The past 15 years have seen a dramatic shift in the way we pay for goods and services. Gone is the era when cashiers in the UK would ring in purchases by swiping a credit card on the side of Point of Sale (PoS) systems or by taking a carbon copy of a credit card. A major catalyst in the changing landscape of retail payments is the Payment Card Industry Data Security Standards (PCI DSS), which have been implemented by the Payment Security Standards Council over the past decade to result in the current version 3.1.
As each iteration of PCI DSS is implemented, the security related to credit card data and the devices and software applications that handle, store or transmit the data is improved. Each new version of the standards brings changes to security requirements of store network infrastructure, Chip and PIN devices and associated payment systems.
In order to remain compliant with PCI standards, many Chip and PIN devices will need to be upgraded periodically by retailers, which can end up being a significant investment for any business owner. These investment decisions can, and often do, go wrong.
For example, only two years ago a retailer purchased new Chip and PIN devices from a reseller, implementing them throughout its 500 PoS system estate. It wasn’t long until the “new” systems were declared to be end-of-life by the manufacturer, who announced they would not be compatible with the latest set of PCI standards. As a result, the retailer had no other choice than to replace all of their newly acquired devices in order to ensure PCI compliance.
Today, many retailers are already considering upgrading their legacy Chip and PIN devices so they can provide their customers with high level security and utilise additional payment functionalities, such as contactless and wearable payment systems. Doing so will be a substantial investment for companies, who will want to guarantee their pounds are well-spent and will allow them to provide their customers with peace of mind over their payment card data.
To meet these ends, retailers must look towards Point-to-Point encryption (P2Pe). P2Pe is a set of security domains that is quickly on its way to becoming an industry standard, and provides a significant reduction of retailers’ scope of PCI compliance. It involves using encryption technology to encrypt payment card data at the moment it is inserted into a PIN entry device (PED), meaning the encryption is executed before the data is even sent to the payment service provider.
As a total lifecycle security standard, P2Pe ensures all hardware, infrastructure and payment applications comply with PCI. Additionally, it also includes an added security level concerned with tracking the PED, or Chip and PIN devices as they are more commonly known, for the entire lifecycle of the device.
The most enticing argument in favour of P2Pe adoption has been its ability to greatly reduce the scope of PCI DSS requirements that retailers are responsible for following, as it transfers much of the responsibility to the payment solution or service provider.
For example, after the manufacturer has delivered a Chip and PIN device to the service provider, it becomes the service provider’s responsibility to make sure the device is properly installed, its location and serial number data is tracked and that it is stored securely once it has been replaced. This means that both the retailer and the service or payment solution provider will have total visibility of the PED at all times and can be assured that there are no devices that have been compromised or tampered with during the lifecycle. As an additional benefit, the PCI requirements that retailers are responsible for maintaining, and must have signed off by a Quality Security Assessor, are greatly reduced from 60 pages of standards and guidelines to a much simpler 16-page document.
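The lifecycle tracking described above (delivery, installation, replacement and secure storage, with location and serial number recorded at every step) is the part of a P2Pe programme that gives both parties visibility of every PED. The following added example, which is not code from the article's author or from Vista Retail Support, sketches how a service provider might keep such an inventory and reconcile it against what store staff actually see on the tills. The lifecycle state names, the PED serial numbers and the store locations are constructed for illustration.

```python
"""PED lifecycle inventory and reconciliation (added illustration, constructed data)."""
from dataclasses import dataclass, field

# Lifecycle states a PED passes through, in order. The names are an assumption
# made for this example, not terms taken from the P2Pe standard itself.
STATES = ("delivered", "installed", "replaced", "stored")


@dataclass
class PedRecord:
    serial: str
    state: str
    location: str
    history: list = field(default_factory=list)  # (state, location) pairs


class PedInventory:
    def __init__(self):
        self.devices = {}

    def register(self, serial, location):
        """Record a device the manufacturer has delivered to the service provider."""
        if serial in self.devices:
            raise ValueError(f"duplicate serial {serial}")
        self.devices[serial] = PedRecord(serial, "delivered", location,
                                         [("delivered", location)])

    def transition(self, serial, new_state, location):
        """Move a device one step forward in its lifecycle; anything else is an error."""
        rec = self.devices.get(serial)
        if rec is None:
            raise KeyError(f"unknown PED {serial}")
        if STATES.index(new_state) != STATES.index(rec.state) + 1:
            raise ValueError(f"{serial}: illegal transition {rec.state} -> {new_state}")
        rec.state, rec.location = new_state, location
        rec.history.append((new_state, location))

    def reconcile(self, observed):
        """Compare a store walk-round (serial -> location seen) with the inventory.

        Returns sorted (finding, serial, detail) tuples. A device on a till that
        the inventory does not know about, or that should already be in secure
        storage, is exactly the kind of discrepancy tracking is meant to surface.
        """
        findings = []
        for serial, loc in observed.items():
            rec = self.devices.get(serial)
            if rec is None:
                findings.append(("unknown_device", serial, loc))
            elif rec.state != "installed":
                findings.append(("wrong_state", serial, f"{rec.state} at {rec.location}"))
            elif rec.location != loc:
                findings.append(("moved", serial, f"expected {rec.location}, seen {loc}"))
        for serial, rec in self.devices.items():
            if rec.state == "installed" and serial not in observed:
                findings.append(("missing", serial, rec.location))
        return sorted(findings)


def demo():
    """Build a constructed inventory and reconcile it against a constructed walk-round."""
    inv = PedInventory()
    for serial in ("PED-0001", "PED-0002", "PED-0003", "PED-0004"):
        inv.register(serial, "warehouse")
    inv.transition("PED-0001", "installed", "store-12/till-1")
    inv.transition("PED-0002", "installed", "store-12/till-2")
    inv.transition("PED-0003", "installed", "store-12/till-2")
    inv.transition("PED-0003", "replaced", "store-12/till-2")
    inv.transition("PED-0003", "stored", "secure-store")
    inv.transition("PED-0004", "installed", "store-12/till-5")

    # What staff reported seeing on the tills (constructed).
    observed = {
        "PED-0001": "store-12/till-1",   # as expected
        "PED-0002": "store-12/till-3",   # installed, but on a different till
        "PED-0003": "store-12/till-2",   # should be in secure storage
        "PED-9999": "store-12/till-4",   # never delivered through the provider
    }
    return inv.reconcile(observed)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Each finding maps to an action for the provider or retailer rather than to a judgement about what happened: a `missing` or `unknown_device` result prompts a physical check and, if unresolved, removal of that device from the estate until its provenance is confirmed.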
Retailers must be completely sure that they are meeting the strict set of standards laid out by PCI compliance. It is therefore crucial for potential adopters of P2Pe to adopt the guidance of a specialist. Retailers who make their decisions based on nothing more than cost of implementation risk investing in a subpar solution that could be sending out inaccurate data. The result would be an expensive re-auditing process as the retailer backtracks in an attempt to achieve optimal and fully compliant P2Pe.
Many retailers have already implemented or are considering adopting P2Pe, and as the year goes by even more companies will be making their investments, particularly those with PEDs that are no longer supported by their respective manufacturers. The introduction of new retail technology, including biometrics and wearables, means new hardware investments are inevitable for many businesses. These companies would be wise to embrace a new technology that will both simplify PCI compliance and guarantee a long lifecycle.
James Pepper, technical services director, Vista Retail Support