The State of Data Security
In the past few years, the rate of merchant data breaches has grown dramatically. In many cases—from high-profile merchant breaches such as Target and Home Depot to much smaller merchants—forensic investigations have confirmed that the preferred method for extracting account data from point-of-sale (POS) systems has been the use of RAM-scraping malware.
This breed of malicious software is able to access clear-text card data as it is processed within system memory, even if the system uses encryption to receive and re-transmit this sensitive data. While card data may be received by the POS system in encrypted form, encrypted when stored, and encrypted when transmitted, it is unencrypted while in memory and therefore is highly vulnerable to this type of attack.
Stolen credit card account data is also very costly in terms of fines, penalties, consumer notification and credit monitoring for those affected, forensic investigation, remediation, loss of business, damage to relationships, and damage to consumer reputation and trust. Studies of retail data breaches report costs that range from $172 per record to volume-specific average costs, which run from $67,480 for 1,000 records to $8.8 million for 100 million records.
Common Tools for Securing Payment Transactions
There are three valuable technologies to protect credit card transactions:
- EMV authenticates the credit or debit card at the point of sale by reading a chip embedded on the card and validating the cardholder with a PIN or their signature. EMV makes it extremely difficult (though not impossible) to “white-label” or duplicate a physical credit card that could then be used by thieves to purchase items at the POS.
- PCI-validated P2PE protects data in transit by encrypting cardholder data upon point of entry in the retail device. Encrypting card data upon entry prevents the data from being available in the enterprise or merchant’s system as “clear-text” where it could be exposed in the event of a data breach.
- Tokenization enables merchants and enterprises to safely “store” cardholder data at rest for use in future transactions. Tokenization, like P2PE, effectively renders the data useless to hackers.
The Differences between PCI-Validated P2PE Solutions and Non-Validated P2PE Solutions
Recognizing the presence of existing encryption solutions and the growing need for guidance on their proper implementation, the PCI Security Standards Council (SSC) sought to identify the specific impact of transaction encryption within its standards framework and provide a structure for companies to receive PCI SSC scope reduction from implementation of approved encryption solutions.
In 2012, the PCI SSC released the first version of the PCI P2PE standard, the P2PE program guide, and the special P2PE self-assessment questionnaire (SAQ) for merchants. Updated in 2015, PCI P2PE version 2.0 establishes a specific list of controls that encryption providers must enact in order to be listed as an approved P2PE solution or component.
Non-Validated (Unlisted) Encryption Solutions
Encryption solutions that have not been validated by the PCI SSC, but still provide functions such as encrypting within the point of interaction (POI) terminal and decrypting outside the merchant environment, are generally called unlisted P2PE solutions or End to End Encryption (E2EE) solutions.
PCI-Validated (PCI-Listed) P2PE Solutions
PCI-Validated P2PE solutions have been assessed by a QSA (P2PE) as having met the PCI P2PE standard and are therefore listed on the PCI website under Approved P2PE Solutions. In addition to meeting the P2PE standard, the decryption component of the solution must operate within a secure environment that has been assessed to the full PCI DSS standard.
The Benefits of PCI Validation for Merchants
There are numerous tangible benefits merchants receive from using a solution that has been through the validation process.
PCI-Authorized Scope Reduction
Merchants who use a validated solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized self-assessment questionnaire SAQ P2PE that is known and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions).
Card Brand Programs
Visa Technology Innovation Program (TIP)
Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply through their acquirer for the Visa TIP program, which allows approved merchants to discontinue their annual assessment process to revalidate PCI DSS compliance.
Visa Secure Acceptance Program
This program incentivizes acquirers by providing safe harbor for fees in the event of a compromise for Level 3 and 4 card-present merchants who use a PCI-validated P2PE solution.
Solution for Challenging Compliance Issues
By encrypting all card data within a validated card reader before it passes through the mobile device, the consumer mobile device is rendered out of scope for PCI DSS compliance (so long as it is not used for any other payment function), ensuring compliant card acceptance via a consumer mobile device.
Because systems and networks between the encryption point and the decryption environment are no longer in scope due to the P2PE encryption, this unique advantage can address complex network responsibility challenges for some merchants.
The Return on Investment (ROI) and Total Cost of Ownership (TCO) of a PCI-Validated P2PE Solution
Total Cost of Ownership (TCO) analysis is a means of calculating the costs of an asset, service, or initiative over its lifespan. While TCO formulas may vary depending on the solution being reviewed, an effective calculation must include all visible costs directly related to the project, as well as a reasonable and consistent measure of hidden or indirect costs.
- Common visible costs include the acquisition cost, setup cost, operating cost, maintenance cost, security cost, regulatory cost, repair cost, disposal cost, financing cost, and depreciation savings.
- Hidden costs may include opportunity cost, cost of impact to corporate culture or processes, or other costs associated with business risk such as downtime or weighted costs due to impact of new risks.
An alternate approach is to perform an ROI analysis. The ROI (also known as Rate of Return or ROR) is an expected gain that may be realized through the investment over a specific time period and is expressed as a net gain (or loss) associated with a project over the designated period of time.
Sample TCO and ROI Analysis for PCI P2PE Solutions
To illustrate the process of reviewing the cost impact for PCI P2PE, the ROI and TCO analysis in our white paper considers a hypothetical small merchant with eight mobile sales representatives, a retail storefront office with a point-of-sale, a dozen or so non-payment related workstations, and WiFi.
For simplicity, we assume that the merchant does not develop custom software or store cardholder data electronically or physically. In the paper, the hypothetical merchant has identified their costs to implement a P2PE solution with eight mobile and two countertop devices, including initial setup costs, recurring costs, program investment, and ongoing compliance costs.
- TCO of Current Solution: $300,400
- TCO of PCI P2PE: $193,350
- PCI P2PE Return: $114,250
- PCI P2PE ROI: 1,487%
We hope you have enjoyed our informational blogs on our new white paper, The Impact of PCI P2PE. Please contact us directly with any questions or if you are interested in learning more about our PCI-validated P2PE solutions.
Today’s guest post comes from Ruston Miles, Senior Vice President and Chief Innovation Officer for Bluefin Payment Systems. Bluefin, a Delego partner, specializes in PCI-validated point-to-point encryption solutions. Ruston discusses Bluefin’s newest white paper, authored by Coalfire Systems – The Impact of PCI-Validated P2PE.