David Froud is on a roll. Tenable’s Jeffrey Man wrote a post regarding point-to-point encryption (P2PE) and it apparently got the juices flowing.
I have discussed P2PE (known to almost everyone else as end-to-end encryption or E2EE) a number of times (see my Post Series References page). Also see my post on What Happens Once Merchants Get Rid Of Cardholder Data to understand how the risks will shift and why the terminal becomes the primary attack point. This is why we need to get to some sort of single-use code for a payment, which is easily handled with today's smartphones.
Read the posts and decide. I think you will find that they both make compelling cases for why P2PE certification is a non-starter and is really not needed.
I would argue that if the acquirer approves a P2PE solution (even though it's not the Council-approved one) then P2PE can simplify compliance dramatically, especially when the merchant has other apps running on the store network that talk to the Internet. You make good points, but I see it as an option that serves its purpose well.
That is pretty much where we are today. There are a lot of P2PE solutions already implemented by merchants and their processors. Most of those are in the convenience store sector, between their gas pumps and their processor.
The problem is that the processor controls what P2PE solutions are supported. That can be problematic for some merchants as it can require using only one processor and/or the wholesale replacement of terminals or other equipment. It can also obviously reduce the flexibility of a merchant to move from one processor to another because the new processor most likely will not support the P2PE solution used by the merchant. That is due to the fact that the P2PE vendors are signing exclusive agreements with processors limiting who uses what solution.