PCI P2PE


In retail payments, trust is everything. PCI P2PE is not just compliance—it’s your strongest shield against fraud and data breaches. At Patronusec, we help you achieve certification fast and flawlessly, so your payment solutions earn customer trust and win market advantage.

Don’t just meet the standard—set it.

A formal requirement for every P2PE solution is the use of hardware security modules (HSMs) compliant with the PCI PTS HSM standard or certified to FIPS 140-2 Level 3 or higher. Implementing a P2PE solution significantly reduces the scope of a merchant's PCI DSS assessment, though it does not absolve the merchant of PCI DSS compliance.

How can we help you?

If you are planning a P2PE solution, component, or application, we can assist in verifying your assumptions, suggesting appropriate solutions, consulting, and clarifying the standard’s provisions.

We hold P2PE QSA (Qualified Security Assessor) and PA P2PE QSA accreditations, which enable us to conduct certification audits for PCI P2PE compliance, whether for solutions, components, or applications.

How will we work with you?

Stage 1: Defining the Solution or Component

Every PCI P2PE certification starts by establishing the scope of the solution. At a minimum, this will include a list of PCI POI devices, payment applications, the decryption environment, HSM device locations, and cryptographic key management processes.

Stage 2: Gap Analysis

This step is optional and works best for new clients who may not be sure if they are ready for a certification audit. During the gap analysis, we simulate what the certification audit would look like, pointing out non-conformities and areas for improvement. We’ll also suggest solutions to address any challenges.

Stage 3: Consulting

We’ll guide you through the certification process, providing answers to your questions and recommending solutions to any issues. From experience, we know that working with an experienced partner helps resolve doubts quicker than trying to figure it all out on your own.

Stage 4: Certification Audit

The audit can be performed remotely, on-site, or in a hybrid format; the process is described in more detail below. Within two weeks of completing the audit, you will receive a list of the documents and evidence you need to provide to us (known as the tracker).

Stage 5: Remediation and Evidence Collection

You will have up to 90 days to provide us with audit evidence or implement corrections after receiving observations. The sooner you deliver the evidence, the sooner we can provide you with the audit documents.

Stage 6: Reporting

We work from the evidence and documents you provide to create the compliance report. The report is a detailed document, often more than 200 pages, describing your card environment for each domain of the standard. The report must also pass our internal QA process before it is delivered to you. This stage typically takes up to a month, and at its end you will receive an Attestation of Compliance (AOC) for signature.

Stage 7: Submitting Documents to PCI SSC

At this point, the solution is submitted to PCI SSC and undergoes review and assessment by the AQM (Assessor Quality Management) team. The team reviews our work and either approves the solution or returns it to us for clarification. This process typically takes up to 3 months and is entirely independent of us. The PCI SSC fee must be paid at this stage to initiate the review.

Stage 8: Completion

This is the step we enjoy most. Once the solution is approved, you will receive a signed AOV (Approval of Validation) document from PCI SSC. The solution will appear on the PCI SSC website within a couple of days. Shortly after, we will send you a marketing certificate confirming the completion of the process.

Certification audit

A certification audit is a combination of on-site and remote activities designed to confirm your compliance with the PCI P2PE standard. The audit consists of five key elements:

1. Personnel Interviews: Before the audit, we will send you an agenda with the topics we will discuss with your staff or suppliers. These interviews help us better understand your organisation, the scope of responsibilities, and how you manage your card environment.

2. Configuration Review: Next, we will review and verify the configuration of your environment. We will ask your staff to show us the configuration of systems, devices, and other elements such as access control systems or alarm systems. During this review, we may request audit evidence.

3. Management Process Review: We will also review the processes used to manage your card environment. We may request documents such as change logs, evidence of log reviews, or evidence of patching sessions.

4. Documentation Review: This step is usually done remotely. We will request a list of documents that describe your card environment, network diagrams, policies, and procedures. Remember, the documents must be current (i.e., the date of the last review must not be more than 12 months ago).

5. Observations and Testing: Some aspects of how you manage compliance with PCI P2PE must be observed in person. This includes processes such as key generation and distribution, terminal key loading, payment application recording, and secure room visits. We simulate these processes to see how you handle each required step.

After the audit, we will provide you with a set of observations and a list of the documents and evidence required, in a document we call the tracker. Once you have submitted all the items listed in the tracker, we can start preparing your compliance report.

FAQ – PCI P2PE Certification

How long does the PCI P2PE certification process take?

The process typically spans 5 to 9 months, depending on the solution’s complexity and the completeness of submitted evidence. This timeframe covers all stages, from gap analysis to PCI SSC approval of the solution, including the PCI SSC’s review period.

What is the cost of implementing or achieving PCI P2PE certification?

Costs are determined on a case-by-case basis, influenced by the solution’s scale, number of POI devices, components, cryptographic environments, and documentation readiness. A tailored estimate is provided following a brief, no-obligation consultation.

When can the certification process commence?

The process can begin immediately upon defining the solution scope and signing the agreement. Conducting a prior gap analysis is advisable to streamline the subsequent certification audit.

What does collaboration with Patronusec entail?

Each project is structured across eight stages, encompassing scope definition, gap analysis, consultancy, audit, reporting, and final PCI SSC approval. Clients benefit from a dedicated consultant guiding them through every step.

When will the certificate or PCI SSC listing be received?

Following audit completion and report preparation, documents are submitted to PCI SSC for AQM team verification, a process usually lasting 2 to 3 months. Upon approval, the solution is listed, and AOV and marketing certificates are issued.

Does P2PE implementation exempt users from PCI DSS requirements?

No, though it substantially narrows the PCI DSS scope for merchants that adopt it. Merchants accepting card payments must still maintain PCI DSS compliance, but P2PE limits the assessment to fewer environments and systems, making it simpler and more cost-effective.

What benefits does P2PE certification provide?

Certification validates payment solution security through robust encryption from POI to authorisation. It fosters partner and customer trust, mitigates breach risks, and alleviates PCI DSS regulatory burdens.

Don't buy a pig in a poke: request a free consultation and check how we can assist you.

Use the contact form or contact us directly.

Patronusec Sp. z o.o.

Head Office:
ul. Święty Marcin 29/8
61-806 Poznań, Poland

KRS: 0001039087
REGON: 525433988
NIP: 7831881739
D-U-N-S: 989454390
LEI: 259400NAR8ZOX1O66C64