P2PE - What are the benefits to retail merchants?
Point-to-Point Encryption, known to most as P2PE, is a standard that is quickly becoming the preferred way for acquirers and merchants to secure customer cardholder data. Most of the registered solutions out there are from the US and Europe, but Africa and Asia have formally registered a couple too, indicating that there is global buy-in to the security benefits associated with P2PE.
First of all, a brief introduction to what P2PE actually is and how it can benefit merchants and acquirers:
PCI P2PE is a standard that defines the benchmark for the encryption of payment card data from the point of interaction (the Chip and PIN device or contactless reader, otherwise known as the PIN Encrypting Device) to the decryption of the payment card data within a secure environment (generally within the payment processor or acquiring bank), using industry standard cryptographic algorithms.
PCI P2PE is a somewhat detailed standard, requiring a considerable number of controls to be in place to ensure the resulting solution protects the payment card data appropriately. Achieving compliance is not all that difficult and most entities have been applying the same practices in protecting cardholder PINs for many years now. In simple terms, the focus is mainly in the following three areas:
- Managing encryption and decryption devices securely and ensuring chains of custody.
- Managing cryptographic keys and processes securely.
- Building and managing all the applications that run on the devices securely.
So, as a retail merchant, what is the benefit of implementing a PCI P2PE compliant solution? As most retailers have been battling to achieve and maintain PCI DSS Compliance, let’s firstly look at what the key challenges are for retailers in securing their customer payment card data. We believe that there are 4 key Retailer Challenges to achieve PCI DSS Compliance:
Lack of Skills. Highly skilled security professionals are hard to find and even harder to keep, so most retailers are unlikely to have access to the level of skills required to operate in a PCI DSS compliant manner. Criminals, however, are highly skilled and are always looking for a way in. It's this skills mismatch which often results in the retailer IT team trying desperately to protect their business against adversaries who are just far better skilled. It’s not a fair fight. Apart from that, the criminals only have to succeed once.
Legacy Systems. Many retailers have flat networks, designed to maximise up-time and business/service delivery, not security. As a result, data is spread everywhere and PCI DSS scope is huge. Narrowing the PCI DSS scope down is key to reducing the PCI DSS challenge. However, this can be very hard to do in practice.
Financial. With most retailers dealing with legacy systems, a considerable investment is required in new technology and the specific skill set needed. With a challenging trading environment, budgets have not necessarily allowed for the level of investment needed.
Education. Senior Management through to Till Operators all need to understand the cybersecurity threat and the importance of protecting their customer data. Very few organisations have managed to educate their staff effectively to ensure appropriate focus and attention on their security programs. Of course, public information on data breaches serves well to heighten the awareness of security across an organisation.
However, well-managed security education programs are not yet commonly seen – and they need to be – to ensure that an organisation’s staff is kept updated on the threats that they face. For example, social engineering attacks (phishing and spear-phishing emails, impersonation, etc.) are increasing in complexity, requiring more vigilance from employees to avoid putting your business at risk.
With the understanding of some of the key challenges that retailers face in getting their payment systems PCI DSS Compliant, let’s take a look at what a PCI P2PE solution would do to simplify the PCI DSS process for a retailer.
The network: With a PCI P2PE validated solution implemented, the network is deemed out of scope for PCI DSS and therefore many of the challenges relating to the protection of payment card data fall away as the payment data within a PCI P2PE solution is encrypted and protected.
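The following is an added illustration of the flow just described, not code from the original post or from any validated P2PE solution. It models the three parties in a P2PE transaction: the POI device encrypts the card number before it leaves the device, the merchant network relays an opaque blob, and the decryption environment at the processor recovers the data. The hard-coded key, the AES-256-GCM choice and the test card number are assumptions made for the example; a real solution injects keys under the standard's key-management controls and uses whatever algorithms its validation covers. The point the code makes is the scope-reduction argument: nothing PAN-shaped is visible to the systems in between, and a blob altered in transit is rejected rather than decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// demoKey is a constructed stand-in for the key shared between the point of
// interaction (POI) and the decryption environment. A real P2PE solution
// injects and manages such keys under the standard's key-management
// controls; this hard-coded value exists only so the example runs offline.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// panShaped matches a run of 13-19 digits, the shape of a card number.
var panShaped = regexp.MustCompile(`[0-9]{13,19}`)

// EncryptAtPOI models the POI device: card data is encrypted with
// AES-256-GCM before it leaves the device. Returns nonce || ciphertext || tag.
func EncryptAtPOI(key, pan []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, pan, nil), nil
}

// MerchantCanReadPAN models the merchant network in between, which only
// relays the blob. It reports whether anything PAN-shaped is visible in
// what it handles; that visibility is what pulls a network into PCI DSS scope.
func MerchantCanReadPAN(blob []byte) bool {
	return panShaped.Match(blob)
}

// DecryptAtProcessor models the secure decryption environment. GCM also
// authenticates the data, so a blob modified in transit is rejected
// instead of being decrypted to garbage.
func DecryptAtProcessor(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	pan := []byte("4111111111111111") // constructed test PAN, not a real card
	blob, err := EncryptAtPOI(demoKey, pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant network sees a PAN: %v\n", MerchantCanReadPAN(blob))
	out, err := DecryptAtProcessor(demoKey, blob)
	fmt.Printf("processor recovers: %s (err=%v)\n", out, err)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptAtProcessor(demoKey, tampered)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

Running it shows the merchant-side check returning false, the processor recovering the original number, and the tampered copy failing authentication; the merchant systems never hold the key, which is why they can neither read nor silently alter the data passing through them.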
The PCI DSS validation process: The PCI DSS validation is simple for a merchant who has implemented a PCI P2PE validated solution. The validation process includes:
- Ensuring that the solution has been implemented properly.
- Self-Assessment Questionnaire focusing mainly on paper receipts and basic security procedures.
- Clean-up of legacy data – ensuring that no legacy data is left stored (intentionally or otherwise) on the older payment systems. Using a cardholder data discovery solution/PAN scanning solution to scan systems for unprotected payment card data will help to automate this process, making it easily repeatable for the annual validation process.
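As an added example of the cardholder data discovery step above (not code from the original post or from any commercial PAN scanning product), the following scanner does the two things such tools rely on: it finds digit runs of card-number length, allowing the spaces and dashes that appear on receipts and in logs, and it discards candidates that fail the Luhn checksum, which is what keeps order numbers and timestamps out of the report. The sample text, the test card numbers and the masking format are constructed for the example. Findings are stored masked (first six and last four digits) so the scan report does not itself become a store of cardholder data.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// candidate matches 13-19 digits, optionally separated by single spaces or
// dashes, the forms a card number takes in receipts, exports and logs.
var candidate = regexp.MustCompile(`(?:\d[ -]?){12,18}\d`)

// Luhn reports whether a digit string passes the Luhn checksum used by
// payment card numbers. It is the main filter against false positives.
func Luhn(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding records where a likely PAN was seen. Only the masked form is kept.
type Finding struct {
	Line   int
	Masked string
}

// mask keeps the first six and last four digits, as a receipt would.
func mask(digits string) string {
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// ScanText walks text line by line and returns every Luhn-valid,
// PAN-shaped digit run with the line it was found on.
func ScanText(text string) []Finding {
	var out []Finding
	strip := strings.NewReplacer(" ", "", "-", "")
	sc := bufio.NewScanner(strings.NewReader(text))
	n := 0
	for sc.Scan() {
		n++
		for _, m := range candidate.FindAllString(sc.Text(), -1) {
			digits := strip.Replace(m)
			if len(digits) < 13 || len(digits) > 19 {
				continue
			}
			if Luhn(digits) {
				out = append(out, Finding{Line: n, Masked: mask(digits)})
			}
		}
	}
	return out
}

// sampleData is constructed for this example. It mixes a POS log line, a
// CSV export with a 16-digit order id that is not a card number, an
// already-masked receipt, a legacy backup line and a support note.
const sampleData = `2019-03-04 10:22:01 POS-07 sale approved card=4111111111111111 amt=23.50
customer,order,total
Smith,1234567890123456,88.00
receipt text: **** **** **** 4242 (masked, no finding expected)
legacy backup: 5555 5555 5555 4444 exp 12/21
support ticket ref 378282246310005 notes: cardholder called about refund
`

func main() {
	for _, f := range ScanText(sampleData) {
		fmt.Printf("line %d: unprotected PAN %s\n", f.Line, f.Masked)
	}
}
```

Run over the sample, the scanner reports lines 1, 5 and 6 and stays silent on the CSV order id and the already-masked receipt; in practice the same function would be pointed at file contents, database dumps or mailbox exports on the legacy systems, and a clean run recorded as evidence for the annual validation.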
Like all security solutions, P2PE is not a silver bullet. Given enough time, a hacker will always find a way past security solutions; but with standards such as PCI DSS and P2PE, you can keep most hackers at bay. They usually look for low hanging fruit, so are much more likely to move on to an easier target if you're deploying adequate security measures.
What are the benefits of deploying a P2PE certified solution in your retail business?
- Using strong encryption processes, it secures the payment card data significantly better than most merchants are able to do by themselves.
- The PCI validation process is simplified, as there are huge scope-reduction benefits.
- Retailers can focus on what they do best, knowing that their payment card data is secured.
And there you have it! A quick rundown on P2PE, the challenges retailers face as well as the benefits of deploying a P2PE certified solution. As both security and compliance specialists, we have everything you need to help you reach your compliance goals; we've even been named Consultancy Practice Of The Year at the Cybersecurity Awards in London this year. If you're interested in our services, click the link below for more information.