Article by Tim Winston, PCI/P2PE Practice Director, Coalfire Systems
To help IT executives in the payment industry, there is a need to have a well-maintained overall unified system to verify each payment transaction’s validity. The PCI Security Standards Council provides a program for validating Point-to-Point Encryption solutions which are slowly transitioning from a nice-to-have security option to a must-have for all merchants in the industry. Point-to-Point Encryption solutions, also known as P2PE, bring an added layer of protection for retail merchants by removing them from the encryption/decryption of sensitive payment data.
Through the use of P2PE, customer data is encrypted at the point the card gets swiped, inserted, or tapped at the Point-of-Sale device and then decrypted when it arrives at the payment processor. Retailers are notified when the transaction is approved or declined, thus removing their risk from accepting and transmitting cardholder data.
When P2PE is implemented correctly, retailers will significantly reduce risk and PCI compliance costs. With this type of technology, innovation is being leveraged to virtually eliminate the risk that hackers have been able to exploit in very public ways. While reducing risk among all involved parties is a prudent strategy, consumers can rest assured that their data is safe with updated payment systems.
Throughout my career in the risk, audit and compliance arena, I’ve talked to dozens of large and mid-sized retail merchants about their options for implementing a P2PE solution.
As each of these retailers have their own set of issues with cyber risks, here’s what I’ve learned over the years -- that most merchants aren’t aware of in the P2PE space:
1 Listed PCI DSS Solution: This is preferred if you’re looking to reduce cost of PCI compliance, however, there are currently very few listed solutions. Currently, there are only 16 listed, but more are being added to the list this year as assessments reach completion.
2 Non-PCI listed Encryption Solutions: Most of these solutions pre-date the PCI P2PE standard and achieve the fundamental goal of removing unencrypted cardholder data from the retail environment. While they significantly reduce the risk of a cardholder data breach, they typically do not offer all of the protections of PCI listed P2PE solutions. A reduction DSS compliance effort can be achieved with agreement from their bank.
3 Self-managed P2PE Solutions (i.e. a self-built solution): This option requires in-depth knowledge and careful implementation. As this necessitates a new domain to be built out within an organization, it can be a very onerous undertaking. Self-managed P2PE solutions typically do not provide a clear ROI. The “homegrown” newly built solution is not eligible to be a listed PCI DSS Solution and will call for a full staff of software developers to spend a year or more to develop the solution. Adding to the cost and risk equation, the encryption will need to be reevaluated every three years to guarantee a solid product offering.
4 State of Compliance and Costs: Having any of the above does not eliminate PCI compliance but it can reduce scope over time. While a P2PE solution may not initially reduce cost, savings can be achieved from the second year onward. Compliance costs are increased during the first year because both the proper implementation of the new P2PE solution and the elimination of any residual data from the decommissioned system must be assessed. In subsequent years, assessments will focus on the much more limited scope of the proper maintenance of the P2PE or encryption solution.
Reasons to use a listed P2PE solution:
Reduces the scope and work associated with PCI compliance. Merchants transition from producing a few hundred documents to a few extra store visits.
Thoroughly vetted with the highest PCI standards.
Provides the maximum reduction in compliance cost and organizational effort.
Accepted without obtaining acquirer approval because listed P2PE solutions are already part of the PCI framework. This, in turn, makes assessing the merchant a much easier process as much more effort is required to verify the PCI environment with a non-listed solution. If merchants use a non-PCI listed solution, then there is a solution verification process that adds the time and cost required to each year’s assessment.
The choice for merchants is not “if”, but “when” to implement a P2PE solution. Currently, there is a much wider range of available non-PCI listed solution options; merchants are more likely to find a solution that has a more tailored approach for their specific needs. These solutions offer significant risk reduction and the possibility of reduced DSS compliance effort. This is attractive for merchants that have difficulty achieving and maintaining the security and compliance of their retail systems. This is balanced by the risk of future costs for a second transition to a PCI listed solution.
As merchants move through assessing their 2016 cybersecurity risks, P2PE solutions will undoubtedly be reviewed as an option to help boost security for both themselves and consumers. While EMV will eventually improve risk exposure in retail locations, it’s not a cure all even when it becomes fully implemented and all consumers having chip-enabled credit cards. A security stance where EMV is implemented with a listed P2PE solution is the best case solution today.