It has been pretty quiet on the data breach front. Considering that it is the busiest shopping time of the year, this is excellent news for retailers. Forbes recently published a great article by Gartner analyst and vice president Avivah Litan on how retailers are still bracing for attacks – and we are pleased to say that both P2PE and Tokenization were the two strategic protection technologies recommended.
The conversation is finally shifting from “just” EMV to include technologies that protect data in transit (P2PE) and data at rest (tokenization). EMV, of course, has significant merits, protecting the card itself, the consumer, and helping to thwart white-labeling and card duplication. But it’s not a security silver bullet.
P2PE is steadily gaining increased attention from retailers, banks, and enterprises. In fact, Aite Group’s October Impact Note found that 62% of surveyed FI executives and product managers said P2PE would have a Very High Impact/High Impact on reducing card fraud and increasing data security, followed by Tokenization at 50% and EMV at 26%.
As Avivah Litan states in the Forbes piece, “To breathe more easily, retailers should move toward point-to-point encryption and tokenization technologies and recognize those measures will be compromised if improperly implemented. But it’s wiser to focus on a couple of strategic technologies than to juggle dozens of point solutions.”
And we believe the conversation will shift even more deeply into P2PE – namely, what does it mean to choose a Payment Card Industry (PCI) validated P2PE solution? To date, Bluefin’s PayConex P2PE is one of two PCI-validated P2PE solutions in the U.S. and one of just six in the world. P2PE is an integral part of securing the point of sale because data is encrypted immediately within the point of entry device (swipe or keyed) so that it is never available in the device in the clear or in the merchant’s network in the clear.
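The claim that card data is never in the clear on the merchant’s network is something a merchant can actually check. The following is an added example (written for this post, not Bluefin’s, PayConex’s or the PCI Council’s code) that scans constructed merchant-side POS messages for Luhn-valid card numbers: a legacy message carrying a clear PAN is flagged, while a P2PE-style message carrying only an opaque encrypted blob and a token is not. The message formats, field names and values are all constructed for illustration; the PAN is the well-known 4111 1111 1111 1111 test number.

```python
import re
from typing import Dict, List

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string; filters out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_clear_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in clear text (digits only, in order of appearance)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample traffic as a merchant-side capture might show it (not real captures).
# Legacy terminal: the PAN crosses the merchant network in the clear. The 16-digit order
# number is deliberately Luhn-invalid so the scanner can be seen ignoring it.
LEGACY_POS_MSG = "sale amt=42.17 pan=4111 1111 1111 1111 exp=1227 order=1234567890123456"
# P2PE terminal: only an opaque encrypted blob and a token leave the point of entry device.
P2PE_POS_MSG = ("sale amt=42.17 dev=PED-00417 "
                "enc=9f3aC1d2E4b7a6F0d3c9B8e7A1f4D2c6E5b9A3f7C0d8E2b4 "
                "token=tok_7Qx2Lm9vR4 order=1234567890123456")


def scope_report(messages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each captured message name to the clear PANs it exposes; empty lists are the goal."""
    return {name: find_clear_pans(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, pans in scope_report({"legacy": LEGACY_POS_MSG, "p2pe": P2PE_POS_MSG}).items():
        print(f"{name}: {'clear PAN exposed ' + ', '.join(pans) if pans else 'no clear PAN'}")
```

Run against real merchant-network captures, any non-empty list marks a path that is still in PCI scope.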
While there are many companies providing P2PE or End-to-End Encryption (E2EE) solutions, some of the major differences between PCI-validated P2PE and non-validated solutions include device security, chain of custody and controls. For example, a PCI-validated P2PE solution can only decrypt data in a Hardware Security Module (HSM), whereas non-validated solutions can decrypt in software or hardware. With a PCI-validated P2PE solution, providers must adhere to strict chain of custody requirements, from key injection of the device, to shipping the device, to the merchant logging receipt of the device, through use and end of life. Non-validated solution providers can set their own methods for device chain of custody. And PCI-validated solutions must *only* interface with PCI-validated P2PE hardware point of entry devices.
In other words, PCI-validated P2PE solutions have been fully assessed and validated by the PCI Security Standards Council and received their “stamp of approval.” Non-validated solutions are not required to be assessed by an outside party.
By choosing a PCI-validated P2PE solution, retailers get the benefit of reduced PCI scope and audit if they implement their entire POS operation with PCI-validated P2PE. Companies doing an SAQ D today, at 288 questions, would qualify for the reduced SAQ P2PE-HW at 18 questions when they implement the PCI-validated technology throughout the organization.
All to say – kudos to analysts for recognizing P2PE as an integral part of the ideal holistic payment solution. Our white paper discusses the merits of PCI-validated P2PE as well as how P2PE fits with EMV and Tokenization.