Need for Payment Cardholder Data Protection
There were 2,216 confirmed data breaches in 2018, and 76% of them were financially motivated. Cybercriminals are becoming more sophisticated, and data breach preparedness among companies is at an all-time high. 324 of those breaches involved stealing credit card data at the Point of Sale (POS), where card-present retail transactions are conducted, and 414 credit card data breaches targeted payment web applications.
There is one common security weakness behind these cardholder data breaches at the POS and within web applications: cardholder data is handled in clear text instead of being encrypted at the point where it is captured.
PCI Point to Point Data Encryption (P2PE) to the rescue!
Better Security and Easier Compliance:
Merchants who accept payment cards for goods and/or services should consider deploying a PCI-validated Point-to-Point Encryption (P2PE) solution. Doing so not only protects payment card data from breaches and other threats but also saves time and money on overall PCI DSS (PCI Data Security Standard) compliance efforts. Among the available controls, P2PE has one of the highest impacts on data security and fraud reduction: it renders account data unreadable without the decryption key, so the data has no value to criminals even if it is stolen in a breach.
You can read more about PCI DSS here.
What is Encryption and Decryption?
Encryption is one of the most effective means of protecting the confidentiality of data. Encryption is the process of transforming plaintext into ciphertext, an unintelligible form, using a secret key. Decryption is the reverse process: recovering the original plaintext from the ciphertext using the corresponding decryption key. In an encrypted communication, the sender transmits the ciphertext to the intended recipient, and only a recipient who holds the decryption key can recover the data. Note that encryption by itself does not guarantee integrity; detecting tampering requires an authentication mechanism such as a MAC or an authenticated-encryption mode. The value of the scheme also depends on where the decryption key lives: systems that merely transport the ciphertext must never hold it.
What is PCI Point-to-Point Encryption (P2PE)?
The PCI Point-to-Point Encryption (P2PE) Standard contains detailed security requirements and testing procedures for application vendors and service providers of P2PE solutions, to ensure that their solutions meet the requirements for protecting payment card account data, whether from a credit or a debit card.
What is PCI Point-to-Point Encryption (P2PE) Solution?
PCI-validated P2PE solutions are lab-tested encryption products whose solution providers take responsibility for protecting account data from the point of capture until it reaches the provider's decryption environment, so the merchant does not have to secure that data itself while it travels between the store and the bank.
A point-to-point encryption (P2PE) solution cryptographically protects account data from the point where a merchant accepts the payment card to the secure point of decryption.
A PCI-validated point-to-point encryption (P2PE) solution is provided by a third-party solution provider and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider's secure decryption environment. Intelligible payment cardholder data never actually enters the point-of-sale system or the merchant's cardholder data environment (CDE). Without such a solution, clear-text account data does reach the POS, and every system component that stores, processes or transmits it becomes part of the CDE and must be protected under the full PCI DSS, encryption included.
These P2PE solutions are assessed by a PCI-qualified P2PE Assessor, a qualified security assessor certified to validate a P2PE solution against the PCI P2PE Standard. Once validated, a P2PE solution is listed on the PCI SSC website under approved P2PE Solutions.
What is a P2PE Solution Provider?
A P2PE solution provider is an entity, usually a third-party such as a processor, acquirer (merchant bank), or payment gateway, that designs, implements, and manages the P2PE solution. The solution provider may outsource certain responsibilities, but will always retain overall responsibility for the P2PE solution.
The solution provider has overall responsibility for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on behalf of the solution provider (for example, certification authorities and key-injection facilities).
What makes a PCI P2PE Solution?
A P2PE solution consists of the point-to-point encryption and decryption environments, their configuration and design, and any P2PE components used with these environments.
P2PE solutions typically consist of secure encryption devices at the merchant premises, validated applications on the Point-of-Interaction (POI) device, and secure decryption and encryption key management in the solution provider’s environment.
Account data is always entered directly into a PCI PTS-approved POI device with secure reading and exchange of data (SRED) enabled, so the data is encrypted inside the device before it reaches any merchant system. This minimizes exposure of clear-text account data and protects against point-of-sale attacks such as memory-scraping malware, which harvests card numbers from POS process memory.
The data decryption component of the P2PE solution operates within a secure environment that has been assessed and validated against PCI DSS standards.
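To make the scoping argument concrete, here is an added example written for this page; it is not code from the PCI SSC, any P2PE solution provider or any POI vendor. It pushes one transaction through two designs: a legacy POS that holds clear-text track data in memory, and a P2PE flow in which a simulated SRED device encrypts the track before handing it to the POS, with decryption possible only in the simulated solution provider environment. A crude memory scraper (a 13-19 digit search plus a Luhn check, the way real POS malware hunts for PANs) is then run over each POS memory buffer. Everything below is an assumption of the example rather than a statement about the standard: AES-256-GCM with a single static key shared by the device and the provider stands in for the real solution's key-management and key-injection processes; the track-2 layout, the order ID and the amount are constructed; and 4111111111111111 is a publicly published test PAN, not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
	"regexp"
)

// Constructed sample data: 4111111111111111 is a widely published test PAN,
// not a real card; the expiry, service code and order ID are invented.
const sampleTrack2 = "4111111111111111=2512101?"
const orderID = "1234567890123456" // PAN-shaped, but fails the Luhn check
// The crude digit-run search that memory-scraping malware runs over POS memory.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid is the check scrapers use to drop non-PAN digit runs.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0') // the regexp guarantees ASCII digits
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// scrapePANs mimics a memory scraper: every Luhn-valid 13-19 digit run is a hit.
func scrapePANs(memory []byte) []string {
	var found []string
	for _, m := range panPattern.FindAll(memory, -1) {
		if luhnValid(string(m)) {
			found = append(found, string(m))
		}
	}
	return found
}

// poiEncrypt stands in for the SRED-enabled POI device: track data is encrypted
// at the point of swipe. Output layout: nonce || ciphertext || GCM tag.
func poiEncrypt(gcm cipher.AEAD, track2 string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(track2), nil), nil
}

// providerDecrypt stands in for the solution provider's decryption environment,
// the only party holding the key. A modified blob fails the GCM tag check.
func providerDecrypt(gcm cipher.AEAD, blob []byte) (string, error) {
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// merchantMemory is what the POS holds for one sale: order ID, amount and the
// card field it was handed (clear track data on a legacy POS, ciphertext on P2PE).
func merchantMemory(cardField []byte) []byte {
	return append([]byte("ORDER="+orderID+";AMT=1999;CARD="), cardField...)
}

// run returns what a scraper harvests from each POS, plus what the provider
// recovers. Assumption: one static AES-256 key shared by POI and provider,
// standing in for the solution provider's real key-management processes.
func run() (legacyLeak, p2peLeak []string, recovered string, err error) {
	key := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, "", err
	}
	blob, err := poiEncrypt(gcm, sampleTrack2)
	if err != nil {
		return nil, nil, "", err
	}
	if recovered, err = providerDecrypt(gcm, blob); err != nil {
		return nil, nil, "", err
	}
	legacyLeak = scrapePANs(merchantMemory([]byte(sampleTrack2)))
	p2peLeak = scrapePANs(merchantMemory(blob))
	return legacyLeak, p2peLeak, recovered, nil
}
```

Calling run() yields the test PAN harvested from the legacy buffer, nothing from the P2PE buffer, and the original track data recovered on the provider side; the order ID is found by the digit search in both cases but discarded by the Luhn check, which is exactly how scrapers separate card numbers from other long numbers. Flipping any byte of the ciphertext makes providerDecrypt fail the tag check rather than release corrupted plaintext. The property SAQ P2PE relies on is visible in merchantMemory: the P2PE POS never holds anything a scraper can use, because the only key that can turn the blob back into account data sits in the provider's decryption environment.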
A list of current P2PE solutions may be viewed at any time on the PCI website.
PCI DSS Compliance with P2PE and Merchant Benefits
While use of a validated, listed P2PE solution can help to reduce the scope of a merchant’s cardholder data environment, it does not remove the need for PCI DSS in the merchant environment. The merchant environment remains in scope for PCI DSS because cardholder data is always present within the merchant environment. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction, and may also have paper reports or receipts with cardholder data. As another example, in card-not-present environments (such as mail-order or telephone-order), payment card details are provided via other channels that need to be evaluated and protected according to PCI DSS.
Merchants using PCI-validated P2PE solutions have fewer applicable PCI DSS requirements, which simplifies the compliance process: P2PE reduces where and how PCI DSS requirements apply to your business.
Since merchant systems cannot access the cardholder data once it has been properly encrypted, P2PE reduces the number of networks and systems within the scope of the PCI DSS assessment. This saves time and money on overall compliance efforts without sacrificing the security of your customers' data. How does encrypted cardholder data affect PCI DSS scope? Check out our related post to learn more.
A P2PE solution is just one piece of PCI compliance. Merchants must still meet the remaining PCI DSS requirements, whose key themes include education and awareness, increased flexibility in how controls are met, and security as a shared responsibility.
CARD BRAND PROGRAMS
Visa Technology Innovation Program (TIP)
Merchants who accept at least 75% of their transactions through a PCI-validated P2PE solution may qualify, by applying through their acquirer, for the Visa TIP program, which allows approved merchants to discontinue the annual assessment process for revalidating PCI DSS compliance. While available to merchants of any size, this program is especially valuable for high-volume or geographically dispersed merchants who would otherwise undergo a more strenuous and costly assessment process.
Visa Secure Acceptance Incentive Program
This program incentivizes acquirers by providing safe harbor from fees in the event of a compromise for Level 3 and Level 4 card-present merchants who use a PCI-validated P2PE solution. There is no application process, although a merchant should still strive for full PCI DSS compliance and keep documentation showing that 100% of transactions were accepted via a listed solution.
PCI DSS Self Assessment Questionnaire (PCI DSS SAQ)
The PCI DSS Self-Assessment Questionnaire is a set of yes-or-no questions about the merchant's card acceptance and processing environment. It is used to identify your risk level and assess your compliance with the PCI DSS requirements recognized by all card brands, covering your cardholder data policies, procedures, administrative controls, access controls, and physical security measures.
Merchants who use a validated P2PE solution and keep that environment segmented from any card data from other channels (e.g., e-commerce transactions) are eligible to complete SAQ P2PE, the self-assessment questionnaire recognized and accepted by all acquirers. SAQ P2PE covers only 26 PCI DSS requirements, compared to over 200 in the full standard.
Who can use SAQ P2PE?
Merchants wishing to use SAQ P2PE must meet payment brand requirements for using an SAQ, and must also confirm that:
- All payment processing is via a validated PCI P2PE solution approved and listed by the PCI SSC
- The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution
- The merchant does not otherwise receive or transmit cardholder data electronically
- There is no legacy storage of electronic cardholder data in the environment
- Any cardholder data the merchant retains is on paper (for example, printed reports or receipts), and these documents are not received electronically
- The merchant has implemented all security controls in the P2PE Instruction Manual (PIM) provided by the P2PE solution provider.
SAQ P2PE is not applicable to e-commerce channels.
SAQ P2PE merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants. For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if it receives cardholder data on paper or over the telephone and keys it directly, and only, into a P2PE-validated hardware device. Read more in our related blog about protecting telephone-based payment card data.
Remember: Cardholder Data: If you don’t need it, don’t store it!