Listen to learn more about the basics of P2PE (point-to-point encryption).
"Simply, point to point encryption is encrypting your data at the beginning, and not decrypting it until it reaches its endpoint. This protects your data while it is being transferred."
P2PE or “point-to-point encryption” can be the best way for merchants to take card present payments.
Mark Miner (Director of P2PE/PIN Assessments at SecurityMetrics) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss the basics of P2PE.
Listen to learn:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics.
Very excited today to talk to you about point to point encryption.
We're gonna be talking about it from the merchant's perspective, especially small and medium business, people who are taking cards at point of sale. In a future episode, we're going to talk about point to point encryption from the perspective of the solution provider, what it takes to become p two p e validated. Very excited about that one. So keep an eye out for that.
But today, P2PE, what does a merchant need to know and, and how how what are the why do they wanna do this thing? I have with me Mark Miner, who is the director of P2PE/PIN assessments Mhmm. Here at SecurityMetrics, has a ton of knowledge. And I I don't wanna skip over this.
I'm actually gonna read your bio, so brace yourself.
So Mark is a principal security analyst and assessor at SecurityMetrics. He has over sixteen years of experience in network security. Mark has current CISSP, CISA, QSA, QSA P2PE, PA QSA P2PE, and QPA certifications, and a lot more that you've actually listed.
That too. Yeah.
It's always a question like, should I list this? Is this relevant? Are people just gonna start thinking, you know, that I just collect these? But no. For our jobs, we actually need a whole series of certifications.
And if you're doing P2PE, you you need even more. Let me let me continue here. Mark's expertise has been focused on payment card industry security for the past fifteen years. He has performed over a hundred and eighty PCI, P2PE, and PA DSS assessments. That's not insignificant. I mean, each one of those reports is hundreds of pages long.
So before working at SecurityMetrics, Mark held several positions at Ibon. As a security analyst, he conducted various on-site network and computer security audits. He also designed secure conference networks as a a senior network architect. Finally, he managed the operations department where he determined best practices for system installers and field support personnel.
I always think people with, hands on operational experience make really good assessors. You know? You have a a perspective that other people might not have. Mark graduated from Brigham Young University in nineteen eighty eight with a BA in communications.
Welcome.
Thank you for joining me.
Thanks.
Super excited that you're here.
Yeah.
Did I miss anything?
Was there anything Oh, nothing exciting.
I I, I I love that the topic of point to point encryption because of the value that it brings, so many of our our our small and medium businesses that that listen to this show.
But a lot of people don't even know what and and we call it affectionately p two p. A lot of people don't know what point to point encryption is.
Can you give us just a basic rundown of what we're talking about?
Yeah. So, I mean, at the, the simplest point to point encryption is just encrypting your data, card data in our case, you know, at the beginning and not decrypting it until it reaches some endpoint so that it is protected in between. You know, you hear you hear the terms point to point encryption and you hear end to end encryption. Yeah.
And, you know, semantically, they're basically the same thing.
The same thing. Right?
Yeah. I mean, some people kind of define end to end as, you know, encrypting at the merchant and not decrypting till you get to the processor.
Mhmm. And point to point may not go to the processor. But but the thing to keep in mind is that, in PCI anyway, when we talk about point to point encryption, we're capitalizing it. It's it's the name of something.
PCI has a standard Mhmm.
That solutions that want to have a P2PE solution for merchants have to comply with. And so when we're talking a P2PE or point to point encryption solution, it's one of these, solutions that has been validated by by, a P2PE QSA and complies with all the PCI standards so that the merchant can, be protected and the card data can be protected and know that the solution is is secure.
Right. And so, like, a lot of things in in PCI, their specific words have specific definitions. I think that's that's good that we capitalize it because it it kind of drives that home. That point to point encryption in PCI has a very specific connotation. And so, you mentioned being validated.
I know that that when when a customer comes to me and says, hey. We have, p to p e scope that we want you to look at. We we have a p to p e solution. One of my first steps is to look at, whether it's listed or not. So Mhmm. Where do people go to find that?
