The PCI Security Standards Council (PCI SSC) has released an update to its Point-to-Point Encryption (P2PE) Standard, marking the arrival of P2PE v3.2. This minor revision introduces technical clarifications, stakeholder-driven adjustments, and process improvements that bring greater consistency to how payment encryption is assessed and implemented.
While P2PE v3.2 does not alter the validation status of existing products, it streamlines important operational details, including device testing, whitelist management, and P2PE application governance. These changes reflect the Council’s ongoing effort to evolve security standards in alignment with industry realities, without disrupting active validations. The release of this version also supports a smoother transition towards the next major update, P2PE v4.0, currently under development.
P2PE v3.2 introduces targeted updates that respond to stakeholder feedback and previously released FAQs. These changes are technical but important, especially for vendors, assessors, and solution providers maintaining validated encryption technologies.
Key updates in v3.2 include:
Importantly, these revisions do not alter the structure of the current P2PE standard. Instead, they reinforce and clarify how specific controls should be implemented and evaluated.
Organisations currently using P2PE solutions validated against v3.0 or v3.1 are not required to make changes as a result of this update. All existing validations remain in effect, and vendors will continue to maintain their listings in accordance with the current P2PE v3.x Program Guide, released in September 2024.
This ensures continuity for businesses and service providers relying on P2PE technology to protect cardholder data in transit, while allowing time to adapt to new requirements at the next scheduled reassessment.
PCI SSC has defined a transition schedule to allow organisations to complete any in-progress work under v3.1 while preparing for v3.2 compliance in the future.
This clear transition window helps vendors and assessors manage timelines without disrupting service or compliance posture.
While v3.2 addresses immediate clarifications, it is also part of the broader effort to develop the forthcoming P2PE v4.0. All stakeholder feedback previously submitted for consideration in a major revision is being retained and reviewed as part of that process. This ensures continuity in standards development while allowing near-term issues to be addressed through v3.2.
Organisations making longer-term roadmap decisions should monitor Council updates regarding the direction of v4.0, particularly if they are in early planning stages for new product validations.
Risk Associates conducts P2PE assessment reviews to determine compliance with the applicable version of the standard. These reviews include evaluating whether P2PE solutions, components, and applications meet the required controls, are accompanied by appropriate documentation, and comply with current program guidelines.
While the v3.2 update does not alter assessment workflows, it underscores the importance of technical accuracy, process validation, and alignment with current Council expectations. Our role is to ensure that submissions are validated against the latest version in use and that all supporting evidence reflects the intent of the standard.
The release of PCI SSC’s P2PE v3.2 reflects the Council’s ongoing commitment to evolving payment security standards in a way that is both practical and structured. It brings refinements to areas that benefit from greater clarity while maintaining stability for validated products.
Organisations engaged in Point-to-Point Encryption implementations should review the Summary of Changes and Technical FAQs published by PCI SSC to understand how these revisions may affect future assessments. With clear timelines and consistent guidance, v3.2 enables a confident step forward while maintaining alignment with operational realities.