The Middle Corner

Princeton Payment Solutions Blog

You’ve noticed that Point-to-Point Encryption (P2PE) is currently a hot topic in the payment card industry. That’s both good news and bad news. First the good news:

It means that businesses have attained a certain level of security proficiency in transmitting PAN data to payment card processors, in segregating the PAN, and in storing it. These are the rewards of strenuous efforts to develop and comply with PCI DSS. Now for the bad news: much more recently, like a pack of jackals, hackers have focused on the next weakest member of the herd, the one on the fringe: card data transiting into the cardholder data environment at the PED (PIN entry device). So, what does Point-to-Point Encryption entail? How is security on the fringe assured?

After serious attacks on PIN Entry Devices (PEDs) began a few years ago, the PCI SSC published a guidance document, “The Roadmap,” in October 2010 [i], which was followed in September 2011 by the initial release of solution requirements (hardware only) [ii]. Both documents make clear that P2PE will not change established security practices: businesses still need to be sure that the fundamental twelve requirements of the PCI DSS [iii] are met. But scope is malleable. Including the point of interaction (POI) in scope could be a nightmare. On the other hand, encrypting at the POI could strengthen your security on the fringe, reducing the risk of attack or breach. It could also shrink PCI scope and limit the relevant PCI DSS requirements to 1, 9, and 12. Wow!

The Roadmap lights a pathway on how P2PE might improve a business’s security posture, and suggests that P2PE does indeed reduce the size of the overall compliance effort! As could be expected, the P2PE document mirrors the DSS requirements by including “the people, processes, and technology in place to encrypt and decrypt a transmitted PAN (or sensitive authentication data)”. However, P2PE “must include comprehensive cryptographic and key management systems which limit or prevent the business’s access to ‘plaintext’ of the PAN in transit, processing and storage”. This is a gift: early encryption creates a broad avenue of opportunity to reduce scope by reconsidering your cardholder data environment and compliance strategy.

What the Roadmap doesn’t do is help you find the most cost-effective, efficient route towards shrinking the cardholder data environment and reworking your compliance approach. Securing the PAN in an open retail environment via “sheer muscle” can be a very complicated, expensive process. Some larger businesses have spent millions of dollars to rebuild and lock down the retail channel. Others invested similar amounts building a parallel infrastructure to segregate PAN data as required by their auditor. Perhaps various vendor elements purchased separately didn’t work well together; successful system integration will be a key success factor in P2PE. None of these approaches is very inviting: expensive to build, expensive to run, and prone to complications. But, if well planned and executed, P2PE doesn’t have to be like that.

So, can we imagine a smarter, PCI DSS compliant, cost-effective, efficient P2PE process, which also shrinks the cardholder data environment (CDE)?  Yes!

Consider this scenario: your business is already PCI DSS compliant. Communications with your card processor are encrypted, and you already tokenize the PAN for processing and storage purposes, minimizing scope under the current standard. Perhaps your secure servers are running on site, perhaps they are hosted; that part doesn’t matter.

Your final link in assuring P2PE is encrypting the PAN at the Point of Interaction, in a manner designed to be specifically compatible with your chosen security software solution.

Thus, imagine for a moment a PIN pad at the POI, capable of Triple DES (3DES) encryption before sending the PAN off for tokenization, at a cost of a few hundred dollars per device. Yes, such an option does exist.

This approach aggressively minimizes the opportunities to view the PAN in plaintext and reduces scope. The scope reduction only holds if the keys that decrypt the PAN never exist in your environment: decryption and tokenization must happen at the processor or in a separately secured zone, so that your retail systems only ever handle ciphertext and tokens. Done that way, you will have reduced risk, and capped the expense of installing and running your compliance effort.
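The flow described in this scenario, written out as an added example (this is not code from Princeton Payment Solutions or from any PIN pad vendor). It models three parties: the PIN pad, which 3DES-encrypts the PAN before it leaves the device; the merchant, which only forwards the opaque ciphertext and keeps the token it gets back; and the processor’s decryption environment, the only place holding the device key, which decrypts, validates and tokenizes. Everything about the keys is an assumption made so the program runs offline: a single static 24-byte 3DES key per device (real PIN pads get their keys in a key-injection facility and usually derive a fresh key per transaction with DUKPT), and an HMAC-based token vault. The PAN is a constructed test number.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Hypothetical keys so the example runs offline: a real PIN pad is loaded in a
// key-injection facility (usually with per-transaction DUKPT keys) and the
// decryption key lives in the processor's HSM, never on merchant systems.
var (
	deviceKey = []byte("0123456789abcdefghijklmn")  // 24-byte 3DES key (K1|K2|K3)
	tokenKey  = []byte("token-vault-secret-example") // stays inside the token vault
)

// pinPadEncrypt is the POI step: PKCS#7 pad, 3DES-CBC, random IV; output iv||ciphertext.
func pinPadEncrypt(key []byte, pan string) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	n := des.BlockSize - len(pan)%des.BlockSize
	pt := append([]byte(pan), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

// decryptPAN runs only in the decryption environment; padding and Luhn checks reject wrong-key garbage.
func decryptPAN(key, blob []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	if len(blob) < 2*des.BlockSize || len(blob)%des.BlockSize != 0 {
		return "", fmt.Errorf("malformed blob of %d bytes", len(blob))
	}
	pt := make([]byte, len(blob)-des.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:des.BlockSize]).CryptBlocks(pt, blob[des.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad padding")
	}
	pan := string(pt[:len(pt)-n])
	if !luhnValid(pan) {
		return "", fmt.Errorf("plaintext is not a valid PAN (wrong key?)")
	}
	return pan, nil
}

// luhnValid is the mod-10 check every PAN must pass.
func luhnValid(pan string) bool {
	sum := 0
	for i := 0; i < len(pan); i++ {
		c := pan[len(pan)-1-i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c-'0') * (1 + i%2) // double every second digit from the right
		if d > 9 {
			d -= 9
		}
		sum += d
	}
	return len(pan) >= 12 && sum%10 == 0
}

// tokenize: keyed, irreversible digest plus last four digits for receipts; all the merchant stores.
func tokenize(pan string) string {
	m := hmac.New(sha256.New, tokenKey)
	m.Write([]byte(pan))
	return "tok_" + hex.EncodeToString(m.Sum(nil))[:24] + "_" + pan[len(pan)-4:]
}

// processorService stands in for the processor, the only place the device key and plaintext PAN exist.
func processorService(blob []byte) (string, error) {
	pan, err := decryptPAN(deviceKey, blob)
	if err != nil {
		return "", err
	}
	return tokenize(pan), nil
}

// main plays the merchant: forward the opaque blob, keep the token, confirm the PAN was never visible.
func main() {
	pan := "4111111111111111" // constructed test PAN, not a real card
	blob, _ := pinPadEncrypt(deviceKey, pan)
	token, err := processorService(blob)
	fmt.Println(token, err, "visible to merchant:", strings.Contains(hex.EncodeToString(blob)+token, pan))
}
```

The thing to notice is what the merchant side touches: the ciphertext blob and the returned token, and nothing else. Because the device key only exists in `processorService`, a compromise of the POS host or store network yields ciphertext that the attacker cannot turn back into a PAN, which is exactly the condition under which the POI encryption takes those systems out of scope. The Luhn check on the processor side is a cheap sanity check that catches most decryptions under the wrong key before a bad value reaches the token vault.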