Well, the p two p solutions, validated solutions, are listed on the PCI website.
If you, go, you're gonna tax my knowledge of the website.
But, there's a solutions and assessors tab, and you go to that, and, it will list, point to point encryption solutions.
Right.
You can click on that, and it will bring up. You can search for a particular solution name Mhmm. Or or the name of the company, you know, if if that solution is a listed solution.
Meaning, that it has gone through the validation process, just like a merchant has to go through validating their PCI DSS compliance Right.
And then they are compliant Uh-huh. They're they're validated. Mhmm.
A listed or validated solution has gone through an assessment and is now listed on the PCI website so that merchants can find that information and validate it.
So I'm not a P2PE QSA, but from what I've seen, the work that you and some of the others do, it seems like it's quite an undertaking. So what does it mean to become what's that process like?
Yeah.
It is. The the, p two p standard so for example, let's let's just compare it a little bit to the PCI standard.
PCI requirement three Mhmm. Addresses encrypting card data at rest.
Right.
Right? And, in requirement three, there's sub requirements 3.5 and 3.6 that deal with aspects of managing keys.
Right. Because key management keys are are are part of the encryption process. Yeah. So managing keys is a super important part of that.
Super important. A an encryption solution is only as good as protecting the keys because if the keys are compromised, the encryption really is worthless because anyone can decrypt that data. Right? So PCI DSS Mhmm. Has some, key management aspects. There are about twenty five, sub requirements, 3.5 and 3.6, that that go through how the merchant has to manage keys or solution provider.
If you compare that to the p two p standard, there are roughly, if I remember right, a hundred hundred to a hundred and fifty.
So significantly more.
Significant significantly more requirements that address aspects of how you securely, generate and manage and protect keys in a PCI DSS report.
That might be ten to fifteen pages Right.
Of, you know, documenting the merchant or solution provider's key management. Mhmm. In a p two p e, that could be a hundred and fifty to, hundred to hundred and fifty pages of documenting how they manage keys.
So it's So so to put it into perspective for especially for our merchants, you know, they're saying, okay.
Is this P2PE listed, validated solution?
Why? You know, is Yeah. Kinda looking under the covers a little bit. It's a big process.
It is.
It's something that takes Yeah.
Significant amount of time. Most solutions, that I've worked with, you know, from the time they come to us and say we wanna start working on a p two p solution till the time they're listed, that's usually about a year long process.
So so it takes time to get there, but then once it's listed, it gives a real degree of assurance to the merchants that are using it that their cardholder data is going to be protected.
And and you can't just, you know, steal it if you steal the device, for example.
Yeah. And as as a matter of fact, we've had, occasions where a merchant that we work with using a p two p solution has been compromised. Mhmm. You know, someone has broken into their network, but no card data was compromised because there are no keys in the merchant environment to decrypt that data. Mhmm. All they get is ciphertext Right. That can't be decrypted and is really of no use.
Because they don't have the decryption key, and that's what it's all about. This episode is brought to you by the SecurityMetrics twenty twenty two guide to PCI compliance.
I personally helped with this guide and can highly recommend it to anyone going through PCI compliance. It goes through what the the requirements are and then tells you in the real world what they mean, how to meet them, recommendations from, auditors. So, it's a great resource to get the fundamentals of PCI compliance. You can get it on our website, www.securitymetrics.com.
Alright. So we we've talked a little bit about there's a process to become listed. And then when you go and look at for the listed solution, that's where I think a lot of, merchants who who maybe don't have a lot of familiarity with it kind of stumble a little bit because there's a lot of information under that listing. It doesn't just say, hey.
Get this brand.
Right?
Right. You and I both, I think, probably run into merchants that say, you know, I'm using this processor Mhmm. And this, PTS device. Yeah.
And, you know, I see that the processor has a listed solution that uses that device, so I must be using their p two p solution.
Right? My device says SRED on it. So, therefore, it's a P2PE solution, but it's not.
Yeah. Let so let's talk real quick about what, what is a p two p solution. Yeah. You know, a listed solution.
Mhmm. So there are components of that. You you have the actual PTS device. Mhmm.
