July 13, 2021

Reducing Merchant Scope to Ease the Compliance Burden

Written by Art "Coop" Cooper

Merchants should spend more time doing what they are good at—i.e., selling and merchandising—versus trying to keep up with validating and maintaining PCI compliance. How can this be accomplished? Using either an end-to-end encryption (E2EE) or point-to-point encryption (P2PE) solution for each point-of-sale (POS) system eliminates some of the complex hoops that merchants are required to jump through and reduces the overall compliance scope.

The Bottom Line

A Cardholder Data Environment (CDE) is comprised of the components (i.e., people, processes, and technologies) that store, process, or transmit cardholder data or sensitive authentication data. The bottom line is: if a component stores, processes, or transmits cardholder data, or can impact the security of the CDE, it’s considered in scope for PCI compliance.

Solutions that have not been validated by the PCI SSC but provide the same functions, such as encrypting within the point-of-interaction (POI) terminal and decrypting outside the merchant environment, are generally called unlisted P2PE solutions, non-listed encryption solution assessment (NESA) solutions, or simply E2EE solutions. These systems can usually provide a similar amount of scope reduction as the validated P2PE solutions listed on the PCI website:

https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions?agree=true

The significant difference between listed and non-listed solutions is in terms of validating the merchant’s scope and compliance level and properly documenting and validating it on an annual basis. With listed P2PE solutions, scope reduction is automatic, and level 2, 3, and 4 merchants (level is determined by the payment brands and based on transaction volume) are automatically eligible to complete the authorized self-assessment questionnaire (SAQ P2PE) that is known and accepted by all acquiring banks. Level 1 merchants must complete a Report on Compliance (RoC), but the level of effort is greatly reduced when reporting use of a listed P2PE solution.

With an E2EE solution, scope reduction is not automatic, and generally it is advisable for a QSA to assess the solution and how it has been implemented, assist the merchant in documenting the reduced scope, and request approval for the reduced scope from the merchant’s acquiring bank.

Fewer Questions, More Time

Under PCI DSS v3.2.1, proper use and implementation of a P2PE or E2EE solution represents a significant reduction of controls, reducing the number of validation questions by nearly 90% for merchants validating their compliance annually. Merchants must currently use one (1) of the following SAQ documents, or the RoC document, each year to validate compliance with the PCI DSS. Here is the number of questions on each document WITHOUT an E2EE or P2PE solution in place:

  • SAQ B-IP: approximately 82 questions
  • SAQ C: approximately 160 questions
  • SAQ D: approximately 329 questions
  • RoC: all 12 requirements and sub-requirements (330+ controls)

Using a listed P2PE solution allows level 2, 3, and 4 merchants to use the SAQ P2PE automatically, which takes the merchant down to only 33 questions/controls. If the merchant is a level 1, this can also be documented quite easily on a RoC. E2EE solutions generally produce a nearly identical result: in nearly all merchant implementations of E2EE solutions, the merchant is able to realize a similar reduced scope with the assistance of their QSA and the permission of their acquiring bank.

In summary, if merchants correctly implement either a P2PE or E2EE solution in their POI devices, generally the entire physical CDE would exist only within the POI devices. The POS system and all the other connected systems that were long considered in-scope no longer are, so in real terms, this could mean:

  • No more network and firewall management requirements
  • No more POS system hardening requirements
  • No more POS vulnerability management/patching program requirements
  • No more POS and other system user account and password management issues
  • No more audit logging and FIM requirements (in most scenarios)
  • No more intrusion prevention requirements
  • No more scanning requirements (internal and external)
  • No more penetration testing requirements (in most scenarios)

Obviously, all of these areas are considered industry best practices and should still be accomplished to ensure a secure environment. However, in terms of the level of effort required for validating and maintaining PCI compliance, this would present a giant leap for any merchant once the solution is in place and implemented 100% correctly and in a PCI-compliant manner.