The Green Sheet Online Edition
October 25, 2010 • Issue 10:10:02
PCI SSC's latest: P2PE guidelines
The PCI Security Standards Council released a paper containing guidelines for payment professionals considering the implementation of a point-to-point encryption (P2PE) apparatus to protect cardholder data.
The paper discusses the use of P2PE solutions, including some of the technologies and methods involved in its implementation, the ways P2PE may reduce the scope of PCI compliance, the PCI standards that bear on P2PE solutions, and the path to certification.
According to the PCI SSC website, "Currently no global standardization of point-to-point encryption technology or validation of its implementation exists in the industry.
However, by providing this new guidance on P2PE, the council has taken the first step by definitively stating that P2PE may simplify PCI DSS [Payment Card Industry Data Security Standard] compliance by reducing the scope of the cardholder data environment."
The PCI SSC indicated the paper, titled Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance, will be one in a series of documents that "cover the use of encryption as it relates to the PCI [DSS] and scope reduction."
The paper was posted on the PCI SSC's website on Oct. 5, 2010, in conjunction with a separate document of guidelines for Europay, MasterCard and Visa (EMV) systems.
The council stated that the paper is a roadmap written with the "merchant perspective" in mind but is also aimed at payment processors, acquirers, assessors, vendors and other payment solution providers.
Point-to-point versus end-to-end
The phrase "point-to-point encryption" is often used interchangeably with "end-to-end encryption," but the PCI SSC eschews "end-to-end" because it can be misleading, according to Mark Bower, Vice President of Product Management for data security firm Voltage Security Inc.
Bower said P2PE entails the encryption of data from the point of capture at the card swipe device or other data entry point to its arrival at a payment processor - including its journey through a POS system, the merchant's information technology infrastructure and a gateway - where decryption is usually necessary before the data is distributed to different card issuers or other end points.
Because the data is almost always decrypted before reaching its final destination, Bower said the council has determined "point-to-point encryption" is a more accurate description than "end-to-end encryption."
Bower said there are no security silver bullets, but the proper use of P2PE is "as close as you're going to get" with the security solutions currently on the market.
He said P2PE would make life easier for merchants by reducing the scope of PCI compliance (because new encryption methods reduce the need for other security measures), lowering fraud prevention costs and reducing data theft. "For the first time, the PCI council is essentially acknowledging that encryption technologies, when applied correctly and against the forthcoming validation guidelines, can actually be used to simplify and reduce the scope of PCI standards for merchants," he said.
"If you can take a lot of these systems out of that assessment - for instance, remove the point of sale, remove the store controllers and the merchant's IT - that's reducing the costs of security right there and also getting a risk reduction benefit at the same time."
P2PE already in gear
Bower added that many merchants are already using P2PE solutions, and that the PCI SSC's guidelines would help propel it into the mainstream. "The train has left the station in terms of point-to-point encryption," he said. "Our customers are already implementing this. Really, the PCI council agreed that there are probably three technologies that are most important in helping organizations mitigate threats: EMV, point-to-point encryption and - what's next? - what's coming down the pike is guidance of tokenization."
(Tokenization protects cardholder data by replacing the 16-digit card number with an alpha-numeric substitute ("token") for storage in a POS system. The token can be used to identify the purchaser for chargebacks or other post-transaction issues but is useless if stolen.)
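As an added illustration (not code from the article, the PCI SSC paper or any vendor) of the tokenization described above: a toy vault issues a random 16-character alphanumeric token per card number, the POS keeps only the token, and the card number is recoverable only by asking the vault. The in-memory dictionary stands in for a real, separately secured vault service, and the card number used is a constructed test value.

```python
import secrets
import string

# Token alphabet is letters plus digits, as the article describes ("alpha-numeric
# substitute"); a token is kept the same width as a 16-digit PAN so it can sit in
# the POS card-number field, but because it contains letters it can never be
# mistaken for, or used as, a real card number.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 16


class TokenVault:
    """Maps tokens to PANs. Only the vault, never the POS, holds the PAN.

    Assumption: this in-memory dict stands in for a hardened vault service.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        # Re-issue the same token for a repeat card so the merchant can still
        # match a chargeback or a returning customer without seeing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if token not in self._token_to_pan:  # regenerate on the rare collision
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Processor-side lookup for chargebacks; unknown tokens yield None."""
        return self._token_to_pan.get(token)


def pos_record_sale(vault, pan, amount):
    """What the POS stores for a sale: a token and an amount, never the PAN."""
    return {"token": vault.tokenize(pan), "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    record = pos_record_sale(vault, "4111111111111111", 42.50)  # constructed test PAN
    print("POS record:", record)
    print("Vault lookup:", vault.detokenize(record["token"]))
```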