That so I actually brought one.
So Awesome.
Typical, you know, Ingenico PTS device.
You see these Super common. We see these a lot.
You see these at the grocery store or hotel, airport. Yeah. Everywhere. Right? And so that's a PTS device. PCI validates these.
Mhmm.
Right? So you have to have a validated PTS device as part of a solution that has shred or SRED, Secure Read and Encrypted Data Mhmm. Is what that stands for, has that validated as as a capability of that device.
So that's one aspect. You have to have the device. Mhmm. And then typically, running on these devices, there's some sort of application that, may be communicating with a p with a, point of sale system, or it could even just be stand alone. But that's the application that, you know, you say, well, I want a transaction for five dollars, and then it reads the swipe, and it, sends the data to the the shred function to encrypt. Mhmm.
So that application that runs on there and any application on this device with access to ClearText card data Mhmm.
Has to be validated as a p two p application. Mhmm. You have the device. You have the application.
Mhmm.
Then you have the back end, solution. Mhmm.
And you you have the decryption environment, which you have HSMs, hardware security modules that all those do is they generate and they store and protect keys Mhmm. So that, no one can access the the actual value of the key. Right. So you have this back end that decrypts the data, and you have all the key management, that gets assessed and also how the the solution manages these terminals. You know, if there's remote access to them, if there's, how the keys are injected into the terminal, all that is part of the solution.
And in order for a merchant to know that they have a validated solution, well, first of all, they should have, an agreement, a signed contract Right.
Agreement with the the solution that says, you know, we are providing you this solution, solution XYZ, so that you know, by name so that you can go on And look it up.
Line and look it up. Right? And your QSA should be able to Yep. See that you have that agreement.
And, and then listed on the PCI website will be what devices the solution was assessed with Mhmm.
And what firmware versions, what hardware versions of those devices are acceptable, and what P2PE application.
Right.
Right? So you should be able to go to the merchant's terminals and say, okay. Yes. I see that the solution list, you know, this Ingenico terminal with this hardware version and this firmware version, I can look and say, oh, yeah. That matches. So that helps confirm.
Right.
And, I see you're using this application, which has this version. Mhmm. That's listed on the solution. That helps confirm.
Mhmm.
And then the last bit is there is, what's called the p two p, implementation manual.
Right. The the PIM, we call it.
PIM Mhmm. That the solution is required to provide to the merchant. And that PIM also lists the same information about the solution, but it also and this is really critical. It gives, guidelines for the merchant, things that they that the solution requires them to do.
Mhmm. Keeping an inventory of the devices, how they inspect them, what they should look for when they're inspecting the devices. Mhmm. In some cases, solutions might require, you know, retention systems, cable retention, or Mhmm.
Pedestal retention systems.
And the merchant needs to be following that PIM to show that they have correctly implemented the P2PE solution.
Right.
And then the QSA can come in and see these things, the agreement, the correct hardware, the correct application, see that they're following the PIM, and be able to validate, yes, you have implemented a listed p two p solution.
Right.
And, occasionally, I'll run into, a situation where a merchant thought that they were getting the a validated point to point encryption solution, actually had it in their agreement with a service provider, and then turned out what they were getting was not a listed solution.
But I think looking for things like your, the PIM and and making sure that the PIM lists all of the things, you can match those up with the different components. But then, if you still want a little bit of extra guidance, I think it's a good idea to maybe get a little bit of consulting hours from a QSA to help match those because it's this is not something that you should expect yourself to just be able to go, oh, I'll just go figure this out. You can, but it just there's a lot of time and there's a lot of things that can trip you up to make sure.
Unfortunately, you know, we've seen merchants before that, you know, have basically been sold a bill of goods. Right? They they thought they were getting a listed solution.
Mhmm.
And they go down this road and and roll out all these devices, and then their QSA comes in and has to give them the bad news that Yeah. You don't have a listed solution. Yeah. So, again, the things that the merchant needs to look for, first of all, that signed agreement that that you have a solution. Mhmm.
They need to be able to provide you the PIM.
