By Ruston Miles, Chief Innovation Officer
As Featured in this Month’s Issue of The Green Sheet
POS malware has been the bane of retailers for nearly two years now, responsible for nearly 1,400 breaches in a 24-month period. Target Corp., The Home Depot Inc., P.F. Chang's China Bistro and many other merchants were attacked in this way.
The fallout from these attacks has forced a widespread review of merchant data security. The current solution focuses on the technological trinity of EMV (chip cards), tokenization, and point-to-point encryption (P2PE), underpinned by the standards of the Payment Card Industry Data Security Standard (PCI DSS), which is managed by the PCI Security Standards Council (PCI SSC). This has become known as the "layered" or "secure-all-channels" approach.
To date, the mainstream media discussion of payment card security has focused on Europay, MasterCard and Visa (EMV) – chip card technology intended to protect consumers against the consequences of breached, lost or stolen cards. However, EMV has no direct role in combating POS malware. Most merchants know that EMV chip cards protect plastic cards against counterfeiting, but many have not yet learned that P2PE – that is, encrypting card data at the point of entry, before it reaches the POS system – has to be the primary defense protecting their locations against POS malware.
The killer app
This lack of understanding is concerning, because P2PE is the killer app where POS malware is concerned. It is the element of the layered approach that protects data during the transaction itself. In June 2015, the PCI SSC updated its P2PE standard to make adoption more user-friendly, in response to requests from merchants and processors asking for more flexibility. Version 1.0 of the PCI SSC's P2PE standard set the bar extremely high – something I know from first-hand experience shepherding my company, Bluefin, through the expensive, time-consuming PCI P2PE validation process. The P2PE assessors adhered strictly to the standard, and getting through nearly 1,000 requirements covering areas of security and logistics that are foreign to payment processors was a significant challenge.
For this reason, the first P2PE standard was called the gold standard by some but was decried as unattainable by others. Indeed, I know of some processors that spent six to 12 months trying to comply with the P2PE standard only to decide that it was not possible to validate their in-market encryption solutions.