PYMNTS.com posted a great interview this morning with Thierry Denis, President of Ingenico Group NA, and Gregory A. Leos, General Manager, NA Global Collect e-Commerce Solutions (now an Ingenico company), on “Who Will Lead and Lag in 2015.” #1 Observation – Security is a key driver in U.S. payments. But what’s really hot? They predict that “Point-to-point encryption (P2PE) will likely be adopted by virtually all Tier 1 and 2 merchants.” This comes on the heels of the December 11th report by the U.S. Payments Security Task Force (PST), which advises that P2PE will play a “vital role” in 2015 payment security.
As we said in our earlier post this week, P2PE is now being recognized as an integral part of payment security. Ingenico also sees a trend with EMV, predicting that merchants will combine EMV and P2PE to optimize security (we vote for tokenization too: P2PE protects data in transit, tokenization protects data at rest, and EMV protects the card).
And it’s not just vendors singing the praises of P2PE. This week, the U.S. Payments Security Task Force (PST), which includes payment networks, banks of various sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups, released its strategic road map for increased payment systems security in 2015. The three “vital” technologies include chip cards, tokenization and, you guessed it, P2PE:
“While many current ‘best practices’ center on securing system periphery with the intent of preventing breaches, the PST urges a focus on devaluing or eliminating sensitive data as it moves within and between systems,” the report states. “A multi-layered approach to security that includes compliance with PCI standards is called for, as no one solution alone is sufficient to combat payment card fraud. Three technologies that will play vital roles in this approach are chip technology, tokenization and encryption.”
The paper advises:
- Consider adopting hardware-based encryption using a full PCI PTS and Secure Read & Exchange of Data (SRED)-approved terminal.
- Consider avoiding solutions that only encrypt outside of the terminal, since such solutions leave sensitive data vulnerable for a longer period of time and, therefore, are less secure than those that encrypt inside the terminal.
- Consider implementing encryption solutions that decrypt transactions outside of the merchant’s own environment. Decryption should only be performed within a trusted and secure third-party platform managed by an acquirer, processor or other trusted party with the security know-how and resources to ensure a secure decryption environment and secure management of encryption keys.
Bluefin’s P2PE solution has been audited and vetted by the PCI Security Standards Council (SSC) and is one of just six PCI-validated P2PE solutions globally. Learn more about how PCI-validated P2PE, tokenization and EMV work together to secure payments in our white paper authored by P2PE auditor Coalfire Systems. We also strongly recommend downloading the PST’s full report, “U.S. Payments Security Evolution and Strategic Road Map.”