Guest Column | July 6, 2015

Considering Your Merchant IT Clients' Needs: Why PCI Needs To Add A Third P2PE Standard

By Dave Oder, president and CEO, Shift4 Corporation

PCI Add P2PE Standard

Perhaps the most tragic thing about the glut of data breaches last year is that the lion’s share of them could have been prevented. Or rather, had the breached companies managed its data properly, there would have been nothing of value for the cyber criminals to steal. The year 2014 could have been a year of slapped wrists instead of devastation for some major companies had merchants used the tools they needed to use.

Each of the breached companies (as well as most merchants) had been careful to comply with Payment Card Industry (PCI) standards, but it clearly wasn’t enough. The PCI Security Standards Council (PCI SSC) has been in dialogue with PCI members for almost four years regarding the different methods of point-to-point encryption (P2PE). So far, the PCI SSC has only validated two types of P2PE solutions. Both of these require P2PE hardware at the merchant location and a tool known as an HSM, or hardware security module, at the other end. One of these validated methods requires the HSM for hardware-based key management and decryption. The other allows for decryption operations outside of an HSM, but still requires the HSM to handle key management.

The flaw with the current PCI standards for P2PE is that by requiring an HSM for key management, they imply that an HSM-based solution is more secure than other solutions, even those managed by PCI-validated software within PCI-validated data center environments. This is confounding, not only because PCI validates this software to manage payment card data in the clear (not to say they ever would), but also because HSMs use the exact same kind of software. Why, then, might an HSM be perceived as more secure? One reason is tamper-proofing. If a hacker tries to access an HSM, it will essentially self-destruct, wiping out all the data contained within. While this is one security solution, it isn’t the only way to protect payment card data.

Please log in or register below to read the full article.