Point to Point Encryption: Do you have a Customer Service PCI Scope Problem?
You’ve noticed that Point-to-Point Encryption (P2PE) is currently a hot topic in the payment card industry. That’s both good news and bad news. First the good news:
It means that businesses have attained a certain level of security proficiency in transmitting PAN data to payment card processors, in segregating PAN data, and in storing it. These are the rewards of strenuous efforts to develop and comply with the PCI DSS. Now for the bad news: much more recently, like a pack of jackals, attackers have focused on the next weakest member of the herd, the one on the fringe: card data transiting into the cardholder data environment at the PED (PIN entry device), before it reaches any of the controls built inside that environment. So, what does Point-to-Point Encryption entail? How is security on the fringe assured?
After serious attacks on PIN Entry Devices (PEDs) began a few years ago, the PCI SSC published a guidance document, “The Roadmap,” in October 2010 [i], which was followed in September 2011 by the initial release of the P2PE solution requirements (hardware-based solutions only) [ii]. Both documents make clear that P2PE does not change established security practice: businesses still need to be sure that the fundamental twelve requirements of the PCI DSS [iii] are met. But scope is malleable. Bringing the point of interaction (POI) into scope could be a nightmare. On the other hand, encrypting at the POI could strengthen your security on the fringe, reducing the risk of attack or breach. It could also shrink PCI scope, and limit the relevant PCI DSS requirements to 1, 9, and 12. Wow!
The Roadmap lights a pathway on how P2PE might improve a business’s security posture, and suggests that P2PE does indeed provide a way to reduce the size of the overall compliance effort. As could be expected, the P2PE document mirrors the DSS requirements by including “the people, processes, and technology in place to encrypt and decrypt a transmitted PAN (or sensitive authentication data)”. However, P2PE “must include comprehensive cryptographic and key management systems which limit or prevent the business’s access to ‘plaintext’ of the PAN in transit, processing and storage”. This is a gift: encrypting early, at the POI, creates a broad avenue of opportunity to reduce scope by reconsidering your cardholder data environment and your compliance strategy.
What the Roadmap doesn’t do is help you find the most cost-effective, efficient route towards shrinking the cardholder data environment and reworking your compliance approach. Securing the PAN in an open retail environment by “sheer muscle” can be a very complicated, expensive process. Some larger businesses have spent millions of dollars to rebuild and lock down the retail channel. Others invested similar amounts building a parallel infrastructure to segregate PAN data as required by their assessor. Often, vendor components purchased separately didn’t work well together; successful system integration will be a key success factor in P2PE. None of these approaches is very inviting: expensive to build, expensive to run, and prone to complications. But, if well planned and executed, P2PE doesn’t have to be like that.
So, can we imagine a smarter, PCI DSS compliant, cost-effective, efficient P2PE process, which also shrinks the cardholder data environment (CDE)? Yes!
[i] “Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance,” PCI SSC, October 2010. See https://www.pcisecuritystandards.org/documents/pci_ptp_encryption.pdf