PCI P2PE unencrypted: what you need to know about encryption
Encryption is a hot topic in payments today. But it’s not an entirely new concept. Human beings have been using forms of cryptography to protect sensitive information for thousands of years. While today’s payment encryption technology, particularly point-to-point encryption, is a far cry from earlier rudimentary methods of securing information, the end goal remains the same: render sensitive data useless to anyone who steals it.
One of the most common misconceptions about encryption is that it is the be-all and end-all for protecting cardholder data—that having an encryption solution in place is enough to protect a business from data theft. The fact is that criminals continue to find ways to breach merchant systems and access account data.
Credit card security and fraud protection is a complex and detailed discipline that requires dedication and focus beyond encryption technology. The type of encryption, where the encryption happens, and how the encryption keys are managed all determine how effective a particular solution is. (An encryption key is the secret value an encryption algorithm uses to transform data; in the symmetric schemes used for card data the same key encrypts and decrypts, so whoever holds the key can read the data. Keys must be generated with strong randomness so that each is unpredictable and unique, and they must be protected for as long as they are in use.)
Good technologies that are implemented poorly result in a false sense of security. An effective encryption solution not only relies on encryption keys, but also secure device requirements; key management that is in line with security requirements and best practices; properly implemented, trusted applications; and device deployment operations.
Why encrypt credit card data?
There are two main reasons for a merchant to implement a payment solution that includes encryption:
- To reduce the risk and impact of cardholder data theft
- To reduce the scope of PCI compliance
Although there are many encrypted payment solutions available, they are not all the same. The two most common options for small and medium-sized businesses are non-validated encryption and PCI P2PE. Let’s take a look.
Non-validated encryption solution
A non-validated encryption solution is “risk reducing” against attackers, but it does not reduce the merchant’s scope of PCI compliance. This is because, although data is encrypted, the hardware the solution runs on is not a PCI PTS-approved secure device, and the handling of encryption keys has not been shown to follow security best practices and standards. In practice this means the merchant, or an attacker who compromises the merchant’s systems, could potentially gain access to the encryption keys, and with them to clear cardholder data.
One of the reasons smaller merchants often go this route is that non-validated solutions offer the most flexibility in choice of credit card hardware and payment applications. They can also be less expensive than PCI P2PE solutions. But more often than not, a merchant is simply unaware that their payment solution uses non-validated encryption in the first place. Plain mag stripe readers, ROAM readers, Square dongles and keyboard-emulating readers are common examples of non-validated solutions.
PCI Point-to-Point Encryption (PCI P2PE)
A PCI P2PE solution has been assessed against the PCI P2PE standard and listed by the PCI Security Standards Council, and it offers the most benefits for most SMBs. With PCI P2PE, the solution provider bears the responsibility for adhering to a full range of PCI mandates, including secure hardware and application management; the encryption scheme; the decryption environment; and encryption key management, including the key injection facility.
Although the merchant still has to adhere to a required set of PCI mandates, their scope of compliance is much smaller with a PCI P2PE solution. Merchants using a PCI P2PE solution qualify for the PCI DSS Self-Assessment Questionnaire (SAQ) P2PE, which is significantly shorter than the other SAQs, and they benefit from the confidence that the solution they are using has been validated against the standard rather than merely asserted to be secure.
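The difference between the two sections above comes down to where the clear card number exists and who holds the key. The following script is an added example, not code from the original article or from any P2PE solution provider: it models a terminal whose key is loaded by a key injection facility and shared only with the provider’s decryption environment, so the merchant’s POS only ever stores ciphertext plus a masked PAN, and it shows the contrast with a design where the POS software itself holds the key. The cipher is a deliberately simple HMAC-SHA256 keystream-plus-tag construction so the script runs with the standard library alone; a real P2PE solution uses PTS-approved hardware, standardised key management and an HSM-based decryption environment. All class names, identifiers and the sample PAN are constructed for the demonstration.

```python
"""Toy model of where card data is encrypted and who can decrypt it.

Added example only. The toy cipher below stands in for the real
encryption a PTS-approved device performs; do not reuse it in production.
"""
import hashlib
import hmac
import json
import os


def _derive(master: bytes, label: bytes) -> bytes:
    # Domain-separate an encryption key and a MAC key from one injected key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF-based keystream (toy construction).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> dict:
    k_enc, k_mac = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def toy_decrypt(key: bytes, rec: dict) -> bytes:
    k_enc, k_mac = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct = bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["ct"])
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
        raise ValueError("tag mismatch: record tampered with or wrong key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


def mask_pan(pan: str) -> str:
    # Only the first six and last four digits may be kept in the clear.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class Terminal:
    """Stands in for the PTS-approved device: the only place in the store
    where the clear PAN exists, and it leaves already encrypted."""

    def __init__(self, terminal_id: str, injected_key: bytes):
        self.terminal_id = terminal_id
        self._key = injected_key  # lives only inside the (hypothetical) secure device

    def read_card(self, pan: str) -> dict:
        rec = toy_encrypt(self._key, pan.encode())
        rec.update(terminal_id=self.terminal_id, masked_pan=mask_pan(pan))
        return rec


class DecryptionEnvironment:
    """Stands in for the provider's HSM-backed decryption environment."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}

    def register(self, terminal_id: str, key: bytes) -> None:
        self._keys[terminal_id] = key

    def decrypt(self, rec: dict) -> str:
        return toy_decrypt(self._keys[rec["terminal_id"]], rec).decode()


def key_injection(terminal_id: str, env: DecryptionEnvironment) -> Terminal:
    # The key injection facility loads the same key into the device and the
    # decryption environment; the merchant never receives it.
    key = os.urandom(32)
    env.register(terminal_id, key)
    return Terminal(terminal_id, key)


def merchant_pos_record(rec: dict) -> str:
    # Everything the merchant's POS and back office store and forward.
    return json.dumps(rec, sort_keys=True)


def non_validated_pos_breach(rec: dict, pos_held_key: bytes) -> str:
    # In a non-validated design the POS software holds the key, so scraping
    # the POS yields both the ciphertext and the means to decrypt it.
    return toy_decrypt(pos_held_key, rec).decode()


def run_demo(pan: str = "4111111111111111") -> dict:  # constructed test PAN
    env = DecryptionEnvironment()
    term = key_injection("T-0001", env)
    rec = term.read_card(pan)
    pos_data = merchant_pos_record(rec)
    return {
        "pos_sees_pan": pan in pos_data,      # False: merchant holds ciphertext only
        "masked": rec["masked_pan"],          # what the receipt/back office shows
        "provider_pan": env.decrypt(rec),     # recovered only where the key lives
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the script shows the merchant’s stored record contains only the masked PAN and ciphertext, while the decryption environment recovers the full PAN. `non_validated_pos_breach` makes the contrast explicit: hand the same record to a POS that holds the key and the PAN falls out, which is exactly why such a design reduces risk against outsiders but leaves the merchant systems in scope.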
While PCI P2PE provides merchants with risk reduction, PCI scope reduction, and even a shortened SAQ, it is also more restrictive than other solutions. Merchants must use the devices, payment application, encryption configuration and key injection facilities exactly as they were validated. Otherwise, they lose the benefit of the SAQ P2PE.
In addition, they must accept the merchant P2PE implementation responsibilities set out in the solution’s P2PE Instruction Manual in order to be eligible for the SAQ P2PE. This includes implementing device management policies, inspecting devices for tampering or substitution, and keeping them secure when not in use.
Due to the complexities and restrictions of PCI P2PE and the associated validations, there are only a handful of P2PE solution providers. The list of providers is expected to expand, however, as the standard is revised to encourage broader adoption among solution providers.
Questions to ask
When evaluating your options for payment solutions that use encryption, here are a few questions to ask yourself:
- Do you have the time and resources to maintain a P2PE-compliant environment? If you are not prepared to carry out regular device inspections and complete the associated checklists, PCI P2PE may not be the right way to go.
- Are you able to get the hardware you want and work with your preferred processor? Not all devices are part of a validated P2PE solution, but more options are becoming available.
- What is your budget? Cost can be a consideration, since a PCI P2PE device is generally more expensive than a non-validated device. But these costs can be offset by the reduction in compliance scope and in risk.
Although it is impossible to remove all risk from any payment processing environment, implementing secure processing technologies like PCI P2PE offers greater protection and ease of meeting compliance mandates. To learn more, check out these steps to more secure payment solutions.