The Green Sheet Online Edition

October 25, 2010  •  Issue 10:10:02


PCI SSC's latest: P2PE guidelines

The PCI Security Standards Council released a paper containing guidelines for payment professionals considering the implementation of a point-to-point encryption (P2PE) solution to protect cardholder data.

The paper discusses the use of P2PE solutions, including some of the technologies and methods involved in its implementation, the ways P2PE may reduce the scope of PCI compliance, the PCI standards that bear on P2PE solutions, and the path to certification.

According to the PCI SSC website, "Currently no global standardization of point-to-point encryption technology or validation of its implementation exists in the industry.

However, by providing this new guidance on P2PE, the council has taken the first step by definitively stating that P2PE may simplify PCI DSS [Payment Card Industry Data Security Standard] compliance by reducing the scope of the cardholder data environment."

The PCI SSC indicated the paper, titled Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance, will be one in a series of documents that "cover the use of encryption as it relates to the PCI [DSS] and scope reduction."

The paper was posted on the PCI SSC's website on Oct. 5, 2010, in conjunction with a separate document of guidelines for Europay, MasterCard and Visa (EMV) systems.

The council stated that the paper is a roadmap written with the "merchant perspective" in mind but is also aimed at payment processors, acquirers, assessors, vendors and other payment solution providers.

Point-to-point versus end-to-end

The phrase "point-to-point encryption" is often used interchangeably with "end-to-end encryption," but the PCI SSC eschews "end-to-end" because it can be misleading, according to Mark Bower, Vice President of Product Management for data security firm Voltage Security Inc.

Bower said P2PE entails the encryption of data from the point of capture at the card swipe device or other data entry point to its arrival at a payment processor - including its journey through a POS system, the merchant's information technology infrastructure and a gateway - where decryption is usually necessary before the data is distributed to different card issuers or other end points.

Because the data is almost always decrypted before reaching its final destination, Bower said the council has determined "point-to-point encryption" is a more accurate description than "end-to-end encryption."

Bower said there are no security silver bullets, but the proper use of P2PE is "as close as you're going to get" with the security solutions currently on the market.

He said P2PE would make life easier for merchants by reducing the scope of PCI compliance (because new encryption methods reduce the need for other security measures), lowering fraud prevention costs and reducing data theft. "For the first time, the PCI council is essentially acknowledging that encryption technologies, when applied correctly and against the forthcoming validation guidelines, can actually be used to simplify and reduce the scope of PCI standards for merchants," he said.

"If you can take a lot of these systems out of that assessment - for instance, remove the point of sale, remove the store controllers and the merchant's IT - that's reducing the costs of security right there and also getting a risk reduction benefit at the same time."

P2PE already in gear

Bower added that many merchants are already using P2PE solutions, and that the PCI SSC's guidelines would help propel it into the mainstream. "The train has left the station in terms of point-to-point encryption," he said. "Our customers are already implementing this. Really, the PCI council agreed that there are probably three technologies that are most important in helping organizations mitigate threats: EMV, point-to-point encryption and - what's next? - what's coming down the pike is guidance of tokenization."

(Tokenization protects cardholder data by replacing the 16-digit card number with an alpha-numeric substitute ("token") for storage in a POS system. The token can be used to identify the purchaser for chargebacks or other post-transaction issues but is useless if stolen.)
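The two mechanisms described above, P2PE from the point of capture to the processor and tokenization for post-transaction reference, are easiest to reason about as a data flow. The following Python simulation is an added illustration and is not code from the PCI SSC, Voltage Security or any vendor named in the article. It assumes a terminal key shared only between the swipe device and the processor (a constructed sample value), uses an HMAC-SHA256 keystream with an HMAC tag as a stand-in for the AES or DUKPT encryption real terminals use, and uses a plain dictionary as the processor-side token vault. The hop names and the sample card number are constructed for the example.

```python
# Added illustration of the P2PE data flow and tokenization described in the
# article. NOT code from the PCI SSC or Voltage Security. The HMAC-based
# stream cipher is a stand-in for the AES/DUKPT encryption real terminals use.
import hashlib
import hmac
import json
import secrets

# Constructed sample key: injected into the terminal and held by the processor
# only. The POS, store controller, merchant IT and gateway never have it.
TERMINAL_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
SAMPLE_PAN = "4111111111111111"  # constructed test card number


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def terminal_encrypt(pan: str, key: bytes) -> dict:
    """Point of capture: encrypt the PAN inside the swipe device before it leaves."""
    nonce = secrets.token_bytes(12)
    plaintext = pan.encode()
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    # Only the last four digits travel in the clear, for receipts.
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag, "last4": pan[-4:]}


def forward_through_merchant(message: dict) -> list:
    """POS, store controller, merchant IT and gateway each handle the message;
    record exactly what each hop could observe (hypothetical hop names)."""
    observed = []
    for hop in ("pos_terminal_app", "store_controller", "merchant_it", "gateway"):
        observed.append((hop, json.dumps(message)))  # each hop sees only ciphertext
    return observed


def processor_decrypt(message: dict, key: bytes):
    """Processor: verify the tag, then recover the PAN. Returns None if tampered."""
    nonce = bytes.fromhex(message["nonce"])
    ciphertext = bytes.fromhex(message["ct"])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode()


class TokenVault:
    """Processor-side vault. The token is a random alphanumeric stand-in with no
    mathematical relation to the PAN, so a stolen token is useless without the vault."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(6) + pan[-4:]  # keeps last4 for receipts/chargebacks
        self._by_token[token] = pan
        return token

    def lookup(self, token: str):
        return self._by_token.get(token)


def run_transaction(pan: str = SAMPLE_PAN) -> dict:
    """Run one payment end to end and report what each party could see."""
    message = terminal_encrypt(pan, TERMINAL_KEY)
    hops = forward_through_merchant(message)
    recovered = processor_decrypt(message, TERMINAL_KEY)
    vault = TokenVault()
    token = vault.tokenize(recovered) if recovered else None
    return {
        "pan_visible_to_merchant_hops": any(pan in seen for _, seen in hops),
        "processor_recovered_pan": recovered == pan,
        "token_stored_at_merchant": token,
        "token_resolves_for_chargeback": vault.lookup(token) == pan,
    }


if __name__ == "__main__":
    print(json.dumps(run_transaction(), indent=2))
```

The point the simulation makes is the scope argument in the article: every merchant-side hop handles only ciphertext and never holds the key, so those systems carry no cardholder data to assess, while the processor alone can verify and decrypt, and the merchant retains only a token that resolves to the card number through the processor's vault.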

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

