What's Wrong with P2PE
PCI Compliance Through Scope Reduction
The Payment Card Industry Security Standards Council announced at the European Community Meeting in Nice, France the first validated Point-to-Point Encryption (P2PE) solution. The P2PE application/solution validation programs were first introduced by the PCI SSC over two years ago, so while some might say “it’s about time a solution was validated” it at least appears that the P2PE validation program is quite challenging and complex. European Payment Services (EPS), being the first company to have a solution listed, should be commended.
The main selling point of P2PE has always been the hope of significant scope reduction for merchants – namely the belief that P2PE would essentially remove all retail locations and supporting network infrastructure from being subject to PCI DSS compliance. The way that P2PE has evolved it is highly likely that the desired scope reduction/elimination will not be achievable by many merchants, for a variety of reasons, and/or the P2PE solutions will be too costly based on this diminished return on investment.
The Solution - P2PE
In an industry that seems to bounce from one “silver bullet” solution to the next, P2PE has been anticipated more as the “Holy Grail” that would all but eliminate a merchant’s responsibility for PCI compliance by taking credit card data out of their hands. This belief is based on several conditions and assumptions:
- The PCI Data Security Standard (PCI DSS) provides security requirements that must be followed by all merchants that transmit, process or store customer credit card data in the course of doing business;
- Adherence to the PCI DSS is required for all systems involved with the credit card processing (remember: transmit, process, store) and involves things like secure configurations, regular patching, vulnerability management, running Anti-virus/Anti-malware, protecting credit card data in transmission and storage, vulnerability scanning, event logging and monitoring, secure administration, etc.;
- Demonstrating merchant compliance with the PCI DSS is accomplished through an annual validation process that involves either an independent third party assessment or self-assessment;
- Many merchants focus on minimizing the number of a) systems that require compliance with the PCI DSS or b) the systems that are subject to compliance validation (e.g. what QSAs review) – this is commonly referred to as SCOPE REDUCTION;
- The PCI Council has provided the following rules/clarifications over the years:
- the presence of the payment card account number or “Primary Account Number” (PAN) is the primary litmus test for determining a system is in scope for PCI;
- an encrypted PAN is still cardholder data because it is theoretically possible to decrypt and thus recover the PAN – so any system transmitting, processing, or storing encrypted PANs must still be considered in scope for PCI;
- BUT – the Council conceded that if an entity (read: merchant) has no ability to decrypt the encrypted data then the encrypted data is not card data and therefore systems that transmit/process/store may be taken out of scope;
- The logical evolution of the preceding clarifications led to the determination that the only way a merchant can take any of their systems out of scope for PCI was to take the encryption AND decryption out of their hands….which led to the P2PE program.
This progression of events has been roughly interpreted as follows: “If I (a merchant) don’t have any credit card data then I don’t have to do PCI, so if I invest in a P2PE solution then I don’t ever have to pay a QSA to validate compliance with PCI DSS again, and I probably don’t have to hire an ASV either – because what would they look at? I don’t have any credit card data in my environment so my PCI headaches are over.”
That really does sound like a Holy Grail doesn’t it? Of course, it’s not really true…
The Evolution of P2PE
The initial release of the “PCI Point-to-Point Encryption: Solution Requirements – Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hardware)” in September 2011 stated that it contained “…the first set of validation requirements for point-to-point encryption solutions, and provides a method … for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for account data acceptance and processing.” This initial requirements document also provided an appendix that outlined the expected PCI DSS requirements for merchants that implemented P2PE solutions provided they attested to very stringent and detailed qualifying criteria.
Today’s press release from the Council announced that the very first (and only) P2PE solution is now available for “merchants and acquirers looking to deploy a P2PE solution to help simplify their PCI DSS security programs by removing clear-text cardholder data from the payment environment.”
That’s quite a different statement from the initial requirements release.
Improving security and meeting/exceeding the PCI DSS requirements are great reasons to invest in P2PE but being primarily interested in scope reduction is almost certainly going to lead to disappointment.
Is it a good idea to encrypt payment card data using a P2PE solution? Sure, it’s better than not encrypting the data; the bad guys either have to target the card data at the swipe device (which P2PE and the “remaining” PCI DSS requirements address) or they have to target the point of decryption – which is at the validated PCI DSS compliant acquirer or payment processor (so they are protected too). Remember the liability for a breach or card data compromise of all merchants falls to their acquiring bank – so they compliance burden is really put back on the entity that is ultimately responsible any way. In fact, if you look at the P2PE documentation you will see that whatever responsibility for PCI compliance has been deferred by the Council to the acquirers as well – so it’s ultimately [still] up to the acquirers how to deal with their merchants.
P2PE will probably work pretty well for reducing/eliminating PCI scope for smaller merchants. Larger merchants that traditionally act as payment gateways or processors for their merchant locations, (especially franchisees) might have more difficulty in meeting all the qualifications to reduce scope using P2PE solutions. P2PE only addresses the payment authorization and settlement data flow – any other business processes involving payment card data would still be in scope for PCI and may negate any possible reductions. Merchants that are looking for scope reduction or elimination might be in for a bit of a surprise when they find out how difficult it is to qualify for the desired reduction in scope for their PCI assessments.
What’s really wrong with P2PE is the same thing as what’s wrong with PCI; the entities subject to PCI DSS compliance worry too much about reducing or limiting scope and not enough about the security of their enterprise – and using the PCI DSS as a benchmark.