The PCI Point-to-Point Encryption Solution Requirements and Testing Procedures (.pdf) was revised last month to add new guidance for merchants implementing validated point-to-point encryption products. It establishes testing procedures for encryption providers and is the basis for a list of validated or certified point-to-point encryption components. Version 1.1 also introduces a training program for Qualified Security Assessors, giving a special designation to QSAs who can properly assess a point-to-point encryption deployment.
“A list will go a long way toward making the process of reducing scope easier for everyone involved in properly selecting and implementing a point-to-point encryption solution,” said Diana Kelley, a partner at New Hampshire-based consulting firm Security Curve.
The new document addresses hardware-based point-to-point encryption, but not software-based encryption. Troy Leach, CTO of the PCI SSC, said the council plans to address testing requirements for a hybrid approach in which software is used in certain elements of encryption within the hardware. A final document, Leach said, will address the use of software as a decryption mechanism for all of the encryption keys. The goal, he added, is to be as thorough as possible in addressing the various implementations of point-to-point encryption technology.
Under the revised document, the merchant is required to select point-of-interaction devices that are approved under the PCI DSS security requirements for PIN transactions. The document states that merchants considering point-to-point encryption deployment are responsible for closely coordinating with their acquirer (merchant bank) to determine which validated equipment can be implemented.
The entire program is voluntary, Leach said, but following the guidance will help merchants properly reduce the scope of their systems. He said there are no future plans to wrap point-to-point encryption into the PCI DSS.
“This is more for awareness for merchants to let them know that these solutions are out there and we are aware of them,” Leach said. “These testing requirements are not really intended for merchants, they’re meant for the solution provider that creates the products.”
Leach said the PCI Council is also developing new streamlined self-assessment questionnaires to make it easier for Level 3 and 4 merchants to attest to a PCI-compliant environment.
A list of validated point-to-point encryption components is due out this summer. Under the testing requirements, the encryption hardware devices must segment a merchant’s cardholder data environment by containing all of the credit card transaction data within them. Account data is always entered directly into the device and encrypted within it before it is transmitted, according to the document.
The Council’s guidance document also states that all account-data related operations are to be managed by a validated provider. In addition, the document states that point-to-point encryption providers are required to give merchants an instruction manual outlining their obligations and controls.
PCI point-to-point encryption failure
The PCI Council also added a new merchant obligation in the event a point-to-point encryption device fails. If the merchant continues to accept credit card payments, it must follow a specific “opt-out” process with the encryption provider, informing the provider that the merchant chooses to process transactions without point-to-point encryption protection.
Leach said the process gives the merchant flexibility in the event of equipment failure. For example, a retailer may have hundreds of customers lined up and could decide to process them despite the lack of encryption.
“The opt-out is to recognize that there might be technical hiccups that happen,” Leach said. “The solution provider providing the key encryption has to be aware that this change and circumvention of the process is occurring, so the flexibility is put into the standard because of the technical fallback that might happen.”
PCI point-to-point encryption: Short history, slow adoption
The PCI Council issued the first version of its point-to-point encryption documentation in September 2011, indicating that a properly implemented system can reduce the scope of a PCI DSS assessment. The council previously called encryption technology too immature. It hopes its latest guidance will give merchants and encryption providers a way to evaluate equipment and ensure they meet minimum security requirements, meeting the spirit of PCI DSS. The devices must be properly segmented from the rest of the network and data must be encrypted from the time credit card data is captured to its transmission to a processor and bank systems.
Adoption of the technology has been slow, said Mark Akins, a QSA and CEO of Coral Springs, Fla.-based compliance assessment consultancy 1st Secure IT. He said Tier 1 organizations that require a QSA PCI assessment have already made substantial investments in security to meet PCI DSS and are not yet ripping out and replacing their payment terminals to support point-to-point encryption. Most large merchants, Akins said, wait until the end of an equipment cycle before investing in new systems.
“I think point-to-point encryption is a good thing; it takes a lot of requirements off of the merchant,” Akins said. “It’s not bleeding-edge technology, but it is cutting-edge technology and until it becomes more mainstream, I don’t think we’re going to see too many people seeking QSAs trained to assess it.”
Other merchants rely on service providers to process credit cards, Akins said. Adoption of tokenization technology to eliminate credit card data is being driven by service providers as a Software as a Service (SaaS) option for their customers, he said.
Security Curve’s Kelley said small and midsize businesses with fewer payment terminals will likely be among the first to use point-to-point encryption devices to secure payment data. Smaller merchants have a small, if any, IT staff, and will rely on their acquirer, their payment processors and the encryption provider for assistance and guidance, Kelley said.
The new point-to-point encryption validation program will rely heavily on other PCI standards. Devices must meet the PIN Transaction Security (PTS) requirements. Cryptographic-key operations for both the encryption and decryption environments use key-management practices derived from the PTS PIN Security Standard, according to the document. Applications on the devices must meet requirements derived from the Payment Application Data Security Standard (PA-DSS). And finally, the decryption environment must be PCI DSS compliant.