P2PE Revisited

David Froud is on a roll.  Tenable’s Jeffrey Man wrote a post regarding point-to-point encryption (P2PE) and it apparently got the juices flowing.

I have discussed P2PE (known to almost everyone else as end-to-end encryption or E2EE) a number of times (see my Post Series References page).  Also see my post on What Happens Once Merchants Get Rid Of Cardholder Data to understand how the risks will shift and that the terminal becomes a large attack point.  This is why we need to get to some sort of single use code for a payment which is easily handled with today’s smartphones.

Read the posts and decide.  I think you will find that they both make compelling cases for why P2PE certification is a non-starter and is really not needed.


2 Responses to “P2PE Revisited”

  1. TB
    November 2, 2013 at 9:54 AM

    I would argue that if the acquirer approves a P2PE solution (even though it’s not the Council approved one) then P2PE can simplify compliance dramatically. Especially when the merchant has other apps running on the store network that talk to the Internet. You make good points but I see it as an option that serves its purpose well.

    • November 3, 2013 at 5:29 AM

      That is pretty much where we are at today. There are a lot of P2PE solutions already implemented by merchants and their processors. Most of those are in the convenience store sector between their gas pumps and their processor.

      The problem is that the processor controls what P2PE solutions are supported. That can be problematic for some merchants as it can require using only one processor and/or the wholesale replacement of terminals or other equipment. It can also obviously reduce the flexibility of a merchant to move from one processor to another because the new processor most likely will not support the P2PE solution used by the merchant. That is due to the fact that the P2PE vendors are signing exclusive agreements with processors limiting who uses what solution.

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

November 2013