Do Merchants Need P2PE?
Written by Walter Conway. A 403 Labs QSA and PCI columnist, Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Point-to-point encryption (P2PE) is a technology that promises to reduce a merchant’s PCI scope significantly. Ideally, with an approved P2PE product, a merchant’s only PCI scope will be the point-of-interaction (POI) device itself. But do merchants really need to wait for a P2PE-approved package to get the benefits?
The answer to that question, in some cases, might be: “No.” Based on the PCI Security Standards Council’s revised guidance on when encrypted cardholder data may be considered out of scope, existing vendor offerings might already bring some merchants the same benefits with less work and without waiting—and paying—for the first P2PE products to hit the market. Achieving this scope reduction won’t be easy, and I don’t have all the answers. However, I do have some questions that are worth considering.
Before merchants conclude that any product is for them, they need to address several issues.
Let’s start with the encrypted data. The PCI Council clarified a long-standing frequently asked question (FAQ) response that addressed the conditions under which encrypted cardholder data may be considered out of PCI scope. That FAQ (number 10359) stated encrypted cardholder data was always in the merchant’s or service provider’s scope unless that merchant or service provider did not have the means to decrypt the data.
The PCI Council revised that FAQ in August, with many merchants and assessors seeing the new one for the first time at the recent PCI Community Meeting. (Yet another reason, if you are reading this column, you should become a Participating Organization and attend the annual PCI “Woodstock.”) The revised FAQ still states that encrypted cardholder data is in scope with the following exception: “It is possible that encrypted data may be deemed out of scope for a particular entity if and only if [PCI Council’s emphasis] it is validated that the entity in possession of the encrypted data does not have the ability to decrypt it.”
The revised FAQ goes on to specify the three conditions that must now all be met to conclude that the encrypted data is out of scope: the encrypted cardholder data must not be stored on the same system or media as the decryption key; the encrypted data must not be in the same environment as the decryption key; and the merchant must have no ability to access the decryption key. This third condition is the most important.
On a side note, I noticed the new FAQ removes the requirement that the service provider managing the encrypted data must be PCI DSS compliant. The original FAQ declared that “service providers or vendors that provide encryption (products) to merchants who have administrative access and controls to Keys along with the management of termination points for encryption to process transactions, are required to demonstrate physical and logical controls to protect cryptographic keys in accordance with industry best practices (such as NIST referenced in PCI DSS requirement 3.6), along with full compliance with PCI DSS.” The original FAQ reinforced this requirement in the next sentence: “Merchants should ensure their providers who provide key management services and/or act as the point of encryption/decryption are in compliance with PCI DSS.” Speaking as a QSA, I must remind everyone that just because that requirement is no longer spelled out in the revised FAQ, merchants must not assume they do not need the same due diligence as before to confirm their encryption implementation will remove the data from scope.
The clarification is good news for merchants and assessors alike. It bases the scoping decision on who can access the decryption key and under what circumstances. The key word here is access.
Every Internal Security Assessor (ISA) and QSA knows to consider the intent, as well as the letter, of all PCI DSS requirements. To this QSA, the phrase “no ability to access” means exactly what it says. Therefore, to consider encrypted cardholder data out of scope, the merchant must never—and I mean never—be able to gain either possession of the decryption keys or access to the decryption environment.
For example, if the decryption key is in the merchant’s datacenter, the data is in scope. If a third party manages the process and the encryption environment (hardware or software), but it is in the merchant’s datacenter or the merchant can access that environment remotely, the data is in scope. And if the whole encryption process is outsourced but the vendor contract gives the merchant access to the decryption key in specified circumstances (e.g., if the vendor goes out of business), I would still assess the data to be in the merchant’s scope.