Questions for a Point-to-Point Encryption (P2PE) Consultant
As it stands, Foregenix have certified 70% of the current P2PE Applications and 40% of P2PE Solutions globally - so we have our fair share of experience and knowledge in a relatively new market. We asked one of our leading Consultants, Paolo Basilio, a few questions that frequently crop up during the process.
1. The growth of interest in Point-to-Point Encryption (P2PE) has been exponential in the last year and a half. What do you think has influenced this growth?
I believe this is driven by the fact that merchants and processors are seeing the value that P2PE offers when it comes to security of cardholder data and scope reduction for PCI DSS compliance. This is particularly helpful for the larger retail merchants that have distributed payment acceptance architecture spanning across multiple outlets in various different regions, as you can imagine, these types of environments takes a massive amount of resources and funding to achieve PCI DSS compliance. Another factor that has stimulated the growth of P2PE in some markets is the large amount of network breaches and subsequent harvesting of cardholder data from POS systems that have occurred in the past couple of years and seem to be increasing daily.
2. For organisations that understand the value of P2PE Solutions, there still tends to be barriers. What internal challenges do those that you work with typically face?
Many ‘would be’ solution providers have very large processing environments and have established cryptography implementations in place already making it difficult for them to adapt these environments to address the stringent requirements of P2PE. Another issue is the fact that a P2PE solution can involve a number of different vendors and service providers that all need to be in compliance before a solution can be listed. This means that solution providers may be waiting on other vendors to get their act together before they can list a solution. The PCI SSC has tried to mitigate this by dividing the standard into components which vendors can be assessed and listed independently for so that solution providers can select services from already listed vendors but this process is still in its infancy and some service providers do not provide all services in the PCI SSC defined components meaning that they are not eligible to list independently. Some examples of service providers (or component providers) are listed below:
1. POI device vendors
2. POI application vendors
3. Key injection facilities
4. Certificate Authorities
5. Decryption environments (The PCI DSS compliant network where the cardholder data is decrypted)
6. Encryption environments (This involves distribution and management of POI devices and their applications before and after deployment at merchants)
3. How can you check reputation and quality of a QSA?
The PCI SSC website has each individual QSA listing and identifies what standards they are qualified to perform assessments and whether they are in good standing or not. Ultimately, when it comes to P2PE, I believe experience is key considering the young age, complexity and extension of the standard, and particularly when it comes to different POI device types out there in the market as a solution is often defined by the types of devices that perform the encryption of cardholder data out there in the field. Luckily each solution, component and application is listed on the PCI SSC website and the dependencies (POI devices and applications) are listed along with it so it is relatively simple to identify the QSA companies that have experience with different POI device types. For those solution providers that are looking for identifying assessors with the most experience on specific devices and applications, this is the best way of considering and selecting a QSA company.
In our particular case, Foregenix have supported and pioneered the P2PE standard since its inception, as a result all our QSAs have vast real world experience in not just assessing, but also helping on the design of P2PE solutions. We have the privilege of supporting very large accounts globally, including the top players on the PED industry, MasterCard and many other solution providers that are just about to launch their solutions. This is a very busy and dynamic market, and we are very excited about what is coming.
4. How long could the whole process of certifying a P2PE Solution take?
This is very much dependent on a number of factors. First and foremost, this is dependent on the solution providers readiness and willingness to pursue the implementation of a solution. There is the complexity aspect as well, that with proper QSA support can be well managed; in this aspect, P2PE is a demanding standard that requires a level of operational discipline not seen by many organisations before. The rewards are there but they do require a level of investment! The controls can be quite onerous and ‘would be’ solution providers sometimes do not understand the full extent of the investment or the level of detail that is required to implement P2PE in the correct way. Other factors are:
1. Number of POI devices to be included in the solution, and how many varieties of POI device lifecycles exists. (It is important that the POI device be controlled throughout its lifecycle, therefore a variety of different distribution channels means a larger scope)
2. Number of POI device applications to be included in the solution and whether these are already listed on the PCI SSC website or not.
3. Number of facilities that form part of the solution. (Key management facilities, distribution facilities, datacenters etc.)
4. Type of key management and encryption schemes used and whether this differs for different devices. (It often does)
5. ***Existing PIN processing infrastructure (Like HSMs performing online PIN translation or verification) trying to be adapted to support P2PE.***
5. How can key influencers in affecting the time of certifying a solution be mitigated?
Start simple! There is often a lot of pressure on solution providers from Merchants to implement a P2PE solution tomorrow. The quickest way to get a solution listed is to focus on 1 POI device and 1 POI application (or 2, just not 10) initially to get the solution listed as soon as possible and to start migrating merchants on to the solution. Firstly, this gets the solution provider listed on the PCI SSC website, their "name in lights". Thereafter, changes can be made to the solution to add additional devices, applications and facilities if required on a piecemeal basis. Eating an elephant one bite at a time so to speak. This approach has worked well with the solution providers we have worked with and at the same time, we have seen ‘would be’ solution providers struggle by not following this approach. Some are still struggling. Foregenix has assisted a customer who started of their solution small, focused on a specific region, and within two years, are now one of the largest P2PE Solution Providers globally, covering all continents, with components spread throughout Europe, Asia and and are starting to focus on Africa.
If you would like to learn more, please request a call back using the form below.