The Green Sheet Online Edition
October 12, 2015 • Issue 15:10:01
P2PE: Better than ever and vital to data security
POS malware has been the bane of retailers for nearly two years now, claiming nearly 1,400 breaches in a 24-month period. Target Corp., The Home Depot Inc., P.F. Chang's China Bistro and many other merchants were attacked in this way.
The fallout from these attacks has forced the widespread review of merchant data security. The current solution focuses on the technological trinity of EMV (or chip cards), tokenization, and point-to-point encryption (P2PE), underpinned by standard setting through Payment Card Industry Data Security Standard (PCI DSS) managed by the PCI Security Standards Council (PCI SSC). This has become known as the "layered" or "secure-all-channels" approach.
To date, the mainstream media discussion on the topic of payment card security has been focused on Europay, MasterCard and Visa (EMV) – chip card technology intended to protect consumers against the consequences of breached, lost or stolen cards. However, EMV has no direct role in combatting POS malware. Most merchants know that EMV chip cards can protect plastic cards from counterfeiting, but many have not yet learned that P2PE – that is, encrypting card data at the point-of-entry – has to be the primary defense to protect their locations against POS malware.
The killer app
This lack of understanding is concerning, because P2PE is the killer app where POS malware is concerned. It is the element of the layered approach that protects data during the transaction itself. In June 2015, the PCI SSC updated its standards for P2PE to make adopting it more user-friendly in response to requests from merchants and processors asking for more flexibility.
The PCI SSC's Version 1.0 of the P2PE standard set the bar extremely high – something I know from first-hand experience shepherding my company, Bluefin, through the expensive, time-consuming PCI P2PE-validation process. The P2PE assessors adhered strictly to the standard, and getting through nearly 1,000 requirements covering areas of security and logistics that are foreign to payment processors was a significant challenge.
For this reason, the first P2PE standard was called the gold standard by some but was decried as unattainable by others. Indeed, I know of some processors that spent six to 12 months trying to comply with the P2PE standard only to decide that it was not possible to validate their in-market encryption solutions.
Simplified, not watered down
In developing P2PE 2.0, the PCI SSC sought feedback that would allow the council to mature the standard, understanding that a standard is only as effective as its adoption. The PCI SSC's mandate was to increase ease of adoption while maintaining the standard's fidelity. Put simply the council sought to simplify the P2PE standard, not water it down.
To accomplish this, the council made three major changes. First, it modularized the standard so that a P2PE solution was not required to audit all of the solution components at once. A solution provider can now partner with other companies that offer validated components without having to have the entire solution re-audited. This saves time and money and greatly reduces complexity. I believe this modularization of the standard is a groundbreaking change that will surely spur adoption.
The second major change was to allow merchants to create and manage their own P2PE solutions. Feedback showed that merchants were concerned with processor lock-in, fearing that if a processor owned the encryption/decryption keys the processor's merchants would be unable to leave the processor for a better deal and would lose leverage. Now merchants can create and manage their own P2PE solutions or choose from various P2PE solution components, in the same way that processors can. This exciting new section of the standard puts the merchant in the driver's seat.
The third major change incorporates feedback from the P2PE solution implementations aimed at simplifying logistics, cleaning up gray areas and removing problematic requirements. For example, in the first standard, devices had to be regularly weighed in order to determine if skimmers or other hardware had been attached. This requirement was difficult to implement and comply with and found to provide little additional security.
The good news for merchants is that adoption of PCI validated P2PE is easier than most might think with the new standards allowing far faster validation than before. Interestingly, many merchants who have purchased payment terminals in the past two years may already have P2PE in their devices and simply not have them configured. An article in The Wall Street Journal noted that Home Depot had terminals and a project in support of P2PE but did not have it turned on when it was breached.
Many merchants thought P2PE was dead; many providers hoped it would be. But the new standard ensures that P2PE is alive and better than ever. Whether or not you have looked into a P2PE solution in the past, I encourage to you check it out now. It might well save you from a breach, reduce your scope, simplify your PCI compliance program, and save you a great deal of time and money. Long live P2PE.
Ruston Miles is the Chief Innovation Officer at Bluefin Payment Systems LLC, the first PCI-validated P2PE solution provider in North America. He is a well-known speaker on data security issues. For more information on Ruston Miles or Bluefin, please email firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.