- What is the Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Standard?
- What is a PCI-validated P2PE solution?
- What does a PCI-validated P2PE solution have to include?
- What is the difference between PCI-validated and non-validated P2PE solutions?
- How does PCI-validated P2PE work with EMV and Tokenization?
- How does P2PE help prevent the loss of cardholder data in the event of a data breach?
- What are the benefits of a PCI-validated P2PE solution for merchants?
- What is the cost-benefit and Return on Investment (ROI) of a PCI-validated P2PE solution?
What is the Payment Card Industry (PCI) Point-to-Point Encryption (P2PE) Standard?
As defined by the PCI Security Standards Council (PCI SSC), “Building upon the solid data and environmental security foundation established and promulgated by the PCI SSC for the payments industry via the PCI DSS, PA-DSS, and PTS, the P2PE Standard is a comprehensive set of requirements focused on providing the requisite security requirements necessary to support the deployment of secure P2PE solutions.”
The PCI Point-to-Point Encryption (P2PE) Standard was introduced in 2012. Bluefin became the first company in North America to receive PCI validation for a P2PE solution in March 2014. Today there are nearly 50 PCI-validated P2PE solution providers worldwide.
A PCI-validated P2PE solution includes a combination of secure devices, applications and processes that encrypt credit card data immediately upon swipe or dip in the payment terminal (which is also called the Point of Interaction, or POI). The data remains encrypted until it reaches the Solution Provider’s secure decryption environment.
With Bluefin’s PCI-validated P2PE solution, we encrypt cardholder data at the POI in a PCI-Approved PTS device running P2PE validated software and decryption is done off-site in an approved Bluefin Hardware Security Module (HSM). Our solution prevents clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach.
In order for a P2PE solution to receive validation from PCI, the solution, the Solution Provider, and associated players in the overall P2PE solution must undergo assessment and audit by a P2PE Qualified Security Assessor (QSA), before being brought before the Council for approval.
Note that “Only Council-listed P2PE solutions are recognized as having met the rigorous controls defined in the PCI P2PE Standard for the protection of payment card data, as well as meeting the requirements necessary for merchants to reduce the scope of their cardholder data environment (CDE) through use of a P2PE solution.”
What does a PCI-validated P2PE solution have to include?
A PCI-validated P2PE solution must include all of the following:
- Secure encryption of payment card data at the POI (i.e., the payment terminal)
- P2PE-validated application(s) at the POI
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection and administration
As a PCI-validated P2PE Solution Provider, Bluefin is responsible for the design and implementation of our P2PE solution, and management of the solution for our partners and their merchants. We are also responsible for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on our behalf (for example, hardware manufacturers, certification authorities, and key injection facilities).
What is the difference between PCI-validated and non-validated P2PE solutions?
Non-Validated (Unlisted) Encryption Solutions
Encryption solutions that have not been validated by the PCI SSC, but still provide functions such as encrypting within the POI terminal and decrypting outside the merchant environment, are generally called unlisted P2PE solutions or End-to-End Encryption (E2EE) solutions.
PCI-Validated (PCI-Listed) P2PE Solutions
PCI-validated P2PE solutions have been assessed by a P2PE QSA as having met the PCI P2PE standard and are therefore listed on the PCI website under Approved P2PE Solutions. In addition to meeting the P2PE standard, the decryption component of the solution must operate within a secure environment that is annually assessed to the full PCI DSS standard.
How does PCI-validated P2PE work with EMV and Tokenization?
- PCI-validated P2PE protects data in transit. The role of P2PE is to immediately and fully encrypt all cardholder data within the payment terminal so it does not enter the POS as clear-text card data. By using strong encryption, device management practices, and key management, P2PE is effective at addressing the risk of card data compromise for card data in transit out of the merchant network as it is transmitted to the gateway or acquirer for decryption and processing.
- Tokenization enables merchants and enterprises to safely “store” cardholder data at rest for use in future transactions. Tokenization is the technology where secure card data storage is centralized and a different value is used to represent the original cardholder data. When ready to be re-used, the token must generally be passed to the tokenization provider, where the original cardholder data is retrieved, decrypted, and utilized.
- EMV authenticates the credit or debit card at the point of sale by reading a chip embedded on the card and validating the cardholder with their signature. EMV makes it extremely difficult (though not impossible) to “white-label” or duplicate a physical credit card that could then be used by thieves to purchase items at the POS.
How does P2PE help prevent the loss of cardholder data in the event of a data breach?
P2PE prevents clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach.
In the Target breach, for example, CEO Gregg Steinhafel confirmed that malicious software (also referred to as malware) had been installed on POS devices in Target’s retail stores. This kind of malware parses clear-text data held briefly in the memory of specific POS devices; in doing so, it captures the data from the card’s magnetic stripe or chip in the instant after the card has been swiped or dipped at the terminal, while that data still sits in the system’s memory as clear-text.
The whole purpose of PCI-validated P2PE is to immediately encrypt cardholder data using the validated POI device, thus eliminating any clear-text cardholder data, which could be picked up by hackers.
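The following simulation is an added example, not Bluefin's code, and illustrates both the POI-encrypt / off-site-decrypt flow described above and the breach scenario: a non-P2PE POS holds the raw track data, a P2PE POS only ever holds ciphertext, and a clear-text PAN scan (regex plus Luhn check, the same test a PCI scoping scan applies) finds card data on the first and nothing on the second. The cipher, key and track data are constructed stand-ins, not a real PTS device cipher.

```python
import base64
import hashlib
import re

# Constructed sample: Track 2 data using the well-known 4111... test PAN.
SAMPLE_TRACK2 = "4111111111111111=2512101"
POI_KEY = b"constructed-poi-key-not-real"  # assumed terminal key (constructed)

# 13-19 digit runs not adjacent to other digits are PAN candidates.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that PAN scanners use to discard random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(blob: str) -> list[str]:
    """Scoping check: any Luhn-valid candidate is clear-text cardholder data."""
    return [m.group() for m in PAN_RE.finditer(blob) if luhn_ok(m.group())]


def _xor_keystream(data: bytes, key: bytes) -> bytes:
    """Illustrative keystream (SHA-256 over key||counter) XORed with the data.
    A stand-in for the validated cipher a real PTS device runs, nothing more."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def poi_encrypt(track: str, key: bytes) -> str:
    """Encryption happens inside the POI, before any POS software sees the data."""
    return base64.b64encode(_xor_keystream(track.encode(), key)).decode()


def provider_decrypt(ciphertext: str, key: bytes) -> str:
    """Decryption happens off-site, in the solution provider's HSM environment."""
    return _xor_keystream(base64.b64decode(ciphertext), key).decode()


def legacy_pos(track: str) -> list[str]:
    """Non-P2PE path: the POS application holds and logs the raw track."""
    return [f"auth request track2={track}"]


def p2pe_pos(track: str, key: bytes) -> list[str]:
    """P2PE path: the POI encrypts first; the POS only ever holds ciphertext."""
    return [f"auth request enc={poi_encrypt(track, key)}"]


def scope_check(pos_memory: list[str]) -> list[str]:
    """Everything the POS held, scanned for clear-text PANs."""
    return find_clear_pans("\n".join(pos_memory))
```

Running `scope_check(legacy_pos(SAMPLE_TRACK2))` returns the test PAN, while `scope_check(p2pe_pos(SAMPLE_TRACK2, POI_KEY))` returns an empty list even though the transaction still decrypts correctly at the provider.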
What are the benefits of a PCI-validated P2PE solution for merchants?
There are numerous tangible benefits merchants receive from using a solution that has been through the validation process.
PCI-Authorized Scope Reduction
Merchants who use a validated solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized self-assessment questionnaire SAQ P2PE, which is known and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions).
Card Brand Programs
Visa Technology Innovation Program (TIP)
Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply through their acquirer for the Visa TIP program, which allows approved merchants to discontinue their annual assessment process to re-validate PCI DSS compliance.
Visa Secure Acceptance Program
This program incentivizes acquirers by providing safe harbor for fees in the event of a compromise for Level 3 and 4 card-present merchants who use a PCI-validated P2PE solution.
Solution for Challenging Compliance Issues
When all card data is encrypted within a validated card reader before it passes through the mobile device, the consumer mobile device is rendered out of scope for PCI DSS compliance (so long as it is not used for any other payment function), enabling compliant card acceptance via a consumer mobile device.
Because the systems and networks between the encryption point and the decryption environment are no longer in scope once P2PE encryption is in place, this advantage can also address complex network-responsibility challenges for some merchants.
What is the cost-benefit and Return on Investment (ROI) of a PCI-validated P2PE solution?
In 2017, we released a white paper with P2PE QSA Coalfire Systems that detailed the ROI of a P2PE PCI solution. See our media page to download the white paper and to view our case studies and educational videos on P2PE.