What merchants and retailers need to know
Recently a group of card payment industry practitioners gathered at a Vendorcom Special Interest Group (SIG) meeting to discuss the subject of PCI and the security of card data. The meeting was hosted by Anderson Zaks at their offices in Bracknell. A significant proportion of the debate focused on Point-to-Point Encryption (P2PE). Adina Ahmed, Operations Director at Anderson Zaks, explains the salient points here.
The P2PE program is optional and provides a comprehensive set of security requirements for payment solution providers to validate their hardware-based solutions, and may help reduce the PCI DSS scope of merchants using such solutions.*
The aim is to ensure that card information is passed securely from the point of payment (i.e. where you insert or give card details) to the acquirer (bank) and that the merchant does not hold card information. Even though they are not holding this data, the merchant will still have to provide evidence that they adhere to the PCI DSS standard; however, P2PE may significantly reduce the scope of their cardholder data environment and of their annual PCI DSS assessments.
While it has been around for a couple of years, P2PE is still in the early stages of market adoption, and different solutions that address various requirements are still evolving. In many cases, whilst larger tier 1 and 2 merchants/retailers with IT departments are already evaluating the benefits of P2PE, some smaller merchants may not even be aware of this potentially advantageous approach. The consensus of the meeting was that the future direction of P2PE should not be seen as cast in stone, as the implications are only now becoming fully apparent as more companies – both solution suppliers and retailers/merchants – assess the options available to them. In this context, a more open debate with merchants and retailers about the direction that the technology may take is to be welcomed and encouraged.
The salient points highlighted during discussions were:
• P2PE is not compulsory
• There are different forms of P2PE
• The future direction of P2PE is not necessarily set
• Merchants and retailers should look to future-proof any purchases made now
P2PE is not compulsory
There are potential misconceptions circulating currently, and the belief that P2PE is compulsory is one of them. The banks are not insisting on P2PE, which means that merchants/retailers are free to choose any solution that meets their card processing requirements so long as it is PCI DSS compliant. However, for any solution they do select, merchants would be wise to ensure that it is future-proofed. By this we mean that the component parts of their system could incorporate a P2PE solution in the future.
Different forms of P2PE
One of the current debates is where exactly the ‘point’ within the merchant/retailer systems lies from which the data needs to be encrypted. As is to be expected, different sectors of the card payment industry have different approaches to the situation. Terminal manufacturers are building encryption into their PINpads, whereas software solution providers claim that their approach is to encrypt or mask card data within the merchant’s systems and pass only limited details back, thus equally reducing the scope of PCI for the merchant. These probably represent the two polar extremes of opinion, and there is an increasing groundswell for a third or middle path that combines elements of both approaches.
The following diagrams illustrate the two approaches. The first diagram shows encryption taking place between the merchant’s ‘POS’ application and the payment service provider’s (PSP’s) system. The PSP in turn interfaces with the PINpad and host gateway, fully encrypting the card data.
This approach is currently approved under PCI DSS compliance validation.
The second diagram has all the encryption activity within the payment terminal, which still sends limited transaction data back to the merchant’s POS systems.
The perceived benefit of this option to merchants/retailers is that they will significantly reduce their effort in attaining and maintaining PCI DSS compliance. However, this is really only pertinent for level 1 merchants doing over 6 million card transactions per annum**.
There are benefits to both approaches. By having P2PE in the PINpad, everything is self-contained within the terminal and merchants/retailers are provided with a simple turnkey solution. By adopting a software-based approach, merchants/retailers can mix and match their payment hardware and still use the same payment processing solution, so maintaining flexibility.
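Whichever of the two approaches is chosen, the practical outcome for the merchant is the same: only limited card details (at most the first six and last four digits of the card number, which is the truncation PCI DSS Requirement 3.3 permits to be displayed) should ever reach the POS system, and nothing else in the merchant environment should retain a full PAN. The following is an added example, written for this article and not code from Vendorcom, Anderson Zaks or any PSP, that shows the defender's side of that requirement: a small check a merchant could run over POS log output to find any full card numbers that have leaked past the encryption point and mask them to the permitted truncation. The log lines, the card numbers (public test PANs) and the order-reference format are all constructed for the example.

```python
import re

# Constructed sample log lines, not taken from any real merchant system.
# Two lines contain Luhn-valid public test card numbers, one contains a
# 16-digit order reference that is NOT a card number, and one is clean.
SAMPLE_LOG = [
    "12:30:45 sale approved pan=4111111111111111 amount=12.99 auth=A1B2C3",
    "12:31:02 refund requested card='5105 1051 0510 5100' amount=5.00",
    "12:31:10 order 1234567812345678 dispatched to store 42",
    "12:31:15 terminal 0007 heartbeat ok",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits (the most PCI DSS
    Requirement 3.3 allows to be displayed); everything in between becomes X."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in one log line; return (new_line, pans_found)."""
    found = 0

    def _sub(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # e.g. an order number: leave it untouched
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), found


def scan_log(lines):
    """Redact a whole log; return (redacted_lines, total_pans_found).
    A non-zero count means full card data reached the merchant system and
    the encryption point is not where the design says it is."""
    out, total = [], 0
    for line in lines:
        new, n = redact_line(line)
        out.append(new)
        total += n
    return out, total


if __name__ == "__main__":
    redacted, n = scan_log(SAMPLE_LOG)
    print(f"{n} PAN(s) found and masked")
    for line in redacted:
        print(line)
```

The Luhn check is what keeps the scan useful in practice: without it, any 13 to 19 digit reference number (the order number in the third sample line, for instance) would be flagged and mangled, and operators would quickly learn to ignore the report. A count greater than zero is the evidence that matters for scoping, because it shows cardholder data is present in a system the merchant believed to be out of scope.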
Which direction will P2PE develop?
Both of the approaches outlined above have their pros and cons; however, neither has gained dominance within the market, and this is why the future of P2PE isn’t yet decided. Yet as the first-generation PINpads reach end of life and need to be replaced, merchants and retailers are faced with the fact that they must replace their systems – there is simply no ‘do nothing’ option. This is why members of Vendorcom are suggesting that discussions continue across the industry with input from all stakeholders, including acquirers, solution suppliers, other interested industry associations and standards bodies such as the Payments Council, EPC and PCI SSC, PSPs, QSAs and merchants/retailers. The ultimate aim is that developments in P2PE should deliver a strong, flexible, future-proof and market-empathetic solution.
In the meantime we wait to see a QSA-certified PCI P2PE solution in deployment.