In the first six months of 2019 4.1 billion records were compromised in publicly disclosed breaches and with 2020 just beginning, merchants are more aware than ever about customer data security. In the midst of this, Point-to-Point Encryption (P2PE) has emerged as a security solution that assures payment data is as safe as possible. P2PE works to keep payment data secure in transit as well as prevent tampering at the point of sale (POS) devices themselves, as it encrypts card data at the point of interaction - when a card is inserted or swiped. From that point, the data is encrypted until it reaches the gateway so no cybercriminal or third party can access the unencrypted data.
In addition to the security benefits to the business, P2PE also reduces the scope, complexity and administration costs of Payment Card Industry Data Security Standard (PCI DSS) compliance for payment solutions. As the gateway is the only holder of the decryption key, and sensitive card data is kept out of the POS environment, the scope is greatly reduced for PCI DSS certification. This saves the merchants a lot of time and money.
How are Merchants Getting Started with P2PE?
There’s a few ways businesses have implemented P2PE into their security strategy. Some large merchants with dedicated security resources and a quality security assessor build their own P2PE strategy from scratch. Internally-built solutions such as those might work for larger merchants but are less accessible for smaller merchants with fewer resources. Oftentimes, building a custom P2PE solution can create more complexities, require long and costly certifications and prove to be an immense challenge.
In the past, many have opted to pair together different parts of P2PE solutions from different vendors, which requires trusting both the service provider and a third-party entity that validated all of these pieces independently. To avoid the headache associated with this, many smaller merchants should invest in validated solutions.
How Providers Specializing in Validated P2PE Solutions are Helpful for Business
Vendors with validated-P2PE solutions can properly implement all parts of the technology into your systems with assurance of full PCI DSS compliance. What is equally important, is that they can eliminate the need for security experts within your business. These providers can greatly simplify the process of implementation and are trained to correctly implement people, process and technology in five domains:
- Encryption device and application management ensures that the payment acceptance device has been properly secured through its manufacturing, initialization, software loading and delivery to the customer. This domain also ensures that the terminal properly implements the standards-based methods used to encrypt the data.
- Application security ensures that the application operating on the payment acceptance devices are developed securely, are void of defects that would expose cardholder data and that use card data properly (allowing the device to manage encryption and external communications).
- Decryption environment ensures that the payment gateway has implemented the decryption technologies properly in a secure environment, validating that there is no way for cybercriminals to break in and steal the cardholder data.
- Cryptographic key operations and device management ensures that the appropriate technologies and processes are being used to protect the key materials used in both the terminal for encryption and the payment gateway for decryption.
- P2PE solution management ensures that providers who pull together multiple P2PE components have processes in place to manage the integration of those components and that they provide user-facing documents (P2PE Implementation Manuals - PIMs) on how to use the solution securely.
With all the benefits of P2PE, both in securing payment data and cutting down on the scope of PCI DSS compliance, many merchants are realizing the value of integrating this technology into their security strategy. How they choose to implement all of the elements of a P2PE solution is the second step.
In the age of open source solutions, creating your own P2PE solution can be tempting. Choosing to do this without an in-house specialist, however, can pose a challenge. With complex implementation and certification costs for payment security, working with an expert will save you time, money and effort in the long run. Investing in a validated solution ensures that most of the heavy lifting is already done for you - and your customers’ data will stay secure.
The PCI SSC maintains an updated authoritative list of validated components and solutions on their website. To learn more visit this page.
If you would like to learn more about a validated- P2PE solution, drop us a line and speak with our security experts!
Steven Bowles is the Regional Security Officer & Director of Security Solutions at Ingenico Group, North America