PCI Announces NESA - A Stepping Stone To P2PE

Earlier this month the PCI Security Standards Council published a new document as part of the Point-to-Point Encryption (P2PE) program. This initial guidance Assessment Guidance for Non-Listed Encryption Solutions introduces a new path into the P2PE solution space. This new initiative introduces the idea of a standardized way of reporting the strengths and weaknesses of solutions that don't fully meet P2PE requirements. The council is expected to provide more information over the next 3-4 months including a standardized report template that will be called a Non-Listed Encryption Solution Assessment or NESA.

The Current Need For NESA

• The potential and desire to reduce compliance footprints is enormously compelling. While organizations have been doing this for some time, the processes from an industry perspective has been inconsistent. While there are some excellent examples there have also been missteps and even rumored breaches due to overzealous and inadequately validated solutions. The council's guidance (see below) on this has evolved with significant updates in 2009, 2012, and 2016.
• P2PE solutions have not taken off as quickly or as well as people had hoped. The first listed solutions appeared almost two years after the standard was created. As of this writing there are only 25 solutions world-wide. Many of those are region specific or of limited functionality (e.g. non-EMV). P2PE projects can also be large and expensive. Remediation to get from being "almost there" to "crossing the finish line" and getting listed can require a significant investment of time and money.  Consequently, there are many more encryption solutions available than are listed.
• There are aspects of the full P2PE process that have proven more difficult than expected. For example, getting the needed information on SRED implementation from some vendors has in the past been challenging.
• Who and how non-listed solutions get validated and what constitutes acceptable validation are open to debate. Sometimes acquirers do this. Other times merchants may need to perform some work.
• Finally, having merchants staying on non-encrypting solutions does not benefit the industry. As an analogy,  if you are in a leaky long ship under siege with all hands bailing madly then your wise move might be to switch to a gently used frigate rather than wait for the launch of a shiny new battleship.

What Are The Benefits Of NESA?

• For solution providers considering or on the path to P2PE, NESA will allow them to gain traction more quickly and provide a way to demonstrate partial progress in a standardized format that may be leveraged by their customers to support simplified compliance.
• For other stakeholders such as acquirers, processors, merchants and their QSAs, a standardized report will confidence by supporting informed decisions on where compliance may or may not be simplified .
• Flexibility, because it isn't a strict pass/fail approach the absence of a P2PE feature like SRED is not necessarily a show stopper.
• Additionally, this approach provides more choice and options to the market and should help to accelerate long term movement towards P2PE. In particular, it will provide areas like mobile payments added legitimacy when using solutions that de-scope end user consumer devices such as tablets and phones.
• It leverages the expertise of P2PE QSA's who have additional training and experience in encryption beyond the skills of a QSA
• NESA is optional and whether or not an organization uses NESA to assess their solutions, it is will likely show best practice and allow flexibility. It may need some tweaking and extra guidance as it evolves. Organizations that assess differently will increasingly need to consider what it includes. The mere existence of NESA will raise eventually the bar for encryption solutions.

How Does NESA Work?

• A solution provider considering P2PE engages a P2PE-QSA company to conduct a gap assessment using the P2PE (P-ROV) assessment template
• A supplementary document called a NESA (Non-Listed Encryption Solution Assessment) is used to document status in a client facing deliverable targeting stakeholders
• Customers can use the NESA document to assess risk and options for compliance simplification and reducing their PCI footprint
• The solution provider can proceed down the P2PE path with remediation and reevaluation having got part way there

The Unknowns

• There are certainly a great number of them and many questions will be raised. We know we have a few. As the council holds consultations and as the program unfolds we'll provide updates.  If you have questions, we’d be happy to hear them. You may contact us at 1.866.644.8808.

Learn More

• PCI Assessment Guidance for Non-Listed Encryption Solutions
• Frequently Asked Questions: Assessment Guidance for Non-Listed Encryption Solutions (Updated/added: 2016-12-6)
• 1086 How does encrypted cardholder data impact PCI DSS scope?
• 1178 How do I reduce the scope of a PCI DSS assessment?
• 1300 How does PCI DSS apply to payment terminals?
• 1252 Do all PCI DSS requirements apply to every system component?

See the FAQ Search page for more like these.