Encryption rule eases retailers’ security burden
(Editor’s note: In this guest essay, Christopher Kronenthal, CTO of FreedomPay, explains how Point-To-Point Encryption — P2PE — came to be, and how it should ease retailers’ security burden.)
By Christopher Kronenthal
As large-scale data breaches continue, merchants are under increased pressure to implement secure payment solutions. Any merchant who accepts payment card transactions must adopt the Payment Card Industry Data Security Standard (PCI DSS).
These are the rules of the road for protecting sensitive consumer data, established and enforced by the PCI Council (Visa, MasterCard, American Express and Discover).
The PCI Council has validated a new set of payment security solutions at their highest level of security, known as point-to-point encryption (P2PE). A P2PE solution, provided by a third party, is a combination of secure devices, applications and processes that encrypt data from the point of interaction (the point of swipe) until the data reaches the solution provider’s secure decryption environment.
Validated P2PE ensures that merchants are utilizing proven security protocols that safeguard customer data and reduce the merchant’s technical requirements to maintain PCI DSS compliance.
P2PE directs merchants to use a secure point-of-interaction device to swipe or enter customer payment data. This device is usually a standard point-of-sale (POS) device, but with extra security. From the moment a credit card is swiped, the customer data (which is clear text up to that point) is encrypted and sent outside of the merchant’s network to a payment processor, which uses a secure hardware decryption tool to process the payment.
This is an important step in security since it keeps customer data out of a merchant’s environment. The requirements for PCI validation are very rigorous. As a requirement of PCI validation, all merchant devices, including POS devices, must be delivered through a secure distribution channel to ensure that the payment device has not been tampered with or altered in any way prior to merchant deployment.
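To make the data flow above concrete, here is a small Go model of the three parties, added here as an illustration and not code from FreedomPay or the PCI Council: the point-of-interaction device encrypts the card number before it reaches the merchant, the merchant's POS and network only relay opaque bytes, and the provider's decryption environment authenticates and decrypts. The AES-GCM choice, the device ID and the software-held key are illustrative assumptions; a validated solution manages keys in secured hardware rather than in application code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
)

// Payload is what leaves the point-of-interaction device: never a clear-text PAN.
type Payload struct {
	DeviceID string
	Nonce    []byte
	Blob     []byte // AES-GCM ciphertext plus authentication tag
}

// mustGCM builds AES-GCM for a provisioned key; a bad key length is a provisioning error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// DeviceEncrypt models the secure POI device: the PAN is encrypted at the moment
// of swipe, before any merchant POS software or network can see it.
func DeviceEncrypt(deviceKey []byte, deviceID, pan string) (Payload, error) {
	gcm := mustGCM(deviceKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Payload{}, err
	}
	// The device ID is bound as associated data, so a blob presented under
	// another device's identity fails authentication at the provider.
	return Payload{deviceID, nonce, gcm.Seal(nil, nonce, []byte(pan), []byte(deviceID))}, nil
}
// MerchantForward models the merchant's POS and network, which hold no key:
// this wire string is the only form of the card data the merchant ever handles.
func MerchantForward(p Payload) string {
	return p.DeviceID + "|" + hex.EncodeToString(p.Nonce) + "|" + hex.EncodeToString(p.Blob)
}
// ProviderDecrypt models the provider's hardware decryption environment, the only
// place the key exists; on success only the last four digits go back to the merchant.
func ProviderDecrypt(deviceKey []byte, p Payload) (string, error) {
	pan, err := mustGCM(deviceKey).Open(nil, p.Nonce, p.Blob, []byte(p.DeviceID))
	if err != nil {
		return "", err // GCM tag failure: tampered payload, wrong device ID or wrong key
	}
	return string(pan[len(pan)-4:]), nil
}
```

The merchant-side check is the point: everything the merchant stores, logs or transmits can be searched for a card number and none will be found, which is what takes its POS and network out of scope.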
P2PE offers merchants a streamlined way to secure payment data while more easily maintaining PCI DSS compliance. It gives merchants the security protections they need while decreasing their annual compliance requirements for PCI DSS.
Maintaining annual PCI DSS compliance is rigorous and difficult, and many payment solutions on the market fall below the PCI-Validated P2PE level, yet merchants still bear responsibility for securing both their POS systems and their networks.
P2PE reduces the cost and challenge of operating a secure merchant payment environment. By using third-party software and hardware to secure payment data, P2PE ensures the merchant’s POS and network never touch unencrypted customer data. P2PE also reduces annual compliance responsibilities for merchants: the number of controls that the merchant must manage goes from more than 280 to fewer than 20.
The implementation of PCI-Validated P2PE holds much promise for making things safer and easier for merchants. However, only PCI-Validated P2PE solutions listed on the PCI Council website will allow merchants to reap these benefits.
About the essayist: Chris Kronenthal is a P2PE systems developer. Prior to joining FreedomPay, a P2PE systems supplier, he worked on bio-repository systems at Coriell Institute for Medical Research.