2020 was a tumultuous year for grocers. While they were one of the few essential businesses that stayed open during the initial COVID-19 lockdowns in the US, it took a while before their in-store foot traffic bounced back. The health and safety of shoppers and store staff is of prime importance, but grocers shouldn't overlook the health and safety of their data. Even while foot traffic to a store remains low, the need for security solutions is still urgent.
According to the 2020 Mid-Year Data Breach QuickView Report, there was a 52% decline in the number of data breaches in the first six months of 2020 as compared to 2019. However, the number of records exposed climbed to 27 billion, 12 billion more than the records exposed in the entirety of 2019. What this tells us is very simple: strengthening cybersecurity is a necessary, ongoing process. Whether your business is already protected or not, the risk of data theft is ever growing, and you need to continuously assess your security measures to make sure you are protected against new threats, especially in payments.
Payment Security with Point-to-Point Encryption (P2PE)
Over the years, point-to-point encryption (P2PE) has emerged as a solution that assures top-notch security of payment data. P2PE keeps this sensitive payment data secure in transit and prevents tampering at the point of sale (POS) devices themselves, because it encrypts card data at the point of interaction, the moment a card is inserted or swiped. From that point, the data remains encrypted until it reaches the gateway, so no cybercriminal or other third party along the way can access the unencrypted data.
In addition to the security benefits to the business, P2PE also reduces the scope, complexity and administration costs of Payment Card Industry Data Security Standard (PCI DSS) compliance for payment solutions. As the gateway is the only holder of the decryption key, and sensitive card data is kept out of the POS environment, the scope is greatly reduced for PCI DSS certification. This saves the merchant a lot of time and money.
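The data flow described above, as an added Go model that is not Ingenico's or the PCI SSC's code: the POI device encrypts the PAN under a per-transaction key derived from a base derivation key it shares only with the gateway, the merchant POS environment forwards an opaque blob it cannot decrypt (it gets only the last four digits for the receipt), and the gateway decrypts and rejects any blob altered in transit. The BDK value, the device ids, the test PAN and the HMAC-based key derivation (a simplified stand-in for a DUKPT-style scheme) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed 32-byte BDK: loaded into the terminal, held by the gateway, never by the POS.
var bdk = []byte("constructed-demo-bdk-key-32-byte")
// P2PEBlob is all that the merchant POS environment and the network ever see.
type P2PEBlob struct {
	DeviceID   string
	Counter    uint32 // transaction counter: a fresh key for every card read
	Ciphertext []byte // AES-GCM output, nonce prepended
	Last4      string // non-sensitive, enough for the receipt
}
// txCipher derives a unique per-transaction AES-256-GCM key from the BDK, device id
// and counter (HMAC-SHA256 is a simplified stand-in for DUKPT-style derivation).
func txCipher(deviceID string, counter uint32) cipher.AEAD {
	mac := hmac.New(sha256.New, bdk)
	mac.Write([]byte(deviceID))
	binary.Write(mac, binary.BigEndian, counter)
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte digest: valid AES-256 key
	g, _ := cipher.NewGCM(block)
	return g
}
// POIEncrypt runs inside the terminal: the PAN is encrypted at the point of
// interaction, before any merchant software can touch it.
func POIEncrypt(deviceID string, counter uint32, pan string) P2PEBlob {
	g := txCipher(deviceID, counter)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	ct := g.Seal(nonce, nonce, []byte(pan), []byte(deviceID)) // device id is authenticated too
	return P2PEBlob{deviceID, counter, ct, pan[len(pan)-4:]}
}
// GatewayDecrypt runs only in the decryption environment, the sole BDK holder; a blob altered in transit is rejected.
func GatewayDecrypt(b P2PEBlob) (string, error) {
	g := txCipher(b.DeviceID, b.Counter)
	ns := g.NonceSize()
	if len(b.Ciphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.Open(nil, b.Ciphertext[:ns], b.Ciphertext[ns:], []byte(b.DeviceID))
	return string(pt), err
}
```

Because the key is unique per transaction and the device id is covered by the authentication tag, a stolen key or an altered blob exposes at most one transaction and is detected at the gateway, which is the property that lets the POS environment fall out of PCI DSS scope.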
How Are Grocers Getting Started with P2PE?
There are a few ways businesses have implemented P2PE into their security strategy. Some large grocers with dedicated security resources and a Qualified Security Assessor build their strategy from scratch. Internally built solutions such as those might work for larger grocers but are less accessible for smaller grocers with fewer resources. Often, building a custom P2PE solution creates more complexity, requires long and costly certifications and proves to be an immense challenge.
In the past, many have opted to piece together parts of P2PE solutions from different vendors, which requires trusting both each service provider and a third-party entity that validates all these pieces independently. To avoid this headache, smaller grocers in particular should look to invest in validated solutions.
How Providers Specializing in Validated P2PE Solutions are Helpful for Grocers
Vendors with validated P2PE solutions can properly implement all parts of the technology into your systems with an assurance of full PCI DSS compliance. Equally important, they can eliminate the need for security experts within your business. These providers greatly simplify the process of implementation and are trained to correctly implement people, process and technology in five domains:
- Encryption device and application management ensures that the payment acceptance devices have been properly secured through their manufacturing, initialization, software loading and delivery to the customer. This domain also ensures that terminals are properly implemented with the standards-based methods used to encrypt the data.
- Application security ensures that the applications operating on the payment acceptance devices are developed securely, are free of defects that would expose cardholder data, and use card data properly (allowing the device to manage encryption and external communications).
- The decryption environment ensures that the payment gateway has implemented the decryption technologies properly in a secure environment, validating that there is no way for cybercriminals to hack in and steal the cardholder data.
- Cryptographic key operations and device management ensure that the appropriate technologies and processes are being used to protect the key materials used in both the terminal for encryption and the payment gateway for decryption.
- P2PE solution management ensures that providers who pull together multiple P2PE components have processes in place to manage the integration of those components and that they provide user-facing documents (P2PE Implementation Manuals, PIMs) on how to use the solution securely.
With all the benefits of P2PE, both in securing payment data and cutting down on the scope of PCI DSS compliance, many grocers are realizing the value of integrating this technology into their security strategy. How they choose to implement all the elements of a P2PE solution is the second step.
In the age of open source solutions, creating your own P2PE solution can be tempting. Choosing to do this without an in-house specialist, however, can pose a challenge. With the complex implementation and certification costs of payment security, working with an expert will save you time, money and effort in the long run. Investing in a validated solution ensures that most of the heavy lifting is already done for you, and your customers' data will stay secure.
The PCI SSC maintains an updated authoritative list of validated components and solutions on its website. To learn more visit this page.
If you would like to learn more about a validated P2PE solution for your grocery business, drop us a line and speak with our security experts!
Steven Bowles is the Regional Security Officer & Director of Security Solutions at Ingenico