How big will P2PE’s wings grow this year?

Brandon Benson, CISSP, QSA, P2PE-QSA
Point-to-Point-Encryption (P2PE) is a crucial part of payment security that the PCI Council recommends for all merchants. For more information on how P2PE works, check out this blog post. But is P2PE gaining purchase among businesses?

As a P2PE-QSA, there are five things I expect to see in 2015 with regard to P2PE solutions.

1. More solution providers will start offering P2PE

P2PE had a slow start. I didn’t see any traction in the first 1.5 years of its existence. The problem was, no solution providers wanted to go through the work required to create a P2PE solution. Now seven solution providers support P2PE, and I predict that number will double by the end of 2015.

Why am I so confident in P2PE?

A new P2PE standard (v.2.0) is being released this year, and service providers are trying to get on the bandwagon. 2014’s hacks led to more discussion of the future of security. P2PE was brought up by many security professionals as the recommended solution for merchants. Now, more merchants are specifically looking to make the switch to enjoy the security freedoms of P2PE (like reduced PCI scope, etc.).

As this method of security gains more popularity, service providers know that early providers of P2PE will have a greater competitive advantage.

2. E2EE solutions will go out of style

Right now, merchants looking for encryption solutions are either adopting validated P2PE solutions, or they’re working with their acquirer to adopt an end-to-end encryption (E2EE) solution. E2EE solutions do not go through the rigorous P2PE validation from the PCI Council, but still offer end-to-end security on PIN Transaction Security (PTS) devices.

Typically, it’s large merchants that adopt E2EE solutions. Unlike P2PE solutions, E2EE solutions allow merchants to process transactions in their own processing environment, which reduces processing fees and costs. Large merchants don't want to give up their own processing backend.

That being said, P2PE version 2.0 will likely allow merchants to use their own decryption environment, which would then allow those originally attracted to E2EE solutions to begin seriously looking at P2PE.

Another ding against E2EE solutions is that they are set up strictly between a single acquirer and a merchant. Because E2EE binds merchants to a certain acquirer (and their associated fees), it is less appealing. P2PE solutions typically allow merchants flexibility with choosing their acquirer, since the solution providers that offer the P2PE solution have contracts with multiple acquirers.

3. More EMV-capable P2PE terminals will be created

I haven’t actually seen a significant number of merchants integrate P2PE and EMV, which is disheartening. A few large merchants have seen the vision, but not the small merchants.

The main culprit behind this lack of integration is this: as of this article, in the U.S. there is only one P2PE solution provider with a terminal that also supports EMV.

However, I am confident that in Q2 of 2015, we will see additional P2PE solution providers with EMV-capable terminals, making it easier for merchants looking to make the October 2015 EMV deadline and take advantage of P2PE’s additional security.

My recommendation has always been to couple your P2PE and EMV solution. Look for a P2PE service provider that also supports EMV as soon as possible! It’s not likely that a merchant buying an EMV-only terminal will turn around just two years later and replace everything for a P2PE/EMV combo. That’s why it’s important to cover both your bases now.


4. Merchants will continue to be confused by P2PE

P2PE is an island. What I mean by this is, to implement P2PE in an environment, a merchant can’t use any other processing solutions unless they are specifically created to work with a P2PE terminal. What about mobile? If merchants want to use mobile processing solutions, they must use a P2PE-approved solution.

To implement P2PE correctly and reap the benefits of its secure nature, merchants must get rid of their current devices. Right now, this is extremely difficult for merchants to swallow, especially if they just purchased new EMV-enabled terminals in preparation for EMV’s October 2015 deadline.

5. P2PE will continue to decrease the security workload and cost to merchants

P2PE reduces the security footprint, which is one of its biggest benefits but also the hardest concept to grasp, especially for those who have dealt with PCI for a long time. Unbeknownst to most merchants, the cost of implementing a P2PE solution is equal to or less than the cost of implementing all the security controls required by the PCI DSS.

Think of it this way. You can either pay a third party or internal IT person to configure and support your firewalls, monitor your logs, segment your network, and perform access control, or simply implement P2PE and pay for the terminal. With P2PE, your PCI scope is now reduced only to your terminal, instead of your entire store network.

If you truly lived by everything PCI DSS requires, implementing a P2PE solution would very possibly cost you less money, no matter your size.

Just remember, P2PE doesn’t remove you from the responsibility of PCI DSS. You still have cards present in your environment, and security controls must be in place. With P2PE, security controls revolve around protecting terminals instead of the network environment.

Do you agree with my P2PE predictions?

Brandon Benson, Senior Security Analyst at SecurityMetrics, is responsible for providing security consulting services and PCI compliance assessments for organizations across the globe. He holds CISSP (Certified Information Systems Security Professional), P2PE-QSA (Point-to-Point Encryption Qualified Security Assessor), QSA (Qualified Security Assessor), and PA-QSA (Payment Application Qualified Security Assessor) security certifications and has completed over 74 PCI DSS, PA-DSS, and P2PE assessments. Benson assessed the world’s first P2PE-validated solution in 2013.

1 comment:

  1. Very good article. I especially like your last sentence since many retailers still think they don't need PCI when implementing P2PE.