Understanding the purpose behind P2PE and why some solution providers heavily promote it can help ISVs and VARs best position their solution to be competitive in the marketplace. Read on to learn more.
A Payment Card Industry Security Standards Council (PCI SSC) validated P2PE solution is required to officially remove a POS application, and the endpoint it runs on, from the scope of PCI DSS compliance when cardholder data traverses that POS application or endpoint. If the payment solution uses P2PE that is not officially validated by the PCI SSC, the cardholder data is still much more secure than it would be without P2PE, but an opinion from the end user's qualified security assessor (QSA) is required to render the POS system endpoint officially out of scope of PCI DSS.
Validated or not, P2PE is primarily designed to secure cardholder data while it traverses internal networks and endpoints that would otherwise carry it in unencrypted form. More specifically, most breaches these days occur where unencrypted data in transit is stolen from systems and networks with large attack surfaces. For instance, POS endpoints running on PCs, iOS or Android have large attack surfaces: in their native form they are multi-purpose devices able to perform a variety of functions such as email, web browsing, execution of third-party applications, person-to-person communications, file sharing, data storage, networking and more. Systems with large attack surfaces are highly susceptible to infiltration and malware infection because there is a multitude of attack vectors that can be used to compromise them. When a POS endpoint, or any other endpoint residing on the same POS network, is compromised, attackers can easily install sniffer applications and steal the cardholder data that traverses it. P2PE is designed to make it safer to send sensitive data through or across inherently vulnerable systems and networks. In other words, P2PE makes it possible to continue processing payments using the traditional workflow, but in a more secure manner.
With Paygistix, we go a step further than P2PE: sensitive cardholder data, whether encrypted or not, never traverses the POS application or endpoint in any fashion. Instead, the POS application makes a call to a single-purpose payment device that has a very small attack surface. The payment device collects the sensitive cardholder data and sends it to us over an encrypted TLS channel. With Paygistix, sensitive cardholder data never traverses the internal network unencrypted, and it never touches the POS application or endpoint in any form. The only thing better than using P2PE is to remove the reason P2PE is necessary in the first place, which is what Paygistix does.
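The flow described above, modelled as an added example (this is not Paygistix code, and the message fields, the `PaymentDevice` class and the card-reader callback are constructed stand-ins): the POS application sends only the amount and a reference to the payment device, receives an authorization result carrying a masked PAN and a token, and asserts at its boundary that no full PAN ever enters the POS process. The boundary check uses a Luhn-filtered digit scan, which is how a defender can verify the "POS never touches cardholder data" claim on real message traffic.

```python
import json
import re
import secrets
from typing import Callable

# Matches any 13-19 digit run; the Luhn test below filters out order ids and timestamps.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if a Luhn-valid 13-19 digit run appears anywhere in the message text."""
    return any(luhn_valid(m) for m in PAN_RE.findall(text))


class PaymentDevice:
    """Stand-in for the single-purpose payment device: the only component that sees the card."""

    def __init__(self, read_card: Callable[[], str]):
        self._read_card = read_card  # simulated card reader; never exposed to the POS

    def sale(self, request: dict) -> dict:
        pan = self._read_card()
        # In the real flow the PAN is sent to the processor over TLS here; only the
        # result goes back to the POS. The token is a stand-in for a processor-issued one.
        return {"reference": request["reference"], "amount": request["amount"],
                "approved": True, "auth_code": "A1B2C3",
                "masked_pan": "*" * (len(pan) - 4) + pan[-4:],
                "token": "tok_" + secrets.token_hex(8)}


def pos_checkout(device: PaymentDevice, amount_cents: int, reference: str) -> dict:
    """POS side of the semi-integrated flow: sends amount and reference, never the card."""
    request = {"reference": reference, "amount": amount_cents}
    response = device.sale(request)
    # Scope boundary check: any message entering the POS application must be PAN-free.
    for msg in (request, response):
        if contains_pan(json.dumps(msg)):
            raise RuntimeError("full PAN crossed into the POS application")
    return response
```

Running `pos_checkout(PaymentDevice(lambda: "4111111111111111"), 1999, "INV-1001")` returns an approved result whose only card-derived fields are the masked PAN and the token; feeding an integrated-style message that carries the card through `contains_pan` shows what the boundary check flags.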
Other than some isolated device-tampering cases, which would defeat P2PE anyway and only yield small amounts of data to extremely brazen criminals who must be physically present at the payment device to carry out the attack, we simply do not see cardholder data being compromised at merchants who use standalone payment devices and do not store or process sensitive cardholder data in other ways. Nearly all merchant cardholder data breaches involve integrated processing in POS systems or improper storage or handling of sensitive cardholder data. The Paygistix solution gives merchants the best of both worlds – the benefits of integrated processing in the POS application with the security posture of a standalone payment device.
It is our experience that payment solution providers who heavily promote the use of P2PE are frequently advertising a payment solution in which sensitive cardholder data runs through the POS application or endpoint. They use P2PE to demonstrate that cardholder data is still secure despite running through hard-to-secure endpoints. The moral of the story is that validated P2PE is great for merchants whose POS applications or endpoints process the sensitive cardholder data themselves. For merchants using POS applications and endpoints that never touch sensitive cardholder data, P2PE (validated or not) doesn’t provide any significant material benefit. While Paygistix does utilize a form of P2PE, it’s not something we widely promote, as it would overshadow the main security benefit of our solution: removing the sensitive cardholder data from exposure to the attack vectors that are used to steal it in the first place.