Situation: A customer engaged Trausta’s P2PE consultant to assess the compliance of their newly developed payment application, which was designed for a specific point-of-interaction (POI) vendor as part of a $2 million P2PE solution implementation contract. The customer had previously built similar payment applications for other POI models, but in this case they encountered a major compliance challenge. Due to the architecture of the POI, they were required to implement their own custom IP stack. This presented a violation of P2PE Domain 2, which mandates the use of the Open Protocol (OP) implementation provided by the POI vendor.

Task: The task was to find a solution that ensured the payment application could meet P2PE compliance without violating the requirement to use the vendor’s Open Protocol, thereby preventing the entire contract from being at risk.

Action: Upon reviewing the architecture of the payment application, our expert assessors at Trausta identified that the application was modular and could be logically divided into two separate components:

  • A payment module that did not handle IP stack functions and could be independently validated as a P2PE-compliant payment application.
  • A non-payment module that was responsible for the IP stack and other non-sensitive operations and could be treated as a non-payment application within the P2PE solution.

We proposed this modular approach to the customer, separating the application into a P2PE-validated payment component and a non-payment component, and ensuring the payment application would meet the stringent requirements of P2PE without violating the Open Protocol rule.

Result: By breaking the application into distinct modules and treating each part appropriately within the P2PE validation process, we were able to confirm full compliance with the P2PE standard. This solution not only preserved the integrity of the payment application but also saved the entire $2 million contract, ensuring the customer could move forward with their P2PE solution as planned.