Page 26 - GS230901
Cover Story
they operate, what is required to operate, and how this impacts the security of cardholder data," he said. "As a one-size-fits-all standard, this change will better accommodate different environments, technologies, and frameworks while pushing needed security principles."

Verify, authenticate

Consumers have acclimated to presenting identity documents when passing through airport security, applying for loans or purchasing restricted items that require age verification; merchants use advanced technology to verify and authenticate their customers. These terms are frequently used interchangeably but are materially different, stated Andrew Shikiar, executive director of the FIDO Alliance.

"Simply put, verification is the process of confirming someone's identity. Authentication is the process of recognizing someone's identity," he said. "The easiest way to think about it is that you verify someone's identity less often—usually at the point of account creation—to confirm they are who they say they are. You then authenticate them at subsequent sign-ins to confirm the person logging in is the person who created the account."

Noting that multifactor authentication (MFA) has sparked lively commentary among PCI SSC working groups, Shikiar pointed out that MFA is not foolproof or phishing resistant, because fraudsters can intercept one-time passwords. In fact, FIDO's passkey, a multidevice credential, allows users to log in once to access multiple devices and platforms, he said, adding that Google, Microsoft, Apple and other major platforms use this solution, which is more secure and simple than 40-year-old password technology.

Point-to-point encryption

Ruston Miles, founder and CEO at Payfactory, recalled the genesis of point-to-point encryption (P2PE), a solution promulgated by the PCI SSC, which the council stated is designed to cryptographically protect account data from the point where a merchant accepts the payment card to the secure point of decryption.

By using P2PE, account data is unreadable until it reaches the secure decryption environment, which makes it less valuable if the data is stolen in a breach, the council added, noting that PCI P2PE solutions can help merchants significantly reduce the PCI DSS validation effort of their cardholder data environment.

"The PCI Security Standards Council created the P2PE program in 2011," Miles said, adding that Bluefin, another company he founded, became the first North American provider of a PCI-validated P2PE solution in 2014 and now serves 300 global partners in 55 countries. Reflecting on the massive growth of P2PE over the past decade, Miles attributed its success to "componentization." The original P2PE standard was monolithic in nature, and each solution was complete from end to end but didn't flex to include multiple participants in the solution chain, he stated. For the most part, he noted, a single company needed to provide the entire solution, including all the many components of the P2PE standard, from key management in hardware security modules (HSMs) and key injection facilities (KIF), to devices and chain of custody management.

To solve for this complexity, Miles stated, the PCI SSC modularized the second version of the P2PE standard, making it much more flexible and representative of the complex and valuable interconnections among payments industry participants. This enabled each company to focus on what they do best and validate their individual component in the overall solution.

Miles noted that this is where we saw P2PE adoption take off exponentially, where a key injection facility (KIF) formerly focused on debit PIN-key injection could now extend their operations to be validated as a P2PE key injection facility component. And a device estate management company could extend their platform to satisfy device tracking and chain of custody management requirements for P2PE solutions.

"I'm truly grateful to have been a part of the evolution of the P2PE solution standard," he said. "And I truly believe that the Council's foresight and leadership in componentizing the standard directly led to P2PE's mass adoption and has made the payments world a safer place."

Secure global checkpoints

As payments become increasingly global, companies of all sizes are navigating disparate regulatory landscapes as they expand their footprints and adapt to different payment methods, currencies and privacy laws. The Digital Operational Resilience Act (DORA), adopted by the European Union on Dec. 22, 2022, is designed to improve operational efficiencies in information and communications technology (ICT).

Mark Young, cyber resilience and IT recovery lead at MorganFranklin, suggested that DORA's January 17, 2025, deadline provides a long runway to implementation. EU members and U.S. firms operating in the region will have to comply with DORA's policies, procedures and security controls, he stated, by fully documenting their operational and digital resilience capabilities. This will require widespread integration and adoption across each participating organization.

"It is important that U.S. companies begin preparing for DORA compliance promptly," he said. "Changing policy or process alone won't be sufficient in this case; organizational or even cultural changes may be required. Additionally, many clients are having difficulty securing funding and resources to implement current resilience requirements that will be necessary for DORA compliance, so there is much work to be done with a fixed timeline to comply before January 17th, 2025."