Frequently Asked Question

In P2PE, how do "hybrid" decryption environments differ from "hardware" decryption environments?
In a hardware decryption environment, all decryption operations are performed only by PCI listed or FIPS approved HSMs.
In a hybrid decryption environment, the decryption of account data is performed on a "Host System", outside of an HSM. The solution provider's decryption environment may consist of multiple Host Systems in one or more locations. When the Host System is required to decrypt encrypted account data received from a POI, the account-data decryption key (DDK) is retrieved from a key store protected by the HSM, then passed to the Host System The Host System temporarily retains account-data decryption keys (DDKs) in volatile memory for the purpose of decrypting account data. When the DDK reaches the end of its cryptoperiod, it will be erased from memory. These DDKs are the only keys permitted to exist in the clear outside of the HSM and only for the purpose of decrypting account data. All other cryptographic keys, functions and key management operations must still occur within the secure cryptographic devices (HSMs).
In both hardware and hybrid decryption environments, all HSMs used in the solution must be approved to either FIPS140-2 (or 140-3) Level 3 or higher, or to PTS HSM. Refer to the P2PE Standard for further information.
In a hybrid decryption environment, the decryption of account data is performed on a "Host System", outside of an HSM. The solution provider's decryption environment may consist of multiple Host Systems in one or more locations. When the Host System is required to decrypt encrypted account data received from a POI, the account-data decryption key (DDK) is retrieved from a key store protected by the HSM, then passed to the Host System The Host System temporarily retains account-data decryption keys (DDKs) in volatile memory for the purpose of decrypting account data. When the DDK reaches the end of its cryptoperiod, it will be erased from memory. These DDKs are the only keys permitted to exist in the clear outside of the HSM and only for the purpose of decrypting account data. All other cryptographic keys, functions and key management operations must still occur within the secure cryptographic devices (HSMs).
In both hardware and hybrid decryption environments, all HSMs used in the solution must be approved to either FIPS140-2 (or 140-3) Level 3 or higher, or to PTS HSM. Refer to the P2PE Standard for further information.
April 2020
Article Number: 1248
Related
-
How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?
-
Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
Why do requirements 8.3.9 and 8.3.10.1 focus on passwords/passphrases used for single-factor authentication, when multi-factor authentication is required for all access into the CDE?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?
-
Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
Why do requirements 8.3.9 and 8.3.10.1 focus on passwords/passphrases used for single-factor authentication, when multi-factor authentication is required for all access into the CDE?
-
Do PCI DSS Requirements 8.3.9 and 8.3.10.1 apply to all system components?
-
Is the cardholder in scope for PCI DSS?
Most Recently Updated
-
How should PCI DSS v4.x requirements noted as superseded by another requirement be reported after 31 March 2025?
-
Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?
-
Why do requirements 8.3.9 and 8.3.10.1 focus on passwords/passphrases used for single-factor authentication, when multi-factor authentication is required for all access into the CDE?
-
Do PCI DSS Requirements 8.3.9 and 8.3.10.1 apply to all system components?
-
Is the cardholder in scope for PCI DSS?