PayCipher is a validated PCI P2PE and PCI PIN Key Injection Facility. The company is listed on the PCI Security Standards Council's list of P2PE Component Providers.

PayCipher provides key injection services for a wide range of POI devices, both within P2PE and PIN environments, as well as key injection for entities utilizing a proprietary solution.

The PayCipher team is committed to industry-leading shipping accuracy and efficient turnaround for all key injection and testing services, with chain of custody, rapid deployment, secure storage, trouble-free integration and customer service you can count on.

 

P2PE Background

With credit card breaches and stolen card numbers from merchant environments on the rise, the PCI Security Standards Council (PCI SSC) published a new Point-to-Point Encryption (P2PE) assessment standard in 2012. There have been several revisions of the standard up to the current 2015 release.

Vendors who have implemented a P2PE solution, which has also been assessed by an accredited P2PE QSA, can provide an end-to-end validated encryption solution for end-user merchants. In the P2PE standard, this vendor assumes the role of a P2PE solution provider.

This gives merchants the option to use a PCI SSC validated P2PE solution provider to help protect data in their environment. P2PE solution providers distribute validated PTS devices to merchants with pre-injected encryption keys that merchants are unable to obtain or access.

A validated Point-to-Point encryption solution allows a merchant to claim scope reduction with their acquirer if they follow the Point-to-Point implementation manual (PIM) provided by the solution provider. The PIM includes 8 requirements/sub-requirements of the PCI standard as well as over 25 additional requirements outlined in the PIM for correct implementation. The responsibility for PCI DSS compliance remains with the merchant for any environments outside of their POS/PMS system, including MOTO, ecommerce, etc.

PTS-validated devices are devices that have been validated as being tamper-resistant and secure. If tampering occurs, the device will erase all secure memory and go into an auto-reset process. These types of devices are known as Tamper Resistant Security Modules, or TRSMs.

Many TRSM devices include an additional level of security in which the secure processing and encryption of sensitive data are handled. This additional functionality is validated and listed as Secure Read and Encrypt of Data (SRED), which is required for POI devices used in a P2PE solution.

Solution providers assume responsibility for the security and integrity of the POI device from the manufacturing facility, through key injection, to the merchant location where the device is securely stored or installed for use.

Solution providers are required to use a unique key per POI device, so that if one device is compromised, the remaining devices or encryption keys in the merchant environment are not compromised as well. At the end of the lifecycle, the POI device is returned to the solution provider for secure erasure and disposal.

The key injection process is essential for the success of any P2PE solution offered by solution providers, and many of these organizations utilize specialized Key Injection Facility (KIF) services such as PayCipher.

PayCipher has achieved certification for compliance with the rigorous security requirements necessary for KIF service providers to perform this critical function, as specified by the PCI P2PE and PIN security standards.