryption) is a security standard developed by the PCI Security Standards Council (PCI SSC). It defines the technical and procedural requirements for P2PE solutions, for the components that make up those solutions, and for the payment applications that run on them.
A P2PE solution consists of a PCI-approved payment terminal (POI device) installed at the merchant's location, a payment application running on that terminal, and a decryption environment where the encrypted card data is decrypted. Because the card data is encrypted inside the terminal and only decrypted in that environment, the merchant never handles cleartext account data, which is what allows a merchant to reduce its PCI DSS scope.

How can we help you?
If you are planning a P2PE solution, component, or application, we can help you verify your assumptions, suggest appropriate solutions, provide consulting, and clarify the standard's provisions.
We hold P2PE QSA (Qualified Security Assessor) and PA P2PE QSA accreditations, which allow us to conduct PCI P2PE certification audits of solutions, components, and applications.
How will we work with you?
Stage 1
Defining the Solution or Component
Every PCI P2PE certification starts with establishing the scope of the solution. At a minimum, this includes the list of PCI-approved POI devices, the payment applications, the decryption environment, the locations of the HSMs, and the cryptographic key management processes (key generation, distribution, loading, and destruction).
Stage 2
Gap Analysis
This step is optional and works best for new clients who are not sure whether they are ready for a certification audit. During the gap analysis, we simulate the certification audit, pointing out non-conformities and areas for improvement, and we suggest ways to address any issues found.
Stage 3
Consulting
We will guide you through the certification process, answering your questions and recommending solutions to any issues that arise. From experience, we know that working with an experienced partner resolves doubts more quickly than trying to figure it all out on your own.
Stage 4
Certification Audit
The audit can be performed remotely, on-site, or in a hybrid format; the process is described in more detail below. Within two weeks of completing the audit, you will receive a list of the documents and evidence you still need to provide (we call this list the tracker).
Stage 5
Remediation and Evidence Collection
After receiving our observations, you have up to 90 days to provide the audit evidence or implement the required corrections. The sooner you deliver the evidence, the sooner we can produce the audit documents.
Stage 6
Reporting
We work from the evidence and documents you provide to write the report on validation. This is a detailed document, often more than 200 pages, describing your card environment against each domain of the standard. Before the report is delivered to you, it must pass our internal QA process. This stage typically takes up to a month. At the end of it, you receive the Attestation of Validation (AOV) for signature.
Stage 7
Submitting Documents to PCI SSC
At this point we submit the report package to PCI SSC, where it is reviewed by the AQM (Assessor Quality Management) team. The team reviews our work and either approves the solution or returns it to us for clarification. This review typically takes up to 3 months and is entirely outside our control. Note that PCI SSC does not start the review until its fee has been paid.
Stage 8
Completion
This is the step we enjoy most. Once the solution is approved, you receive the AOV (Attestation of Validation) countersigned by PCI SSC, and the solution is listed on the PCI SSC website within a couple of days. Shortly afterwards, we send you a marketing certificate confirming completion of the process.
Certification audit
A certification audit is a combination of on-site and remote activities designed to confirm your compliance with the PCI P2PE standard. The audit consists of five key elements:
Personnel Interviews
Before the audit, we send you an agenda listing the topics we will discuss with your staff or suppliers. These interviews help us understand your organisation, who is responsible for what, and how you manage your card environment.
Configuration Review
Next, we review and verify the configuration of your environment. We ask your staff to show us the configuration of systems, devices, and other elements such as access control and alarm systems. During this review we may request audit evidence.
Management Process Review
We also review the processes used to manage your card environment. We may request documents such as change logs, evidence of log reviews, or evidence of patching.
Documentation Review
This step is usually done remotely. We request the documents that describe your card environment: network diagrams, policies, and procedures. Remember that the documents must be current, i.e. each must have been reviewed within the last 12 months.
Observations and Testing
Some aspects of how you manage PCI P2PE compliance must be observed in person. This includes processes such as key generation and distribution, key loading into terminals, payment application recording, and visits to secure rooms. We have you walk through each process so we can see how you handle every required step.
After the audit, we provide you with the tracker: a list of our observations together with the documents and evidence still required. Once you have submitted all the items on the tracker, we can start preparing your report on validation.
Don't buy a pig in a poke: request a free consultation and find out how we can assist you.
