PCI Strives for Updated Encryption Standards
Great news comes from Payment Card Industry Security Standards Council (PCI SSC) for encryption enthusiasts. PCI has issued the Point-to-Point Encryption Solution Requirements (P2PE) and Testing Procedures version 2.0 (PDF). This document is a revised version of the key encryption standard which aids with the development of solutions to make payment card data unreadable in the event of a breach.
According to PCI counsel:
“A point-to-point encryption (P2PE) solution cryptographically protects account data from the point where a merchant accepts the payment card to the secure point of decryption. By using P2PE, account data (cardholder data and sensitive authentication data) is unreadable until it reaches the secure decryption environment, which makes it less valuable if the data is stolen in a breach. With version 2.0 the Payment Card Industry Council is responding to market feedback to provide a simpler approach to validating solutions, while still maintaining a strong level of integrity in the validation process that will result in the most secure options for merchants”
The revision adds flexibility to P2PE solution providers and to companies that provide services. It is intended to lower the cost of maintaining compliance with the PCI Data Security Standard (PCI DSS) by helping P2PE solutions reduce the scope of operations covered by the standard, and increasing the security of payment card data overall. The PCI Council will now list validated P2PE components along with validated solutions and applications to make it easier for solution providers to serve merchants.
Merchants will also be allowed to implement and manage solutions for their own point-of-sale (POS) locations even if they are their own P2PE.
Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers’ payment information. As these attacks become more sophisticated, it’s critical to find ways to devalue payment card data.