Guest Analysis: P2PE – The Most Secure Way to Process, to Date.
Brandon Benson, CISSP, P2PE QSA
November 7, 2013 – The Payment Card Industry (PCI) Council’s recent acceptance of the world’s first point-to-point encryption-validated solution is great news for both acquirers and merchants, and will aid in reducing merchant scope and increasing business security worldwide. If your P2PE know-how is a little spotty, here are the basics.
What is P2PE?
Point-to-point encryption (P2PE) is the combination of hardware and processes that encrypts customer credit/debit card data from the point of interaction until it reaches a merchant solution provider’s environment for processing. Because card data is immediately encrypted as the card is swiped (or dipped), it prevents clear-text information from residing on the payment environment. Encrypted card data is then transferred to, decrypted by, and processed through the solution provider processor who is the sole holder of the decryption key.
Many question the difference between P2PE and typical point of sale (POS) encryption. In a POS environment, merchants often store decryption keys on their backend servers. Bad idea. If a cybercriminal hacks into that environment, they not only have access to the encrypted card numbers, but the decryption key as well. Hacker jackpot.
The reason P2PE is arguably the most secure way to process is because merchants don’t have access to decryption keys. If a hacker breaches a merchant using a validated P2PE solution, he/she will only recover a long string of useless encrypted card numbers with no way to decode them.
Why use P2PE?
The main point of using a P2PE-valiated solution is to significantly lessen the scope of security efforts through PCI Data Security Standard (DSS) requirement and P2PE Self-Assessment Questionnaire (SAQ) reduction. Compared to the 80+ questions required of mainstream merchant SAQs, the P2PE-HW SAQ only requires merchants to answer 18 questions.
Basically, P2PE increases data security and has the ability to make a merchant’s job of reaching PCI compliance easier.
Are all P2PE solutions created equal?
The short answer is – no. Many P2PE solution vendors claim their solution reduces scope, but in order for a merchant to qualify, they must select only P2PE-validated solutions listed on the PCI Council’s website.
To get P2PE solutions and applications listed on the approved website, solution provider processors must go through a rigorous testing process performed by a qualified P2PE Qualified Security Assessor (QSA). P2PE QSAs help entities thorough the 210-page document of P2PE requirements, testing procedures, and controls required to keep cardholder data secure – a task which only a few companies in the world can do.
As of this post, the only P2PE hardware solution approved by the PCI Council is European Payment Services’ (EPS) Total Care P2PE solution, validated by P2PE QSA SecurityMetrics. A number of other P2PE solutions are currently undergoing the review process and will be added to the list once approved.
[spacer height=3]Brandon Benson, a SecurityMetrics P2PE QSA, assessed the world’s first P2PE-validated solution. To have your P2PE solution audited by a P2PE QSA, or to learn more about the benefits of P2PE, please contact SecurityMetrics at 801.705.5656 or [email protected].
The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.
[divide] [spacer height=3]