I’ve been reading some recent online posts and recent questions from some of my clients. Despite the information available people are not clear whether Point-To-Point Encryption (P2PE) is for them and apprehensive to roll out such P2PE solutions. On the other end, some merchants see it as a “silver bullet” and jumping as quickly as possible to implement a P2PE solution and in my opinion have not clearly understood what this means to them.
This is just a quick post to help you and your business understand what P2PE means for your business and hopefully aid you evaluate the P2PE option for your business. With any change we need to evaluate the benefit and drawbacks.
How does the PCI-validated P2PE solution benefit me as a merchant?
Remember that you are not mandated to use a P2PE solution. As a merchant, we need to remind ourselves that our objective is working towards and maintaining PCI DSS compliance. In the “As Is” situation, you are eligible for completing an SAQ or undertaking a formal assessment, you will have a set of questions/requirements to answer. Depending on your business you may have constraints (business reasons or technology reasons) where you cannot satisfy all the PCI DSS requirements directly.
More often, it is that it is simply not cost-effective to meet all those requirements directly and your business may not have the resources available to maintain PCI DSS compliance. So this is where P2PE helps, whereby by using a PCI-P2PE validated solution you have a level of assurance that the cardholder data is protected from end-to-end (that is protected from terminal all the way to the P2PE solution provider). As weakness lies in People, Process and Technology the main risk is to the endpoint (the terminal) and people – most importantly for a merchant this means that if a P2PE solution is implemented correctly, the network between the terminal and solution provider is taken “Out Of Scope”. Therefore, for P2PE SAQ and formal validation of merchant environments using P2PE, the set of questions is far less, less complicated and more maintainable. Weighing up the original capital expenditure (Capex) and business As Usual (BAU) operational expenditure (OPEX) costs for using a P2PE solution may be more cost-effective and pragmatic that meeting all the original PCI DSS requirements as applicable – using P2PE could be for you as a merchant.
The disadvantage of P2PE as a merchant?
First, I must say if a merchant chooses to use a P2PE solution, this DOES NOT mean they have outsourced their responsibility – they still have a set of responsibilities as per the SAQ P2PE or formal assessment as applicable (ask a QSA about this). Merchants are obliged to follow the P2PE Implementation Manual (PIM). If implemented correctly and all applicable requirements (such as those within an SAQ P2PE are met), then it can be deemed the network out of scope accordingly.
Secondly, the PIM contains details about understanding how to manage terminals, such as keeping a frequent inventory that is often ignored. Merchants will need to have a process in place to track all the terminals in use, not in use, in transit etc. This may not be as simple as it seems and takes some thought and working with any third parties including logistics service providers or logistics staff.
Actions for merchants:
- Undertake a gap analysis for the current scope. Where possible, engage with a PCI QSA to ensure an accurate gap analysis.
- Review the solutions/controls to remediate the outstanding PCI DSS requirements.
- Explore P2PE solution providers and how much CAPEX and OPEX for P2PE terminals. Compare this to the cost to remediate and operate without P2PE.
How does providing a P2PE solution benefit me as a service provider?
Service providers have a tough time. In short, this means evaluating the P2PE domains. A question that needs to be posed is whether or not the additional rental uplift to charge per month for providing a P2PE-validated solution vs a non-validated solution to worthwhile – this question can only be answered by the service provider. What I can say is that service providers are underestimating the workload involved. Service providers must work closely with third parties for example any key injection facilities, CAs/RAs, application developers, decryption environment providers and ensure proper key management, monitoring and reporting mechanisms much more than the normal expectation. For service providers providing large terminals estates, the effort could be worthwhile.
Conclusions
4-5 years ago, I was a fan of what was back then deemed “End-To-End Encryption” (E2EE). Coupled with tokenisation, this can be a good way to reduce the scope for compliance, which can lead to:
- Less resources required as the network is not in scope.
- Less cost compared to maintaining all the original applicable PCI DSS requirements.
- More focus on people and security awareness training.
P2PE is similar to E2EE, but a validated solution to more rigorous requirements as per the P2PE standard.
I am still a fan and I would like to see more solutions on the market. However, due to the uplift in becoming a P2PE service provider we still see few providers (I personally know the effort as I have successfully gone through the journey and validated a P2PE entity listed on PCI SSC website). However, those service providers who do become listed will have a competitive advantage.
Did you find this post useful? Feel free to share and link to this article.