On Monday, Bluefin was very pleased to announce that we are nearing introduction of our PCI-validated P2PE hardware-based Solution.
So far, no U.S. based company has achieved PCI-validation for a hardware-based P2PE Solution – check out proof of this.
Why have industry participants seen this as so difficult? Well, the PCI Standards require not only a PCI-approved point-of-interaction device (POI) but also a hardware-based key management device – and that requires a lot of time, development and resources. And software-based key management solutions are not eligible for P2PE certification.
In online articles, blogs, and at industry conferences, many would-be P2PE solution providers in the payments industry have lamented the PCI SSC’s commitment to a hardware-based key management solution. Initially, the PCI P2PE Solution Requirements only allowed an HSM (Host/Hardware Security Module) to be used for decryption and key management. Later, the SSC announced that hybrid (hardware/software) solutions would be allowed, whereby decryption could occur in software but cryptographic key management would only be allowed in hardware.
Bluefin, a long-standing Participating Organization (PO) of the PCI Security Standards Council (SSC), applauds the PCI SSC’s commitment to cardholder data (CHD) security and its refusal to lower the P2PE security standard by allowing solution providers to expose cryptographic keys within their software environments. The decryption keys are at the center of the entire P2PE security Solution. If they are exposed, the entire P2PE system is worthless. By limiting key management to PCI lab-tested HSMs, the PCI SSC can ensure that the keys are protected to the highest standard, since HSMs must undergo a separate assessment by PCI PTS (PIN Transaction Security) labs that tests not only the key management operations but also the physical security of the HSM.
We’re really looking forward to discussing our hardware-based P2PE Solution not only with the market – but also at next month’s PCI Security Standards Council Community Meeting.