In March 2014 Bluefin became the first North American provider of a PCI-validated Point-to-Point Encryption (P2PE) solution and just one of four available solutions worldwide. At the time, everyone was still wondering what the acronym “P2PE” meant or even stood for, never mind truly understanding its security importance to payments.
It was also the time when another acronym – this one being “EMV” – was at the forefront of the mind of every major retailer and also many enterprises, healthcare organizations and educational institutions, thanks to the October 2015 liability shift to merchants for customer usage of non-chip credit cards. In the wake of the high-profile data breaches at Target and Home Depot, publications, industry organizations and even major news outlets quoted “experts” who basically stated that if these big-box stores had implemented EMV when the breaches happened, the breaches could have been prevented.
As a result, the frenzy around EMV implementation prevented many merchants from seeing the major benefit that PCI-validated P2PE, and not EMV, provides – encryption of card data immediately upon swipe or dip, so that no clear-text card data is available in the terminal RAM and none ever reaches the merchant POS. So as breaches in 2015, 2016 and 2017 continued to expose credit card data, it became clear that EMV was not the security answer that was really needed.
EMV is an authentication tool that can protect merchants from accepting counterfeit cards. Counterfeit card fraud affects roughly 1% of 1% of transactions, concentrated in certain card-present transaction types and certain areas of the country. Most merchants never see a counterfeit card, whereas card data breaches affect thousands of businesses each year – and every business is vulnerable to attack. Every merchant can also benefit from the PCI DSS scope reduction that only P2PE provides; because EMV is not a data security technology, it earns no PCI DSS scope reduction. EMV is great at performing the authentication tasks it was built to do, but it was never built as a card data security tool.
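To make the distinction concrete, the following is an added Python model of the P2PE data flow described above. It is constructed for this article and is not Bluefin's or Decryptx's code: the terminal and key names, the per-device and per-transaction key derivation, and the HMAC-based toy cipher are all assumptions standing in for the PTS-approved hardware and key management (typically DUKPT) that a validated solution uses. What it shows is the point the paragraph makes: the PAN is encrypted at the moment the terminal reads it, the merchant POS only ever handles ciphertext plus a masked last-four, and only the decryption service, which holds the base key, can recover or verify the data.

```python
"""Toy model of point-to-point encryption (P2PE) between a payment terminal, the
merchant POS and a decryption service.  Constructed illustration only: not Bluefin's
or Decryptx's code, and the HMAC-based cipher is a stand-in for the PTS-approved
hardware and DUKPT key management a validated solution uses."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts: the one primitive this model uses for
    key derivation, keystream generation and authentication."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def derive_terminal_key(base_key: bytes, terminal_id: str) -> bytes:
    # Models key injection at a KIF: each device gets its own key derived from a base
    # key that only the KIF and the decryption provider hold (assumption).
    return prf(base_key, b"terminal", terminal_id.encode())


def derive_transaction_key(terminal_key: bytes, counter: int) -> bytes:
    # A fresh key per transaction, so one recovered key exposes only one transaction.
    return prf(terminal_key, b"txn", counter.to_bytes(4, "big"))


def _keystream(enc_key: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(prf(enc_key, b"ks", i.to_bytes(4, "big")) for i in range(blocks))[:length]


def encrypt(tx_key: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt-then-MAC with a PRF keystream (illustrative, not a production cipher)."""
    enc_key, mac_key = prf(tx_key, b"enc"), prf(tx_key, b"mac")
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ciphertext, prf(mac_key, ciphertext)


def decrypt(tx_key: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = prf(tx_key, b"enc"), prf(tx_key, b"mac")
    if not hmac.compare_digest(prf(mac_key, ciphertext), tag):
        raise ValueError("authentication failed: ciphertext or tag was altered in transit")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


@dataclass
class Envelope:
    """What leaves the terminal.  Only the masked last four digits are in clear text."""
    terminal_id: str
    counter: int
    ciphertext_hex: str
    tag_hex: str
    last4: str


class Terminal:
    def __init__(self, terminal_id: str, injected_key: bytes) -> None:
        self.terminal_id, self._key, self._counter = terminal_id, injected_key, 0

    def read_card(self, pan: str) -> Envelope:
        # Encryption happens at the point of interaction: the PAN leaves this method
        # only as ciphertext, so the POS never receives it in clear text.
        self._counter += 1
        ciphertext, tag = encrypt(derive_transaction_key(self._key, self._counter), pan.encode())
        return Envelope(self.terminal_id, self._counter, ciphertext.hex(), tag.hex(), pan[-4:])


def pos_forward(envelope: Envelope) -> str:
    # The merchant POS only serialises and forwards the envelope; the returned string is
    # everything it ever handles, which is what takes it out of PCI DSS scope.
    return json.dumps(asdict(envelope))


class DecryptionService:
    """Stands in for a decryption-as-a-service endpoint; it, not the POS, holds the base key."""
    def __init__(self, base_key: bytes) -> None:
        self._base_key = base_key

    def decrypt_pan(self, payload: str) -> str:
        env = Envelope(**json.loads(payload))
        tx_key = derive_transaction_key(derive_terminal_key(self._base_key, env.terminal_id), env.counter)
        return decrypt(tx_key, bytes.fromhex(env.ciphertext_hex), bytes.fromhex(env.tag_hex)).decode()


def run_transaction(pan: str) -> dict:
    """Walk one card read through terminal -> POS -> decryption service and report what
    each party saw.  Base key and terminal id are constructed sample values."""
    base_key = hashlib.sha256(b"constructed sample base key, not a real one").digest()
    terminal = Terminal("TERM-0001", derive_terminal_key(base_key, "TERM-0001"))
    service = DecryptionService(base_key)

    pos_view = pos_forward(terminal.read_card(pan))
    recovered = service.decrypt_pan(pos_view)

    # Flip one bit of the ciphertext in transit: the service must refuse it.
    env = json.loads(pos_view)
    altered = bytearray.fromhex(env["ciphertext_hex"])
    altered[0] ^= 1
    env["ciphertext_hex"] = altered.hex()
    try:
        service.decrypt_pan(json.dumps(env))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"pos_sees_pan": pan in pos_view, "recovered": recovered, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_transaction("4111111111111111"))
```

Running `run_transaction` with a test PAN returns `pos_sees_pan` as `False` (the POS string contains the ciphertext and the last four digits, never the full number), `recovered` equal to the PAN at the decryption service, and `tamper_detected` as `True`. The contrast with EMV is the point: nothing in this flow authenticates the card as genuine, and nothing in EMV's cryptogram stops a terminal or POS from exposing the PAN; the two address different risks.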
Now we are nearly at the end of January 2018 and much has changed. Four years after Bluefin’s listing, there are now 48 PCI P2PE solutions – a 1,200% increase from the number of providers in March 2014, demonstrating the industry demand for validated solutions. Providers include processors, gateways, and SaaS companies, and some solutions specialize in just one industry, like healthcare. And there are many more PTS (PIN Transaction Security) devices that providers can support and now offer to their clients, giving merchants and enterprises a wide array of mobile, countertop and call center terminals to choose from.
From a Stand-Alone P2PE Solution to a Universal Offering – Decryptx®
A conversation early on with a major petroleum provider demonstrated the industry’s interest in PCI P2PE – but it also highlighted the emerging challenge of providing a P2PE solution that worked for everyone.
“The company wanted our PCI-validated P2PE solution but they didn’t want to leave their payment processor to get it,” said Ruston Miles, Bluefin’s Chief Strategy Officer. “So we thought to ourselves, how could we decouple P2PE from payment processing and only provide the P2PE piece to these companies?”
That’s when the idea for Bluefin’s Decryption as a Service (DaaS) product, Decryptx®, was born. The goal of Decryptx was to enable Bluefin’s PCI P2PE solution through payment gateways, processors and software providers via a simple API connection – essentially decoupling payment processing from P2PE and allowing Bluefin’s solution to reside on any platform.
Decryptx was introduced in November 2014 – just 7 months after our validation – and Bluefin’s first Decryptx partner, 3Delta Systems, went live in December 2014.
Expansion Beyond P2PE Partners – Devices and KIFs
“We proved the value of the Decryptx platform with our first partners – who were security trailblazers in recognizing the importance of PCI P2PE to their clients. Starting in mid-2016, interest in joining our Decryptx network grew significantly. Fifty of some of the largest gateway and processing companies are Decryptx partners, and we look forward to adding another 10 by the end of this year,” stated Greg Cornwell, Head of Global Sales for Bluefin, in December 2017.
Decryptx was a game-changer for P2PE because it allowed companies to offer a value-added solution to their thousands of clients with little to no integration work and, as Ruston stated:
“These Connected Partners come to Bluefin for three reasons: 1) Increase margins, 2) Move market-share and 3) Reduce merchant attrition.”
Today, Bluefin’s Decryptx partner network includes 60 processors, gateways and software providers, meaning that each of these companies offers Bluefin’s PCI P2PE solution through their own software or platform – making PCI P2PE accessible to over 1.5M merchants in the U.S., Canada, Latin America, the UK and EU.
While availability through our processor, gateway and software partners is helping to make PCI P2PE a truly universal security solution, there is more to P2PE than just the solution providers – there are the payment terminals, the device manufacturers, and the key injection facilities (KIFs).
“What we learned as more partners joined our Decryptx network was that they wanted to provide as much choice to their clients as possible in terms of types of devices, like mobile, and device brand. So we knew that to really meet the needs of our partners, we would have to expand our P2PE network to include more industry constituents,” stated Ruston.
In keeping with this P2PE network expansion, Bluefin recently added three new PTS devices – the Miura System Ltd Shuttle, the BBPOS International Limited WisePad 2, and the MagTek Inc DynaPro – bringing the total device count to 22.
Bluefin also expanded its KIF network with the addition of PayCipher Terminal Management and Logistics, the Ingenico US KIF and the Ingenico UK KIF, bringing the total KIF count to 5.
PCI P2PE – No Longer “Just” a Solution
We’re approaching our 4-year anniversary of validation and we are excited that *most* of the industry now knows what P2PE stands for (or at least we hope so). But to be completely serious, it has taken a lot of education on the part of PCI, vendors like Bluefin, industry organizations, device manufacturers, and more for merchants and enterprises to understand the true value of a PCI-validated P2PE solution.
And now that the understanding is there, we see the industry moving more toward solutions that provide merchants and partners a “plug and play” approach to P2PE, where networks of providers and supporters will accompany PCI-validated P2PE solutions.
“Bluefin has grown from 3 P2PE-connected Partners to 56 in the last two years. This is a direct result of major merchants requiring their providers to offer a PCI-validated P2PE Solution,” said Ruston. “Bluefin offers the fastest path to P2PE for payment providers. It can take a year or more for a provider to add a basic P2PE Solution. Via integration with Bluefin, the provider can get there in as little as three weeks with a simple API. This is the primary reason we have seen such astronomical growth in partner connections to Bluefin’s Decryptx and P2PE Manager.”