The Green Sheet Online Edition
February 26, 2018 • Issue 18:02:02
PCI-validated P2PE for every merchant environment
Atlanta-based Bluefin Payment Systems LLC, a payment security company with additional offices in New York, Chicago, Tulsa and Waterford, Ireland, enhanced its point-to-point encryption (P2PE) technology suite with updated versions of P2PE Manager and Decryptx P2PE.
The patent-protected, Payment Card Industry (PCI) Data Security Standard (DSS)-validated solutions are compatible with online, in-store, mobile and self-service payment applications and environments. When implemented with EMV (Europay, Mastercard and Visa) and tokenized payment transactions, their added security layers protect merchants and consumers from payment card data breaches, company representatives stated.
Bluefin noted that in 2014, it became the first North American P2PE solution provider to achieve PCI validation, and since then, a growing number of partner organizations have implemented the company's P2PE technology suite to manage large device populations. Ruston Miles, Chief Strategy Officer, Executive Vice President and founder of Bluefin, said the purpose-built system can manage asset tracking, chain of custody and other device requirements typically related to large POS deployments and rollouts.
"We built a system to manage complexity and simplify the process, enabling merchants to get P2PE through their existing software providers and roll out and manage these programs with greater ease," he stated. "We're the only provider that offers P2PE as a service. In every other case it has been part of the payment process."
Decryptx P2PE: Decryption-as-a-service
Bluefin's processor-agnostic subscription model, Decryptx P2PE, enables processors, acquirers and gateways to provide PCI-validated P2PE directly to merchants through their own platforms, Miles noted. Sixty partner organizations, comprising payment acquirers and gateways, offer the service. Bluefin has received six U.S. patents on its Decryptx and P2PE Manager products, with additional patents pending in the United States, Europe and Japan.
BridgePay Network Solutions LLC, a payment transaction gateway based in Altamonte Springs, Fla., added Decryptx to its suite of turnkey payment applications, enabling the company to provide PCI-validated P2PE to its partners and independent software vendors (ISVs).
"From a BridgePay perspective, many of our customers and prospects asked us what we were doing about a PCI P2PE solution," said Rick Taylor, President and Chief Executive Officer at BridgePay. "We investigated the audit process and the chain of custody requirements and quickly decided that Bluefin was a quick, reliable, and affordable alternative to doing it all ourselves. Bluefin's Decryptx service enables BridgePay to provide our ISVs our best in class payment gateway with Bluefin as a gold standard of PCI validated P2PE."
Bluefin's P2PE Manager, a cloud-based device management platform, is designed to assist merchants with all aspects of device management. The online system provides merchants with tools to manage a range of P2PE activities, achieve and maintain PCI compliance and derive the benefits of PCI-validated P2PE scope reduction. Clients can use P2PE Manager to monitor POS device lifecycles, from key injection and deployment to device state and attestation management, including decryption transaction histories.
PCI P2PE certified devices provide additional benefits to end-users and service providers, described by Bluefin as follows:
- Tamper-resistance: PCI P2PE certified devices are designed to detect tampering and will automatically deactivate when malicious activity is detected.
- Chain of custody: PCI-validated P2PE devices employ a "chain of custody" process to manage device lifecycles. The Bluefin online P2PE Manager enables users to track devices for PCI attestation and compliance.
- Strict controls: PCI-validated P2PE solution providers are required to implement strict controls to protect encryption keys. Device key injection is done directly at a certified key injection facility, and decryption only occurs in the Bluefin hardware security module.
- Reduced PCI assessment: Merchants that implement Bluefin's PCI-validated P2PE solution are eligible for a 33-question self-assessment questionnaire, SAQ P2PE-HW, a significantly reduced version of the standard 329-question SAQ.
"In Europe, P2PE is required by Visa for mobile POS," Miles said. "And now that EMV is in the rearview mirror in the United States, we're seeing increased demand for P2PE solutions."