PCI DSS
All retail merchants globally need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Compliance has to be achieved either by self-assessment or through a security audit completed by a qualified assessor (QSA). The aim of the PCI DSS is to enhance data security protection levels and thereby reduce the number of data breaches that are occurring. Unfortunately criminals have recognised the value of credit/debit card numbers and this has resulted in huge levels of financial fraud losses from stolen card numbers.
PCI DSS compliance is not a trivial task. Retailers have found out that it has a broad scope and requires serious organisational commitment, resourcing and investment. There are various ways to reduce the amount of work that needs to be done with the easiest being to reduce the number of places where card data is stored.
Point-to-point encryption
One way to simplify PCI DSS compliance is to introduce point-to-point encryption (P2PE). The initial point is encrypting the card data right at the start of a payment transaction, as soon as it is read. The encryption occurs within a Secure Read Encrypting Device (SRED) module within the PIN pad. In an STS implementation the G8 software product talks to this SRED module and then provides the connectivity to the other end point, which is housed within a secure data centre where the decryption takes place. Few retailers are familiar with managing Hardware Security Modules (HSM) and security kits, and are put off by the high costs involved.
Immediately encrypting the card data has the effect of removing clear card data from the store environment or business premises. This may help reduce PCI DSS scope although some vendors have at times embellished the possible savings. P2PE aims to simplify the audit and compliance process thereby generating cost reduction and faster certification. No mandate exists to force retailers to adopt P2PE.
PIN pads must be PCI PTS SRED approved and there has to be a clear ‘Chain of Custody’ in place for security keys - right from time of manufacture. When taken together this often has the effect of forcing a PIN pad refresh on most retailers looking to move to P2PE. The vast majority of existing PIN pads cannot be remotely upgraded, partly due to key loading requirements, P2PE may therefore be best introduced as part of a broader payments infrastructure refresh strategy.
The two largest PIN pad manufacturers Ingenico and VeriFone have each introduced P2PE solutions; these are called Ingenico On-guard and VeriShield Total Protect. They work with their latest versions of devices and include a host decryption module and key management service. P2PE is also available from other PIN pad manufacturers including MagTek who offer this as a standard feature within their DynaPro product range.
P2PE adoption has not been an easy journey for any organisation. The PCI SSC has gradually clarified the standards and approval process but this has taken longer than anticipated. The introduction of encryption requires strong key management to be implemented; in reality this is far more complex than the encryption process. You must be able to track and control access to each device right from time of manufacturing through to installation in-store. Some major retailers have opted to only introduce certain elements of P2PE rather than a full and certified solution thinking that the total costs and tasks to be completed could not be justified.
As at the end of November 2014 there are only six companies globally that have achieved P2PE validated solution status and five with P2PE validated applications. Details of all validated products can be found at the PCI SSC website.
STS position
We recognise that point-to-point encryption is appropriate for certain retailers and as such are supporting it within our product set. However we do not think it is appropriate for all retail merchants. It should not be thought of as a ‘single silver bullet’, as no retailer can abdicate all of their PCI DSS responsibilities and it is unlikely that a large enterprise store network can be completely taken out of PCI audit scope.
PCI SSC validated P2PE solutions are highly restrictive in nature and have to be implemented exactly as certified in accordance with the P2PE Instruction Manual (PIM). This inflexibility may not suit all retailers. Many retailers chose to outsource their payment processing but with P2PE are now becoming burdened with unexpected responsibilities that have to be resourced in-house.
We have always looked to offer clients hardware flexibility and as such have architected our P2PE solution to be manufacturer agnostic. Our first P2PE customer implementations will be G8 in conjunction with Ingenico Onguard and are scheduled for rollout in Spring 2015, others will follow based on customer demand.
Some of our customers and partners have been reluctant to adopt P2PE and instead chosen to run G8:Enterprise and utilise network-based encryption with clear network segmentation. They have felt that P2PE is overly complex, inflexible and expensive and the advantages had been exaggerated. Adopting a secure network with network isolation, managed firewalls and strong TLS encryption improves data security protection levels and simplifies PCI DSS compliance. This is proving to be an acceptable alternative to P2PE for many retailers as it offers strengthened data security protection levels, industry standard encryption, regular audits, advanced key management and part completed SAQs but without many of the disadvantages of P2PE. As an example, G8 works with the Vodat managed payment network. More details of this approach can be found in the Whitepaper at www.thepaymentsnetwork.co.uk/
We think the most important thing for retailers to focus on is strengthening data security protection rather than trying to reduce the scope of an audit. Our approach remains to be consultative in nature and to explain the various options together with their advantages and disadvantages. We welcome the opportunity to discuss the most appropriate path for your particular situation.