By Ruston Miles
Bluefin Payment Systems LLC
If 2015 was the year of Europay, MasterCard and Visa (EMV), 2016 will be the year of point-to-point encryption (P2PE). In our fight to prevent data breaches, EMV has a walk-on role. The uncelebrated star of the show is P2PE, a technology that protects against sophisticated malware that has caused 1,400 data breaches in the last two years, including at Target, P.F. Chang's and Home Depot. With increased awareness of the role of P2PE and a new standard that streamlines its adoption for merchants, we will soon see P2PE move to center stage.
With the commotion around the U.S. implementation of chip cards, it's been easy to overlook the fact that EMV is intended only as a single element of the "layered approach": a three-prong technological security strategy that also incorporates tokenization, which protects data at rest in merchant systems, and P2PE, which protects data in transit, particularly at the POS.
EMV cards are important; they prevent counterfeit cards from being used at the POS and so make it harder for fraudsters to use stolen card data. But P2PE is integral to preventing the card data from being stolen in the first place. Many merchants are surprised to learn that without P2PE, card numbers are sent through their terminals' POS systems unencrypted even if EMV chip cards are used, leaving them wide open to attack. This lack of awareness is concerning, because P2PE is the critical technology where POS malware is concerned. It is the element of the layered approach that protects data during the transaction itself. To spur adoption, in 2015, the PCI Security Standards Council updated its standards for P2PE to make adopting it more user-friendly in response to requests from merchants and processors asking for more flexibility.
Many observers, including myself, believe this new standard, which streamlines merchant adoption, has made a good technology excellent. Merchant adoption promises unparalleled protection against malware, and with EMV and tokenization technologies working together, consumer protections will be significantly enhanced.
The PCI SSC's Version 1.0 of the P2PE standard set the bar extremely high. The P2PE assessors were strict to the standard, and getting through nearly 1,000 requirements covering areas of security and logistics that are foreign to payment processors was a significant challenge. For this reason, it was called the "gold standard" by some, but held up as unattainable by others. Some processors spent a year trying to comply only to conclude it wasn't possible to validate their in-market encryption solutions.
Understanding that a standard is only as effective as its adoption, the council gathered feedback which would allow it to create a 2.0 version that would increase ease of adoption without watering down the protections in it. This involved three major changes.
First, it modularized the standard so that a P2PE solution isn't required to audit all solution components at once. A solution provider can now partner with other companies that offer validated components without having to have the entire solution re-audited. This saves time, money and greatly reduces complexity. This is a groundbreaking change that will spur adoption.
The second major change was to allow merchants to create and manage their own P2PE solutions. Merchants indicated they were concerned with processor lock-in: if processors owned the encryption/decryption keys, merchants would be unable to leave their processors for better deals and would lose leverage. Now merchants can create and manage their own P2PE solutions, or choose from various P2PE solution components, in the same way that processors can. This puts merchants in the driver's seat.
The third major change incorporates feedback from the P2PE solution implementations aimed at simplifying logistics, cleaning up gray areas and removing problematic requirements. For example, in the first standard, devices had to be regularly weighed to determine if skimmers or other hardware had been attached. This requirement was difficult to implement and provided little additional security.
In 2016, adoption of Payment Card Industry (PCI)-validated P2PE is easier than most might think, with the new standards allowing far faster validation than before. Many merchants who have purchased payment terminals in the past two years may already have P2PE in their devices and simply not have it configured. An article in The Wall Street Journal noted that Home Depot had terminals and a project in support of P2PE but did not have it turned on when it was breached.
Merchants are learning that technologies such as EMV and P2PE are useful in solving two very different risks. EMV chip cards protect merchants from accepting counterfeit cards at the POS; P2PE protects card data from being exposed to hackers when it is entered into the POS. In light of the deluge of breaches over the past two years, it's clear that while both technologies are important, P2PE is absolutely critical to stem the tide of attacks. So there we have it, 2016: the year of P2PE. For the sake of consumers and the reputations and viability of the merchants who serve them, I hope my prediction turns out to be correct.
Ruston Miles is the Chief Innovation Officer at Bluefin Payment Systems LLC, the first PCI-validated P2PE solution provider in North America. He is a well-known speaker on data security issues. For more information on Ruston Miles or Bluefin, please email firstname.lastname@example.org.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next