Coalfire Systems was engaged by FreedomPay to provide clarity on the use of SSL and early TLS (collectively “SSL”) by merchants leveraging a validated, listed Point-to-Point Encryption (P2PE) solution. There are several different aspects of this topic that are addressed by the Payment Card Industry (PCI) Security Standards Council (SSC). In each case, the PCI SSC establishes a directive that merchant transactions originating from a P2PE Point-of-Interaction (POI) device, or from a Point-of-Sale (POS) system leveraging a P2PE POI for all card capture functions, have no applicable controls related to the use of transport layer security.
Therefore, these merchants are not held to the June 30, 2018 deadline for transition to TLS v1.2 or later transport layer security for card-present cardholder data (CHD) captured through the use of the P2PE POI. The PCI SSC has provided the following guidance on this topic: First, merchants using a validated, listed P2PE solution may be eligible for reporting compliance using the P2PE Self-Assessment Questionnaire (SAQ). For eligible merchants, the P2PE SAQ removes all controls within PCI Data Security Standard (DSS) Requirement 4, which addresses transport layer security for CHD.
The merchant eligibility requirements for the P2PE SAQ are contained within the SAQ document.