When security managers and executives gather this week for the PCI Security Standards Council’s annual North America Community Meeting, one of the topics sure to be on their minds is point-to-point encryption (P2PE) of payment card data. The Council reported Friday that it plans to issue a new version of its P2PE standard late next year or in early 2020.
The Wakefield, Mass.-based PCI Council, which administers the main Payment Card Industry data-security standard and its sister standards covering payment-processing software and hardware, issued a request for comment last year on revising the P2PE standard, and had planned on issuing an update this year. But some of the comments prompted the Council to postpone the revision.
“We really expected the comments would be to minimize any significant changes from the previous release,” PCI Council chief technology officer Troy Leach said in a blog post. “That was what we were hearing from the industry, and somewhat confirmed by the feedback results. However, we received a few suggested changes that were minor in the approach to the security requirements of the standard itself, but significant in some of the program changes recommended and organization of requirements within the standard.”
Now the Council is planning on another request-for-comment period for security-services vendors, payment processors, merchants, and other so-called PCI stakeholders. The new goal is to publish version 3.0 of the P2PE standard in 2019’s fourth quarter or 2020’s first quarter, according to Leach.
“Changes will focus on modernizing, simplifying, and adding flexibility to the P2PE program,” he said.
In the meantime, version 2.0 of the P2PE standard remains in effect. Point-to-point encryption is aimed at masking payment card data that otherwise might be exposed to hackers during vulnerable times in the transaction process. The Council wants merchants to use P2PE products validated as meeting its standards to ensure the strongest data protection.
P2PE became a huge topic among merchants and merchant acquirers after the massive data breach at processor Heartland Payment Systems Inc. in 2008, which embarked upon a big encryption initiative afterward.
In other PCI news, the Council’s annual North America Community Meeting is set for Tuesday through Thursday in Las Vegas. One highlight will be comments by new PCI Council executive director Lance J. Johnson.