On May 1st, Bluefin issued its new white paper on the Value of P2PE in POI and POS environments. The paper, authored by Verizon Enterprise Solutions, overviews the POI/POS threat landscape and details how criminals obtain access to cardholder data (CHD), while discussing the evolution of P2PE, the differences between certified and non-certified encryption solutions, benefits of PCI-validated P2PE solutions in POI environments, including compliance management and scope reduction, and the roles of tokenization, EMV and P2PE in protecting data. Excerpts from the Executive Summary are provided below and the full paper can be downloaded here.
Ciske van Oosten, Senior Manager Global Intelligence, Verizon Enterprise Solutions
Malicious hackers continue to adversely impact nearly every industry. Threat actors attempt to steal data from point of sale (POS) systems using various methods, such as payment card skimmers, POS intrusions and web app attacks. They particularly take advantage of organizations that fail to reduce the size of their attack surfaces. While organizations cannot stop all security breaches, they can prevent or at least mitigate the possibility of sensitive data being compromised.
Significant effort and substantial annual investments in time and resources are necessary to protect cardholder data (CHD) and meet Payment Card Industry Data Security Standard (PCI DSS) compliance requirements. About half of organizations worldwide consistently fail to sustain security controls that support data security compliance initiatives. Traditional methods for securing CHD can be risky and inadequate.
The good news is that simpler, more effective, less expensive technology and methods to prevent data breaches do exist. Adoption of these technologies has grown rapidly as awareness and understanding has taken hold. Early adopters have been wise enough to move beyond the question “How can I protect CHD?” to “How can I reduce or even eliminate CHD?” These adopters of next-generation payment data security have implemented PCI-validated point-to-point encryption (P2PE) solutions that devalue CHD and reduce the scope of PCI DSS compliance. P2PE addresses the data breach risk by essentially removing the data that risks being breached. This helps create the capacity, capability, and competence to comply with industry data security regulations and develop a sustainable control environment to maintain effective security controls.
In 2011, the Payment Card Industry Security Standards Council (PCI SSC) created the PCI P2PE standard to establish uniform encryption requirements (PCI P2PE v3.0 is expected sometime in Q4 2019 to Q1 2020). Today’s validated P2PE solutions offer a high level of assurance of encryption capability and a tightly locked down CHD environment with little wiggle room for exploitation.
Only PCI-listed P2PE solutions offer substantial scope reduction, risk reduction and compliance simplification. The PCI SSC does not endorse the use of non-listed encryption solutions, since they have not been validated as fully meeting the PCI P2PE standard for security and cannot ensure a reduced PCI DSS validation effort.
This paper reviews the benefits of PCI-validated P2PE solutions in point-of-interaction (POI) environments. In addition to highlighting the various compliance management and scope reduction benefits, it aims to explore the POI threat landscape, detailing how criminals obtain access to CHD.
This paper also examines the merits of a layered approach to data security and fraud prevention, combining different technologies such as EMV, P2PE and tokenization – a configuration that provides opportunities for efficiencies and compliance simplification and the strongest protection offered with current technology.
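To make the scope-reduction argument concrete, the following is an added illustrative simulation (not code from Bluefin, Verizon or the white paper) of the layered flow the paper describes: CHD is encrypted inside the POI device, the merchant's POS and network only relay ciphertext they cannot decrypt, the PAN is recovered only in a separate decryption environment, and the merchant is handed back a token instead of the PAN. All keys, the sample PAN and the function names are constructed for this example; the HMAC-SHA256 keystream and integrity tag stand in for the hardware-managed encryption that a validated POI device performs and are not a substitute for it.

```python
"""Illustrative P2PE + tokenization flow (added example; stand-in crypto, stdlib only)."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from HMAC-SHA256 (stand-in for the device cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def poi_encrypt(pan: str, p2pe_key: bytes) -> dict:
    """Runs inside the POI terminal: the PAN is encrypted before it leaves the device.

    The key exists only here and in the decryption environment; the merchant never holds it.
    """
    nonce = secrets.token_bytes(12)  # fresh per transaction so keystreams never repeat
    plaintext = pan.encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(p2pe_key, nonce, len(plaintext))))
    # Integrity tag so the decryption environment rejects anything altered in transit
    tag = hmac.new(p2pe_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag, "last4": pan[-4:]}


def merchant_pos_forward(message: dict) -> dict:
    """Merchant POS and network: relay only. No key, so no way to read the PAN."""
    return dict(message)


def merchant_can_recover_pan(message: dict, pan: str) -> bool:
    """What an attacker on the merchant side would get: the PAN is not present in clear."""
    return pan.encode() in message["ciphertext"]


def secure_env_decrypt(message: dict, p2pe_key: bytes) -> str:
    """Decryption environment (outside the merchant): verify the tag, then decrypt."""
    expected = hmac.new(p2pe_key, message["nonce"] + message["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed: message was altered in transit")
    ks = _keystream(p2pe_key, message["nonce"], len(message["ciphertext"]))
    return bytes(a ^ b for a, b in zip(message["ciphertext"], ks)).decode()


def tokenize(pan: str, token_key: bytes) -> str:
    """Keyed, non-reversible token returned to the merchant in place of the PAN.

    Deterministic so repeat customers map to the same token; the token key never
    leaves the tokenization service, so the token cannot be turned back into a PAN.
    """
    return "tok_" + hmac.new(token_key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def run_transaction(pan: str, p2pe_key: bytes, token_key: bytes) -> dict:
    """End-to-end flow: POI -> merchant relay -> decryption environment -> token back to merchant."""
    msg = poi_encrypt(pan, p2pe_key)
    relayed = merchant_pos_forward(msg)
    recovered = secure_env_decrypt(relayed, p2pe_key)
    return {
        "merchant_saw_pan": merchant_can_recover_pan(relayed, pan),
        "decrypted_ok": recovered == pan,
        "token": tokenize(recovered, token_key),
        "last4": relayed["last4"],  # the only CHD-derived value the merchant retains
    }


if __name__ == "__main__":
    # Constructed sample values; a well-known test PAN and throwaway keys
    result = run_transaction("4111111111111111", b"\x01" * 32, b"\x02" * 32)
    print(result)
```

The point the simulation makes is the one the paper makes: the merchant systems between the POI device and the decryption environment handle only ciphertext and a token, so a compromise there yields no usable CHD, which is what takes those systems out of PCI DSS scope.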
Download the paper.