Jeremy King, the International Director of the PCI Security Standards Council (SSC), published a great blog today on the 3 tips for establishing a P2PE solution in your organization. Check out the blog from Mr. King below.
There are many points at which payment card data can be exposed as it travels through a merchant’s systems and networks. Using malware and other techniques, hackers can steal this data and sell it for use in card-not-present and online fraud. Point-to-Point Encryption (P2PE) renders card data useless from the moment it enters a merchant’s system all the way through the transaction cycle. This means it’s of no value to anyone without the proper key to decrypt it. It secures the original data, and if it is stolen in transit, makes it really difficult for criminals to do anything with it. This would have significantly devalued the cardholder data stolen in compromises we’ve seen in recent months.
When used alongside EMV chip at the physical point-of-sale (POS), and tokenization for protecting stored data, P2PE provides the best protection for payment data, and can simplify PCI Data Security Standard (PCI DSS) compliance efforts. A security expert recently described P2PE to me as “the cheapest, easiest and most secure way to remove cardholder data from your systems,” and with version 2 of the PCI P2PE standard this just became a whole lot easier to implement.
So how do you go about establishing a P2PE solution in your organization?
- Identify the cardholder data environment.
Where does card data live in your merchant environment? The ultimate goal of this technology is to minimize exposure of your data, so to achieve that, you have to be absolutely sure you understand all the places card data enters and flows within your systems.
- Use a PCI-validated solution.
When it comes to selecting a P2PE solution and provider, to get the security, PCI DSS compliance and business benefits of P2PE, make sure you are using a PCI-validated P2PE solution. These products and providers, tested by our trained P2PE assessors against a peer-reviewed and publicly available standard, guarantee the strongest encryption protections. The use of a PCI-validated P2PE solution can also cut down on where and how the PCI DSS applies to a merchant’s business environment, both increasing security of customer data and simplifying compliance efforts.
- Consult with your business partners.
Talk to your acquirer or payment service provider about which PCI P2PE solution and provider is right for your business. The new version of the standard (P2PE v2) has more flexibility in the assessment process, which means more solutions are being validated and made available to merchants. It also provides an option for larger merchants who wish to implement and maintain their own P2PE solution.
Get started by downloading PCI Point-to-Point Encryption (P2PE) Solutions for Merchants.