Point to Point Encryption often referred to as “PCI P2PE” has been picking up a lot of interest in the market – usually for very good reasons. Interestingly, a lot of people use the word but don’t have a full understanding of PCI P2PE is, what it entails and how their business can benefit from it. So we thought a short article providing a high level overview of what PCI P2PE is and how merchants can benefit from it would help.
What is PCI P2PE?
PCI P2PE is the encryption of payment card data from the point of interaction (the chip and PIN device – otherwise known as the PED (PIN Encrypting Device) in the industry) and then the decryption of the payment card data within a secure environment (generally within the payment processor or acquiring bank) using an approved cryptographic algorithm. The PCI P2PE is a very detailed standard, requiring a considerable number of controls to be in place to ensure that the resulting solution protects the payment card data appropriately. However, in simple terms, the focus is mainly in the following three areas:
- Managing encryption and decryption devices securely and ensuring chains of custody.
- Manage cryptographic keys securely.
- Building and managing all the applications that run on the devices securely.
What’s the benefit for Merchants?
So, as a retail merchant, what is the benefit of implementing a PCI P2PE compliant solution? As most retailers have been battling to achieve and maintain PCI DSS Compliance, let’s firstly look at what the key challenges are for retailers in securing their customer payment card data. We believe that there are 4 key Retailer Challenges to achieve PCI DSS Compliance:
- Lack of Skills. Highly skilled security professionals are hard to find and even harder to keep, so most retailers are unlikely to have access to the level of skills required to operate in a PCI DSS compliant manner. The criminals, however, are highly skilled and looking for a way in – therefore there is often a skills mismatch, which results in the retailer IT team trying desperately to protect their business against adversaries who are just far better skilled. It’s not a fair fight. Apart from that, the criminals only have to succeed once…
- Legacy Systems. Many retailers have flat networks, designed to maximise up-time and business/service delivery, not security. As a result data is spread everywhere and PCI DSS scope is huge. Narrowing the PCI DSS scope down is key to reducing the PCI DSS challenge. However, this can be very hard to do in practice. And expensive.
- Financial. With most retailers dealing with legacy systems, a considerable investment is required in new technology. Let alone skills. With a challenging trading environment, budgets have not necessarily allowed for the level of investment needed.
- Education. Senior Management through to Till Operators all need to understand the cyber security threat and the importance of protecting their customer data, as this is essentially protecting their company. Very few organisations have managed to educate their staff effectively to ensure appropriate focus and attention on their security programs. Of course, public info on data breaches, such as Target - which result in significant penalties, senior management job losses and expensive remediation projects - serve well to heighten the awareness of security across an organisation. However, well-managed security education programs are not yet commonly seen – and they need to be – to ensure that an organisation’s staff is kept updated to the threats that they face.
With the understanding of some of the key challenges that retailers face in getting their payment systems PCI DSS Compliant, let’s take a look at what a PCI P2PE solution would do to simplify the PCI DSS process for a retailer.
The Network. With a PCI P2PE validated solution implemented, the network is deemed out of scope for PCI DSS and therefore many of the challenges relating to the protection of payment card data fall away as the payment data within a PCI P2PE solution is encrypted and protected.
PCI DSS Validation Process. The PCI DSS validation is simple for a merchant who has implemented a PCI P2PE validated solution. The validation process includes:
- Ensuring that the solution has been implemented properly.
- Self Assessment Questionnaire focusing mainly on paper receipts and basic security procedures.
- Clean up of legacy data – ensuring that no legacy data is left stored (intentionally or otherwise) on the older payment systems. Using a cardholder data discovery solution/PAN Scanning solution like FScout to scan systems for unprotected payment card data will help to automate this process, making it easily repeatable for the annual validation process.
And that’s basically it.
PCI P2PE is certainly not a silver bullet as it does not apply to all payment acceptance channels and does not protect non-payment related data (such as personally identifiable information), but it certainly does provide a number of key benefits for retail merchants:
- It secures the payment card data significantly better than most merchants are able to do by themselves.
- The PCI validation process is simplified.
- Retailers can focus on what they do best, knowing that their payment card data is secured.
For more information on how a PCI P2PE solution could help your business, sign up for our free PCI Surgery where you will be able to speak with one of our Qualified Security Assessors.