Frequently Asked Question
In P2PE, how do "hybrid" decryption environments differ from "hardware" decryption environments?
In a hardware decryption environment, all decryption operations are performed only by PCI listed or FIPS approved HSMs.
In a hybrid decryption environment, the decryption of account data is performed on a "Host System", outside of an HSM. The solution provider's decryption environment may consist of multiple Host Systems in one or more locations. When the Host System is required to decrypt encrypted account data received from a POI, the account-data decryption key (DDK) is retrieved from a key store protected by the HSM, then passed to the Host System The Host System temporarily retains account-data decryption keys (DDKs) in volatile memory for the purpose of decrypting account data. When the DDK reaches the end of its cryptoperiod, it will be erased from memory. These DDKs are the only keys permitted to exist in the clear outside of the HSM and only for the purpose of decrypting account data. All other cryptographic keys, functions and key management operations must still occur within the secure cryptographic devices (HSMs).
In both hardware and hybrid decryption environments, all HSMs used in the solution must be approved to either FIPS140-2 (or 140-3) Level 3 or higher, or to PTS HSM. Refer to the P2PE Standard for further information.
In a hybrid decryption environment, the decryption of account data is performed on a "Host System", outside of an HSM. The solution provider's decryption environment may consist of multiple Host Systems in one or more locations. When the Host System is required to decrypt encrypted account data received from a POI, the account-data decryption key (DDK) is retrieved from a key store protected by the HSM, then passed to the Host System The Host System temporarily retains account-data decryption keys (DDKs) in volatile memory for the purpose of decrypting account data. When the DDK reaches the end of its cryptoperiod, it will be erased from memory. These DDKs are the only keys permitted to exist in the clear outside of the HSM and only for the purpose of decrypting account data. All other cryptographic keys, functions and key management operations must still occur within the secure cryptographic devices (HSMs).
In both hardware and hybrid decryption environments, all HSMs used in the solution must be approved to either FIPS140-2 (or 140-3) Level 3 or higher, or to PTS HSM. Refer to the P2PE Standard for further information.
Last updated: April 2020
Originally published: May 2013
Originally published: May 2013
Article Number: 1248
Related
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Most Recently Updated
-
How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
-
Does PCI SSC provide a list of PCI DSS-compliant third-party service providers?
-
How does encrypted cardholder data impact PCI DSS scope?
-
What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation?
-
Are Mobile Payments on COTS (MPoC)™ solutions, Software-based PIN Entry on COTS (SPoC)™ solutions, or Contactless Payments on COTS (CPoC™) solutions eligible for a P2PE Solution approval?