Where there's a will, there's a way – right?
Absolutely. However, if there is a simpler, better route, why not channel your efforts towards that? Life is complicated enough as it is, with constant pressures from all directions, and in some cases an ‘easier’ option doesn’t exist, so when a pragmatic approach does, it makes sense to grab it with both hands!
With all the buzz around PCI Point-to-Point Encryption (PCI P2PE), we have been getting a lot more enquiries on the topic, so we have decided to write a couple of blog posts to help clear up some of the basics of PCI P2PE.
Having worked with many of the UK’s mid-sized to large retailers over the years, we’re well aware of the challenges that PCI DSS presents them. Operationally, these businesses have their networks and payment systems built for resilience and speed; security was an afterthought. So when they are asked to become PCI DSS compliant within specific timeframes, it is not surprising that many of them have not managed to achieve this. Given the trading environment in recent years, it is not surprising either to see many retailers hold off on investing in improving their payment systems, further delaying their PCI DSS compliance projects.
For some of these businesses, PCI DSS will always seem an inconvenient chore, a problem getting in the way of doing business. Fortunately, this mindset is becoming less prevalent as organisations realise that security is the key, and that PCI DSS compliance comes naturally to a business that takes its security seriously.
Scope is a word that is used often in the PCI world: if you process, store, or transmit card details, your business environment is in scope for PCI DSS. The first step in simplifying PCI DSS is to reduce that scope as far as possible, and then apply the appropriate controls to the key systems that remain in scope because they handle the organisation’s transaction data. There is a plethora of risk-reduction and scope-reducing solutions available. Once the analysis of which solutions address which challenge or control is done, a number of questions then get asked, such as:
“What is this data worth to me?”
“Why do we need this payment data?”
Often, the answers to the above questions are:
- the payment card data is not worth much to the organisation after the transaction has been processed; and
- no, they do not need the payment data.
Which leads to the next questions:
“How can we get rid of this data?”
“How do we make life easier for ourselves?”
Obviously we’re simplifying the discussion, but the point is that if there is an easier way to manage the payment process, which is more secure and means that a retailer can focus on being a retailer, not a technology expert, then surely it would make sense to consider it.
PCI P2PE Validated Solutions
A PCI P2PE validated solution consists of a combination of secure devices, applications and processes that ensure cardholder data is encrypted from the point of interaction (e.g. a Chip and PIN device) all the way to the solution provider’s decryption environment. By implementing a PCI P2PE solution, an organisation removes the handling of unencrypted cardholder data from its environment and ensures that security is managed by a validated, specialist, secure third party.
This provides a secure solution for the retail organisation and its customers, as the retailer’s networks and systems never handle cardholder data in the clear. Consequently, its compliance requirements are significantly reduced.
Foregenix have considerable experience working with PCI P2PE solution providers and with merchants who have implemented such solutions in their businesses – we’d be happy to help if you have any questions about how PCI P2PE could help your business.
We offer a free PCI Surgery for organisations looking for extra help with their PCI programmes, and would be happy to spend time talking through the pros and cons of a PCI P2PE solution too.
You can sign up for the PCI Surgery here – one of our team will be in touch to set up a call with a senior security consultant – completely FREE of charge.