As data breaches continue to plague businesses, many are looking to shore up security. For those who accept card-present payments, Point to Point Encryption (P2PE) is essential.
What Is Point to Point Encryption?
P2PE is a solution that cryptographically secures cardholder payment data and authentication information from the point of entry, throughout the transaction lifecycle, to the point of decryption. Account data is unreadable to anyone who does not hold the decryption key, making it useless if stolen in a data breach. With P2PE, because payment data is encrypted inside the device and the merchant has no mechanism to decrypt it anywhere in the network, exposure is minimized and there is a potential for PCI DSS scope reduction.
Without P2PE, the merchant’s systems that store, process, or transmit cardholder data are in scope and will be reviewed during an assessment, for example registers/POS, servers, network devices, and more. Keeping these systems compliant with PCI DSS takes significant resources.
What Is PCI-Validated Point-to-Point Encryption?
To ensure the highest level of data protection when using encryption, the PCI Security Standards Council (PCI SSC) created a standard for P2PE. This standard defines a rigorous set of more than 600 controls which must be met to be accepted as a PCI-Validated P2PE solution. A PCI-Validated P2PE solution includes validated hardware, software, and the solution provider’s environment and processes. Validation is completed by an independent P2PE Qualified Security Assessor (P2PE-QSA). PCI-approved solutions are listed on the Council’s website.
TrustCommerce’s P2PE Validation is due to be completed in Q3 of this year. With it, cardholder data is encrypted at the card reader, encrypted again by TC IPA, and passed along the client network in a dual-encrypted state until it is received by TrustCommerce and decrypted within our secure P2PE Validated environment. No system on the client network holds a key for either layer.
As TrustCommerce’s P2PE Validation is under way, now is a good time to begin preparing for what this will look like in your environment.
Getting Started with Validated P2PE
Implementing a P2PE Validated solution comes with new requirements and clients will benefit from planning ahead. Here are some important considerations:
- You will want to become familiar with the TrustCommerce P2PE Instruction Manual (PIM). The PIM will be provided to clients to assist them in adhering to the requirements of our P2PE validated solution.
- To ease the burden of PIM adherence, PCI-Validated P2PE will be available through TC IPA allowing TrustCommerce to do the heavy lifting since our applications will manage the data from swipe/dip/tap. Speak with your TC Representative to learn more about TC IPA.
- The TrustCommerce P2PE Validated solution will support Ingenico and ID TECH SRED devices.
- Customers who already have supported devices will need to have them re-injected with a P2PE key in accordance with the PIM. Be aware of how many devices you will need re-injected to better understand turnaround time. In addition to new encryption key(s), Ingenico devices will need to have OnGuard activated.
- Device tracking for P2PE is a requirement. You will need a mechanism, such as a device inventory and periodic tamper inspection, to ensure that the security of each device is maintained. But don’t worry, we’re working on a solution to take on that requirement as well.
Note: Epic EHR software and GE Centricity are semi-integrated with TC IPA Session (v4.3+). Only P2PE key-injected devices are supported under these integrations, as required for a P2PE Validated solution. The cardholder data is encrypted at the card reader, encrypted again by TC IPA, and passed directly to TC IPA’s cloud services until received by TrustCommerce and decrypted within our secure P2PE Validated environment. It is important to note that any keys injected PRIOR to TrustCommerce’s validation being approved are not considered compliant and will require re-injection.
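The dual-encrypted flow described above (reader encrypts, application layer encrypts again, only the provider decrypts) is what makes the merchant network drop out of scope. The following is an added illustration in Go and is not TrustCommerce’s, TC IPA’s, or any device vendor’s code. It uses AES-256-GCM with two constructed fixed keys standing in for the injected device key and the TC IPA layer key; a real P2PE solution uses PCI-approved key management (per-transaction keys derived and injected under the validated process), not keys derived from strings. The names `DeviceEncrypt`, `IPAEncrypt`, `ProviderDecrypt`, `LeaksPAN` and `MerchantCanRead` are illustrative, not product APIs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed demo keys (assumption: stand-ins for the reader's injected key and
// the TC IPA layer key). Neither is ever present on merchant systems.
var (
	deviceKey = sha256.Sum256([]byte("demo-device-sred-key"))
	ipaKey    = sha256.Sum256([]byte("demo-tc-ipa-layer-key"))
)

// Layer labels are bound into each ciphertext as associated data so a blob from
// one layer cannot be passed off as the other.
const (
	deviceAAD = "layer:device"
	ipaAAD    = "layer:ipa"
)

func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key [32]byte, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, tag, or AAD does not match.
func open(key [32]byte, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// DeviceEncrypt is the first layer: the reader encrypts the PAN at swipe/dip/tap.
func DeviceEncrypt(pan string) ([]byte, error) {
	return seal(deviceKey, []byte(pan), []byte(deviceAAD))
}

// IPAEncrypt is the second layer, applied before the blob crosses the client
// network. It only ever sees device ciphertext, never the PAN.
func IPAEncrypt(deviceBlob []byte) ([]byte, error) {
	return seal(ipaKey, deviceBlob, []byte(ipaAAD))
}

// ProviderDecrypt peels both layers; only the provider environment holds both keys.
func ProviderDecrypt(wire []byte) (string, error) {
	deviceBlob, err := open(ipaKey, wire, []byte(ipaAAD))
	if err != nil {
		return "", fmt.Errorf("ipa layer: %w", err)
	}
	pan, err := open(deviceKey, deviceBlob, []byte(deviceAAD))
	if err != nil {
		return "", fmt.Errorf("device layer: %w", err)
	}
	return string(pan), nil
}

// LeaksPAN reports whether the PAN digits appear anywhere in the bytes a
// merchant system (POS, proxy, packet capture) could log.
func LeaksPAN(wire []byte, pan string) bool {
	return bytes.Contains(wire, []byte(pan))
}

// MerchantCanRead models a merchant-side component that captured the wire blob
// and has no legitimate key: any guessed key fails GCM authentication.
func MerchantCanRead(wire []byte) bool {
	guessed := sha256.Sum256([]byte("merchant-has-no-key"))
	_, err := open(guessed, wire, []byte(ipaAAD))
	return err == nil
}

func main() {
	pan := "4111111111111111" // constructed test PAN, not a real account
	deviceBlob, err := DeviceEncrypt(pan)
	if err != nil {
		panic(err)
	}
	wire, err := IPAEncrypt(deviceBlob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the client network: %x\n", wire)
	fmt.Println("PAN visible on the wire:", LeaksPAN(wire, pan))
	fmt.Println("merchant can decrypt:", MerchantCanRead(wire))
	got, err := ProviderDecrypt(wire)
	if err != nil {
		panic(err)
	}
	fmt.Println("provider recovered:", got)
}
```

Two details carry the scope argument: the associated-data labels mean a single-layer blob is rejected by the provider, so a misconfigured integration that skips the TC IPA layer fails loudly rather than silently weakening the path, and because GCM authenticates, a flipped byte anywhere on the client network is detected at decryption instead of producing garbage account data.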
If you are interested in TC IPA and PCI-Validated P2PE with TrustCommerce, contact us.