Encryption rule eases retailers’ security burden


(Editor’s note: In this guest essay, Christopher Kronenthal, CTO of FreedomPay, explains how Point-To-Point Encryption — P2PE — came to be, and how it should ease retailers’ security burden.)

By Christopher Kronenthal

As large-scale data breaches continue, merchants are under increased pressure to implement secure payment solutions. Any merchant who accepts payment card transactions must adopt the Payment Card Industry Data Security Standard (PCI DSS).

These are the rules of the road for protecting sensitive consumer data, established and enforced by the PCI Council: Visa, MasterCard, American Express and Discover.

The PCI Council has validated a new set of payment security solutions at its highest level of security, known as point-to-point encryption (P2PE). A P2PE solution, provided by a third party, is a combination of secure devices, applications and processes that encrypt data from the point of interaction (the point of swipe) until the data reaches the solution provider’s secure decryption environment.

Validated P2PE ensures that merchants are using proven security protocols that safeguard customer data, and it reduces the technical requirements the merchant must meet to maintain PCI DSS compliance.

Chris Kronenthal, CTO, FreedomPay

P2PE directs merchants to use a secure point-of-interaction device to swipe or enter customer payment data. This device is usually a standard point-of-sale (POS) device, but with extra security. From the moment a credit card is swiped, customer data (called clear-text customer data) is encrypted and sent outside of the merchant’s network to a payment processor that also uses a secure hardware decryption tool to process the payment.

This is an important step in security since it keeps customer data out of a merchant’s environment. The requirements for PCI validation are very rigorous. As a requirement of PCI validation, all merchant devices, including POS devices, must be delivered through a secure distribution channel to ensure that the payment device has not been tampered with or altered in any way prior to merchant deployment.

P2PE offers merchants a streamlined way to secure payment data while more easily maintaining PCI DSS compliance. It gives merchants the security protections they need while decreasing their annual compliance requirements for PCI DSS.

Maintaining annual PCI DSS compliance is rigorous and difficult, and many payment solutions on the market can be below the PCI-Validated P2PE level. But merchants bear responsibility for securing both their POS and networks.

P2PE reduces the cost and challenge of operating a secure merchant payment environment. By using third-party software and hardware to secure payment data, P2PE ensures the merchant’s POS and network never touch unencrypted customer data. P2PE also reduces annual compliance responsibilities for merchants: the number of controls that the merchant must manage goes from more than 280 to fewer than 20.

The implementation of PCI-Validated P2PE holds much promise for helping to make things safer and easier for merchants. However, only PCI-Validated P2PE solutions listed on the PCI Council website will allow merchants to reap these benefits.

About the essayist: Chris Kronenthal is a P2PE systems developer. Prior to joining FreedomPay, a P2PE systems supplier, he worked on bio-repository systems at Coriell Institute for Medical Research.

