
PCI P2PE unencrypted: what you need to know about encryption



Encryption is a hot topic in payments today. But it is not an entirely new concept. Human beings have been using forms of cryptography to protect sensitive information for thousands of years. While today's payment encryption technology, particularly point-to-point encryption, is a far cry from earlier rudimentary methods of securing information, the end goal remains the same: render sensitive data non-sensitive so that if it is stolen, it cannot be used.



One of the most common misconceptions about encryption is that it is the be-all and end-all for protecting cardholder data, and that having an encryption solution in place is enough to protect a business from data theft. The fact is that criminals continue to find ways to breach merchant systems and access account data, often by reaching the data before it is encrypted or by reaching the keys that encrypt it.

Credit card security and fraud protection is a complex and detailed discipline that requires dedication and focus beyond encryption technology. The type of encryption, where the encryption happens, and how the encryption keys are managed all determine the effectiveness of a particular solution. (An encryption key is the secret value an algorithm uses to encrypt data and, for the symmetric encryption used in payments, to decrypt it again. Whoever holds the key can recover the cleartext, which is why key handling matters at least as much as the algorithm.)

Good technologies that are implemented poorly result in a false sense of security. An effective encryption solution depends not only on the encryption keys but also on secure device requirements; key management that follows security requirements and best practices; properly implemented, trusted applications; and device deployment operations.



Why encrypt credit card data?
There are two main reasons for a merchant to implement a payment solution that includes encryption: to reduce the risk that card data stolen from the merchant's systems can be used, and to reduce the merchant's PCI DSS compliance scope.

Although there are many encrypted payment solutions available, they are not all the same, and they do not all deliver both benefits. The two most common options for small and medium-sized businesses are non-validated encryption and PCI P2PE. Let's take a look.

Non-validated encryption solution
A non-validated encryption solution is "risk reducing" against attackers, but it does not reduce the merchant's PCI DSS compliance scope. This is because, although data is encrypted, the hardware where the encryption takes place has not been approved under the PCI PTS point-of-interaction (POI) device standard, and the handling of encryption keys has not been assessed against security best practices and standards. If the keys live in software on the merchant's systems, whoever can reach those systems, whether the merchant's own staff or an attacker who has compromised them, can potentially recover the keys and, with them, clear cardholder data.

One of the reasons smaller merchants often go this route is that non-validated solutions offer the most flexibility in the choice of card-reading hardware and payment applications. They can also be less expensive than PCI P2PE solutions. But more often than not, a merchant is simply unaware that their payment solution uses a non-validated encryption solution in the first place. Plain magnetic-stripe readers, ROAM readers, Square dongles, keyboard emulators (readers that type the card data into the POS as if it were keystrokes, so the data reaches the POS in clear), and non-EMV-enabled readers are all examples of non-validated solutions.
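As an added example (not code from the original post), here is the check a merchant or assessor can run to find out which of the two cases above they are in: capture what the POS host actually receives from the reader and scan it for card data in clear. If a Luhn-valid PAN or a track-1/track-2 record shows up, the reader is delivering cleartext to the merchant system, and whatever encryption happens later is not happening at the point of interaction. Both sample buffers below are constructed for this example; the "P2PE-style" message format is invented and is not any solution provider's real format.

```python
import re

# Constructed sample data (not from the original post). 4111111111111111 is a
# well-known Luhn-valid test PAN, not a real card number.
KEYBOARD_EMULATOR_OUTPUT = (
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"  # track 1, in clear
    b";4111111111111111=25121011234567890?\r"            # track 2, in clear
)

# What a P2PE-style POI device hands the POS instead: an opaque ciphertext plus
# a device identifier. Field names and bytes are invented for this example; a
# real solution provider's message format will differ.
P2PE_STYLE_OUTPUT = (
    b"DEVSN=1A2B3C4D;ENC="
    b"9f2c0a7b4d1e3c88b1a0ff6e2d4c5b7a0192e83f74a5c6b7d8e9f0a1b2c3d4e5\r"
)

# ISO 7813 track layouts, plus any bare digit run long enough to be a PAN.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS masking limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_clear_pans(buf: bytes) -> list:
    """Return every distinct Luhn-valid PAN present in clear in buf.

    Each result is {"pan": masked PAN, "sources": sorted list of the patterns
    that matched}. Full PANs are never returned, so the result is safe to log.
    """
    hits = {}
    for label, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE),
                           ("digits", PAN_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):  # drops expiry/discretionary digit runs
                hits.setdefault(pan, set()).add(label)
    return [{"pan": mask(p), "sources": sorted(s)} for p, s in sorted(hits.items())]


if __name__ == "__main__":
    for name, sample in (("keyboard emulator", KEYBOARD_EMULATOR_OUTPUT),
                         ("P2PE-style device", P2PE_STYLE_OUTPUT)):
        found = find_clear_pans(sample)
        verdict = "CLEAR PAN REACHES POS" if found else "no clear PAN"
        print(f"{name}: {verdict} {found}")
```

The scanner only ever returns masked PANs, so its output can go into a ticket or log without creating a new store of cardholder data. A clean result on one capture shows that this reader is not handing cleartext to the POS; it does not by itself make the solution PCI P2PE, which is established by the solution's listing with the PCI Security Standards Council.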



PCI Point-to-Point Encryption (PCI P2PE)
A PCI P2PE solution has been validated against the PCI P2PE standard and listed by the PCI Security Standards Council, and it offers the most benefits for most SMBs. With PCI P2PE, the service provider bears the responsibility for adhering to a full range of PCI mandates, including secure hardware and application management; the encryption scheme; the decryption environment; and encryption key management, including the key injection facility.

Although the merchant still has to adhere to a required set of PCI mandates, their scope of compliance is much smaller with a PCI P2PE solution. Merchants using a listed PCI P2PE solution qualify for a simpler PCI DSS Self-Assessment Questionnaire, SAQ P2PE, which is significantly shorter, and they benefit from the confidence that the solution they are using has been validated against the standard.

While PCI P2PE provides merchants with risk reduction, PCI scope reduction, and even a shortened SAQ, it is also more restrictive than other solutions. Merchants must use the devices, payment application, P2PE scheme, and key injection facilities that were validated as part of the listed solution. Otherwise, they will not get the benefit of the SAQ P2PE.

In addition, they must accept the Merchant P2PE Implementation Responsibilities, set out in the solution provider's P2PE Instruction Manual (PIM), in order to be eligible for the SAQ P2PE. This includes implementing device management policies, inspecting devices for tampering and substitution, and keeping them secure when not in use.

Due to the complexities and restrictions with PCI P2PE and the associated certifications, there are only a handful of P2PE solution providers. The list of providers is expected to expand, however, as the standard is rewritten in order to gain more adoption among solution providers.



Questions to ask
When evaluating your options for payment solutions that use encryption, here are a few questions to ask yourself:

Do you have the time and resources to maintain a P2PE compliant environment? If you are not regularly completing security check-ups and task checklists, PCI P2PE may not be the right way to go.
Are you able to get the hardware you want and work with your preferred processor? Not all devices are certified to meet P2PE standards, but more options are becoming available.
What is your budget? Cost can be a consideration, since a PCI P2PE device is generally more expensive than a non-validated device. But these costs can be offset by the benefits of reduction in compliance scope and risk.
Although it is impossible to remove all risk from any payment processing environment, implementing secure processing technologies like PCI P2PE offers greater protection and ease of meeting compliance mandates. To learn more, check out these steps to more secure payment solutions.

