Is Point-To-Point Encryption Ready For Prime Time?

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Are you looking at point-to-point encryption? Maybe you should. From vendor presentations to Congressional testimony, point-to-point encryption (or P2PE, to use the PCI Council's unfortunate acronym) has been hailed as the merchant's PCI savior. Is it really?

Can this powerful emerging technique simplify retailers' PCI compliance to the point of it being a minor annoyance? That seems to be one of P2PE's promises, but how much it and the others are realized depends greatly on each retailer's internal processes and requirements.

Almost a year ago, I asked if P2PE and tokenization were really substitutes. What I am realizing is, although that may be the case for some retailers, for many others the two technologies will be complements. That is, instead of choosing between them, retailers—especially larger retailers—may find they need to implement both technologies to meet PCI requirements.

The PCI Council recently released a white paper describing P2PE. The paper is a well-designed roadmap for everyone—merchants, acquirers, processors, vendors, QSAs—interested in using this technology to reduce PCI scope. It represents the work of a special interest group (SIG) that has been laboring since last year to come up with practices and standards for implementing this exciting technology.

I am a big fan of P2PE. What is important to realize—and the paper points out—is that P2PE addresses only the transmission of cardholder data. That is, it does not address data storage. Therefore, if you store electronic cardholder data today or use cardholder data in any marketing or loyalty application, P2PE is not going to reduce that part of your PCI scope.

The white paper states that "if an entity can validate that the encryption and decryption environments and methods used meet industry best practices included in the forthcoming Validation Requirements for point-to-point encryption, then an entity may consider their [cardholder data environment] reduced to the encryption and/or decryption environments, subject to validation."This means that, properly implemented, P2PE could potentially reduce a merchant's PCI scope to the card reader at the POS. Implementation may be complicated and will likely involve an upgrade to the POS. Once the payment card is swiped though, the data is encrypted and remains encrypted until it reaches the destination. Decryption must not be feasible at any point between the point of encryption and the destination. Because only the P2PE provider (i.e., the "destination") can decrypt the data, the plan is that the rest of the merchant's systems (excluding any cardholder database) should be out of PCI scope.

Retailers need to allow for key-entered transactions, either because of failure to read the magnetic stripe or chip or because of a mail or telephone order, so the POS will likely remain in PCI scope. Note, too, that for the encrypted data to be out of scope the merchant must have no ability to decrypt the data. That function has to reside with an unrelated entity; in most cases, the P2PE provider.

P2PE has the potential to reduce PCI scope to a minimum for retailers that have no need to retain cardholder data. But what about the many retailers that do use cardholder data? Those merchants face a more complicated scoping challenge.

The PCI Council's white paper addresses this question in an important warning about PCI scope: "It is essential that merchants understand their entire card transaction environment and ensure that all cardholder and sensitive authentication data is identified, that there is a realistic understanding of the threats, and that the organizational security posture and risk management are appropriate."

Let's consider a retailer that implements P2PE properly and reduces its "transmission" PCI scope to the POS. Like many retailers, it has a number of marketing and other back-office applications that use cardholder data. Assuming the retailer wishes to keep these applications, it faces a choice.

The retailer could have its acquirer return the transaction detail, including the required cardholder data. Unfortunately, that action just threw at least some of the retailer's firewalls, network and any number of servers, switches and other devices back into PCI scope. Alternatively, the retailer could have the data returned in the form of tokens, instead of encrypted cardholder data. Properly executed (are you getting tired of that phrase yet?), this tokenization may avoid or minimize the increase in PCI scope.Implementing tokenization on top of P2PE may not be easy. For example, is the acquirer capable of or even interested in providing tokenization? Alternatively, can or will the acquirer or the P2PE vendor send the cardholder data to a retailer's preferred token vendor? What will that cost? What if the acquirer offers a tokenization product different from the retailer's preferred vendor? How many more service providers are now storing cardholder data for the retailer, and is the retailer prepared to manage all of them?

Maybe we need to add these to my previous list of 10 tokenization questions, either the first five or the second five.

None of these issues is insurmountable. Some very smart vendors are active in this space, but we lack standards and guidelines. This means retailers need to make any decisions on P2PE (or tokenization, for that matter) with their eyes open. Maybe it is not like being a beta site, as some people have described it. But making a commitment now should definitely put you in the early-adopter category.

The PCI Council's white paper identifies several future actions it "will consider," including additional training and testing standards. The most interesting to me is the possibility that the Council would develop "tools for merchants, such as a list of qualified P2PE solutions and/or revised self-assessment questionnaires." I don't know if the Council is talking about the equivalent of a PA-DSS or PCI PTS for P2PE, but—if so—it could be a great benefit for retailers and merchants of all sizes. Implementing a new standard could prove a nightmare, so I would not count on it happening soon.

For now, we all will have to await the follow-up paper, tentatively entitled "Validation Requirements for Point-to-Point Encryption," to be released sometime in 2011. The Council's plan is to send this paper only to participating organizations (yet another benefit of being one of these companies), at least initially.

In the meantime, if you are contemplating P2PE, I'd suggest you start by finding all your cardholder data. After you do that, go back again and make sure you really have found all the data: paper forms, databases, CDs, thumb drives, call center recordings, laptops, logs, system backups, E-mail backups and the myriad other places where data can hide. Then address the 10-plus questions I have raised. Remember, no magic will make PCI go away. But this technology has great promise to reduce PCI scope. Oh, did I mention to be sure to find all your data?

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].