Update simplifies security and compliance for merchants while protecting consumers from consequences of data breaches
July 1, 2015 (Atlanta, GA) - Bluefin Payment Systems, the first company in North America to provide Payment Card Industry Security Standards Council (PCI SSC) validated Point-to-Point Encryption (P2PE) solutions, today welcomed PCI SSC’s updated P2PE standard, which builds on the earlier version to simplify the development and merchant adoption of PCI validated P2PE Solutions.
P2PE devalues consumer card data through encryption, making it unreadable to Point-of-Sale (POS) Malware. Criminals have employed POS Malware in most of the major card data breaches over the past two years.
Adoption of P2PE has been steady as merchant and processor development resources have been focused on implementing EMV (“chip cards”) in advance of the October liability shift. Meanwhile, hackers have exposed unencrypted card data at an alarming rate. Merchants and processors have asked for more flexibility in the standard to spur adoption.
The updated standard, PCI P2PE Version 2.0, allows merchants, for the first time, to build and manage a P2PE Solution that protects retail and call center locations. A “merchant managed P2PE Solution” can be either homegrown or comprised of components from PCI-validated and listed vendors. This remedies the “processor lock-in” scenario which many merchants say is a primary commercial reason for delayed P2PE projects.
The Council responded to feedback from Acquirers, processors, solution providers and merchants by making the standard more flexible while still keeping in place P2PE’s strong security requirements such as hardware encryption, chain of custody controls and HSM key management. The standard creates a new market for vendors to provide certified PCI P2PE components that can be used by merchants or other solution providers to develop their own P2PE solutions.
“PCI’s P2PE Standard simplifies security and compliance for merchants while protecting cardholder data from breaches,” said Ruston Miles, Chief Innovation Officer and Founder of Bluefin. “With version 2.0, PCI has made the development and implementation of P2PE Solutions easier. Now, Solution Providers and Merchants can simply choose from individually validated components to build and manage their own P2PE Solutions. This increases flexibility and choice among vendors, and puts the merchant in the driver’s seat.”
Bluefin is a Participating Organization (PO) of the PCI Council and a validated Level 1 PCI DSS Compliant Service Provider. Ruston Miles assisted with the development of the updated standard as part of an industry feedback group for PCI SSC.
Speaking of Bluefin’s involvement, Jeremy King, PCI SSC International Director, said, “Version 2.0 of the PCI P2PE requirements is about simplifying the process for both solution providers and merchants. Ultimately this is going to mean more solutions will be available for merchants that are easier to put in place. We’re pleased to have Bluefin Payment Systems and other PCI-validated solution providers already partnering with merchants to help them improve the security of their payment data and simplify their PCI DSS compliance efforts.”
Bill Bolton, Vice President of Information Technology at The HoneyBaked Ham Co., who was quoted in the PCI announcement, also said of Bluefin, “Protecting your customers and your Corporate Brand continue to be the biggest challenges faced by IT executives. To meet that challenge, we turned to the team at Bluefin to help us navigate the evolving world of PCI Compliance and enable their PCI-validated P2PE payment solution across all our stores in a simplified and cost effective way.”
PCI also announced the publication of a P2PE case study, a joint effort by the PCI Council, The Hillman Group and Bluefin to educate merchants on the benefits of using an accredited P2PE Solution.
“This updated merchant-friendly standard means there is now no excuse for merchants and solution providers that are seeking the best possible safeguards for their consumer payment data, to avoid implementing PCI validated P2PE,” said Bluefin CEO John Perry. “Furthermore, the standard is recognition of P2PE’s critical role in a “secure-all-channels” approach to data security, providing, alongside EMV chip cards and tokenization technology, the protections that American consumers deserve.”
Bluefin’s PayConex P2PE solution received P2PE validation in March 2014 with validation for mobile payments following in December 2014.