Do Merchants Need P2PE?

Written by Walter Conway
October 2nd, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Point-to-point encryption (P2PE) is a technology that promises to reduce a merchant’s PCI scope significantly. Ideally, with an approved P2PE product, a merchant’s only PCI scope will be the point-of-interaction (POI) device itself. But do merchants really need to wait for a P2PE-approved package to get the benefits?

The answer to that question, in some cases, might be: “No.” Instead, based on the PCI Security Standards Council’s revised guidance on when encrypted cardholder data may be considered out of scope, I wonder whether existing vendor offerings could bring some merchants the same benefits with less work and without waiting—and paying—for the first P2PE products to hit the market. Achieving this scope reduction won’t be easy, and I don’t have all the answers. However, I do have some questions that are worth considering.

Before merchants conclude that any product is for them, they need to address several issues.

Let’s start with the encrypted data. The PCI Council clarified a long-standing frequently asked question (FAQ) response that addressed the conditions under which encrypted cardholder data may be considered out of PCI scope. That FAQ (number 10359) stated encrypted cardholder data was always in the merchant’s or service provider’s scope unless that merchant or service provider did not have the means to decrypt the data.

The PCI Council revised that FAQ in August, with many merchants and assessors seeing the new one for the first time at the recent PCI Community Meeting. (Yet another reason, if you are reading this column, you should become a Participating Organization and attend the annual PCI “Woodstock.”) The revised FAQ still states that encrypted cardholder data is in scope with the following exception: “It is possible that encrypted data may be deemed out of scope for a particular entity if and only if [PCI Council’s emphasis] it is validated that the entity in possession of the encrypted data does not have the ability to decrypt it.”

The revised FAQ goes on to specify the three conditions that must now be met to conclude that the data is out of scope. The conditions are: the encrypted cardholder data must not be stored on the same system or media as the decryption key; the encrypted data must not be in the same environment as the decryption key; and the merchant must have no ability to access the decryption key. It is this third condition that is the most important.

On a side note, I noticed the new FAQ removes the requirement that the service provider managing the encrypted data must be PCI DSS compliant. The original FAQ declared that “service providers or vendors that provide encryption (products) to merchants who have administrative access and controls to Keys along with the management of termination points for encryption to process transactions, are required to demonstrate physical and logical controls to protect cryptographic keys in accordance with industry best practices (such as NIST referenced in PCI DSS requirement 3.6), along with full compliance with PCI DSS.” The original FAQ reinforced this requirement in the next sentence: “Merchants should ensure their providers who provide key management services and/or act as the point of encryption/decryption are in compliance with PCI DSS.” Speaking as a QSA, I must remind everyone that just because that requirement is no longer spelled out in the revised FAQ, merchants must not assume they do not need the same due diligence as before to confirm their encryption implementation will remove the data from scope.

The clarification is good news for merchants and assessors alike. It bases the scoping decision on who can access the decryption key and under what circumstances. The key word here is access.

Every Internal Security Assessor (ISA) and QSA knows to consider the intent, as well as the letter, of all PCI DSS requirements. To this QSA, the phrase “no ability to access” means exactly what it says. Therefore, to consider encrypted cardholder data out of scope, the merchant must never—and I mean never—be able to gain either possession of the decryption keys or access to the decryption environment.

For example, if the decryption key is in the merchant’s datacenter, the data is in scope. If a third party manages the process and the encryption environment (hardware or software), but it is in the merchant’s datacenter or the merchant can access that environment remotely, the data is in scope. And if the whole encryption process is outsourced but the vendor contract gives the merchant access to the decryption key in specified circumstances (e.g., if the vendor goes out of business), I would still assess the data to be in the merchant’s scope.

