C-Note: The Convergence of Mobile, P2PE and the Cloud
By Rick Dakin, CEO and Chief Security Strategist, Coalfire
When it comes to maintaining technology compliance, the most talked-about things are mobile, point-to-point encryption (P2PE) and the cloud. These are big trends in their own right, and they are converging.
Several manufacturers have demonstrated mobile devices that address payment risk via encryption. Imagine accepting payments in this new way, stripping out toxic cardholder data, and having your data stored in. and accessible from, the cloud. It promises to be convenient, relatively secure and much less expensive to deploy and operate.
As a QSA company, it’s encouraging to see that merchants and vendors are making progress in advance of the PCI compliance reporting curve. As you probably know, there is a shortage (actually, an absence) of validated P2PE solutions, but smart merchants are still considering the solutions. In fact, several of our clients are piloting and deploying these systems already, and we are working through their Reports on Compliance (ROCs) and self-assessment questionnaires (SAQs) with these solutions in the mix. PCI compliance validation is still a best practice, and it’s helping them to invest wisely.
But buyer beware of un-validated payment applications! Only a select few technologies have gone through PA-DSS validation, and this is going to pose a challenge for PCI compliance efforts. We’ve seen a significant number of iPad and other mobile POS platforms that will never get PA-DSS validation under the Council’s current guidelines. This isn’t stopping eager merchants from acquiring the devices, but those merchants could face compliance penalties if they do not carefully consider compliance programs within their internal PCI programs. Our recommendation is to work with your QSA to investigate solutions and compliance implications before you dive in too deeply; it will save you time, money and aggravation.