The Payment Card Industry Security Standards Council has updated a security standard to simplify the development and use of point-to-point encryption solutions. These make payment card data unreadable and less valuable if stolen in a breach by criminals.
The standard—one of eight from the council—is detailed in "PCI Point-to-Point Encryption Solution Requirements and Testing Procedures Version 2.0." It gives more flexibility to solution providers and to companies that provide P2PE components (services that fulfill specific P2PE requirements and can be integrated into P2PE solutions), PCI said in a statement.
The PCI Council now lists validated P2PE components in addition to validated P2PE solutions and applications. This will make it easier for providers to create solutions for merchant customers. Version 2.0 offers a new feature for merchants that act as solution providers, enabling them to implement and manage their own P2PE solutions for point-of-sale locations.
"Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers' payment information. As these attacks become more sophisticated, it's critical to find ways to devalue payment card data," said PCI Security Standards Council CTO Troy Leach. "PCI point-to-point encryption solutions help merchants do this by encrypting cardholder data at the earliest point of acceptance, making that data less valuable to attackers even if compromised in a breach."
By using a PCI-approved P2PE solution, merchants can reduce where and how the PCI Data Security Standard applies within their retail environment. This increases the security of customer data and simplifies compliance with the PCI DSS.
"Protecting your customers and your corporate brand continues to be the biggest challenge faced by IT executives," said Bill Bolton, VP of information technology for HoneyBaked Ham. "To meet that challenge, we've worked with a P2PE solution provider to adopt a PCI-validated P2PE payment solution across all our stores in a simplified and cost-effective way."
That provider, Bluefin Payment Systems, said PCI's P2PE standard simplifies security and compliance for retailers and protects cardholders from data breaches. "With version 2.0, PCI has made the development and implementation of P2PE Solutions easier," said Ruston Miles, chief innovation officer and founder of Bluefin. "Now solution providers and merchants can simply choose from individually validated components to build and manage their own P2PE Solutions. This increases flexibility and choice among vendors, and puts the merchant in the driver's seat." Bluefin is a participating organization of the PCI Council and Miles assisted in the development of the standard.
PCI and Bluefin also put out a case study about the Hillman Group, which operates self-service kiosks. "This updated merchant-friendly standard means there is now no excuse for merchants and solution providers that are seeking the best possible safeguards for their consumer payment data to avoid implementing PCI validated P2PE," said Bluefin CEO John Perry. "Furthermore, the standard is recognition of P2PE's critical role in a 'secure-all-channels' approach to data security, providing, alongside EMV chip cards and tokenization technology, the protections that American consumers deserve."
The standard was developed in response to input from early adopters. "With version 2.0 the Payment Card Industry Council is responding to market feedback to provide a simpler approach to validating solutions, while still maintaining a strong level of integrity in the validation process that will result in the most secure options for merchants," Leach said.