Using a validated, Council-listed P2PE solution may reduce the scope of a merchant’s cardholder data environment, where the merchant does not store or decrypt encrypted data within their own environment.
Let’s look at how P2PE solutions may allow merchants to reduce the scope of their PCI DSS validation.
Firstly, the merchant has no access to account data, either within the point of interaction (POI) device or within the decryption environment, which is managed by the P2PE Solution Provider. The merchant also has no involvement in any encryption or decryption operations, or in cryptographic key management, as all cryptographic operations are managed by the P2PE Solution Provider. Furthermore, the merchant does not have access to the security configurations of POI devices or applications.
To be eligible for PCI DSS scope reduction through use of a validated P2PE solution, merchants must ensure that any other payment channels within their environment are adequately segmented (or isolated) from the P2PE environment.