Yeah. That's a really good sign. And the PIM needs to have all of the information in it that they say in the agreement they're going to be supplying.
And then you should look at that PIM, and and you should go on PCI's website and validate and make sure that the hardware they're providing matches what the solutions hardware is required to be. You know, a q your QSA is an excellent resource to help you know, they're they're used to going through and validating this stuff, you know, and they can do it quickly. And Sure.
Getting some help and guidance from your QSA at the start to make sure you don't go down a long ways down this road and find out you're not getting It's yes.
Because it's timely and costly if you start implementing a solution, find out that you're not getting the P2PE solution that you thought you were getting, and then have to tear out old things and put in new ones. It's it's not it's not good. I think, actually I mean, we've been kind of carrying on about make sure it's the right p two p solution, but people might be wondering why. Why is this important?
What does having p two p offer me? I tell all of my customers, if you're taking credit cards at a point of sale, get p two p e. All of them. I actually have lost customers as audit customers because I told them to do this because I thought it was the right thing for their business.
Mhmm.
And and I I highly recommend it. But but why? Why is this something that's valuable?
First of all, I agree with you. I think for almost all card present Yeah. Transactions, a p two p solution is Yeah. Is ideal. We can talk about two things.
First and maybe most important, is risk reduction.
Mhmm.
With a p two p solution, a validated p two p solution, the merchant has no keys to decrypt that data. They never actually have access to full card data. Right.
If, again, if you're breached, if someone gets access to your network, there's not data there, at least cardholder data Yeah.
That can be compromised.
Right.
You know, we've seen time and time again small merchants that are compromised and, you know, with the cost of doing forensics and fines from card brands or whatever Mhmm. You know, it they're out of business. Yeah. Being able to put that risk onto someone else.
It's like buying insurance. Right? You're transferring risk Yeah. To someone else. That's a that's a important consideration.
Yep.
The the second consideration is, you know, this PCI stuff It's a lot.
It's a lot of work. Yeah.
It's a lot of work.
For, you know, small to medium businesses that maybe don't have large IT staff. Yeah.
You know, there's there's just, you know, hardening systems and Mhmm. And monitoring logs daily. Right?
That's a big one.
It is. Yeah. And and, you know, the testing, ASV scans, and penetration tests, and internal scans, and IDS, and we can go on and on with all the technical requirements.
Training for everyone that touches any of those systems.
Yeah. Yeah. All of that, takes time Mhmm. And means cost to your company. Right. Right?
So by And not only that, if you don't meet it, your your acquirer might say, hey.
We're not sure we wanna let you process credit cards for a while. So not only is it time and cost to your business, but the potential, difficulty in actually processing credit cards to keep your business paid. Right? So so there's a lot of reasons why you wanna make sure that PCI is taken care of.
Yeah. And, you know, we talk about that cost of of, achieving compliance and and keeping compliance going as part of your your day to day business. Right? But there's also the other aspect of of, bringing all your systems into compliance.
Mhmm. Right? And the the scope of your Right. Card environment.
And scope is that size. Scope is such a big word because we say, basically, you wanna use p two p e to reduce scope.
Mhmm.
What the heck does that mean?
So so scope, it's a, kind of a vague word because we use it for for different things. We use it to mean, you know, all the systems, but it also gets used. And and I like to, kind of change the verbiage, if you will.
Right.
I talk with my customers about scope reduction Mhmm.
And control reduction.
Right.
Scope reduction is reducing the number of systems that and and processes and people that are, part of your PCI environment, your your card data environment Yeah. And and that have to be assessed.
Mhmm.
Control reduction talks about reducing the number of controls, the number of PCI requirements Yeah. That you have to assess against.
Right.
PCI DSS, you know, there's somewhere, roughly speaking, let's say, three hundred and thirty.
I don't I know there's twelve main requirements, and then there's a whole ton of sub requirements I've encountered recently.
Long and short, it's about a ten ten x reduction in the number of controls Mhmm. That you have to be assessed against.
But but the and it's not just the number of controls. It's the type of controls that you take out of scope. So, for example, we talked about having to review logs. That is a daily review, and that's all of the the activity that's coming across your, your network is subject to logging.
