Wednesday, November 17, 2021
Ryan Smith, vice president, global business development at Futurex, a cryptographic solutions provider, observed the need for broader, more robust key management in today's integrated and increasingly interoperable payments landscape, in which more parties are sharing sensitive data.
"With all these different applications sharing payment information, how do I encrypt data from point A to point B and minimize risk when my application is in use?" Smith said. "Ten years ago, retailers thought of P2PE in terms of hidden keys; today they have a better understanding of application keys, authentication keys and the role security plays in the transaction."
Ruston Miles, founder at Bluefin, stated P2PE protects account data across the payment transaction lifecycle by making personally identifiable information (PII) unreadable from the point of entry to its final destination, where it can be securely decrypted. While many payment encryption products are available, Miles noted, PCI Security Standards Council (PCI SSC) validated solutions have met rigorous standards for encryption, decryption, key management and chain of custody.
"PCI validated P2PE solutions simplify validation by showing assessors that security controls are in place," he said. "Otherwise, assessors will spend more time and due diligence to determine if non-validated solutions meet the same security levels as PCI validated P2PE solutions."
Smith has also found that PCI P2PE version 3.0, released in December 2019 by the PCI SSC, has simplified certification and deployment. The universal standard makes it easier for component and solution providers to validate P2PE product and service offerings, he stated.
"Being on the same watch with PCI has made our engineering and design standards process a lot better," Smith said, adding that Futurex engineers can have more control of the PCI certification process by selectively enabling and disabling features within a hardware security module (HSM) without placing that burden on the customer or end user.
Subscription-based product offerings have also helped to democratize P2PE by making the technology service more accessible and affordable to small and midsize enterprises, Smith noted. For example, cloud-based HSMs and cryptography-as-a-service can protect financial data in different PCI zones, reduce PCI compliance scope, and increase redundancy in the cloud while offering the same performance and dependability as physical hardware, Smith stated.
"We've taken our same physical requirements and implemented a virtualization technology to create our own hypervisor within the HSM that runs behind that physical security boundary," Smith said. "This is how we've created a service out of our HSM."
Smith additionally noted that this time of year is probably not an ideal time to sell new POS equipment or solutions. However, security best practices can help retailers balance security with customer experience, he added. "If retailers will hire additional staff for the holidays, they can train these frontline soldiers to monitor customer traffic and ask for IDs when necessary," Smith said. "And they can dedicate resources, whether financial or human, to better understand the risk factors."