Point-To-Point Encryption (P2PE) – What’s the Point?


I’ve been reading some recent online posts and recent questions from some of my clients. Despite the information available, people are not clear whether Point-To-Point Encryption (P2PE) is for them and are apprehensive about rolling out P2PE solutions. At the other end, some merchants see it as a “silver bullet” and jump as quickly as possible to implement a P2PE solution without, in my opinion, having clearly understood what it means for them.

This is just a quick post to help you and your business understand what P2PE means for you, and hopefully to help you evaluate the P2PE option for your business. With any change, we need to evaluate the benefits and drawbacks.

How does the PCI-validated P2PE solution benefit me as a merchant?

Remember that you are not mandated to use a P2PE solution. As a merchant, we need to remind ourselves that our objective is working towards and maintaining PCI DSS compliance. In the “As Is” situation, whether you are eligible to complete an SAQ or must undertake a formal assessment, you will have a set of questions/requirements to answer. Depending on your business, you may have constraints (business reasons or technology reasons) that prevent you from satisfying all the PCI DSS requirements directly.

More often, it is simply not cost-effective to meet all those requirements directly, and your business may not have the resources available to maintain PCI DSS compliance. This is where P2PE helps: by using a PCI-validated P2PE solution you have a level of assurance that the cardholder data is protected end-to-end (that is, protected from the terminal all the way to the P2PE solution provider). Weakness lies in people, process and technology; with P2PE the main residual risk is at the endpoint (the terminal) and with people. Most importantly for a merchant, this means that if a P2PE solution is implemented correctly, the network between the terminal and the solution provider is taken “out of scope”. Therefore, for the SAQ P2PE and for formal validation of merchant environments using P2PE, the set of questions is far smaller, less complicated and more maintainable. Weighing up the original capital expenditure (CAPEX) and business-as-usual (BAU) operational expenditure (OPEX), using a P2PE solution may be more cost-effective and pragmatic than meeting all the original PCI DSS requirements as applicable. P2PE could be for you as a merchant.

The disadvantage of P2PE as a merchant?

First, I must say that if a merchant chooses to use a P2PE solution, this DOES NOT mean they have outsourced their responsibility. They still have a set of responsibilities as per the SAQ P2PE or formal assessment, as applicable (ask a QSA about this). Merchants are obliged to follow the P2PE Implementation Manual (PIM). If the solution is implemented correctly and all applicable requirements (such as those within the SAQ P2PE) are met, then the network can be deemed out of scope accordingly.

Secondly, the PIM contains details about how to manage terminals, such as keeping a frequent inventory, which is often ignored. Merchants will need a process in place to track all terminals: in use, not in use, in transit, etc. This may not be as simple as it seems; it takes some thought and working with any third parties, including logistics service providers or logistics staff.
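To show what that tracking process has to catch in practice, here is an added example of a terminal-inventory reconciliation check. It is not code from the post or from any P2PE solution provider: it compares a merchant's terminal register (the three states the paragraph names: in use, not in use/spare, in transit) against what each site physically counted, and lists every discrepancy that needs a follow-up. The serials, site codes, courier references, dates and the ten-day transit limit are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Terminal:
    serial: str
    status: str        # "in_use", "spare" or "in_transit" (the states the post names)
    location: str      # site code the register says it is at, or the courier reference
    last_update: date  # last physical check, or the date it was handed to the courier


def reconcile(register, site_counts, today, max_transit_days=10):
    """Compare the register against what each site physically counted.

    register:    list of Terminal records (the merchant's inventory list)
    site_counts: {site_code: set of serials physically seen at that site}
    Returns a dict of discrepancy lists, each of which needs a follow-up.
    """
    known = {t.serial for t in register}
    seen_at = {s: site for site, serials in site_counts.items() for s in serials}
    findings = {"missing": [], "wrong_site": [], "arrived_unrecorded": [],
                "overdue_transit": [], "unknown": []}
    for t in register:
        site = seen_at.get(t.serial)
        if t.status in ("in_use", "spare"):
            if site is None:
                findings["missing"].append(t.serial)       # register says on site, nobody saw it
            elif site != t.location:
                findings["wrong_site"].append(t.serial)    # moved without updating the register
        elif t.status == "in_transit":
            if site is not None:
                findings["arrived_unrecorded"].append(t.serial)  # delivered, register not updated
            elif (today - t.last_update).days > max_transit_days:
                findings["overdue_transit"].append(t.serial)     # possibly lost in shipping
    # Terminals counted on site that the register does not know about at all
    findings["unknown"] = sorted(s for s in seen_at if s not in known)
    return findings


# Constructed sample data (serials, sites, courier references and dates are made up)
REGISTER = [
    Terminal("T-1001", "in_use", "STORE-01", date(2020, 5, 1)),
    Terminal("T-1002", "in_use", "STORE-01", date(2020, 5, 1)),
    Terminal("T-1003", "spare", "STORE-02", date(2020, 5, 1)),
    Terminal("T-1004", "in_transit", "COURIER-77", date(2020, 4, 20)),
    Terminal("T-1005", "in_transit", "COURIER-78", date(2020, 5, 10)),
]
SITE_COUNTS = {
    "STORE-01": {"T-1001", "T-1005", "T-9999"},  # T-1005 arrived early; T-9999 is not on the register
    "STORE-02": {"T-1002"},                      # T-1002 moved here; T-1003 was not found anywhere
}


def demo():
    """Run the reconciliation on the constructed data as of a fixed (assumed) check date."""
    return reconcile(REGISTER, SITE_COUNTS, date(2020, 5, 12))


if __name__ == "__main__":
    for kind, serials in demo().items():
        print(f"{kind:20s} {serials}")
```

Each list maps to a different follow-up: a "missing" or "overdue_transit" terminal is a potential loss that the PIM-style process should escalate, "wrong_site" and "arrived_unrecorded" are register hygiene problems, and an "unknown" serial is a device on the premises that nobody has accounted for.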

Actions for merchants:

  • Undertake a gap analysis for the current scope. Where possible, engage with a PCI QSA to ensure an accurate gap analysis.
  • Review the solutions/controls to remediate the outstanding PCI DSS requirements.
  • Explore P2PE solution providers and the CAPEX and OPEX for P2PE terminals. Compare this to the cost to remediate and operate without P2PE.

How does providing a P2PE solution benefit me as a service provider?

Service providers have a tough time. In short, this means evaluating the P2PE domains. A question that needs to be posed is whether the additional rental uplift that can be charged per month for providing a P2PE-validated solution versus a non-validated solution is worthwhile; this question can only be answered by the service provider. What I can say is that service providers underestimate the workload involved. Service providers must work closely with third parties, for example any key injection facilities, CAs/RAs, application developers and decryption environment providers, and ensure proper key management, monitoring and reporting mechanisms, much more than the normal expectation. For service providers with large terminal estates, the effort could be worthwhile.

Conclusions

4-5 years ago, I was a fan of what was back then deemed “End-To-End Encryption” (E2EE). Coupled with tokenisation, this can be a good way to reduce the scope for compliance, which can lead to:

  • Fewer resources required, as the network is not in scope.
  • Less cost compared to maintaining all the original applicable PCI DSS requirements.
  • More focus on people and security awareness training.

P2PE is similar to E2EE, but it is a solution validated against the more rigorous requirements of the P2PE standard.

I am still a fan and I would like to see more solutions on the market. However, due to the uplift involved in becoming a P2PE service provider, we still see few providers (I personally know the effort, as I have successfully gone through the journey and validated a P2PE entity listed on the PCI SSC website). Those service providers who do become listed will have a competitive advantage.

Did you find this post useful? Feel free to share and link to this article.

Covid-19 and Malware Infections


Coronavirus (Covid-19) is disrupting the way we live and killing the economy. Many people have lost their jobs and are out of work. Covid-19 does not stop cybercriminals from doing their work. Many more people are working from home online, and this is an opportunity that is being exploited; it’s actually a great time for cybercriminals.

Cybercriminals are using the current environment to trick users into infecting their own systems by downloading malware, or simply into handing over their information.

Microsoft has reported that out of the millions of emails it sees, 60,000 are Covid-19-related malicious emails (less than 2%). This is not to say that there has been an increase in malicious emails; rather, the email templates, scripts and subject lines are changing.

For example, there are email campaigns that impersonate the World Health Organisation (WHO) and the Centers for Disease Control and Prevention (CDC), to name just two.

Phishing is a technique cybercriminals use to persuade you to hand over your personal information. Once your information is obtained, cybercriminals use your details to log in to websites or to install malware/backdoors on your system to steal more information.

Phishing emails are emails that are sent to steal information. Here are some examples:

As an example, did that email from the DHL delivery company, HSBC, Netflix etc. really come from them?

What about that email from PayPal, Walmart, Amazon etc?

What about that email from the WHO or CDC?

One of my sayings as an auditor is “Trust, but verify”. As consumers, we all need to do this when checking emails. By no means is this 100% foolproof, but here are just some top tips:

  • Most legitimate companies will not ask for your password, credit card details, national ID etc.
  • Most legitimate companies know your name. Instead of “Dear customer…”, the email reads more like “Dear Michael…”.
  • Most legitimate companies send from their own legitimate domain name (like www.dhl.com) and not from fake sites like www.dhl.abcd.com.
  • Most legitimate companies know how to spell properly. Scammers may have bad spelling; this is likely to be on purpose, to target those who are not as educated.
  • Most legitimate companies do not send unusual attachments in the email.
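The tips above can be turned into a mechanical check. The following is an added example, not code from the post, that applies them to a raw email message: it compares the registrable domain of the sender and of every link in the body against an allow-list for the brand name they use (so that www.dhl.abcd.com is recognised as abcd.com, not DHL), and flags a generic greeting, requests for passwords or card details, and risky attachment types. The brand-to-domain allow-list, the public-suffix shortcut, the attachment list and both sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of registrable domains assumed for the brands the post names.
# The pairings are an assumption for this example, not verified records.
BRAND_DOMAINS = {
    "dhl": {"dhl.com"},
    "hsbc": {"hsbc.com", "hsbc.co.uk"},
    "paypal": {"paypal.com"},
    "who": {"who.int"},
    "cdc": {"cdc.gov"},
}
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.jp"}
RISKY_ATTACHMENTS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".zip")
URL_HOST_RE = re.compile(r'https?://([^\s/"<>]+)', re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(password|credit card|card number|national id|passport)\b", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(r"^\s*dear\s+(customer|user|member|client|sir/madam)\b", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'www.dhl.abcd.com' -> 'abcd.com', 'mail.hsbc.co.uk' -> 'hsbc.co.uk'.
    Simplified: production code should consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brands_named_in(text: str) -> set:
    """Brands whose name appears as a word in a display name or host name."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return {b for b in BRAND_DOMAINS if b in words}


def phishing_indicators(raw_email: str) -> list:
    """Apply the post's tips to one RFC 822 message and return the red flags found."""
    msg = message_from_string(raw_email)
    flags = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[1] if "@" in addr else ""
    sender_dom = registrable_domain(sender_host) if sender_host else ""
    # Tip: legitimate companies send from their own domain, not a look-alike
    for brand in sorted(brands_named_in(f"{display_name} {sender_host}")):
        if sender_dom not in BRAND_DOMAINS[brand]:
            flags.append(f"sender claims {brand} but mail comes from {sender_dom or 'no domain'}")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    # Tip: legitimate companies know your name
    if GENERIC_GREETING_RE.match(body):
        flags.append("generic greeting instead of your name")
    # Tip: legitimate companies do not ask for passwords, card details or IDs
    asked = {m.lower() for m in CREDENTIAL_RE.findall(body)}
    if asked:
        flags.append("asks for sensitive data: " + ", ".join(sorted(asked)))
    # Tip: links should go to the brand's real domain, not brand.something-else.com
    for host in sorted(set(URL_HOST_RE.findall(body))):
        dom = registrable_domain(host)
        for brand in sorted(brands_named_in(host)):
            if dom not in BRAND_DOMAINS[brand]:
                flags.append(f"link to {host} looks like {brand} but is really {dom}")
    # Tip: legitimate companies do not send unusual attachments
    for name in attachments:
        if name.lower().endswith(RISKY_ATTACHMENTS):
            flags.append(f"unusual attachment {name}")
    return flags


# Constructed sample messages (addresses, hosts and tracking number are made up)
PHISHING_SAMPLE = """\
From: DHL Delivery <notice@dhl.abcd.com>
To: you@example.com
Subject: Your parcel is on hold
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear customer,

Your parcel is on hold. Confirm your password and credit card at
http://www.dhl.abcd.com/track to release it.
--XYZ
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XYZ--
"""

LEGIT_SAMPLE = """\
From: DHL Express <noreply@dhl.com>
To: you@example.com
Subject: Your shipment 1234567890 has been delivered
Content-Type: text/plain

Dear Michael,

Your shipment was delivered today. Track it at https://www.dhl.com/track.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample))
```

The check is deliberately conservative: it only compares domains when a known brand name is used, so it says nothing about senders it has no allow-list entry for, and the "trust, but verify" step still rests with the reader for those.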

If you are in doubt, ask a colleague or friend before clicking that link or before downloading that file.

Hope that helps.

Stay Safe

#cyberattack, #cybersecurity, #dataprotection, #datasecurity, #datasecuritybreach, #gdpr, #gdprcompliance, #informationsecurity, #infosec, #pcidss, #personaldata, #security, #StayHomeSaveLives

Kristoffer Kvello

I worked with Michael on a verification task for a mutual customer. The task involved a large amount of arcane details, so I expected the activity to be taxing. However, Michael dealt with it in such a friendly, quick and professional manner that the whole job was accomplished with little effort. Should our companies get a similar assignment later, I hope Michael will be available to do the auditor part again. 

Peter Burgess

I worked with Mike for a number of years at Sysnet Global Solutions while I was engaged in PCI DSS work as a QSA. He is an excellent QSA, and a highly knowledgeable Information and Cyber Security specialist. More than that he is friendly and approachable and I always knew I could go to him with a problem or dilemma. I thoroughly enjoyed working with Mike and would not hesitate to recommend him both as a friend and colleague.

Chetan Pendharkar

It was a pleasure working with Mike. Mike is a very experienced QSA. He assessed my company for PCI DSS / PA-DSS / P2PE. I learned a lot during the assessment. He was very clear about the current situation, requirements and remedial actions. It was his guidance that made it possible for us to achieve PCI accreditation. Thanks for your help and support, Mike.

Rahul Shivastava

Michael and I worked together to help Nationwide achieve PCI DSS compliance. Michael was the PCI QSA/PA QSA for a number of functional areas that I was working on. Michael has rich experience in the PCI domain; he played a paramount role in helping Nationwide achieve PCI compliance by providing guidance/direction to myself and my team throughout the assessment life cycle. Along with high professional ethics and standards, Michael has a pleasant attitude and a great sense of humour. One thing that struck me was that whenever I asked Michael a question, instead of giving the answer on a platter, he would ask a few questions back that helped me arrive at the answer myself. This process helped us learn a great deal about PCI and grow professionally. Michael is an absolute pleasure to work with and a great asset to any organisation.

Can’t Wait To Fly Away?


Countries are locked down. Only essential travel is happening. It is not a great time for airlines, and the current environment we live in is going to hurt their bottom line.

So, it has recently been reported that the budget airline EasyJet has been hit by a cyber-attack affecting nine million customers. That is of course not a small number.

So how could a well-established business fall foul? Not much has been released, but what has been admitted is a “highly sophisticated cyber-attack”.

It is said that email addresses and travel details have been breached, and the business says that no passport or credit card details have been affected. Well, that is a relief! But hang on a minute, can we take that as certain? There are Twitter feeds out there clearly showing customers receiving the communication “I need to make you aware of an incident that affects the security of the credit card”.


Reports on other news sites also suggest that credit card details have been stolen, including the 3 or 4 security digits on the back of the card (CVV – Card Verification Value). How can this be the case? One of the basic principles is to not store the CVV after authorisation.

So, I’m just guessing at a couple of scenarios:

  • Their systems were breached and the CVV was not encrypted (i.e. not rendered unreadable).
  • There was some kind of breach that “sniffed” or intercepted the CVV in transit, usually by malware/unauthorised software deployed on compromised systems.

Although this was identified back in January, EasyJet have only now gone public, their PR department at the ready.

“As soon as we became aware of the attack, we took immediate steps to respond to and manage the incident and engaged leading forensic experts to investigate the issue. We also notified the National Cyber Security Centre and the ICO. We have closed off this unauthorised access,” said the airline in its statement.

Will this result in a big fine? Let us review the British Airways hack of 2018. The Information Commissioner’s Office (ICO) gave British Airways a £183 million fine for 380,000 transactions.

So, with 9 million EasyJet transactions compromised… I will let you do the maths. Can we do a comparison? Can we compare apples with apples? I would say this is unlikely: as I mentioned earlier, airlines are struggling, so any sort of proportionate fine would put the airline out of business.

Highly Sophisticated

It is too early to say for sure, but I’m guessing it is not a “highly” sophisticated attack. Maybe a vulnerability in a system, or perhaps a vulnerability in website code, that should have been identified by normal security practices (vulnerability management, looking for any file changes etc.).
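"Looking for any file changes" is the practice usually called file integrity monitoring. As an added example, not code from the post and with no connection to EasyJet's systems, the following takes a SHA-256 baseline of every file under a web root, stores it as a manifest, and on a later run reports anything added, removed or modified, which is exactly the signal that an unexpected change to website code should produce. The web root, file names and contents are constructed in a temporary directory for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256 hex digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def save_baseline(baseline: dict, manifest: Path) -> None:
    """Persist the baseline. In practice keep it off-host (or signed) so that whoever
    changes the web root cannot quietly rewrite the manifest to match."""
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; every entry returned is a change someone should be able to explain
    (a deployment ticket, a content edit), and anything unexplained is an incident to investigate."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed web root: take a baseline, then make the kinds of change a scheduled check
    should catch (a script edited, an unexpected file appearing, a file disappearing)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html>home</html>\n")
        (root / "js" / "checkout.js").write_text("// payment form handler\n")
        (root / "config.php").write_text("<?php $db = 'prod'; ?>\n")
        manifest = Path(tmp) / "baseline.json"   # kept outside the monitored tree
        save_baseline(build_baseline(root), manifest)

        # Changes after the baseline was taken (constructed for the example)
        (root / "js" / "checkout.js").write_text("// payment form handler\n// edited\n")
        (root / "uploads.php").write_text("<?php ?>\n")
        (root / "index.html").unlink()

        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Run on a real site this would be scheduled (and the manifest refreshed as part of each approved deployment) so that a change to a payment page script is noticed within hours rather than months.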

But what I can say for sure is that the cost of implementing good security practice is often much cheaper than not having it and having your reputation impacted, or worse still, closing your business.

Hey, I gave my details to them!

So, what next if you are a customer?

If you have in the past placed your details with EasyJet, be vigilant:

  • Watch out for phishing emails. So what’s a phishing email? It’s basically correspondence by email trying to persuade you that a fake email came from a legitimate source (take a quick read of the article here: https://www.linkedin.com/post/edit/6658294581458804736/)
  • Watch out for any suspicious transactions on your credit/debit card. If in doubt, contact your bank.

If you are in doubt, ask a colleague or friend before clicking that link or before downloading that file.

Hope that helps.

Stay Safe

#StayHomeSaveLives, #cybersecurity , #infosec, #informationsecurity, #security, #datasecurity, #datasecuritybreach, #personaldata, #gdprcompliance, #dataprotection, #pcidss, #gdpr, #cyberattack, #dataprivacy