On August 13th, Bluefin will speak with Visa, the PCI SSC and NCC Group on the “Maintaining a Successful PCI Compliance Program” panel at the 2015 Visa Payment Security Symposium. The panelists will share their strategy for addressing major security gaps with the implementation of penetration testing, point-to-point encryption (P2PE), and monitoring of system activity logs. The Symposium provides an interactive forum for registered Third Party Agents, VisaNet Processors, Merchants and Acquirers to share trends and developments on cybersecurity, mobile payments and Ecommerce.
Visa is a staunch advocate for the advancement of payment security technology, including PCI-validated Point-to-Point Encryption (P2PE). On March 26th, 2015, Visa took the pioneering step to expand its Technology Innovation Program (TIP) qualification to merchants that have invested in a validated P2PE solution.
“The Technology Innovation Program (TIP) recognizes and acknowledges merchants that take action to prevent counterfeit fraud by investing in EMV technology, specifically through purchasing, deploying and enabling EMV point-of-sale (POS) terminals. Participation in TIP allows qualifying merchants to discontinue the annual Payment Card Industry Data Security Standard (PCI DSS) validation assessment. Qualifying merchants can reap meaningful savings and have the opportunity to reinvest those savings into additional secure acceptance technology.
Effective 1 April 2015, Visa will expand TIP qualification to merchants that have invested in a validated point-to-point encryption solution. Qualifying solutions are those that are included on PCI SSC’s list of Validated Point-to-Point Encryption Solutions or independently validated by a PCI SSC Qualified Security Assessor point-to-point encryption company. Point-to-point encryption helps to secure a merchant’s acceptance environment by removing or devaluing cardholder data. Visa recognizes the security value this technology brings to the POS acceptance environment.”
In March 2014, Bluefin became the first PCI-validated provider of P2PE in North America and is today one of 13 companies globally with this validation – and still one of four in the U.S. Why PCI-validated P2PE and not just a regular P2PE solution that has not been validated by the Council?
- Device Security: PCI P2PE certified devices are more secure and are designed to detect tampering. If malicious activity is detected, the device shuts down, preventing a breach at the point-of-entry (POI).
- Chain of Custody: PCI P2PE includes a built-in “chain of custody” process for managing PCI P2PE certified devices where you can automatically track and report on all POI devices for PCI compliance review.
- Strict Controls: All PCI-validated P2PE solution providers must abide by strict controls to protect encryption keys. Device key injection is done directly at a certified Key Injection Facility (KIF), and decryption occurs only in a hardware environment (HSM).
- Reduced PCI Assessment: Merchants using a PCI-validated P2PE solution throughout their POS environment are eligible for the 35-question SAQ P2PE-HW – a significant reduction from the 332-question SAQ D.
The Visa Payment Security Symposium will touch on a number of payment security technologies, including P2PE, EMV, and Tokenization, as well as current issues including:
- “Expanding the Conversation….Defending, Detecting and Destroying Malware”
- “Evaluating Key Elements to Creating an Effective Incident Response Plan”
- “Securing the Payment Value Chain”
- “Network Segmentation and Zero Trust”
Learn more about the Symposium.