P2PE milestone: PCI SSC OKs first point-to-point encryption product
30 Oct 2013 | SearchSecurity.com
The Payment Card Industry Security Standards Council (PCI SSC) has validated a hardware-based point-to-point encryption (P2PE) product for the first time, a move its leadership calls an important step toward ensuring the secure transmission of payment card transactions.
U.K.-based European Payment Services Ltd. is the first point-of-sale (PoS) vendor to have its product, the EPS Managed Payments Platform, designated as an approved P2PE product. That designation means enterprises that use it can not only ensure clear-text cardholder data is removed from their payment environments, but also leverage the validation to make Payment Card Industry Data Security Standard (PCI DSS) assessments easier.
Use of a validated P2PE product for accepting and processing payment card transactions lets merchants reduce the scope of their PCI DSS assessments, often sparing them much of the documentation and scrutiny a PCI Qualified Security Assessor (QSA) would otherwise require.
The announcement, made today during the SSC's 2013 European Community Meeting in Nice, France, is the latest and perhaps most significant step to date in the SSC's multiyear effort to foster P2PE adoption among merchants and acquiring banks.
Bob Russo, chairman of the PCI SSC, said the coming wave of validated P2PE products will help increase awareness among merchants about the security and compliance benefits of P2PE, and motivate all payment processing technology vendors to have their PoS products validated against the SSC's specifications, yielding more secure products.
"From the merchant side, this is nothing but good news," Russo said. "This technology is going to make the compliance process a little easier, but more importantly make card data much more secure."
How hardware-based PoS encryption works
Validated against the P2PE requirements and testing procedures the SSC published in May 2012, the technology works as part of the PoS systems used by merchants and the back-end card processing systems employed by acquiring banks. Card data is encrypted immediately after the card is read at the PoS, whether it is swiped or "dipped" into the insert-style readers found at ATMs, gas pumps and vending machines. The data travels to the acquirer in encrypted form and can be decrypted only by a system that meets comparable requirements. The SSC plans to finalize the requirements for the decryption environment next year.
The EPS Managed Payments Platform relies on hardware-based encryption built into its PIN entry devices (PEDs) at the PoS. Encryption keys and CA certificates unique to each merchant are injected into the PEDs when they are manufactured. The EPS platform then manages each transaction to ensure it is routed to, and decrypted by, the intended acquirer. The platform also uses the PED's built-in certificate to authenticate and validate each PED on the network, a control that can identify card-skimming devices and other rogue PEDs.
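The flow described in the two paragraphs above, as an added example written for this page rather than code from EPS or the PCI SSC: a simulated PED encrypts the track data the moment it is read, the merchant's systems only ever handle the opaque message, and the acquirer's decryption environment authenticates the device before it decrypts anything. Everything in it is an assumption for illustration: a static AES-256 data key and a P-256 ECDSA signing key per device (the article does not say which key-management scheme EPS uses), a plain public-key registry standing in for the per-merchant CA certificates, the hypothetical device ID PED-0001, and a constructed test PAN 4111111111111111 that belongs to no real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Message is all the merchant's PoS software and network ever handle: no keys, no clear-text PAN.
type Message struct {
	DeviceID   string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output (ciphertext || tag) over the track data
	Sig        []byte // ECDSA over SHA-256(DeviceID || Ciphertext)
}

// PED models a PIN entry device whose secrets were injected at manufacture. Assumption: a
// static AES-256 data key and a P-256 signing key per device (the article does not say what EPS uses).
type PED struct {
	ID      string
	dataKey []byte
	signKey *ecdsa.PrivateKey
}

// must: an RNG or key-setup failure inside a PED is fatal, not something to recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewPED stands in for the factory key-injection step.
func NewPED(id string) *PED {
	key := make([]byte, 32)
	must(io.ReadFull(rand.Reader, key))
	return &PED{ID: id, dataKey: key, signKey: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// digest is what the PED signs; the GCM tag inside ct already binds the nonce and the ID (AAD).
func digest(id string, ct []byte) []byte {
	h := sha256.Sum256(append([]byte(id), ct...))
	return h[:]
}

// ReadCard encrypts track data the instant it is read, so the PAN never exists in clear text
// outside the device, then signs the result so the acquirer can tell this PED from a look-alike.
func (p *PED) ReadCard(track []byte) Message {
	gcm := gcmFor(p.dataKey)
	nonce := make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	ct := gcm.Seal(nil, nonce, track, []byte(p.ID))
	sig := must(ecdsa.SignASN1(rand.Reader, p.signKey, digest(p.ID, ct)))
	return Message{DeviceID: p.ID, Nonce: nonce, Ciphertext: ct, Sig: sig}
}

// record is what the acquirer keeps per enrolled PED: its data key and the public key from its certificate.
type record struct {
	dataKey []byte
	pub     *ecdsa.PublicKey
}

// Acquirer is the decryption environment: the only holder of device keys.
type Acquirer struct{ enrolled map[string]record }
func NewAcquirer() *Acquirer { return &Acquirer{enrolled: map[string]record{}} }

// Enroll happens at key injection, never at the merchant site.
func (a *Acquirer) Enroll(p *PED) { a.enrolled[p.ID] = record{p.dataKey, &p.signKey.PublicKey} }

// Decrypt authenticates the sending PED before decrypting anything; an unenrolled or mis-signed
// device is refused, which is the rogue-PED detection the article attributes to the certificates.
func (a *Acquirer) Decrypt(m Message) ([]byte, error) {
	r, ok := a.enrolled[m.DeviceID]
	if !ok {
		return nil, fmt.Errorf("unknown PED %q", m.DeviceID)
	}
	if !ecdsa.VerifyASN1(r.pub, digest(m.DeviceID, m.Ciphertext), m.Sig) {
		return nil, fmt.Errorf("bad signature from %q: possible rogue PED", m.DeviceID)
	}
	pt, err := gcmFor(r.dataKey).Open(nil, m.Nonce, m.Ciphertext, []byte(m.DeviceID))
	if err != nil {
		return nil, fmt.Errorf("ciphertext from %q altered in transit", m.DeviceID)
	}
	return pt, nil
}

func main() {
	ped, acq := NewPED("PED-0001"), NewAcquirer()
	acq.Enroll(ped)
	pt, err := acq.Decrypt(ped.ReadCard([]byte("4111111111111111=2512101"))) // constructed test PAN
	_, rogueErr := acq.Decrypt(NewPED("PED-0001").ReadCard(nil))             // same ID, never enrolled
	fmt.Printf("acquirer recovered %q (err=%v); rogue PED: %v\n", pt, err, rogueErr)
}
```

The acquirer checks the signature before it touches the ciphertext, so a skimmer or swapped device that reuses a legitimate PED's ID but lacks its enrolled key is refused, and any change to the ciphertext in transit fails the GCM tag check. Nothing in the merchant's path holds a key, which is what takes those systems out of PCI DSS scope.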
Merchants using legacy PoS technology may need to update or replace their systems to benefit from hardware-based encryption, but not always. Troy Leach, CTO of the PCI SSC, said that many merchants' existing PoS systems possess the necessary technology to take advantage of P2PE.
As part of the groundwork for hardware-based encryption at the PoS, Leach said the SSC in 2010 introduced a set of requirements called Secure Reading and Exchange of Data, or SRED, a module of the PCI PIN Transaction Security (PTS) standard that sets out how a device should encrypt account data at the point of capture; many vendors have been building products to SRED for several years.
Russo declined to say how many P2PE products are currently undergoing the validation process, which requires approval from a select group of P2PE assessors, but said he hopes to see a hundred or more make the SSC's list within the next two years.
"With the announcement of this first one, there will be a lot of activity among vendors who want to get on this list," Russo said. "We feel vendors will be conspicuous by their absence if they're not on the list."
Software-based encryption: A work in progress
Leach said today's announcement represents the culmination of the SSC's efforts to get validated hardware-based P2PE technology into the marketplace, but much work is left to be done. A 70-member SSC task force is developing the next version of the P2PE requirements, which will define requirements and implementation guidelines for software-based payment card encryption products.
Software-based encryption poses a greater challenge. Encryption experts concede that hardware-based encryption is far less prone to tampering because keys and certificates can be locked into the device itself; software, by contrast, has repeatedly proven vulnerable to skilled attackers.
"There has to be evidence that there's not going to be tampering with a software solution when it's deployed in a retail location," commented Leach. "Especially when you have unique challenges, like unattended transactions that may not have a cashier associated with them."
Leach said the software-based encryption product guidance is slated for release in 2014.