Do Merchants Need P2PE?

October 2nd, 2012

Let me be clear. A package that permits merchant access to the decryption key may very well be PCI compliant. My point is that the data is in scope if there is any circumstance whereby the merchant can gain access to the ability to decrypt the data. Therefore, an ISA or QSA must look at the details of any contract or service-level agreement, which may be the most important element in determining whether the encrypted data is assessed to be in scope.

Yes, I know I might be a hard grader, but that is what I believe the PCI Council intended when it clarified the FAQ. As I started to explore the implications of this process, I wondered if this clarification could open the door for merchants, service providers and acquirers to get encrypted data out of scope without a P2PE-approved approach in some cases.

The P2PE requirements are extensive, and meeting them requires a significant investment by POI device manufacturers, software developers and the technology providers. For example, version 1.1 of the P2PE Program Guide runs to 210 pages, including six domains and detailed specifications for both product providers and merchants. The sales pitch for the merchant is significantly reducing their PCI scope, together with a new, shortened Self-Assessment Questionnaire (SAQ P2PE-HW).

But what happens to this sales pitch when the merchant can achieve virtually the same scope reduction with less work using an encryption product already on the market?

Merchants already can choose from a variety of encrypting card readers, some of which are offered by their acquirer. If the vendor implements these devices securely, and if the merchant performs appropriate due diligence on the software and the implementation (Note: this due diligence is critical!), the acquirer and the merchant’s QSA may agree that the package reduces the merchant’s PCI scope, perhaps as effectively as a P2PE-approved approach. That is, the encrypted data traversing the merchant’s network and systems could be deemed out of PCI scope based on good research and a solid service-level agreement.

This approach will not work for all merchants—e.g., those using mobile devices or E-Commerce merchants. It could work, though, for many retailers and their card-present environments.

I do not want to underestimate one big advantage of a P2PE-approved approach: The PCI Council (and a P2PE QSA) has already performed the due diligence. I want to call everyone’s attention to the value of a P2PE label, because encryption and key management are complicated topics that call for a level of expertise most merchants do not have. As I noted above, even with a P2PE-approved approach, merchants still need to perform a host of actions. But they will be certain they have reduced their PCI scope effectively. Nevertheless, the question for merchants will be whether the additional cost of a P2PE approach (including implementation and maintenance of the approved software) delivers greater benefit than an encryption package already in the market.

Naturally, there are questions and some uncertainties. For example, the PCI Council just revised the FAQ addressing when encrypted cardholder data may be deemed out of scope. Could it go back and revise that FAQ again? Yes. Could the Council revise the FAQ to say that encrypted data is out of scope only with certain POI devices or only as part of a P2PE-approved approach? Yes, again, in both cases. Therefore, basing your scoping plans on a current FAQ entails a certain risk.

A wild card in this mix is the acquirer. An acquirer could tell a merchant it can reduce its PCI scope if it uses the acquirer’s encrypting POS device. Some acquirers may be willing to take that risk. Based on my experience at several merchants, some acquirers already are making the case that their proprietary encrypting card readers reduce a merchant’s scope. An acquirer could take this position not just to reduce risk but to build merchant loyalty.

Could we have the Law of Unintended Consequences (which holds that no good act, such as clarifying the FAQ, goes unpunished) at work with the revised FAQ? That is, by clarifying and tightening the guidelines for when encrypted data is out of scope, might the PCI Council have inadvertently provided an alternative that will reduce merchants’ demand for P2PE-approved packages?

We will know more when the first P2PE applications are approved and merchants see the price tag (including internal resources for implementation). Until then, I’d like to hear what you think. Has your organization looked at either encrypting card readers or P2PE approaches? Did a sales person describe his or her company’s encrypting POS device as “point-to-point” or “end-to-end” encryption? Either leave a comment or E-mail me.
