controlgap.com

Compliance simplification, what most people call “scope reduction”, can have huge benefits in terms of saving time, effort, headaches, and money. Merchants desire ways to simplify their PCI compliance as do the card brands, acquirers, and processors. When the PCI Council announced P2PE in 2011, there was an immediate and huge demand for approved P2PE solutions. It wasn’t that merchants wanted P2PE, rather they wanted the massive compliance simplification and risk reduction that P2PE promised to provide. QSAs and ISAs hoped for clear assessment requirements to make their merchant PCI DSS assessments simpler and less ambiguous. Late in 2016, the PCI Council announced NESA (Non-listed Encryption Assessments) and there was again an immediate and huge demand for this. The problem is that the demand is based on perception not understanding.

Earlier this month the PCI Security Standards Council published a new document as part of the Point-to-Point Encryption (P2PE) program. This initial guidance Assessment Guidance for Non-Listed Encryption Solutions introduces a new path into the P2PE solution space. This new initiative introduces the idea of a standardized way of reporting the strengths and weaknesses of solutions that don't fully meet P2PE requirements. The council is expected to provide more information over the next 3-4 months including a standardized report template that will be called a Non-Listed Encryption Solution Assessment or NESA.