P2PE solutions reduce not only the cost and effort retailers face when trying to meet stringent PCI compliance requirements, but also the risk associated with face-to-face payments.
Card data, once encrypted at the point of capture, becomes useless to the majority of criminals and fraudsters (unless they have access to the encrypt/decrypt keys), meaning it can be sent safely through the payment chain before being deciphered and authorised at the acquirer’s end.
Typically, the Triple Data Encryption Standard (3DES) is used as the encryption algorithm. Officially known as the Triple Data Encryption Algorithm (TDEA), it is well suited to the hardware implementations found across most payment channels.
Criminals have been increasingly successful at targeting organisations that store, process, or transmit customers’ personally identifiable information (PII) and payment data. Retailers are no exception: in 2012, one in four data breach victims went on to suffer identity fraud.
If card fraud occurs, merchants are liable for the cost unless they can prove full PCI DSS compliance at the time of the breach. Noncompliant merchants may also be on the hook for other costs, like investigations into how the fraud occurred, remedial costs to become compliant, and additional fines from regulatory authorities. They must also bear the often larger cost of reputational damage and loss of customer confidence, which can linger for years.
P2PE is important because it protects credit card data travelling through a merchant’s local network and across a payment gateway before reaching the payment processing system.
Deployment of a P2PE-approved solution can virtually eliminate the current risk of compromised credit card data in a retail environment. While it may impose some additional costs on businesses for device recording and inventory management, these can be offset by the clear and dramatic PCI scope reduction the solution provides, which in turn reduces the cost of PCI compliance.
The costs associated with PCI security and compliance for merchants are high. According to Gartner, it costs an average of $1.7 million over 2.35 years, excluding the cost of PCI Qualified Security Assessors. Over the same time period, Level 1 retailers spend an average of $2.1 million on PCI compliance, while Level 2-4 retailers spend an average of $1.1 million. It comes as no surprise that many retailers are now looking at P2PE to reduce their PCI requirements and costs.
In most cases, merchants simply want to focus on running their business, securing sales, and keeping customers loyal. They often have limited network security, and time spent on IT is seen as being non-productive rather than advantageous. Some merchants still consider payment security as their bank’s problem. By placing ownership for data security best practices in the hands of the retailer and making it mandatory, PCI compliance has helped address this perception.
It’s not only payment terminals and POS systems that need to meet security standards; network environments also need to be properly secured. Although many individual devices now come with some form of security certification, unless they’re deployed in the correct manner and the network is locked down, retailer systems are still unprotected from hackers or malware.
This is where P2PE comes in. P2PE is the most logical route to addressing fraud while requiring minimal effort from the retailer. While it doesn’t prevent fraud using lost or stolen cards, it does prevent criminals from accessing card data at the point of sale (POS), and it also addresses the unauthorised interception of cardholder data in motion between the POS terminal and the payment processor.
In 2012, to prevent confusion and ensure best practice, the Payment Card Industry Security Standards Council (PCI SSC) released guidelines on P2PE as part of the PCI Data Security Standard (PCI DSS).
Not only did the guidelines clarify exactly what was required for a secure P2PE solution, they also opened the door to certification, allowing approved P2PE solutions to be used as a means of officially reducing PCI scope—and thereby costs—for retailers.
In order to do this, however, P2PE solutions require the following:
Secure encryption of payment card data at the point-of-interaction.
P2PE-validated application(s) at the point-of-interaction.
Secure management of encryption and decryption devices.
Management of decryption environment and all decrypted account data.
Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration, and usage.
At present, only PCI PTS-certified payment devices with SRED and Open Protocol (OP) approvals can be used as part of an approved P2PE solution. All payment devices used in a P2PE environment must be handled according to the P2PE Instruction Manual (PIM) and be traceable from birth to death of the device. Merchants can only use non-P2PE-certified devices in a P2PE environment if they choose to opt out of P2PE at that payment location.
Tokenisation can be used in tandem with P2PE to create an integrated solution that protects data both in transit and at rest. Software-based tokenisation replaces the cardholder’s primary account number (PAN) with a randomly generated alphanumeric proxy value (or token) that cannot be mathematically reversed to recover the PAN. The token is then used for long-term storage or as a transaction identifier.
Tokenisation is ideal for recurring payments, as the card number is only on the merchant’s network “in flight” during the initial transaction, where it can be encrypted and protected using P2PE. Beyond that, the merchant uses the token that represents the original card for subsequent payments or to track customer transactions for marketing purposes. This allows personalised marketing programmes to be developed and targeted using cardholder purchase history data.
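The tokenisation pattern described in the two paragraphs above, as an added example that is not part of the original article or any vendor's product: a provider-side vault issues a random alphanumeric token per PAN (the same card always maps to the same token so repeat purchases can be linked, but the token is looked up rather than derived, so it cannot be reversed without the vault), while the merchant stores only the token and last four digits and submits the token for recurring charges. The token length, alphabet and test PANs are constructed assumptions.

```python
import secrets
import string

# Added example, not from the article. The vault stands in for the provider's
# decryption environment: it is the only place the PAN-to-token mapping exists.
# The merchant keeps the token and the last four digits only.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 16  # assumed token size; real schemes vary


class TokenVault:
    """Maps PANs to random alphanumeric tokens and back. Held by the provider."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenise(self, pan):
        # Same card, same token: the merchant can link repeat purchases, but the
        # token is looked up, never derived from the PAN, so it cannot be reversed.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if token not in self._token_to_pan:  # guard against a collision
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token):
        # Only the vault can recover the PAN; an unknown token raises KeyError.
        return self._token_to_pan[token]


def merchant_record(vault, pan):
    """What the merchant stores after the single 'in flight' transaction."""
    return {"token": vault.tokenise(pan), "last4": pan[-4:]}


def recurring_charge(vault, record, amount):
    """Merchant submits only the token; the provider resolves the PAN."""
    pan = vault.detokenise(record["token"])
    return {"masked_pan": "*" * (len(pan) - 4) + pan[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, "4111111111111111")  # constructed test PAN
    print(record, recurring_charge(vault, record, 1999))
```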