Remember the non-listed encryption solution assessment (NESA)? Probably not because it really didn’t get legs. That is until now and from an unlikely source – Bank of America (BoA). QSAs that perform a lot of merchant Report On Compliance (ROC) that go to BoA have likely noticed that BoA have been scrutinizing those ROCs more than before.
This has been particularly true of ROCs that use end-to-end encryption (E2EE) solutions such as Verifone Verishield or First Data TransArmor and you are asking BoA for scope reduction to point-to-point encryption (P2PE). I ran into this three years ago with a client that was implementing TransArmor at their retail stores. After much negotiation by my client, they were finally granted P2PE scope reduction and their assessment moved on.
However, at the same client this past year, a shock. BoA told them not so fast on P2PE scope reduction this year. As the client and their new QSA found out, sometime in 2018 BoA introduced a whole program to deal with E2EE solutions that now requires a P2PE-QSA to assess the solution and produce a NESA report. Surprise!
What makes this particularly sad and annoying is that First Data and BoA are joint partners in Bank of America Merchant Services (BAMS) the transaction processing arm of BoA. BAMS relies on First Data solutions such as TransArmor for processing and securing payment transactions. But guess what? Think that your TransArmor solution will get a “pass” from BoA when it was recommended by BAMS? Think again. BoA is requiring all non-P2PE validated solutions to go through a NESA. And that is exactly what this client has, TransArmor from First Data that is a partner in BAMS.
The lesson here is, be prepared as a QSA to deal with a new issue if you have E2EE, you want P2PE scope reduction and your client’s bank is BoA.
PCI Guru 
Thanks, PCI Guru – you are such a great resource of support and wisdom in the community. I appreciate you. I have a who is embarking on an E2EE with permission from Elavon.
Thanks again, Cindy