March 2020 marked Bluefin’s 6th anniversary of being the first company in North America to receive PCI validation for a point-to-point encryption (P2PE) solution. We introduced our solution at a time when the big-name retail breaches were making headline news and when there were only 3 certified P2PE solutions listed, all out of Europe.
Today, there are 100 validated solutions for merchants and enterprises to choose from, but Bluefin’s offering remains unique in several key aspects – including the fact that we are still the only company offering P2PE as a stand-alone solution for payment gateways, processors and ISVs with Decryptx®.
But Bluefin is also the only listed provider to offer the largest variety of PCI-validated P2PE devices, P2PE applications and Key Injection Facilities (KIFs). We recently announced one of our largest designated change listings that adds even more devices from PAX, Ingenico and Verifone, as well as our first KIF in Bulgaria.
“As the leader in payment and data security, Bluefin is always working to support the most current devices and secure P2PE applications available,” said Brent Johnson, CISO, Bluefin. “Maintaining this variety and choice is of the utmost importance to Bluefin, our merchants and partners that utilize our integrated and stand-alone P2PE solutions.”
What Does a P2PE Solution Encompass?
A PCI-validated P2PE solution is a combination of secure devices, applications, and processes that encrypt credit card data immediately upon swipe, dip, tap or key entry in the payment terminal (also called the Point of Interaction, or POI). The data remains encrypted until it reaches the Solution Provider’s secure decryption environment.
With Bluefin’s PCI-validated P2PE solution, we encrypt cardholder data at the POI in a PCI-Approved PTS device running P2PE validated software and decryption is done off-site in an approved Bluefin Hardware Security Module (HSM). Our solution prevents clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach.
A PCI-validated P2PE solution is required to have all of the following:
- Secure encryption of payment card data at the POI (i.e., the payment terminal)
- P2PE-validated application(s) at the POI
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection and administration
As a PCI-validated P2PE Solution Provider, Bluefin is responsible for the design and implementation of our P2PE solution, and management of the solution for our partners and their merchants.
We are also responsible for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on our behalf (for example, hardware manufacturers, certification authorities, and key injection facilities).
Why are Devices, Applications and KIFs Important?
Devices, applications and KIFs are integral to a validated P2PE solution.
- In today’s world of omni-channel commerce, having a variety of P2PE devices from preferred manufacturers to fit business use cases is incredibly important. For example, all point-of-sale (POS) merchants now demand that devices be contactless and, in many cases, such as pay-at-table, portable to the customer. Unattended devices that can facilitate kiosk payments, whether at a car wash, in a healthcare office, or in parking, are also seeing increased demand. And just like consumers prefer certain vendors, so do merchants and enterprises. By providing P2PE devices from all of the major manufacturers through our solution, we afford any company globally the benefit of choice to meet their business needs.
- A compliant P2PE Application is an assessed and certified software application that forms a fundamental part of a P2PE solution and is listed by the PCI SSC. P2PE Applications are intended to be loaded onto PCI-approved point of interaction (POI) devices used as part of a P2PE Solution. In many cases, as manufacturers release new devices, they are only certified on the most recent P2PE Application versions. Additionally, many application vendors do not recertify older versions of their P2PE applications, which can only be used 180 days past expiration as part of a validated P2PE solution. By continually adding applications, we ensure that our customers have access to the most recent versions.
- The KIF is a secure facility where the injection of P2PE keys takes place and is an integral part of the P2PE process. KIFs must comply with strictly defined procedures around the sharing, safeguarding and injection of P2PE keys, as well as the proper storage of the devices and their tracking – from shipping to the merchant location, to merchant receipt of the device, to activation of the device. Having a variety of KIFs in locations across the globe ensures that clients worldwide can receive their P2PE devices in a timely manner.
Bluefin’s P2PE Solutions
Our P2PE solutions span our product suite and are offered by 135+ processors, gateways and ISVs operating in 34 countries – providing merchants and enterprises globally the option to partner with Bluefin for P2PE or utilize our partner network. Additionally, Bluefin is the only provider of a 100% online system that offers our partners and clients an easy-to-use tool to administer their P2PE activities and ensure compliance to get the full benefits of PCI-validated P2PE scope reduction. Our P2PE Manager® enables Bluefin’s merchants and partners to monitor the complete lifecycle of a payment device. This includes key injection, device shipping and tracking for chain-of-custody, device state and attestation management, and a record of every decryption performed by every device.
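The following is an added illustration, not Bluefin's code, of the data flow and lifecycle controls described above: the key is generated at injection and held only in the decryption environment, the POI encrypts and authenticates the PAN before it leaves the terminal, the merchant system handles only an opaque message, and decryption is refused for a device that is not in the activated state and is logged per device. The HMAC-based counter-mode stream is a stdlib-only stand-in for the terminal's hardware cipher; the device ID and PAN used in the test are constructed values.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only PRF stream standing in for the terminal's cipher.
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def poi_encrypt(device_key: bytes, device_id: str, pan: str) -> dict:
    """Runs inside the POI: the PAN is encrypted and authenticated before it leaves the terminal."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(device_key, nonce, len(pan))))
    tag = hmac.new(device_key, device_id.encode() + nonce + ct, hashlib.sha256).digest()
    # The merchant system only ever handles this dict: ciphertext, nonce and tag, no key.
    return {"device_id": device_id, "nonce": nonce, "ct": ct, "tag": tag}

class DecryptionEnvironment:
    """Stand-in for the provider's HSM-backed decryption environment and device registry."""

    def __init__(self):
        self._keys = {}           # device_id -> key; never leaves this environment
        self.state = {}           # device_id -> lifecycle state (injected -> activated)
        self.decryption_log = []  # one record per decryption, by device

    def inject_key(self, device_id: str) -> bytes:
        # KIF step: key generated here and loaded into the device inside the facility.
        self._keys[device_id] = secrets.token_bytes(32)
        self.state[device_id] = "injected"
        return self._keys[device_id]

    def activate(self, device_id: str) -> None:
        # Merchant confirms receipt; only activated devices may have data decrypted.
        self.state[device_id] = "activated"

    def decrypt(self, msg: dict) -> str:
        dev = msg["device_id"]
        if self.state.get(dev) != "activated":
            raise PermissionError(f"{dev} is not activated; refusing to decrypt")
        key = self._keys[dev]
        expected = hmac.new(key, dev.encode() + msg["nonce"] + msg["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError(f"{dev}: message failed authentication")
        pan = bytes(a ^ b for a, b in zip(msg["ct"], _keystream(key, msg["nonce"], len(msg["ct"]))))
        self.decryption_log.append(dev)
        return pan.decode()
```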
Learn more about our P2PE Solutions.