Multi-gateway validated P2PE without shared root key. Live API for processor evaluation.
This is the live deployment of the XSOC validated P2PE solution architecture. It exposes an HTTP API surface that demonstrates the architectural property no current PCI-listed P2PE solution can claim: a single point of interaction can route encrypted account data to multiple decryption environments, in real time, with cryptographic isolation between them. No shared root key. No re-injection. No cleartext re-encryption hop.
This service is wired into the same XSOC NIE-Go identity backbone that authenticates every public XSOC deployment. Authentication, attestation, scoped action tokens, and three-channel revocation are all governed by the production NIE-Go gateway at nie.xsoccorp.com.
The fastest path to evaluation is the bash test harness. It walks the full demonstration and prints a labeled OK or FAIL for each property. It requires curl and jq; fetch test.sh on its own first if you want to read it before running it.
curl -fsSL https://p2pe.xsoccorp.com/test.sh | bash -s -- https://p2pe.xsoccorp.com
Or, exercise individual endpoints directly. Two demo gateways (gw_alpha and gw_beta) are pre-enrolled, so you can begin testing immediately. Properties one through three require no authentication.
# Enroll a POI (gets independent enrollment secrets per gateway)
curl -X POST https://p2pe.xsoccorp.com/p2pe/v1/poi/enroll \
  -H "Content-Type: application/json" \
  -d '{"poi_id":"poi_eval_001"}'

# Encrypt PAN bound for gateway alpha
curl -X POST https://p2pe.xsoccorp.com/p2pe/v1/encrypt \
  -H "Content-Type: application/json" \
  -d '{"poi_id":"poi_eval_001","gateway_id":"gw_alpha","pan":"4111111111111111"}'

# Try to decrypt at gateway beta (will return 403)
# decrypt-attempt.json holds the decrypt request body aimed at gw_beta, built from the
# encrypt response above (field names are in the service's OpenAPI spec)
curl -X POST https://p2pe.xsoccorp.com/p2pe/v1/decrypt \
  -H "Content-Type: application/json" \
  -d @decrypt-attempt.json
Properties one through three are open. Property four (revocation) requires a ScopedActionToken issued by the XSOC NIE-Go gateway. The token binds:
action equal to p2pe:admin:revoke, resource equal to the POI ID being revoked, exp within a bounded window, and epoch at or above the current X-ARC lineage epoch.

To request a token for evaluation use, contact ssaddigh@xsoccorp.com. Tokens are issued by the same fabric that authenticates every other public XSOC service. The reference does not maintain its own admin credential.
The service also publishes its OpenAPI 3.0 spec, a health endpoint, a version endpoint, the current X-ARC epoch, and the list of pre-enrolled gateways.
DSKAG, QSIG, and SP-VERSA are XSOC trade-secret primitives. They are stubbed in this reference using HKDF-SHA256, HMAC-SHA256, and AES-256-GCM respectively. The API contract and protocol flow are identical between the reference and production. The cryptographic security properties of the reference are those of the underlying public primitives. Production-grade properties are documented in the controlled-distribution Executive Validation Report under separate NDA, ECCN 5D002.C1.
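The isolation property that the gw_beta decrypt attempt above exercises, written out with the reference's stand-in primitives (HKDF-SHA256 in place of DSKAG, AES-256-GCM in place of SP-VERSA). This is an added example, not XSOC's code: the derivation inputs (POI id as salt, a "p2pe:gw:" prefix plus gateway id as info) and the nonce || ciphertext || tag envelope layout are assumptions, since the page does not publish them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// gatewayKey stands in for DSKAG (assumed derivation): HKDF-SHA256 (RFC 5869 extract,
// then expand block T(1)) turns the POI's enrollment secret into one key per gateway.
func gatewayKey(poiSecret []byte, poiID, gatewayID string) []byte {
	ext := hmac.New(sha256.New, []byte(poiID)) // salt = POI id
	ext.Write(poiSecret)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // keyed with the PRK
	exp.Write([]byte("p2pe:gw:" + gatewayID)) // info binds the gateway id
	exp.Write([]byte{0x01})
	return exp.Sum(nil)
}

// newGCM builds the AES-256-GCM AEAD that stands in for SP-VERSA.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// encryptPAN seals the PAN for gatewayID with the gateway id as authenticated data;
// the envelope is nonce || ciphertext || tag.
func encryptPAN(key []byte, gatewayID, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, []byte(pan), []byte(gatewayID)), nil
}

// decryptPAN is what a gateway runs; under another gateway's key the GCM tag
// check fails, which is the outcome the HTTP reference reports as 403.
func decryptPAN(key []byte, gatewayID string, env []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	ns := gcm.NonceSize()
	if len(env) < ns { return "", errors.New("envelope too short") }
	pt, err := gcm.Open(nil, env[:ns], env[ns:], []byte(gatewayID))
	if err != nil { return "", err }
	return string(pt), nil
}
```

Because the gateway id is also bound as authenticated data, an envelope addressed to gw_alpha fails at gw_beta even if the two keys were somehow equal; with independent per-gateway keys there is nothing to share or re-inject.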
The cryptographic claims behind the production primitives are anchored in independent academic audit and statistical validation. Perrin and Biryukov audits in 2020 and 2024 of the legacy cryptosystem predating DSKAG. Cal Poly San Luis Obispo Dieharder v3.31.1 entropy validation at 99.4 percent aggregate across 98 tests. GMU SENTINEL FP5223 full report scheduled June 2026. FIPS 140-3 CMVP submission targeted Q3 2026. XSOC-NIE-GUARD published at Zenodo DOI 10.5281/zenodo.19685360 v2. XSOC-QSIG specification at DOI 10.5281/zenodo.19639166.
XSOC will be the listed Solution Provider on the PCI Security Standards Council P-ROV. Operational rights to the validated solution are licensed through a structured process. Initial bidder briefings are open. Direct inquiries to ssaddigh@xsoccorp.com.