Point-To-Point Encryption Guidance Arrives: Device Testing and Possible Surprises For Early Adopters
Written by Walter Conway
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
The PCI Council on Thursday (Sept. 15) is releasing a guidance document on point-to-point encryption (P2PE). This technology—properly implemented—has the potential to reduce PCI scope greatly, and several retailers have already implemented it. But one issue may have early adopters digging up their vendor agreements: Are they sure their implementations—particularly the encrypting POS devices—will pass the Council’s new Secure Card Reader testing program? Will their vendors replace the POS devices with compliant ones, assuming they can, and what will that cost?
The idea behind P2PE is that an encrypting POS terminal encrypts the cardholder data (the first “point”) immediately as the customer’s card is swiped. A third-party service provider (the second “point,” and often the merchant’s card processor) manages both encryption and key management. The third party is the only one that can access the actual cardholder data. The result is that when P2PE is properly implemented, almost all the merchant’s systems are out of PCI scope, because the merchant has no way to decrypt the data and never has access to the clear-text cardholder data.
To be effective, P2PE relies on a secure hardware device, the encryption software and a PCI-compliant service provider. Today it is difficult for any QSA to assess the hardware and software systems to determine if they are compliant. For example, is the hardware tamper resistant, was the software/firmware securely developed and can the merchant ever access any cardholder data or data from the card’s magnetic stripe? This is the challenge that the PCI Council’s P2PE guidance is designed to address.
Although merchants and QSAs want black-and-white answers, we all need to manage our expectations. As with the Council’s previous tokenization document, the guidance will provide exactly that: guidance. It will have definitions and describe some use cases, but I do not expect it to give blanket endorsement to any technology. And we should not expect to get simple answers to complicated scoping questions.
As I write this, I have no inside knowledge of the details. But at its heart, I expect the most important element will be defining a new process for testing P2PE devices by PTS (PIN Transaction Security) laboratories similar to how PIN-encrypting devices (PEDs) are tested today.
The Council informed QSAs it will soon release a new version of its Point of Interaction Security Requirements that are part of the PCI PTS. Of special note for P2PE fans is that the PCI PTS will now include a new approval class (Secure Card Reader) for testing and approving P2PE devices, even if they do not accept PINs.
September 15th, 2011 at 8:31 am
What is being described in the article appears to be the implementation of a Trust Service Management (TSM) entity meant for peer-to-peer mobile payments, not retailers. But maybe I’m wrong.