Since the inception of the Payment Card Industry Data Security Standard (PCI DSS) my advice to merchants has been to keep it simple, to look to reduce scope as the most effective way to gain compliance and to mitigate risk through the use of encryption and tokenisation.

Contrary to popular misconceptions, there is a future for the PCI DSS beyond Point-to-Point-Encryption (P2PE), because for a start, P2PE only works in the customer present environment. Similarly, there is a way to implement strong encryption and reduce scope without P2PE.

P2PE was supposed to be the Holy Grail, the silver bullet, the best thing since sliced (white) bread but it has become something very different; the daughter of Frankenstein perhaps. P2PE is what happens when too many self-interested parties try to solve a problem.

The problem then was that the PCI DSS had been criticised as overly complicated for many merchants and that they needed a way to reduce the scope of their compliance whilst still taking credit and debit card payments. P2PE, or end-to-end encryption, should have been the answer: secure the data at the earliest point, the Point of Interaction (POI; the Chip and PIN terminal or PIN Entry Device (PED) in EMV territories), and do not decrypt that data until it is outside of the merchant’s environment.

The problem now is that too many of the big players wanted to add value, which has resulted in expensive key injection and key management processes, extra costs for terminal management tools, extensive and onerous PED terminal lifecycle processes and a lack of real world common sense. In short, the PCI DSS has been replaced with a separate standard that is overly complicated for many merchants (if in doubt, please ask to read a PIM, the P2PE Instruction Manual).

Perhaps ironically, the Special Interest Group (SIG) that worked on P2PE overlooked the simple option. A number of Chip and PIN terminal manufacturers already supported Transport Layer Security (TLS), which forms the basis of the Vodat Unified Payment Service, a secure alternative to P2PE. This delivers encryption from the POI without the Secure Reading and Exchange of Data (SRED) dependency and is combined with a firewall to create network segmentation at the store level. The electronic point of sale (EPoS) is connected to the PED via a network link into the Vodat PCI DSS certified data centres, and the solution ensures no sensitive data is ever passed to the EPoS.

Building solutions around SRED means building in dependencies on specific hardware vendors and removing flexibility later on. Indeed in some cases it may limit merchants to a specific PED.

Alternative approaches to P2PE typically result in a debate on scope and then a subsequent debate on which response to the PCI DSS should be used, not least because the encryption method used has not been validated. With this in mind, Vodat worked with Coalfire and MWR InfoSecurity to have our solution validated, and the findings are published in our white paper. The key takeaway is that the same scope reduction benefits are available without the constraints of implementing P2PE.

We take the EPoS out of scope, so we might even be able to save you from that difficult XP upgrade you’ve been putting off.

If you want P2PE then go for it; if you want scope reduction with security and encryption and no cardholder data in your POS or data centre environments, then talk to us.

If you must choose P2PE then ensure you select a validated solution, although there isn’t much choice. There are many others out there masquerading as P2PE, yet how can they be P2PE if their solution has not been listed as such? Shame on them.

As with any change, planning is key as the latest Verizon PCI Compliance Report highlights:

Challenges for merchants: Getting P2PE up and running can include upgrades to POS hardware and software; and increased fees from vendors ready to take advantage of businesses trying to reduce their compliance obligations. This can represent a sizeable financial investment. Another major difficulty is following the solution provider’s P2PE implementation manual (PIM), especially the device management process implementation. It can be cumbersome to track and protect devices effectively.

Finally, what is of utmost importance if implementing a P2PE solution, in my opinion, is to work hand in hand with a suitably qualified QSA to ensure that the promised scope reduction can actually be achieved. Implementing it in the wrong way can result in disappointment, as highlighted by Jeffrey Man of Tenable Network Security in his blog post “What’s Wrong with P2PE”, 31 October 2013.