Frequently Asked Question

In P2PE, how do “hybrid” decryption environments differ from “hardware” decryption environments?
In a hardware decryption environment, all decryption operations are performed only by PCI listed or FIPS approved HSMs.
In a hybrid decryption environment, the decryption of account data is performed on a "Host System", outside of an HSM. The solution provider’s decryption environment may consist of multiple Host Systems in one or more locations. When the Host System is required to decrypt encrypted account data received from a POI, the account-data decryption key (DDK) is retrieved from a key store protected by the HSM, then passed to the Host System The Host System temporarily retains account-data decryption keys (DDKs) in volatile memory for the purpose of decrypting account data. When the DDK reaches the end of its cryptoperiod, it will be erased from memory. These DDKs are the only keys permitted to exist in the clear outside of the HSM and only for the purpose of decrypting account data. All other cryptographic keys, functions and key management operations must still occur within the secure cryptographic devices (HSMs).
In both hardware and hybrid decryption environments, all HSMs used in the solution must be approved to either FIPS140-2 (or 140-3) Level 3 or higher, or to PTS HSM. Refer to the P2PE Standard for further information.
In a hybrid decryption environment, the decryption of account data is performed on a "Host System", outside of an HSM. The solution provider’s decryption environment may consist of multiple Host Systems in one or more locations. When the Host System is required to decrypt encrypted account data received from a POI, the account-data decryption key (DDK) is retrieved from a key store protected by the HSM, then passed to the Host System The Host System temporarily retains account-data decryption keys (DDKs) in volatile memory for the purpose of decrypting account data. When the DDK reaches the end of its cryptoperiod, it will be erased from memory. These DDKs are the only keys permitted to exist in the clear outside of the HSM and only for the purpose of decrypting account data. All other cryptographic keys, functions and key management operations must still occur within the secure cryptographic devices (HSMs).
In both hardware and hybrid decryption environments, all HSMs used in the solution must be approved to either FIPS140-2 (or 140-3) Level 3 or higher, or to PTS HSM. Refer to the P2PE Standard for further information.
April 2020
Article Number: 1248
Related
-
How should payment terminals be considered during a PCI DSS assessment?
-
Are P2PE Products (P2PE Solutions, P2PE Components, P2PE Applications) on the P2PE Expired Listings still considered “validated” per the P2PE Program Guide?
-
If a P2PE Solution is on PCI’s list of Point-to-Point Encryption Solutions with Expired Validations, does the solution meet the eligibility criteria for SAQ P2PE?