Right? Well, if you take your network out of scope, that means not only do you not have to consider those network devices, but also the requirements applied to to your network. So if you have a p two p e solution, you're taking your network out of scope. That means not only do you not have to look at your, network networking devices, but also you don't have to do the daily log reviews.
You don't have to have, basically, a secure operation center that that looks at activity on your network. You don't have to have, intrusion detection, intrusion protection on your network. So all of these things that you would typically have to prove for PCI become business decisions based on, you know, your security program, your security appetite, but not related to proving it for PCI. Yeah.
And I think that's the real value there of a P2PE solution.
Yeah. And a lot of lot of times when when people are saying I want scope reduction, they're really talking about that control reduction. Mhmm. Right?
I wanna I wanna answer fewer questions Right.
Which is, you know, which is great and and requires much less effort.
Mhmm.
But let's not forget about the scope reduction. I've worked with merchants that, you know, there's just the the effort that would be required I had a merchant I've worked with recently that they'd acquired a number of different businesses, and they had, you know, three hundred and some odd locations, different networks at the locations.
And on those networks, they have their payment terminals, but they also have, you know, POS systems. Mhmm. They have back office computers Mhmm. You know, all sitting on a small network.
Right.
I mean, you know, this location, you know, you may have ten, twelve devices.
Right? But you're mixing all this stuff together. And the effort for them to go out and reconfigure their networks and and segment their networks, you know, with a small IT staff is just, you know, almost insurmountable.
Yeah. It's very, very difficult.
And so by moving to a p two p solution Mhmm. You reduce that scope Yes. Of all those networks down to that PTS device.
Yeah. And suddenly, you can make different choices and have, maybe a a different timeline for, some of the other systems and networks. But but there it's not affecting your ability to be PCI compliant, which which is a I mean, it's an annual thing that is it's time sensitive, and it's very difficult to meet if you have a small IT staff, if you have multiple locations, if you have kind of a complex environment, if you don't have any network segmentation at all. These are all things that can make it really hard to meet PCI compliance. So a lot of franchisees, for example. You have a lot of, locations, say, throughout a few different states. If you have p two p e devices on that, becoming PCI compliant is a much easier task than if everything, every system, all of your networks are in scope.
Yeah. And especially if you have the acquirer kind of breathing down your neck. Right. The acquirer is saying you've got till this date to validate your compliance, and you've got all these changes you have to make.
Yeah. You know? And and rolling out a p two p solution, it's not a a small effort. You have to change out all your terminals, and there's costs.
There are costs.
Yep.
Involved with that. But, most of the time, those costs are much less significant than what you would spend to, you know, maybe have to buy new firewalls for all your locations and segment and have the expertise.
Adding headcount is not something that most organizations really wanna do under, you know, not knowing how many they're going to need to do all of these activities for the different requirements. Yeah. So from from a small merchant perspective, is there anything else you wanted to to maybe mention about P2PE?
Well, the you know, and we touched on a little bit, but, you know, the other common question we get is, well, you know, I've got this end to end encryption, this non validated solution, and it's gonna cost less. And we really get the same benefit. Right?
Because it's still encrypted from any what I hear.
It's it's just as good. Right? And, technically, you know, it may be using strong encryption. Yes. It's it's AES encrypted from end to end. Mhmm. And and isn't that just as secure?
Yes.
But Or maybe.
Maybe. They technically, I mean, the encryption, yeah, is just as strong.
Be. Yeah.
But there are lots of other things to consider. For example, I, you know, I mentioned a a validated solution has to use a PTS listed device. Right?
And in an encrypted solution, you could you know, this is just, you know, your bog standard USB Yeah. Mag stripe and then later. Right?
You could put this on a POS system Mhmm.
Have encryption done on the POS Mhmm. Sent to the processor.
Technically, yes. That's an end to end encryption solution. Mhmm. Right?
But the difference is, first of all, you know, maybe the key maybe, you know, the acquirer processor sent you a key to encrypt the data with. Mhmm.
