The last 15 years have seen a major transformation in the way we pay for goods and services. Long gone are the days when cashiers would take a carbon copy of a credit card or swipe it through the PoS system. Today’s changing retail environment is partly due to the evolving Payment Card Industry Data Security Standard (PCI DSS).
As each new iteration of PCI DSS, which is now at version 3.2, is introduced, we see an incremental improvement in the security of credit card data and the devices and software charged with handling, transmitting and storing it. For retailers, each version also means new security requirements for payment systems, store network infrastructure and chip and PIN devices.
To keep up with PCI standards and remain compliant, retailers will need to upgrade many of their chip and PIN devices periodically. The cost of such upgrades can often be substantial, representing a significant investment for many companies. Despite the hefty price, retailers are always at risk of these investment decisions going wrong.
Two years ago, a retailer acquired new chip and PIN devices from a reseller, installing them throughout its 500 PoS system estate. Shortly after purchasing and implementing these new systems, the manufacturer declared them to be end-of-life, announcing that they would not be compatible with the upcoming series of PCI standards. This meant the retailer’s only option, in order to remain compliant, was to make an even more substantial investment in replacing all of their newly purchased devices.
Many retail companies are now considering making an upgrade to their legacy chip and PIN devices in order to guarantee their customers the top level of security and make use of new payment functionalities, such as contactless and wearable payment systems. This upgrade will mark a huge investment for retailers, who will want to ensure their investment goes smoothly and will provide their customers with peace of mind when it comes to their payment card data.
In order to achieve this goal, retailers must embrace Point-to-Point encryption (P2Pe), a standard organised into security domains that is already on its way to becoming the industry norm for payment card security. In addition to greatly reducing the scope of PCI compliance for retailers, P2Pe also gives them a higher standard of payment card data security by encrypting card data at the moment it is captured by a PIN entry device (PED), before any of it is sent to the payment service provider.
P2Pe is a total lifecycle security standard that guarantees all hardware, payment applications and infrastructure are compliant with PCI standards. P2Pe also provides an additional level of security by tracking the PED/chip and PIN device for its entire lifecycle. Perhaps the most attractive feature of P2Pe for many retailers is that it significantly reduces the scope of PCI DSS requirements that they are responsible for following. By adopting P2Pe, retailers transfer many of these responsibilities to the service or payment solution provider.
For example, after the chip and PIN device has been sent by the manufacturer to the service provider, it is up to the service provider to ensure that the device is securely installed, that its serial number and location are accurately tracked, and that it is stored properly once it is no longer in use. This ensures both the retailer and the service or payment solution provider can maintain full visibility of the PED at all times. They can also be assured that there are no rogue devices that have been tampered with or compromised at any point in the lifecycle. As an added bonus, the PCI requirements that retailers would normally be responsible for maintaining, and having signed off by a Qualified Security Assessor, are significantly reduced from a vast 60-page document of standards to a much more manageable 16 pages.
Retailers must be absolutely certain that they are in line with the strict set of standards required for PCI compliance. With that in mind, it is vital for those seeking to adopt P2Pe to seek the guidance of a specialist. If a retailer were to base their decision purely on the cost of implementation, they would risk ending up with a substandard solution that could even be transmitting inaccurate data. If this were the case, the retailer would be forced to invest in a costly re-audit while backtracking in an attempt to achieve a fully compliant P2Pe implementation.
Many companies have already implemented, or are planning to implement, P2Pe, and as 2016 continues even more retailers are expected to adopt it, especially those using PEDs that are no longer supported by their manufacturers. With the growing popularity of new retail technologies, such as biometrics and wearables, new hardware investments are seemingly inevitable for many retailers.
In order to get the most from these investments, these retailers must embrace a new technology that will both simplify PCI compliance and enjoy a long lifecycle.
James Pepper, Technical Services Director, Vista Retail Support