Wednesday, November 17, 2010

PCI AND POINT TO POINT ENCRYPTION (P2PE)

You have probably read or heard about one of the P2PE technologies available today. While they may make the job of security easier, Bob Russo, the general manager of the PCI Security Standards Council, sums up his concerns: “It is important to remember there is no silver bullet to securing a payment environment,” and, “Implementing one of these technologies will not automatically make you compliant with the PCI DSS.” Bob goes on to say, “Focus on good security and compliance will follow.”
A recent document posted by the PCI Security Standards Council (PCI SSC), https://www.pcisecuritystandards.org/pdfs/pci_ptp_encryption.pdf, discusses P2PE and several of the factors to consider when evaluating the technology for your location.

Since P2PE is an immature technology, implementation may result in vendor lock-in: products from one vendor cannot communicate with, or be replaced by, products from another vendor. Additionally, your credit card processor may only support devices from one vendor and not another.

P2PE solutions will not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify validation efforts by reducing the number of system components to which PCI DSS applies. Any network attachment that is not segmented from the device performing the encryption is still required to be PCI DSS compliant. Bank charge-back data still requires a PCI DSS compliant environment and handling procedures, as well as any imprinted or legacy card data.

Being compliant with the PA-DSS guidelines is an ongoing process and grocers need to be ever vigilant. You can find up-to-date PA-DSS and PinPad information at http://www.pcisecuritystandards.org.