Point-to-Point Encryption in focus: what retailers need to know

In the first of a series of Q&As with international director at PCI Security Standards Council Jeremy King, Essential Retail gets the lowdown on Point-to-Point Encryption (P2PE), how it works and general PCI compliance concerns for the retail industry.

ER: Why Point-to-Point Encryption? How does it work to protect data in a retail environment?

JK: There are lots of points where card data can be exposed as it travels through a retailer's systems and networks. We've seen how hackers use malware and other techniques to steal this data and sell it for use in card-not-present and online fraud. Point-to-Point Encryption (P2PE) scrambles card data from the moment it enters your system all the way through the transaction cycle. This means it's unreadable and useless to anyone without the proper key to decrypt it. So it secures the original data, and if it is stolen in transit, makes it really difficult for criminals to do anything with it. This would have significantly devalued the cardholder data stolen in compromises we've seen in recent months.

ER: What are the benefits of P2PE over other technologies or approaches?

JK: The major advantage of today's P2PE is that it provides the strongest protections available for your customer data, so at any point during the transaction process, it's locked up. When used alongside EMV chip at the physical point-of-sale, and tokenisation for protecting stored data, you have the best protection for your customers' data, and you can simplify your PCI Data Security Standard compliance efforts.

How does it work? Without getting too technical, a PCI-approved P2PE solution includes a PCI-approved payment terminal that encrypts the account data at the initial point of interaction. This means account data is protected using strong encryption through to the secure decryption environment, devaluing the data for attackers and potentially significantly reducing the PCI DSS scope and compliance efforts.

ER: You mentioned PCI DSS compliance. Retailers often struggle with meeting PCI DSS requirements, and balancing the cost and benefit. How does P2PE help with this?

JK: PCI DSS says that any point where payment card data is handled must be secured. Depending on the size of your retail operation, this can be significant. PCI P2PE solutions protect account data from the point where the merchant accepts the payment card, and so reduce where and how PCI DSS requirements apply to your business. This makes the compliance process easier and can help you save time and money, but without sacrificing the security of your customers' data.

ER: What tips do you have for retailers considering P2PE?

JK: Before actually implementing a P2PE solution, the first step is properly identifying the cardholder data environment in your merchant environment. The ultimate goal of this technology is to minimise exposure of your data, so to do this, you have to be absolutely sure you understand all the places card data enters and flows within your systems.

When it comes to selecting a P2PE solution and provider, remember: to get the security, PCI DSS compliance and business benefits of P2PE, make sure you are using a PCI-validated P2PE solution. These products and providers, tested by our trained P2PE assessors against a peer-reviewed and publicly available standard, guarantee the strongest encryption protections for your business. Talk to your acquirer or payment service provider about which PCI Point-to-Point Encryption solution and provider is right for your business.

We have recently released Version 2.0 of our P2PE standard; this new version gives more flexibility in the assessment process, which we expect to lead to more solutions being validated. It also introduces a new option for larger merchants who wish to implement and maintain their own P2PE solution.
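The two answers above describe the mechanism (account data encrypted in the terminal at the point of interaction, readable only in the solution's secure decryption environment) and the prerequisite (knowing every place card data flows before scoping). The Go program below is an added illustration of both and is not code from the Council, from Essential Retail, or from any validated P2PE solution. It assumes AES-256-GCM as a stand-in for whatever cipher and key management a real solution uses, a single key shared between a device and the decryption environment (real solutions use hardware key injection and per-transaction key schemes), and constructed values throughout: the device ID `POI-0001`, the widely used test PAN 4111111111111111, and the amounts. The `ContainsPAN` check is the kind of search a scoping exercise runs over logs and data stores to find card-number-shaped data that should not be there.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Terminal stands in for a PCI-approved point-of-interaction device: the only
// merchant-side component that sees account data in the clear or holds a key.
type Terminal struct {
	DeviceID string
	aead     cipher.AEAD
}

// EncryptedRecord is all that POS software, store network, back office and logs
// ever handle between the terminal and the decryption environment.
type EncryptedRecord struct {
	DeviceID   string
	Amount     string // business data the merchant legitimately needs in the clear
	Nonce      []byte
	Ciphertext []byte // AES-GCM output for "PAN|expiry", tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key => AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewTerminal models key injection into the device (assumption: one static key).
func NewTerminal(id string, key []byte) (*Terminal, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Terminal{DeviceID: id, aead: aead}, nil
}

// Capture encrypts account data the moment it enters the system. Device ID and
// amount are bound as associated data: readable for routing, but any change to
// them is detected at decryption.
func (t *Terminal) Capture(pan, expiry, amount string) (EncryptedRecord, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	aad := []byte(t.DeviceID + "|" + amount)
	ct := t.aead.Seal(nil, nonce, []byte(pan+"|"+expiry), aad)
	return EncryptedRecord{DeviceID: t.DeviceID, Amount: amount, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptionEnvironment stands in for the provider's secure decryption
// environment: apart from the terminals, the only place keys exist.
type DecryptionEnvironment struct{ keys map[string]cipher.AEAD }

func NewDecryptionEnvironment() *DecryptionEnvironment {
	return &DecryptionEnvironment{keys: map[string]cipher.AEAD{}}
}

// Register ties a device ID to its key.
func (d *DecryptionEnvironment) Register(deviceID string, key []byte) error {
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	d.keys[deviceID] = aead
	return nil
}

// Decrypt returns "PAN|expiry", or an error for an unknown device or a record
// altered anywhere between terminal and decryption environment.
func (d *DecryptionEnvironment) Decrypt(rec EncryptedRecord) (string, error) {
	aead, ok := d.keys[rec.DeviceID]
	if !ok {
		return "", errors.New("unknown device: " + rec.DeviceID)
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.DeviceID+"|"+rec.Amount))
	if err != nil {
		return "", fmt.Errorf("record rejected: %w", err)
	}
	return string(pt), nil
}

// MerchantView is the record exactly as a merchant system would log or forward it.
func MerchantView(rec EncryptedRecord) string {
	blob := append(append([]byte{}, rec.Nonce...), rec.Ciphertext...)
	return fmt.Sprintf("device=%s amount=%s data=%s", rec.DeviceID, rec.Amount,
		base64.StdEncoding.EncodeToString(blob))
}

var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// ContainsPAN reports whether text holds a 13-19 digit run that passes the Luhn
// check, the usual first filter when hunting for card data during scoping.
func ContainsPAN(text string) bool {
	for _, run := range digitRun.FindAllString(text, -1) {
		if luhnValid(run) {
			return true
		}
	}
	return false
}

func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed key for the demo run
	term, _ := NewTerminal("POI-0001", key)
	de := NewDecryptionEnvironment()
	de.Register("POI-0001", key)
	rec, _ := term.Capture("4111111111111111", "12/29", "19.99") // constructed test PAN
	view := MerchantView(rec)
	fmt.Println(view, "| PAN visible to merchant systems:", ContainsPAN(view))
	pt, err := de.Decrypt(rec)
	fmt.Println("decryption environment recovers:", pt, err)
	rec.Amount = "1.99" // someone in the middle edits the amount
	_, err = de.Decrypt(rec)
	fmt.Println("after tampering:", err)
}
```

The point of `MerchantView` plus `ContainsPAN` is the scope argument in the interview: if the only thing the merchant's systems can store or log is the authenticated ciphertext, a search for card-number-shaped data across those systems comes back empty, which is what lets an assessor treat them as outside the environment that handles account data.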

ER: Do you expect adoption to increase? What are you doing to help retailers take advantage of P2PE technology?

JK: Absolutely. In Europe P2PE is seen as a major step forward for protecting cardholder data and simplifying PCI DSS. Most of the early PCI-approved P2PE solutions came out of Europe, and many merchants are now either installing or looking to install P2PE solutions. The P2PE V2.0 standard significantly helps in this process. Helping drive continued merchant awareness and adoption of PCI P2PE solutions will be a key focus area for industry leaders at our upcoming Europe Community Meeting in Nice, France. In the US, we are encouraging merchants to get the most out of their investment to support EMV chip migration by upgrading to version 3.1 or higher from the Council's certified payment device listing, which also supports P2PE.
