If you read our blog regularly or review our product and solution pages, you will see that securing point of sale and online payments is our primary focus. Last week we announced a new partnership with PAX Technology to utilize their PCI-validated P2PE S500 and S300 payment terminals for both Bluefin’s validated P2PE solution as well as EMV.
The role that the payment terminal plays in the PCI P2PE process is crucial. The terminal is the first point of interaction (POI) with the credit or debit card – which is why you might hear or see the term “POI device” when a PCI P2PE solution is discussed. What sets a PCI-validated P2PE device apart from a non-validated device includes the methods required to encrypt data, the tamper-resistance and tamper-responsiveness of the device, and the way cryptographic keys are injected into the device.
Over the next several weeks, we will showcase the different aspects of a PCI-validated P2PE solution – covering encryption, data flow and hardware decryption; device key injection; device chain of custody (shipping, deployment and management of devices); and the resulting reduction of PCI scope and the Cardholder Data Environment (CDE).
The PCI P2PE Device – Requirements
Any device used in a PCI-validated P2PE solution, such as Bluefin’s solution, must also be validated and approved by the PCI SSC via the PCI PTS program with SRED (secure reading and exchange of data) listed as a “function provided” and with SRED enabled and active. Per the PCI SSC, SRED is:
“A set of PTS POI requirements that provide a standardized approach to protecting account data in POI devices. SRED requirements cover all methods of account-data entry supported by the POI device, and include physically and logically protecting account data within the device, protecting any associated sensitive data or functions, and providing for the encryption of account data before transmission outside the device.”
What sets validated devices apart from non-validated devices – aside from the fact that the devices must go through a rigorous review and certification process by PCI in order to be listed as PCI-validated P2PE devices – is that they encrypt account data inside the device’s secure boundary at the moment of swipe or dip. Clear-text card data therefore never reaches the POS application, the register, or the merchant network, even for one millisecond.
Think about that in the scheme of data breaches. A common tactic attackers use to steal card data is point-of-sale (POS) memory-scraping malware, also called a POS RAM scraper. In a nutshell, a RAM scraper runs on the POS system and reads clear-text track data out of the memory of the POS software in the interval between the card being read and the data being encrypted or sent for authorization. That window exists whenever a non-validated solution passes clear-text card data from the terminal to the POS software before encrypting it, and it is exactly the window a validated P2PE device removes, because the POS software only ever receives ciphertext. The most notorious and widespread example of how this works is the Target data breach. As reported by Brian Krebs in January 2014, a few weeks after the breach was disclosed:
“In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved memory-scraping malware.
This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, US-CERT issued a detailed analysis of several common memory scraping malware variants.”
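To make the memory-scraping technique concrete, here is an added example (not code from the original post, from Bluefin, or from any real malware family) that does what a RAM scraper does: it searches a memory image for ISO 7813 Track 1 and Track 2 data using the start/end sentinels and applies a Luhn check so that random digit runs are not reported. It is run over three constructed memory images: a register where a non-validated terminal handed clear-text track data to the POS software, the same sale through a PTS/SRED device where the POS only ever sees a key serial number and an encrypted block, and a Track-2-shaped string whose PAN fails Luhn. The test PAN, cardholder name, KSN and ciphertext bytes are all constructed for the example; the “ciphertext” is a made-up stand-in, not real DUKPT output.

```python
import re
from typing import Dict, List

# ISO 7813 magnetic-stripe track layouts, which POS RAM scrapers (and the DLP and
# forensic tooling that hunts for the same thing) key on. Track 1 opens with the
# '%B' format code, Track 2 with the ';' start sentinel; both carry the PAN, a
# YYMM expiry date, and finish with the '?' end sentinel.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.\-]{2,26})\^(\d{4})\d*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_valid(pan: bytes) -> bool:
    """Luhn mod-10 check, used to discard digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30                      # ASCII digit byte to integer
        if i % 2 == 1:                     # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_memory(buf: bytes) -> List[Dict[str, str]]:
    """Scan a memory image for clear-text track data, the way a RAM scraper does."""
    hits: List[Dict[str, str]] = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_valid(m.group(1)):
            hits.append({"track": "1", "pan": m.group(1).decode(),
                         "name": m.group(2).decode(), "exp": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        if luhn_valid(m.group(1)):
            hits.append({"track": "2", "pan": m.group(1).decode(),
                         "exp": m.group(2).decode()})
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule) for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample 1: register memory after a NON-validated terminal handed raw
# track data to the POS application for software encryption. 4111 1111 1111 1111
# is a standard test PAN, not a real account; the name is invented.
NON_P2PE_POS_MEMORY = (
    b"\x00\x00item=COFFEE;qty=2\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?\x00"
    b";4111111111111111=25121011000012345678?\x00"
    b"total=7.50\x00"
)

# Constructed sample 2: the same sale through a PTS/SRED device. The POS only
# receives a key serial number (KSN) and ciphertext; the bytes below are a
# made-up stand-in for the encrypted block, not real DUKPT output.
P2PE_POS_MEMORY = (
    b"\x00\x00item=COFFEE;qty=2\x00"
    b"KSN=FFFF9876543210E00001\x00ENC="
    + bytes.fromhex("9c4e17a3d2f08b6e5a1c7f6e0d9b8a2c4f6e8d1a7b5c7e9f")
    + b"\x00total=7.50\x00"
)

# Constructed sample 3: a Track-2-shaped string whose PAN fails Luhn; the
# checksum filter drops it instead of reporting a false positive.
LUHN_NOISE = b"\x00;1234567890123456=25121010000000000000?\x00"


if __name__ == "__main__":
    for label, image in (("non-P2PE POS", NON_P2PE_POS_MEMORY),
                         ("P2PE POS", P2PE_POS_MEMORY),
                         ("Luhn noise", LUHN_NOISE)):
        found = scrape_memory(image)
        print(f"{label}: {len(found)} clear-text record(s)")
        for h in found:
            print(f"  track {h['track']} PAN {mask_pan(h['pan'])} exp {h['exp']}")
```

Run as-is, the non-P2PE image yields the full PAN from both tracks, while the P2PE image yields nothing, because the only card-related bytes in the POS process are the KSN and the encrypted block. The same regex-plus-Luhn logic, pointed at a process memory dump or a network capture, is also a quick way for an incident responder to confirm whether clear-text account data was ever present on a given host.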
Also, PCI-validated P2PE devices must implement active tamper-detection and tamper-response mechanisms to meet the physical security requirements of PCI PTS. If the device detects physical tampering (for example, the case being opened or the circuitry being probed), it responds by erasing its cryptographic keys and rendering itself inoperable, so an attacker who gets hold of the hardware obtains neither keys nor card data from the POI device.
Additional Components of the P2PE Process
Over the next several weeks, we will discuss additional components of PCI-validated P2PE solutions. These components must be in place in order for a solution provider (such as Bluefin) to receive PCI validation for their P2PE solution.
- Device Security (discussed today)
- Device Key Injection
- Device Chain of Custody
- Encryption and Hardware Decryption
We will also discuss the resulting benefits of implementing PCI-validated P2PE, which include reduced PCI scope and the time and cost savings that follow from it.
In addition to PAX Technology, Bluefin also utilizes a number of PCI P2PE-approved devices by Ingenico, ID Tech, and BBPOS. For more information on our devices, see our Resources page.