Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Essential Retail Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Comment: Solving the riddle of point-to-point encryption in retail

Encryption is now a technology that has very immediate relevance to every point of sale in high streets and retail parks up and down the UK.

Its use in payment security means it is a technology no longer confined to spies or restricted to high-profile rows between the FBI and Apple about data on a murder suspect's smartphone.

The increased emphasis on data security is being pushed by the Payment Card Industry Data Security Standards Council and its ever-evolving, industry-wide set of requirements – the Payment Card Industry Data Security Standards (PCI-DSS).

These standards, now in version 3.2, have been progressively enhanced over the past ten years, increasing security for the devices and applications that handle, transmit and store the highly-sensitive payment card data that hackers and fraudsters would love to steal.

The adoption of PCI-DSS practices should be a high priority for retailers. A non-compliant retailer that loses customer card data will run the very real risk of incurring fines from payment card schemes, liability for any financial losses and operational costs associated with replacing accounts.

In addition, retailers should consider that the requirement for protection of personal payment data will become even more stringent once the European Union' General Data Protection Regulation is fully implemented in 2018, inflicting stiffer penalties and creating greater security expectations from consumers.

With this in mind, Point to Point encryption (P2PE) should be a consideration for retailers. Here are some handy tips on how they should approach payment data encryption. It is not as daunting as it may at first appear, but its successful implementation does require care.

The advantages of encryption

One of the great advantages of compliance with PCI P2PE is that it simplifies what else a retailer has to achieve for full PCI-DSS accreditation.

The PCI encryption technology scrambles card data at the point when the card is inserted into the PIN entry device (PED), meaning the information is encrypted even before transmission to the payment service provider.

By adopting the PCI's P2PE standard, many of the responsibilities for PCI-DSS accreditation are transferred to the service or payment solution provider, delivering major savings in time and expense for the retailer. The scope of PCI paperwork that the retailer has to submit for approval by a Qualified Security Assessor is slashed from more than 60 pages of requirements to about 14.

Avoid dodgy solutions

Even so, when retailers embark on P2PE is all too easy to get caught up in a costly tangle of time-consuming red tape. Worst of all, they can end up with failed 'concepts' from providers who are not qualified that require expensive re-auditing and may even allow their customers to become victims of data-theft. 

Ensuring a quick, fully operational and wholly compliant implementation of P2PE that does not bust the budget takes special expertise.

Use an accredited provider

Engaging an in-store hardware support provider that is fully accredited to implement P2PE will eradicate the risk, pain and cost that would otherwise be incurred by the retailer itself.

This means only a single organisation is involved and dramatically reduces the scope of the work the retailer will have to undertake to demonstrate compliance, eliminating the need for the assessments otherwise necessary.

A hardware support provider with accreditation has a process for P2PE implementation that is already certified to PCI standards. This fits into the requirements of any payment solution provider and the all-important P2PE Instruction Manual (PIM) document which it supplies to the retailer.

Ensure the security of devices

Without such support, the retailer will have to engage its payment service provider to take care of the very strict requirements for the handling of PEDs. The deployment of these devices and their servicing are often the weak-points when ensuring system compliance.

From the point of dispatch from the manufacturer, these devices have to be securely stored in locations that have been visited and fully-approved by PCI-qualified security assessors.

Then the devices must be logged and checked for tampering before they are deployed in precise accordance with the regulations, which again, in the absence of a fully-accredited hardware support provider, will require Qualified Security Assessor approval.

Serial number data and locations of these devices have to be accurately tracked throughout their lifecycle and once out of use, they still have to be stored securely to ensure they do not end up back in the system as rogue devices adapted by card-skimming fraudsters.

These requirements mean all parties have to be able to locate each PED at all times. Without an accredited company to oversee all this, it becomes the responsibility of the retailer, who could be audited at any time.

Peace of mind

In truth, although the advantages of P2PE cannot be over-stated, if retailers want to give themselves and their customers full reassurance about the technology, they need to engage a properly accredited support provider. They will not only save a vast amount of time and a lot of money, they will also have considerable peace of mind.

Click below for more information:

Vista Retail Support