Alternative end-to-end encryption schemes leave security gaps
When considering encryption at the point of sale, there are two options: PCI-validated point-to-point encryption (P2PE) solutions and nonlisted encryption solutions, which lack several key requirements.
There are 60 P2PE solution providers validated by the PCI Security Standards Council. In contrast, there are hundreds of nonlisted encryption solutions, also known as end-to-end encryption (E2EE) solutions.
Validated P2PE solutions are assessed by a P2PE qualified security assessor as having met the PCI P2PE standard and are listed on the PCI website under Approved P2PE Solutions.
Here are some of the points often missing from nonlisted solutions:
Key management: Poor key management gives attackers a path to compromise keys and decrypt the protected card data. Under PCI P2PE, strict key management processes are audited regularly.
Key injection facilities: Additional physical and process protections must be present and audited by a P2PE assessor.
P2PE devices: Most device manufacturers offer certified versions of their devices that work with validated P2PE solutions. These devices include SRED (secure reading and exchange of data) and tamper-resistant security modules, and are validated against the PCI PIN transaction security standard.
Key storage: Key storage and decryption happen in hardware security modules that have been validated by PCI and/or to a FIPS 140-2 level.
"The trouble with unlisted solutions is that there may be no way for a merchant to know whether the provider has fully addressed the controls identified by the PCI Security Standards Council as necessary to properly protect the account data," according to Coalfire, a P2PE assessor. "Many of the unlisted solution providers Coalfire has reviewed do use very secure processes; however, since unlisted solutions have not been assessed under the standardized PCI P2PE framework by qualified assessors, merchants using these solutions may still need to implement additional security countermeasures to ensure threats associated with the absence of these controls."
Unlisted solutions do not qualify for the short-form SAQ P2PE, which has only 33 questions. This is a big difference compared to SAQ D’s 329 questions.
Businesses should implement solutions that encrypt card data immediately at the point of entry. EMV (chip cards) alone will not protect retailers, restaurants and organizations from card data compromises, because EMV does not require encryption of the card data. EMV acceptance helps businesses prevent counterfeit card fraud, but since the card data is not encrypted, it is still exposed in the point of sale. The good news is that many modern card readers that accept EMV already have P2PE capability built in. The reader just has to be configured, have its keys injected by a P2PE key injection facility, and be connected to a PCI-validated P2PE solution.
Assess your payment environment. Credit card terminals are not the only vulnerable devices. Many back offices and call centers handle card data wide open and unencrypted. P2PE keypads can protect these card-not-present environments.
Consider your options. The consensus is that, compared with nonlisted encryption, P2PE offers a higher level of security assurance, reduces compliance requirements by up to 90% and is the clear winner in mitigating the risks of card data compromise.