The release of the PCI Security Standards Council’s (PCI SSC) new point-to-point encryption (P2PE) standard, version 2.0 – designed to simplify the P2PE process for small and large merchants and improve credit card processing security – was recently discussed by Jeremy King, International Director of the PCI SSC, in an interview with Information Security Media Group. King answered questions regarding the primary changes and revisions in the new standard, emphasizing that by implementing a PCI-validated P2PE encryption solution, merchants can significantly reduce their PCI-DSS requirements and secure cardholder data in the process.
Source Media Group – What are the major changes that come with the new 2.0 P2PE standard?
King: “Version 1 offered a methodology by which a solution provider, using a PCI-validated point of sale (POS) device, provided the merchant the complete P2PE process. Merchants had to look on the list of PCI SSC approved solution providers for the entire solution.
In the new 2.0 standard, PCI has attempted to simplify the process, making it easier for the solution providers and vendors who provide the PCI-validated equipment to be able to have individual elements of the process evaluated and approved by PCI SSC. For merchants, it speeds up the process for selecting approved options showing up on the PCI website, therefore making it easier for merchants to adopt a P2PE solution.”
Source Media Group – What was the catalyst for the 2.0 update?
King: “In working with the industry, we saw that merchants wanted more options as well as a simpler process. Additionally, PCI saw that large merchants wanted the option to manage the decryption of their own data. In version 1, this management had to occur from an approved third-party vendor, but with the 2.0 standard, large merchants can manage their PCI-validated P2PE solution within their own data center, without any impact on their face-to-face stores.”
Source Media Group – Has the management of decryption keys been a concern?
King: “These keys are elements of great worth to criminals. It is important to have good key management and key controls in place for the process of decrypting data, and PCI has ensured that the process that was just available for the third-party P2PE providers is now available to merchants. In version 2.0, we also had to make sure that the face-to-face stores could not gain access to unencrypted data, so additional security requirements were put in place, or it would remove the benefit.”
Listen to King’s full interview for additional topics, including how small merchants can reduce PCI-DSS compliance expenses by utilizing P2PE and why the rollout of EMV should make deployment of PCI-certified encrypting point-of-sale devices easier for U.S. merchants.
All in all, the new P2PE standard is good for merchants of all sizes, and helps to simplify the process of utilizing P2PE to protect cardholder data from a security breach. As the leading PCI-validated P2PE solution provider, Bluefin offers a full suite of P2PE products for mobile, retail, call center, and kiosk/unattended environments. Merchants that partner with Bluefin directly for PCI-validated P2PE get all the benefits of P2PE without the heavy lifting. Through our Decryptx Decryption as a Service (DaaS) product, Bluefin performs the hardware decryption while making it simple for merchants to track, manage and monitor all P2PE devices and users with our 100% online, patent-pending P2PE Manager.