This white paper discusses the basic differences between the current PCI-DSS and the P2PE rules in terms of the effort a trader needs to make to become compliant with one or the other. Reducing the scope of PCI by deploying a P2PE solution does not necessarily reduce the effort required from traders; it may simply shift that effort to a different place.
There is no doubt that data breaches are a rapidly increasing threat for businesses of all sizes, in any geographic region and in every market segment, particularly where consumer payments and account data are involved.
Businesses do, however, have to keep up by introducing and upgrading the specific measures they take against such threats. If they do not, the impact on their business can be severe. Imagine the negative publicity a data breach in a trader's payment infrastructure would attract if consumer payment card data were hacked, published or abused. Many consumers might never return to that trader, clearly resulting in a loss of business and strengthening the position of that trader's competitors.
Of course, businesses face the challenge of balancing the effort they invest in data security to protect their core business activities against the extent to which they maintain continuous compliance, in order to keep the cost of security under control. Despite the fact that PCI-DSS is continuously changing to keep up with an ever-changing security environment, traders should consider consistent, full and complete PCI-DSS compliance as the basis for their payment data security measures.
As a leading provider of self-service payment solutions within the various European unattended market segments, the mission of CCV is to make payment happen. For CCV this means that its solutions evolve with the changing security landscape, rapidly changing consumer behaviour and upcoming payment technologies such as mobile payments, wearables and the like. It is CCV’s natural philosophy that system integrators, traders and, last but not least, consumers can expect a future-proof solution that will continue, even after it has been put in place, to keep up with the rapidly changing requirements of today’s extremely dynamic world.
CCV therefore constantly ensures that its solutions prevent any clear-text consumer data from being sent outside the PCI-DSS relevant area at all. This ensures that no unauthorized party can obtain access to such consumer data.
Does reducing the scope of PCI using P2PE really represent a reduction or is it only a shift?
P2PE is often claimed to significantly reduce the effort traders must make to comply with PCI by reducing its scope. The challenge with P2PE is the same as with PCI: the entities subject to PCI DSS compliance worry too much about reducing or limiting its scope and not enough about the security of their business, for which the PCI DSS should serve as the benchmark.
In fact, P2PE encryption reduces the amount of effort during the one-time PCI compliance application process by reducing the number of line items in the PCI-DSS Self-Assessment Questionnaire (SAQ). At the same time it increases the amount of effort required from the trader, the system integrator and the service personnel. Even P2PE does not completely eliminate the scope of PCI compliance for a trader such as a car park operator: PCI-DSS remains applicable as long as non-P2PE and P2PE-compliant payment systems are active in the same trader environment.
To obtain clarity about the role a trader will play and the efforts a trader has to make to achieve PCI-DSS and/or PCI P2PE compliance, it is necessary to obtain a copy of the P2PE Instruction Manual (PIM). Depending on your role, you will discover that a reduced scope may even require additional effort to satisfy the requirements set out in the PIM.
PCI scope reduction appears promising at first glance, but at what cost for your business? As part of the preparation and roll-out traders are asked to implement and maintain a number of additional requirements:
- Trader and Service infrastructure must maintain inventory control and monitoring procedures to identify and locate all devices, including those deployed, awaiting deployment or in transit.
- As part of the inventory process, multiple device characteristics must be tracked, including model and serial numbers, location and firmware version.
- Traders and respective service organizations must physically secure all devices in storage.
- Devices must be secured in transit; for example, between store locations.
- Procedures must be in place to detect unauthorized or substitute devices.
- It must be possible to detect any unauthorized or replacement device prior to installation.
- Traders will naturally need to log all these activities, produce an audit trail for the removal of POI devices for maintenance or repair, and make provisions to physically inspect the devices on a regular basis.
- The trader never receives, stores, processes or transmits clear-text account data outside a PCI-certified POI device.
- Third-party agreements and the relevant trader policies and procedures apply to the POI terminals, which must have physical access controls.
- Trader must have implemented and must continuously comply with the rules set out in the P2PE Instruction Manual (PIM).
- Trader must keep P2PE-compliant equipment completely separate at all times from any legacy non-P2PE-compliant infrastructure, which requires specific attention in large trader infrastructures with mixed populations of payment solutions and equipment generations.
- Trader must have ensured and must be able to prove that no legacy account and cardholder data is being kept, stored, processed or transmitted from the P2PE installation.
CCV fully supports the implementation of adequate data security and data protection measures as required by PCI-DSS. Nevertheless, we strongly believe that an all-or-nothing implementation of the P2PE requirements is not always the ideal approach for traders. In fact it is each trader’s existing infrastructure, future business plans, type of business and the system integrator’s capabilities that determine the final security measures required to achieve full PCI compliance.
CCV’s solution to keep data secure
CCV understands the complexity involved for you in becoming and remaining fully PCI-DSS compliant. CCV has therefore implemented a number of security tools in its terminal and processing solutions that help traders to become and remain compliant.
A P2PE solution, by definition, aims to eliminate any clear-text account data from the trader’s environment and primarily to align the surrounding processes and procedures. For years now, the CCV solution has ensured, as a standard procedure, that no account data or cardholder data is sent in clear-text form from the POI to the trader environment at any time.
Using appropriate and certified measures, CCV ensures that all data are automatically fully encrypted and never leave the PCI relevant areas without such encryption. Such critical data are always kept secure in a way that is specifically PCI-compliant.
Nevertheless, there are situations where some kinds of data need to be returned to the traders’ ECR, Parking Management System or the like. To meet the needs of businesses and customers while also maximizing data protection and security, CCV has put some great technology in place that combines both perspectives for the benefit of cardholders and traders.
- Cardholder-specific PAN data that needs to be sent to the ECR, e.g. for receipt printing, is truncated and shows only the absolute minimum of permitted information: enough to give the consumer confidence about the payment transaction, but making it impossible for the trader or any third party to recover the cardholder's data by any means.
- In parking situations such as drive-in / drive-out, any cardholder-related data that needs to be referenced is transmitted to the PMS in a tokenized format only, where the secure token is created by a PCI-compliant algorithm to guarantee full consumer privacy and cardholder data protection, while enabling the trader to offer new services and convenience to their customers.
Within the POI, all sensitive cardholder data is managed in a secure, PCI-certified environment, protected by state-of-the-art technologies that shield this data and any other sensitive information, such as security keys, against attacks, sniffing or manipulation.
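The two data-minimization techniques just listed, receipt truncation and tokenized references, as an added example that is not CCV's code. The truncation rule (last four digits only) follows the page; HMAC-SHA256 is an illustrative choice of one-way token, since the page does not name the algorithm, and the key and sample PAN are constructed.

```python
import hashlib
import hmac

# Constructed sample input: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
# Hypothetical tokenization key; in a real deployment it never leaves the
# PCI-certified zone of the POI or processing host.
TOKEN_KEY = b"example-token-key-held-inside-the-poi"


def normalize_pan(pan: str) -> str:
    """Strip separators and sanity-check the length (PANs are 12 to 19 digits)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Receipt form of the PAN: every digit masked except the last four.
    PCI-DSS permits at most first six / last four on a masked PAN; this keeps
    only the minimum the consumer needs to recognise the payment."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Reference form of the PAN for a parking management system. HMAC-SHA256
    is an illustrative choice: the token is stable for the same PAN (so a
    drive-out can be matched to its drive-in) but cannot be reversed to the
    PAN without the key, which stays inside the PCI-certified zone."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def pan_exposed(output: str, pan: str, run: int = 5) -> bool:
    """Defender's check on anything leaving the POI: True if the output contains
    a run of five or more consecutive PAN digits, i.e. more than the last four
    that truncation is allowed to reveal."""
    digits = normalize_pan(pan)
    return any(digits[i:i + run] in output for i in range(len(digits) - run + 1))
```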
The CCV solution uses a hardware-to-hardware encryption and decryption process along with a POI device that has SRED (Secure Reading and Exchange of Data) listed as a function. This is also part of PCI Point-to-Point encryption requirements. The CCV solution therefore offers advanced security components that drive PCI-DSS compliance.
It is common practice for CCV to ensure that, on top of state-of-the-art data encryption, keys are only valid for a single transaction. This fully secures the communication of payment-related data between the POI and the processing host. In other words the communication between two PCI-relevant elements, e.g. the POI and the processing host, is also fully protected to make sure this data is of no use to any unauthorized third party. This means that CCV uses exactly the same security measures as recommended by P2PE.
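The single-transaction key principle described above, as an added example that is not CCV's scheme: the industry mechanism for this is DUKPT (ANSI X9.24), and the simplified HMAC-counter derivation below only stands in for it. The base key and device identifier are constructed; the host side also shows the replay check a practitioner would expect alongside per-transaction keys.

```python
import hashlib
import hmac

# Hypothetical values for the example: a base key shared by one POI and the
# processing host, plus that POI's identifier. Not CCV's actual scheme.
BASE_KEY = b"example-base-derivation-key-for-one-poi"
DEVICE_ID = b"POI-0001"

def transaction_key(base_key: bytes, device_id: bytes, counter: int) -> bytes:
    """Key for one transaction, derived from base key, device id and counter.
    Simplified HMAC construction standing in for DUKPT: each counter yields an
    unrelated key and the base key itself never goes on the wire."""
    return hmac.new(base_key, device_id + counter.to_bytes(4, "big"), hashlib.sha256).digest()

class PoiSide:
    """The terminal: bumps its counter and uses a fresh key per transaction."""

    def __init__(self, base_key: bytes, device_id: bytes):
        self.base_key, self.device_id, self.counter = base_key, device_id, 0

    def next_key(self) -> tuple[int, bytes]:
        self.counter += 1  # the counter is sent with the message in clear text
        return self.counter, transaction_key(self.base_key, self.device_id, self.counter)

class HostSide:
    """The processing host: re-derives the key from the received counter and
    refuses any counter already accepted, so a captured message cannot be
    replayed and no key stays valid beyond its one transaction."""

    def __init__(self, base_key: bytes, device_id: bytes):
        self.base_key, self.device_id, self.highest_seen = base_key, device_id, 0

    def key_for(self, counter: int) -> bytes:
        if counter <= self.highest_seen:
            raise ValueError(f"counter {counter} already used or out of order")
        self.highest_seen = counter
        return transaction_key(self.base_key, self.device_id, counter)

def run_exchange(n: int = 3) -> list[bytes]:
    """Run n transactions between a POI and the host; return the agreed keys."""
    poi, host = PoiSide(BASE_KEY, DEVICE_ID), HostSide(BASE_KEY, DEVICE_ID)
    keys = []
    for _ in range(n):
        counter, poi_key = poi.next_key()
        if poi_key != host.key_for(counter):
            raise RuntimeError("POI and host derived different keys")
        keys.append(poi_key)
    return keys
```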
Of course, at some point in the overall process the secure keys need to be injected into the POI. Key injection into POI terminals is an important and critical step in the overall hardware distribution chain and transportation flow. Having implemented transport security measures such as:
- transport key mechanisms
- electronic and mechanical device protection during transport
- tracing events which might be subject to illegal attempts
CCV ensures that all our terminals and components are fully protected, even when underway from CCV’s highly secure environment to our customers’ highly secure environments.
CCV’s solution: full security while minimizing the burden of PCI
CCV’s approach to data security and data encryption has been designed strategically to keep consumer-related information entirely within PCI-regulated areas, never to send this data to the trader in clear form and not to store consumer data at all. In other words, the CCV solution does not merely protect clear-text consumer data. It takes this to the next level and keeps PCI-DSS relevant clear-text cardholder data away from traders’ POS environments altogether. On top of that, CCV is continuously working on the latest data security and encryption technologies to help minimize the burden of PCI for traders.
About CCV Group
CCV provides in-store payment solutions, powerful online solutions and self-service payment terminals throughout Europe. We support our customers in creating an optimal omni-channel shopping experience, so consumers can pay when it suits them, using the payment method of their choice: online, in-store, by card or smartphone.