Point-to-Point Encryption

Over the last year, Coalfire has assessed some of the industry’s leading point-to-point encryption (P2PE) solutions. We want to share our findings for the purpose of educating merchants on how P2PE solutions can help reduce risk, PCI DSS compliance scope, and costs.

 Point-to-point encryption—also referred to as end-to-end encryption (E2EE)—ensures sensitive credit card data is protected while in transit from first card swipe (or other point of interaction) to the point of decryption. Utilizing extensive experience with threat analysis, computer forensics, data breach investigations, and security incident response, Coalfire assessed the critical aspects of risk mitigation that P2PE solutions can provide to merchants. We determined that a well-architected, properly deployed P2PE solution can nearly eliminate the current risk of credit card data compromise for a retail environment and provide a clear and dramatic reduction of PCI compliance scope that will, in turn, reduce the cost of PCI compliance assessment and validation.

PCI Compliance Scope Reduction
The Payment Card Industry has developed the PCI Data Security Standard (PCI DSS) to mitigate the risk of compromise to a specific data set. The standard is applicable only to the system components that are “within scope” of PCI. The PCI DSS is based on industry security best practices, but is not focused on the overall information security. To reduce PCI DSS compliance scope, merchants must reduce the potential security risk and access to payment card data.

The PCI Security Standards Council has incorporated scope reduction guidance within the PCI DSS framework and through guidance on specific technologies or architecture. Compliance scope reduction has commonly been addressed through the implementation of network segmentation where systems and environments that process, store, or transmit card data are “isolated” from other non-payment environments. This approach is not focused on reducing the applicability of any specific DSS control to a merchant’s environment, but rather on reducing the scope of the environment that the DSS controls apply to.

Most of the DSS controls are designed to manage card data risk from specific threats. Therefore, it is possible to reduce the control applicability by securing the card data in the merchant environment so that those threats are no longer a viable risk. By strongly encrypting card data at the point of interaction in a secure and restricted device, where the ability to decrypt the card data is removed, and by adhering to specific deployment scenarios, a large portion of the environment can be treated as “out-of-scope” similar to network segmentation.

The reduction of PCI compliance scope eliminates the cost of PCI control deployment for the purpose of compliance. It also reduces the cost and effort to validate PCI compliance of the merchant environment. Keep in mind, however, that reducing PCI compliance scope for payment card data does not remove the need for PCI controls to protect other information assets. Ignoring PCI and security best practice controls in a networked environment, even if they are out of scope for PCI compliance validation, can introduce other security or business continuity risks.

It is important to note that even the best encryption solutions cannot completely eliminate PCI compliance for a merchant. There will always be certain controls for PCI compliance that must be assessed, and PCI compliance will always apply to merchants who accept, process, transmit, or store credit card data. Also, PCI scope reduction does not eliminate a merchant’s responsibility to validate compliance to their Acquirer. However, based on our assessments, the PCI scope and controls required for a merchant can be significantly reduced by P2PE solutions.

Coalfire has had ongoing dialogue with the PCI Security Standards Council on the topic of P2PE and its impact on PCI DSS and compliance. Though the Council has not issued updates to the PCI DSS P2PE, they have published an emerging technologies white paper addressing P2PE and its impact on PCI compliance and merchant scope reduction. They will also provide the industry with further guidance including assessor validation requirements to be published in 2011.

Summary – PCI DSS Scope Reduction
The opportunity to significantly reduce security risk and compliance scope should put P2PE solutions on every merchant’s must-review checklist this year. Merchant environments and payment processes can differ, and it is important to work with your QSA before making assumptions on PCI control scope reduction.

The following summary chart provides a quick view of the potential impact to PCI DSS control requirements for a retail environment assuming certain deployment constraints outlined in our assessment whitepapers.

• Major – A significant number of controls are either removed from scope or a reduction in the number of IT assets requiring the controls.
• Moderate – A reduced number of controls are required and a significant reduction in the number of IT assets requiring the controls.
• Minor – Either no controls are removed from scope or minor impact to the scope of IT assets requiring the controls.

Coalfire can assist you with independent advice or input during your review process. For more detailed information on the impact of P2PE to PCI DSS requirements in retail environments, please contact us.