Guest Analysis: Leveraging P2PE Security Before EMV’s Deadline

Brandon Benson

August 22, 2014 – Despite the steady drumbeat of data security messaging from card brands, acquirers, and security professionals worldwide, compromise still happens. Regularly. Point-to-point encryption (P2PE) is the logical next step in prevention … or is it?

Since the first P2PE-validated solution was announced at the Payment Card Industry (PCI) Security Standards Council (SSC) 2013 European Community Meeting by EPS [1], P2PE has emerged as the newest payment industry buzzword. More and more acquirers are considering P2PE portfolio implementation. However, it’s not a solution for everyone.

P2PE has the potential to strain relationships between acquirers, ISOs, service providers, gateways, and even merchants. For example, acquirers looking to develop their own P2PE solutions may consequently cut out longtime ISO partners.

On the more positive side, P2PE is a godsend for industry observers who have been waiting for a more secure processing solution. Because of its inherent encryption protection, P2PE has serious PCI Data Security Standard (DSS) scope reduction benefits and may actually cut the overall cost of security.

Comparing EMV and P2PE

With only two approved solutions at the beginning of 2014 [2], P2PE’s adoption is presently microscopic. However, P2PE’s eventual industry results could be more earth-shattering than the already-positive effects of EMV implementation.

According to UK card fraud expert Neira Jones [3], Europe’s EMV chip migration reduced fraud so much that hacking efforts migrated elsewhere. Discover Financial Services reports that Europe has seen an 80% reduction in credit card fraud since its migration to EMV. Unfortunately, hackers have already begun to drift toward low-hanging fruit in the unprotected ecommerce industry.

Like EMV, P2PE reduces processor liability and deters hackers. Then it takes security a step further and shrinks PCI Self-Assessment Questionnaire (SAQ) scope to a mere 18 questions [4]. EMV may protect track data and prevent card reproduction, but P2PE helps eliminate the storage of actual track data in the merchant environment.

Bob Russo, head of the PCI SSC, said, “Even in the very mature [EMV] markets, people are realizing that EMV alone, while a good fraud tool in the face-to-face environment, is not really enough to protect everything.” [5]

While a great solution for today’s physical point of sale systems, EMV is not the future of payment security.

Kill two security requirements with one stone

Visa and MasterCard’s 2015 EMV requirement means merchants across the nation must seriously review their current point of sale solutions. Merchants using archaic, and even current, point of sale hardware and software will soon be instructed by the card brands and their acquirer to upgrade to EMV.

Here is where P2PE comes in. As merchants look to replace hardware for 2015, it would be beneficial for acquirers to encourage their ISOs to seek P2PE validation. That way, when processors truly begin pushing EMV, they can provide merchants with a P2PE solution that both reduces PCI scope and meets EMV requirements.

Combining P2PE with EMV could be the solution to two problems merchant processors face: EMV mandates and comprehensive payment security. [6]

Think of it this way. If acquirers already plan to offer a new EMV solution, it might as well also be a P2PE-validated device.

P2PE pros

There is no question that the PCI DSS exhausts merchants. Businesses are required to complete an SAQ annually, conduct quarterly vulnerability scans, scan systems for unencrypted card data, conduct regular employee training, implement firm policies, and handle regular network updates. Not to mention the managerial, strategic, and personnel decisions executed on a daily basis.

Council-listed P2PE solutions [7] relieve a significant portion of that security burden. Because credit card data is encrypted at swipe and merchants have no access to decryption keys, scope and risk are significantly reduced.

Really, all the headaches of compliance are shifted to and addressed by the P2PE solution provider. P2PE completely negates the merchant’s need for network segmentation, firewalls, log management, IT personnel, etc. It’s the closest a merchant can get to one-stop-shop PCI compliance, likely leading to a significant reduction in merchant PCI frustration.

The few PCI responsibilities a merchant would continue to hold include maintaining the physical security of the P2PE hardware/software and completing an annual 18-question PCI SAQ.

Many in the industry believe P2PE spells PCI’s doom. This perception is a bit dramatic and not entirely true. After all, service providers, ISOs, gateways, and all ecommerce merchants are still in scope for PCI.

P2PE cons

Is P2PE the silver bullet? Absolutely not. Like EMV, P2PE does nothing to help the online businesses conducting millions of ecommerce transactions per day. Because no ecommerce P2PE standard exists, the estimated 25 million [8] ecommerce merchants worldwide are out of luck when it comes to scope reduction.

In addition, although P2PE seems quite bulletproof right now, all technologies have weak spots. It may take years to find them, but eventually and inevitably, hackers will find their way around P2PE. They always do.

Another negative aspect of P2PE is that it may create touchy situations between acquirers and ISOs. Acquirers that offer a direct P2PE solution must walk a careful line so as not to alienate the ISOs that work with them.

By far, the greatest con of P2PE is capital expense. It takes time and money to successfully implement a validated P2PE solution. New point of sale hardware and software, hardware security modules, inventory tracking and monitoring, alerting programs, and key management are just a handful of the considerations for an effective P2PE solution offering. To become a P2PE solution provider, acquirers are looking at expenses well over $1 million.

Moving forward with P2PE

Even with its faults, P2PE is the most secure and liability-reducing payment technology available to businesses today.

Merchants may whine about the costs associated with an EMV/P2PE solution, but they should also take into account the cost savings of not having to address all the different controls required to implement PCI in their environment. As a bonus to acquirers, switching processors after making the P2PE transition would be extremely difficult: merchants could end up in another, non-P2PE environment, requiring them to once again meet all PCI requirements.

If acquirers and ISOs wish to transition their merchants to EMV and P2PE at the same time, today is the day to begin. With a combined EMV/P2PE solution, the approaching EMV requirements are met, transactions are fortified through solid encryption, solution value is increased, merchant frustration is reduced, and processors reduce their risk.

Brandon Benson, a SecurityMetrics P2PE QSA, assessed the world’s first P2PE-validated solution. To learn more, please contact SecurityMetrics at 801.995.6860 or [email protected].

References:

1. http://www.darkreading.com/authentication/pci-security-standards-councils-validate/240163378
2. https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php
3. http://www.bankinfosecurity.com/jones-a-6047/op-1
4. http://www.pcicomplianceguide.org/docs/PCI_SSC_P2PE_Update_July_2012.pdf
5. http://www.qsrmagazine.com/exclusives/are-you-ready-emv
6. http://www.pcmsdatafit.com/blog/2014/02/
7. https://www.pcisecuritystandards.org/documents/P2PE_v1_1_FAQs_Aug2012.pdf
8. http://www.internetretailer.com/commentary/experts/how-many-online-retailers-are-there-worldwide/

The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.