In the cat and mouse game of payment security, P2PE represents the next level in sophistication. Today, achieving PCI P2PE (point-to-point encryption) compliance means a retailer has gone above and beyond minimal PCI requirements, but inevitably those extra protections will become PCI must-haves as well. That’s why Level 10 has become one of the early adopters of P2PE-related processes in our part of the payment security solution set, achieving PCI P2PE certification for our components.
The PCI Council says P2PE offers considerable benefits to retailers. P2PE solutions work by “encrypting cardholder data at the earliest point of acceptance, making that data less valuable to attackers even if compromised in a breach. Use of a PCI-approved P2PE solution can also allow merchants to reduce where and how the PCI Data Security Standard (called the PCI DSS) applies within their retail environment, increasing security of customer data while simplifying compliance with the PCI DSS.”
Hard-to-Find Solution Providers
However, implementing a payment environment that complies with PCI’s guidelines on P2PE has been difficult due to a lack of compliant solutions. According to Coalfire Systems, one of a handful of organizations that perform assessments of P2PE solution providers, that’s because of the cost, time, complexity and stringent requirements involved in getting certified.
One of these requirements is that every partner that touches a P2PE payment environment ― one implemented by a P2PE certified solution provider or by a retailer themselves ― must also be P2PE certified by the PCI Council. This includes validated hardware, software, and solution provider environment and processes.
Level 10’s part in all that is called a P2PE Component. The PCI Council describes that as “a subset of P2PE services including encryption management, decryption management, and key injection, which are provided by a P2PE component provider and included in the P2PE component listing on the PCI website.”
What Deep Scrutiny Looks Like
At Level 10, that means that all the services and processes we use to support a retailer’s P2PE solution must follow stringent guidelines. For example, chain of custody of payment terminals is an important part of ensuring payment security. This means we need clearly documented processes and controls for how payment terminals move through our facility to ensure we transfer them securely: how we receive them from the OEM vendor, move them from receiving through key injection and other processes, deliver them to the store and perform the installation, without ever losing sight of or control over them.
PCI PIN 2.0 already includes guidelines for all that, but the processes required by the PCI Council for P2PE are even more exacting. Not only do we need solid processes and controls, but also detailed decision trees for every possible exception: If this goes wrong, we do this, and if that doesn’t work, we do this process, and if THAT goes awry, we do this ― and so on.
There are also detailed requirements around physical security, use of video monitoring, transfer of documentation, and so on. While security testing from a third party typically takes a day, the assessment Coalfire conducted as part of our P2PE certification lasted a full week ― and it took us 90 days to prepare for it.
PCI on Steroids
P2PE has been called PCI on steroids, because it’s more comprehensive, more exacting, and more secure than the bar set by current PCI requirements. But today’s high bar quickly becomes tomorrow’s minimum requirement. By becoming an early recipient of P2PE certification, Level 10 helps retailers at every step of their payment security journey: P2PE credentials for those who need that right now, and the benefits of certified, state-of-the-art security for every retailer we work with as they adopt next-gen security protocols.