NCR Counterpoint and PCI Compliance
The NCR Counterpoint application is PCI compliant and is listed on the PCI DSS site. Please note that although applications are listed with only 2 version levels, all versions are PCI compliant (for example, 8.3 is listed, but all versions of 8.3, such as 8.3.8 and 8.3.9, are compliant).
The AoC and CoC for Secure Pay can be found on the partner portal under Products / Data Security / PCI Compliance Status.
PCI P2PE Validation is an additional validation that allows merchants using validated PCI P2PE solutions to get an automatic reduction in scope, but it is not a requirement for PCI compliance. NCR Secure Pay is not PCI P2PE Validated. This is TBD.
In parallel, NCR is also pursuing a white paper from our QSA to help facilitate a reduction in controls for Counterpoint merchants using Secure Pay P2PE. While the PCI P2PE validation provides “automatic” scope reduction, white papers have also been an effective technique to enable reduced PCI controls for non-PCI P2PE solutions like Secure Pay. In fact, PCI recently introduced a new program for “Non listed P2PE encryption solutions” (NESA), because there is a high number of P2PE payment solutions in situations similar to Secure Pay. Below is a link from Coalfire, our QSA, that explains the NESA Assessment: https://www.coalfire.com/The-Coalfire-Blog/December-2016/PCI-NESA-Non-Listed-Encrypted-Solution-Guidance. NCR is currently engaged with Coalfire to get that Assessment, in addition to laying out our more strategic path to true PCI P2PE validation.