Wednesday, October 13, 2010
PCI SSC's latest: P2PE guidelines
The PCI Security Standards Council released a paper that provides guidelines for payment players considering the implementation of a point-to-point encryption (P2PE) apparatus for protecting cardholder data.
The paper is a general roadmap that discusses the use of P2PE solutions, including some of the technologies and methods involved in its implementation, the ways P2PE may reduce the scope of PCI compliance, the PCI standards that bear on P2PE solutions and the path to certification.
According to the PCI SSC website, "Currently no global standardization of point-to-point encryption technology or validation of its implementation exists in the industry. However, by providing this new guidance on P2PE, the council has taken the first step by definitively stating that P2PE may simplify PCI DSS [Payment Card Industry Data Security Standard] compliance by reducing the scope of the cardholder data environment."
The PCI SSC indicated the paper, titled Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance, will be one in a series of documents that "cover the use of encryption as it relates to the PCI [DSS] and scope reduction." The paper was posted on the PCI SSC's website on Oct. 5, 2010, in conjunction with a separate document of guidelines for the use of Europay, MasterCard and Visa (EMV) systems.
The council stated in its point-to-point roadmap that the paper is written with the "merchant perspective" in mind but is also aimed at payment processors, acquirers, assessors, vendors and other payment solution providers.
Point-to-point versus end-to-end
The phrase "point-to-point encryption" is often used interchangeably with "end-to-end encryption," but the PCI SSC eschews "end-to-end" because it can be misleading, according to Mark Bower, Vice President of Product Management for data security firm Voltage Security Inc.
Bower said P2PE entails the encryption of data from the point of capture at the card swipe device or other data entry point to its arrival at a payment processor – including its journey through a POS system, the merchant's information technology infrastructure and a gateway – where decryption is usually necessary before the data is distributed to different card issuers or other end points.
Because the data is almost always decrypted before reaching its final destination, Bower said the council has determined "point-to-point encryption" is a more accurate description than "end-to-end encryption."
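The chain Bower describes (encrypt inside the capture device, forward opaque ciphertext through the POS, store controller, merchant IT and gateway, decrypt only at the processor) can be made concrete with a small simulation. This is an added example, not code from the article, the PCI SSC or Voltage Security; the cipher is an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library, and the key, hop names and test PAN are constructed values. A real P2PE solution would use a validated hardware reader and an HSM-backed AEAD cipher in place of `_keystream`.

```python
import base64
import hashlib
import hmac
import json
import os

# Shared symmetric key between the capture device and the processor's decryption
# environment. Constructed demo value; in a real deployment it never leaves the
# tamper-resistant reader and the processor's HSM.
TERMINAL_PROCESSOR_KEY = hashlib.sha256(b"constructed-demo-p2pe-key").digest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher, not for production."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def terminal_encrypt(pan: str, key: bytes = TERMINAL_PROCESSOR_KEY) -> dict:
    """Point of capture: the PAN is encrypted inside the swipe device before any merchant system sees it."""
    nonce = os.urandom(12)
    plaintext = pan.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    # Encrypt-then-MAC so the processor can detect any alteration in transit.
    tag = hmac.new(key, b"p2pe-v1" + nonce + ciphertext, hashlib.sha256).digest()
    # Last four digits travel in the clear for receipts, as PCI DSS permits for truncated PANs.
    return {"v": "p2pe-v1", "nonce": _b64(nonce), "ct": _b64(ciphertext), "tag": _b64(tag), "last4": pan[-4:]}


def merchant_hop(message: dict, hop_name: str) -> dict:
    """POS, store controller, merchant IT, gateway: each forwards the blob and may add routing
    metadata, but holds no key and therefore never handles cleartext cardholder data."""
    forwarded = dict(message)
    forwarded["route"] = list(message.get("route", [])) + [hop_name]
    return forwarded


def processor_decrypt(message: dict, key: bytes = TERMINAL_PROCESSOR_KEY) -> str:
    """Decryption environment at the processor: verify integrity first, then recover the PAN."""
    nonce = base64.b64decode(message["nonce"])
    ciphertext = base64.b64decode(message["ct"])
    expected = hmac.new(key, b"p2pe-v1" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(message["tag"])):
        raise ValueError("integrity check failed: message altered in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()


def pan_visible(message: dict, pan: str) -> bool:
    """What a compromised merchant hop could learn: does the full PAN appear anywhere in the message?"""
    return pan in json.dumps(message)


def run_transaction(pan: str) -> tuple:
    """Drive one card through the chain and return (recovered_pan, exposed_at_merchant, route)."""
    msg = terminal_encrypt(pan)
    for hop in ("pos", "store-controller", "merchant-it", "gateway"):
        msg = merchant_hop(msg, hop)
    exposed = pan_visible(msg, pan)
    return processor_decrypt(msg), exposed, msg["route"]


if __name__ == "__main__":
    recovered, exposed, route = run_transaction("4111111111111111")  # constructed test PAN
    print(f"recovered={recovered} exposed_at_merchant={exposed} route={route}")
```

The scope-reduction argument in the article follows from `pan_visible` returning `False` at every merchant hop: systems that only ever see the encrypted blob are handling no cardholder data, which is why an assessor may be able to leave them out of the PCI DSS assessment.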
Bower said there are no security silver bullets, but the proper use of P2PE is "as close as you're going to get" with the security solutions currently on the market. He said P2PE would make life easier for merchants by reducing the scope of PCI compliance (because new encryption methods reduce the need for other security measures), lowering fraud prevention costs and reducing data theft.
"For the first time, the PCI council is essentially acknowledging that encryption technologies, when applied correctly and against the forthcoming validation guidelines, can actually be used to simplify and reduce the scope of PCI standards for merchants," he said. "If you can take a lot of these systems out of that assessment – for instance, remove the point of sale, remove the store controllers and the merchant's IT – that's reducing the costs of security right there and also getting a risk reduction benefit at the same time."
P2PE already in gear
Bower added that many merchants are already using P2PE solutions, and that the PCI SSC's guidelines would help propel it into the mainstream.
"The train has left the station in terms of point-to-point encryption," he said. "Our customers are already implementing this. Really, the PCI council agreed that there are probably three technologies that are most important in helping organizations mitigate threats: EMV, point-to-point encryption and – what's next? – what's coming down the pike is guidance of tokenization."
(In the payments industry, tokenization protects cardholder data by replacing the 16-digit card number with an alphanumeric substitute ("token") for storage in a POS system. The token can be used to identify the purchaser for chargebacks or other post-transaction issues but is useless if stolen.)
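To show why a stolen token is useless, here is a minimal token vault and merchant POS, written as an added example rather than code from the article or any tokenization vendor. The design assumptions are mine: the vault lives at the processor or tokenization provider and is the only place the token-to-PAN mapping exists; tokens are twelve random alphanumeric characters followed by the card's last four digits so receipts can still show "ending in 1111"; and the same PAN always maps to the same token so a merchant can recognise a returning card. All PANs and transaction ids are constructed values.

```python
import json
import secrets
import string

TOKEN_ALPHABET = string.ascii_uppercase + string.digits


class TokenVault:
    """Provider side: the only component that can map a token back to a PAN.
    Assumption for this example: the vault is protected like any cardholder data store."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        # Deterministic per PAN so repeat customers get the same token (design choice for this example).
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random prefix carries no information about the PAN; only the last four digits are preserved.
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(12)) + pan[-4:]
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Raises KeyError for a token this vault never issued: there is nothing to derive from the token itself."""
        return self._token_to_pan[token]


class MerchantPOS:
    """Merchant side: stores only tokens, never the PAN."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.transactions = {}

    def sell(self, txn_id: str, pan: str, amount: float) -> str:
        token = self.vault.tokenize(pan)
        self.transactions[txn_id] = {"token": token, "amount": amount}
        return token

    def chargeback_lookup(self, txn_id: str) -> str:
        """Identify the purchaser by token; the PAN itself is never needed on the merchant side."""
        return self.transactions[txn_id]["token"]


def merchant_db_contains_pan(pos: MerchantPOS, pan: str) -> bool:
    """What an attacker who copied the merchant's transaction store would find."""
    return pan in json.dumps(pos.transactions)


def attacker_recovers_pan(token: str) -> bool:
    """Attacker holds a stolen token but not the provider's vault; a fresh vault knows nothing about it."""
    try:
        TokenVault().detokenize(token)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    pos = MerchantPOS(vault)
    token = pos.sell("txn-1", "4111111111111111", 19.99)  # constructed test PAN
    print(f"merchant stores {token}; db contains PAN: {merchant_db_contains_pan(pos, '4111111111111111')}")
    print(f"vault resolves chargeback to PAN: {vault.detokenize(pos.chargeback_lookup('txn-1'))}")
    print(f"attacker with token only recovers PAN: {attacker_recovers_pan(token)}")
```

The detection angle for a defender is the reverse of `merchant_db_contains_pan`: any full 16-digit PAN found in a merchant-side database, log or backup is a sign that tokenization was bypassed somewhere in the flow.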
Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.