Posted August 19, 2014 by FreedomPay

Industry Misconceptions about PCI Certified Point-to-Point Encryption

Proper education in the payment industry is crucial in today’s world of transactions, yet many merchants have fallen prey to misinformation about the security of their payment solutions – resulting in disastrous hacking incidents.

In fact, disseminated solution security information is so inaccurate that merchants have been misled into believing their payment systems feature PCI certified point-to-point encryption (P2PE) when they do not.

How do you know if your payment system does indeed feature PCI certified P2PE?

Just check the PCI Security Standards Council website. The “Approved Companies and Providers”section lists every PCI certified P2PE provider.

To receive PCI certification for a P2PE solution, a vendor must satisfy three criteria in addition to passing a 1,000-point PCI DSS audit check. Below are the requirements that must be in place for a vendor to offer true PCI certified P2PE.

  • Use a hardware-to-hardware encryption and decryption process, along with a point-of-interaction (POI) device that has SRED (Secure Reading and Exchange of Data) listed an enabled function.
  • PCI-validated secure distribution channel, meaning the entire chain of custody of the POI devices follows strict controls regarding shipping, receiving, tamper-evident packaging and merchant installation.
  • Include merchant education in the form of a P2PE Instruction Manual (PIM). This guides the merchant on POI device use, storage, return for repairs and regular PCI reporting.

Without meeting all of these criteria, a vendor is likely providing a merchant with an un-certified tokenization or end-to-end encryption solution.

Why is that solution bad for business?

In short, it does not remove a merchant’s point of sale (POS) and network from the scope of PCI DSS compliance leaving systems vulnerable to attack. The result is that a merchant is still responsible for ensuring compliance with all 300 or so PCI DSS standards instead of the 19 required in a true P2PE solution.

A PCI certified P2PE solution puts a merchant’s POS and supporting infrastructure, including network, 100% out of scope for PCI DSS compliance by encrypting payment information from the moment of swipe all the way to the processor. This ensures that the payment data is never made available in clear-text, meaning it is never unencrypted in a merchant’s POS, network or memory.

Knowledge is power when investing in solutions that protect your brand and customers. Be sure to check that your payment provider offers PCI certified P2PE or be ready to pay the ultimate cost. And while you’re making this decision, keep in mind the pending EMV requirements too.

To learn more about the PCI certified FreedomPay Commerce Platform P2PE solution, feel free to contact us. We’d love to provide you with the latest information on payment channel security.

To learn more about payment security best practices and PCI certified P2PE, consider reading the following articles.