

P2PE – It’s still early days

Adina Ahmed
What merchants and retailers need to know
Recently a group of card payment industry practitioners gathered at a Vendorcom Special Interest Group meeting (SIG) to discuss the subject of PCI and the security of card data. The meeting was hosted by Anderson Zaks at their offices in Bracknell. A significant proportion of the debate focused on Point-to-Point Encryption (P2PE). Adina Ahmed, Operations Director at Anderson Zaks, explains here the salient points.
The P2PE program is optional and provides a comprehensive set of security requirements for payment solution providers to validate their hardware-based solutions, and may help reduce the PCI DSS scope of merchants using such solutions.*
This is to ensure that card information is passed securely from the point of payment (i.e. where you insert or give card details) to the acquirer (bank) and that the merchant does not hold card information. Even though they are not holding this data, the merchant will still have to provide evidence that they adhere to the PCI standard; however, P2PE may significantly reduce the scope of their cardholder data environment and annual PCI DSS assessments.
While it has been around for a couple of years, P2PE is still in the early stages of market adoption, and different solutions that address various requirements are still evolving. In many cases, whilst larger tier 1 and 2 merchants/retailers with IT departments are already evaluating the benefits of P2PE, some smaller merchants may not even be aware of this potentially advantageous approach. The consensus of the meeting was that the future direction of P2PE should not be seen as cast in stone, as the implications are only now becoming fully apparent as more companies – both solutions suppliers and retailers/merchants – assess the options available. In this context, a more open debate with merchants and retailers about the direction that the technology may take is to be welcomed and encouraged.
The salient points highlighted during discussions were:
• P2PE is not compulsory
• There are different forms of P2PE
• The future direction of P2PE is not necessarily set
• Merchants and Retailers should look to future proof any purchases made now
P2PE is not compulsory
There are potential misconceptions circulating currently, and the idea that P2PE is compulsory is one of them. The banks are not insisting on P2PE, which means that merchants/retailers are free to choose any solution that meets their card processing requirements so long as it is PCI DSS compliant. However, for any solution they do select, merchants would be wise to ensure that it is future-proofed. By this we mean that the component parts of their system could incorporate a P2PE solution in the future.
Different forms of P2PE
One of the current debates is where exactly the ‘point’ within the merchant/retailer systems is from which the data needs to be encrypted. As is to be expected, different sectors of the card payment industry have different approaches to the situation. Terminal manufacturers are building encryption into their PINpads, whereas software solution providers claim that their approach is to encrypt or mask card data within the merchant’s systems and pass limited details back, thus equally reducing the scope of PCI for the merchant. These probably represent the two polar extremes of opinion, and there is an increasing groundswell for a third or middle path that combines elements of both approaches.
The following diagrams illustrate the two approaches. The first diagram shows encryption taking place between the merchant’s ‘POS’ application and the payment provider’s system. The PSP in turn interfaces with the PINpad and host gateway, fully encrypting the card data.
This approach is currently approved under PCI DSS compliance validation.
The second diagram has all the encryption activity within the payment terminal, but still sends limited transaction data back to the merchant’s POS systems.
The perceived benefit of this option to merchants/retailers is that they will significantly reduce their effort in attaining and maintaining PCI DSS compliance. However, this is really only pertinent for level 1 merchants doing over 6 million card transactions per annum.**
There are benefits to both approaches. With P2PE in the PINpad, everything is self-contained within the terminal, providing merchants/retailers with a simple turnkey solution. By adopting a software-based approach, merchants/retailers can mix and match their payment hardware and still use the same payment processing solution, so maintaining flexibility.
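To make the software-side approach concrete, here is an added example (not code from the article, Vendorcom or Anderson Zaks) that models a hypothetical PSP component as the only party that sees the clear PAN: it tokenises the card number, returns only a token and a masked PAN to the merchant’s POS, and a simple scope check then scans what the POS stores for anything that still looks like a full card number. The PSP class, token format, auth code and test PAN are all constructed for illustration; the masking rule keeps at most the first six and last four digits, the display limit set by PCI DSS requirement 3.3.

```python
"""Added example (not from the article): toy model of masking/tokenising card
data before it reaches the merchant's POS, plus a scope check over what the
POS keeps. All names and sample values are constructed for illustration."""
import json
import re
import secrets
from dataclasses import dataclass

# Constructed test PAN (a well-known Luhn-valid test number, not a live card)
TEST_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Return True when the digit string passes the Luhn check."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3 display limit)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class PspResponse:
    """What the hypothetical PSP hands back to the POS: never the full PAN."""
    token: str
    masked_pan: str
    auth_code: str


class PaymentServiceProvider:
    """Hypothetical PSP: the only component that ever sees the clear PAN."""

    def __init__(self) -> None:
        # token -> PAN; this vault lives in the PSP's environment, not the merchant's
        self._vault: dict[str, str] = {}

    def authorise(self, pan: str, expiry: str, amount_pence: int) -> PspResponse:
        if not luhn_ok(pan):
            raise ValueError("PAN fails Luhn check")
        token = "tok_" + secrets.token_urlsafe(16)   # random, not derived from the PAN
        self._vault[token] = pan
        # expiry/amount would go to the acquirer; auth_code is a constructed placeholder
        return PspResponse(token=token, masked_pan=mask_pan(pan), auth_code="A1B2C3")

    def detokenise(self, token: str) -> str:
        """Only the PSP can map a token back to a PAN (e.g. for a later refund)."""
        return self._vault[token]


def pos_record(resp: PspResponse, amount_pence: int) -> dict:
    """What the merchant's POS stores for receipts, refunds and reconciliation."""
    return {"token": resp.token, "masked_pan": resp.masked_pan,
            "auth_code": resp.auth_code, "amount_pence": amount_pence}


# Digit runs of PAN length (13-19) not adjacent to other digits
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scope check: return digit runs of PAN length that also pass Luhn."""
    return [m for m in PAN_RUN.findall(text) if luhn_ok(m)]


if __name__ == "__main__":
    psp = PaymentServiceProvider()
    resp = psp.authorise(TEST_PAN, "12/29", 1250)
    record = pos_record(resp, 1250)
    print(json.dumps(record))
    print("PANs found in masked POS record:", find_pans(json.dumps(record)))
    # Contrast: a POS that stores the clear PAN is flagged by the same check
    leaky = {"pan": TEST_PAN, "amount_pence": 1250}
    print("PANs found in naive record:", find_pans(json.dumps(leaky)))
```

The scope check is deliberately crude (length plus Luhn), which is the same heuristic a QSA’s card-data discovery tool applies to logs and databases; running it over what the POS actually persists is a quick way to test the claim that a software-side solution leaves the merchant holding no card data.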
Which direction will P2PE develop?
Both of the approaches outlined above have their pros and cons; however, neither has gained dominance within the market, and this is why the future for P2PE isn’t yet decided. However, as the first generation PINpads reach end of life and need to be replaced, merchants and retailers are faced with the fact that they must replace their systems – there is simply no ‘do nothing’ option. This is why members of Vendorcom are suggesting that discussions continue across the industry with input from all stakeholders, including acquirers, solutions suppliers, other interested industry associations and standards bodies such as the Payments Council, EPC and PCI SSC, PSPs, QSAs and merchants/retailers. The ultimate aim is that developments in P2PE should deliver a strong, flexible, future-proof and market-empathetic solution.
In the meantime we wait to see a QSA-certified PCI P2PE solution in deployment.
