Small businesses around the world are jumping on the credit card bandwagon due to new technologies that allow the acceptance of credit cards through smartphones and tablets. Emerging vendors like Square Inc. and VeriFone Inc.'s Sail provide small hardware dongles that attach directly to mobile devices and provide inexpensive, seamless credit card processing. If you haven't already seen one of these devices in a taxicab, small shop or with a sidewalk merchant, it won't be long until you notice the technology in use.
However, as fascinating and revolutionary as this technology may be, there are compliance ramifications. What exactly does the use of this technology mean for regulatory compliance? That's what we'll cover in this tip.
PCI still applies; P2PE makes compliance simpler
First and foremost, the Payment Card Industry Data Security Standard (PCI DSS) still applies in these situations. Anyone accepting a credit card, regardless of the technology used, must comply with PCI DSS. While the likelihood that the sidewalk hot dog stand will be subject to a PCI DSS assessment is fairly low, merchant banks will still request annual validation of PCI DSS compliance.
The most important thing merchants considering mobile payment processing can do is ensure that the card scanner they use is certified by the PCI Security Standards Council (PCI SSC) as compliant with its point-to-point encryption (P2PE) standard. Devices using P2PE ensure that the smartphone never sees sensitive credit card information in unencrypted form, which removes the device from the scope of PCI DSS compliance. That's a big deal; otherwise, attempting to comply with PCI DSS with smartphones as part of the in-scope payment processing system would be quite challenging. The PCI SSC has released a set of requirements for P2PE, but has not yet released a list of validated P2PE products or vendors. Watch its website for that release in the coming months. Some may wish to consider postponing rollout of this technology until the list becomes public. Otherwise, there is a small risk that the equipment will need to be replaced if the product initially chosen does not successfully become validated.
With P2PE, the card reader itself uses encryption technology to secure the details of a credit card transaction. The card number and other sensitive information are transformed into an encrypted message that is unreadable without the secret decryption key. The reader then uses the smartphone to transmit this encrypted message to the credit card transaction processor, which possesses the decryption key. The beauty of this approach is that all the transaction points between the card reader and the transaction processor have no access to sensitive information and, therefore, are not subject to the rigorous compliance procedures mandated by the PCI DSS.
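To make that data flow concrete, here is an added example in Go; it is not code from this article or from any P2PE vendor. It models the three parties the paragraph names: a reader that seals the track data, a phone that only relays bytes, and a processor that holds the key. It assumes one AES-256-GCM key injected into the reader and known to the processor, bound to the reader's serial number as authenticated data; real P2PE devices use per-transaction DUKPT keys in tamper-resistant hardware, which this static key stands in for. The serial, PAN and expiry are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// TrackData is what the dongle captures from the stripe or chip. The
// PAN=expiry layout is a constructed stand-in, not a real Track 2 encoding.
type TrackData struct {
	PAN    string
	Expiry string // YYMM
}

func (t TrackData) encode() []byte { return []byte(t.PAN + "=" + t.Expiry) }

func decodeTrack(b []byte) (TrackData, error) {
	parts := strings.SplitN(string(b), "=", 2)
	if len(parts) != 2 {
		return TrackData{}, errors.New("malformed track data")
	}
	return TrackData{PAN: parts[0], Expiry: parts[1]}, nil
}

// CardReader models the P2PE hardware dongle. The key is known only to the
// reader and the processor; the phone it plugs into never receives it.
type CardReader struct {
	Serial string
	key    []byte
}

// Encrypt seals the track data inside the dongle. Output is
// nonce || ciphertext || GCM tag, with the serial bound in as additional
// authenticated data so a blob cannot be presented under another reader's key.
func (r *CardReader) Encrypt(t TrackData) ([]byte, error) {
	block, err := aes.NewCipher(r.key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, t.encode(), []byte(r.Serial)), nil
}

// PhoneRelay is everything between reader and processor: the merchant's
// phone app and the network. It forwards bytes unchanged and holds no key,
// which is what keeps it out of PCI DSS scope.
func PhoneRelay(blob []byte) []byte {
	out := make([]byte, len(blob))
	copy(out, blob)
	return out
}

// ExposesPAN is the question a merchant or assessor asks of the relay:
// did the data the phone handled ever contain the card number in clear?
func ExposesPAN(seen []byte, pan string) bool {
	return bytes.Contains(seen, []byte(pan))
}

// Processor holds decryption keys indexed by reader serial.
type Processor struct {
	keys map[string][]byte
}

// Decrypt authenticates and opens a blob from a known reader. Any
// modification in transit, or an unknown serial, is rejected.
func (p *Processor) Decrypt(serial string, blob []byte) (TrackData, error) {
	key, ok := p.keys[serial]
	if !ok {
		return TrackData{}, errors.New("unknown reader serial")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return TrackData{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return TrackData{}, err
	}
	if len(blob) < gcm.NonceSize() {
		return TrackData{}, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(serial))
	if err != nil {
		return TrackData{}, fmt.Errorf("authentication failed: %w", err)
	}
	return decodeTrack(pt)
}

// NewDevicePair provisions a reader and a processor sharing one key,
// standing in for the vendor's key-injection step.
func NewDevicePair(serial string, key []byte) (*CardReader, *Processor) {
	return &CardReader{Serial: serial, key: key},
		&Processor{keys: map[string][]byte{serial: key}}
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	reader, proc := NewDevicePair("READER-0001", key)
	card := TrackData{PAN: "4111111111111111", Expiry: "2512"} // constructed test PAN
	blob, err := reader.Encrypt(card)
	if err != nil {
		panic(err)
	}
	seen := PhoneRelay(blob)
	fmt.Println("phone saw PAN in clear:", ExposesPAN(seen, card.PAN))
	got, err := proc.Decrypt(reader.Serial, seen)
	fmt.Println("processor recovered:", got, "error:", err)
}
```

The point to take from running it is the `ExposesPAN` result: the phone and everything downstream of it carry only the sealed blob, so a compromised app or network path yields nothing usable, and any tampering is caught by the processor's authentication check rather than silently producing a wrong card number.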
Simplified validation process
Merchants who use approved P2PE encryption devices relieve themselves of a significant amount of the burden of PCI DSS compliance. The PCI Council recognizes this and allows merchants to use a simplified compliance validation process if they meet four requirements:
- The merchant is using a P2PE product on the soon-to-be-released list of PCI SSC-validated P2PE products.
- The merchant does not store, process or transmit any cardholder information on any system other than the validated P2PE product.
- The merchant does not store any cardholder data in electronic form, including cardholder data left over from old payment systems.
- The merchant has obtained a copy of the PCI SSC P2PE instruction manual for their specific P2PE product (provided by the vendor) and meets all of the requirements outlined in that manual.
Merchants meeting all four of these requirements are eligible to fill out the abbreviated P2PE-HW Self Assessment Questionnaire (SAQ). In short, this version of the SAQ only asks questions about:
- The contents of the merchant's policies and procedures related to cardholder data retention, incident response, secure disposal of data and storage of cardholder data.
- Enforcement and review of the organization's policies and procedures.
- Use and storage of card verification codes/values (the three- or four-digit "security code" on the back of the card).
- Masking credit card numbers when displayed on paper.
- Prohibiting the transmission of card numbers over email, instant messaging and chat technology.
- Securing physical media containing cardholder information.
- Security awareness training for staff.
- Use of service providers.
- Incident response planning.
The seven pages of questions on this SAQ are a welcome relief compared to the much longer questionnaires required for more complex cardholder information processing systems.
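Two of the items above, masking card numbers on printed output and keeping cardholder data out of the merchant's own systems (the second requirement for the simplified validation), are ones a small merchant can check with a script. The following Go example is added here and is not from the article or from the PCI SSC. It masks PANs down to the first six and last four digits, the most PCI DSS permits on a receipt, and scans constructed sample log lines for any full card number that should not be there. The Luhn filter, the digit-run regular expression and the sample lines are my own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// panPattern matches a bare 13-19 digit run, the length range of payment
// card numbers. It over-matches on purpose; luhnValid filters the rest.
var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// luhnValid applies the Luhn checksum every card number carries, which
// separates real PANs from order IDs and phone numbers of similar length.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps the first six and last four digits and blanks the rest.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("X", len(pan))
	}
	return pan[:6] + strings.Repeat("X", len(pan)-10) + pan[len(pan)-4:]
}

// RedactPANs rewrites every Luhn-valid card number in text to its masked
// form and reports how many it found, so a receipt can be sanitised
// before it is printed.
func RedactPANs(text string) (string, int) {
	found := 0
	out := panPattern.ReplaceAllStringFunc(text, func(m string) string {
		if !luhnValid(m) {
			return m
		}
		found++
		return MaskPAN(m)
	})
	return out, found
}

// LinesWithPAN returns the zero-based indices of lines that still hold a
// full card number. Run over a merchant's own logs and exports, it is a
// quick check that no cardholder data has strayed into an in-scope system.
func LinesWithPAN(lines []string) []int {
	var hits []int
	for i, line := range lines {
		for _, m := range panPattern.FindAllString(line, -1) {
			if luhnValid(m) {
				hits = append(hits, i)
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample lines: 4111111111111111 is a well-known test PAN;
	// the order numbers are not Luhn-valid and must be left alone.
	logLines := []string{
		"2013-05-01 sale order=2024091234567 amount=12.50 auth=OK",
		"2013-05-01 debug track=4111111111111111=2512",
		"2013-05-02 sale order=2024091234568 amount=4.00 auth=OK",
	}
	fmt.Println("lines holding a full PAN:", LinesWithPAN(logLines))
	receipt, n := RedactPANs("Paid with card 4111111111111111, thank you")
	fmt.Printf("%s (%d number(s) masked)\n", receipt, n)
}
```

A non-empty result from `LinesWithPAN` on the merchant's own logs means the merchant cannot truthfully answer the SAQ question on electronic storage of cardholder data, and the offending export or debug output needs to be removed before validation.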
Small merchants who can meet their business needs with mobile payment systems will find that their compliance burden can be significantly lowered when using a validated P2PE card-processing product. By removing card data from the merchant's environment, P2PE products provide customers with a high degree of security and dramatically lower the risk that a merchant will be the source of an information security breach.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.