But your your developers or maybe your IT people have had access to that key.
People you know, it's not secure. It's the key is compromised.
Yes. Once once somebody knows the secret, then it's not a secret.
Then it's not a secret.
Secondly, the encryption if the encryption's happening in the POS system Mhmm.
It's happening in an application in software Yep.
That, you know, a hacker can much more easily compromise Right.
Than they can a hardened device like this.
Sure. And sometimes it's in clear text until it gets there.
Yeah. So So and and the merchant also has the decryption key on their system. Mhmm. So that decryption key can be compromised. Mhmm. Well, yes, maybe that solution, you know, seems at first glance to be the same.
Mhmm.
You know, I'm in I'm encrypting the data here.
We're sending it there. It's really not as far as the level of assurance.
Right. I I've even had a group that, very recently that was using all of the same devices and encryption and even the same, key injection facilities or or KIFs, as we call them, to to supply all of the, all of the different components for their encryption solution, but it was not a listed solution. And they said, this is you should just accept this. Well, that's the whole point of going through p two p e Yeah. And assessment is somebody needs to determine whether it was done correctly and at the right encryption levels and all of those things. I I'm not gonna take that on. As a matter of fact, as a QSA, I'm not supposed to take that on.
Yeah. So, again, they you're right. They could be using the same devices, and it could appear on the front like the same thing. Right? Yeah. Same application, same device.
Mhmm.
But it it's hard to tell underneath what is happening there Yeah.
Particularly as regards to key management. Yeah. And and, again, almost half, not quite, we'll call it a third of the requirements in p two p relate to how keys are managed and protected. Mhmm.
And if those aren't, then the solution is not secure. But but the other thing that the merchant should really think about in deciding between a validated P2PE solution and a non validated solution is that a validated solution, you automatically get the the scope and control reduction. Mhmm. Yep.
Built in. You use the validated solution.
Is there.
You get the reduction.
Mhmm.
Can you get it with a non validated solution?
Maybe.
Yeah. Right? Yep. Maybe.
If they've, if the solution and there's a couple of steps. You have a validated solution. You have a solution that has what's called a NESA, a a non validated encryption solution assessment. Mhmm. Which means that solution has gone through a full P2PE assessment by a P2PE QSA. And, most almost everything is in place, but maybe there are a few things that are are not in place yet. Mhmm.
So there's a higher level of assurance. And then Right. You have a solution that's just, hey. We have a white paper.
And, the the thing that the merchant should keep in mind is, again, you get that built in automatic scope and control reduction with a validated solution.
With the others, you can present the argument to the acquirer Yep. And ask for reduction. And, typically, the acquirer wants to hear from a QSA and how they have, you know, looked at the solution, you know, whether it's I've looked at this NESA Yeah. Report or I've looked at this white paper that's documented really well and and how that solution stacks up against a full solution so that the acquirer can understand the risk Right. Of using that solution.
The acquirer may decide to grant some level of control reduction. Sure. But That year. That year.
Right.
Every year you have to go back to the acquirer and say, you know, this is a solution. Are you still good with this? And the acquirer, you know, at some point, maybe the acquirer, in their risk Mhmm.
Process looks and says, you know We're not doing that anymore.
We're not doing that anymore. Yeah.
But you don't run into that with p two p e listed solutions.
No. Because it's built in and and the PCI Council and the card brands have agreed that you get that reduction.
Right.
You may have invested a lot of money in this solution anticipating getting these these control and scope reductions.
Sure.
And suddenly, it's not there.
Anymore.
So I think the the the moral of this story is, we both recommend p two p e solutions. It's a great a great way to to deal with risk at the, card present locations.
And and making sure that it's validated is worth the extra time and cost before you go down the road of of P2PE. Yeah.
Well, I would love to have you back and and talk about what it takes to become listed Yeah.
And the from from that the solution provider's perspective. But, I sure appreciate your time today, and and I hope people Yeah. Got something Yeah. Some good information out of it. Yeah. Well, thank you for joining us once again at the SecurityMetrics podcast, and hope to see you again in a couple weeks.
Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.