PCI P2PE – implement now, or wait for something better?
With the launch of Apple Pay for the iPhone 6 and Apple Watch, the payments industry could be witnessing the birth of the next big thing. Mobile payments have been on the cusp for some time now, but what about existing payment infrastructures? Should merchants and retailers move to Payment Card Industry (PCI) point-to-point encryption, as they are being urged to, or should they wait a bit longer to see which way the market moves? Tim Holman, CEO of 2-Sec, one of Europe’s leading Qualified Security Assessors (QSAs), and Iain High, CEO of Anderson Zaks, an independent Payment Services Provider, debate the issues.
Iain High – There is currently a lot of discussion about the benefits of point-to-point encryption (P2PE), with many merchants being encouraged to adopt this latest standard from PCI. However, P2PE is not mandatory, nor is it likely to become so, so why would merchants even consider it? What is in it for them?
Tim Holman – If deployed correctly, a P2PE solution will de-scope a merchant’s stores from the PCI Data Security Standard (PCI DSS) and help to eliminate the risk of card data loss in store, though there is a cost associated and merchants need to think carefully about the actual benefits they will achieve. Most retailers are already working in a relatively low-risk environment, having invested heavily in EMV (which stands for Europay, MasterCard and Visa, and is a global standard for inter-operation of payment cards), with card schemes such as Visa encouraging the Technology Innovation Program (TIP) approach.
For retailers starting from scratch, I would say that P2PE is worth considering, but to justify replacing an infrastructure (PIN Entry Devices should last between 5 and 10 years) that is reasonably secure and compliant, there needs to be a more compelling business reason. Indeed, several high-profile retailers are currently ripping out perfectly good solutions to install P2PE solutions for no real business benefit.
Iain High – These days, retailers face many more risks than simply to card data. Several recent industry security reports note that cybercriminals are now also looking to harvest personal data as well as card data. The extraction of personal data allows thieves to build a profile of an individual with the ultimate goal of committing identity fraud, something far more damaging to an individual than the loss of a credit card number. The recent Home Depot breach, where zip code information was taken, demonstrates this point: the perpetrators were able to hone their targeting techniques and so avoid detection by anti-fraud systems.
P2PE is only concerned with card information and therefore will not address this type of data breach issue. In fact, many POS systems already have end-to-end encryption even if they are not certified by PCI, so many current systems are already doing the job. Given the transient nature of many retail staff and the semi-public environments they operate in, the risk of data loss and cyber theft is not addressed by simply installing a PCI P2PE-compliant system.
Tim Holman – When I spoke to a well-known acquiring bank recently, they admitted openly that the only data breaches they’ve seen during the last five years have been via e-commerce. Since the adoption of EMV in Europe, store-level breaches have been eliminated, which begs the question: why use P2PE to reduce a risk that EMV has already taken care of?
There is more of a case for P2PE in the US, where EMV has not been widely adopted and where there is an issue because of the sheer number of acquiring banks, many of which have different formats for accepting data. Consequently, even in the US market, adoption of P2PE is unlikely to happen quickly due to integration issues. Meanwhile, retailers and merchants are going to be tired of the changes and security requirements and are more likely to look for other methods of payment.
I would further caution that installing P2PE could well be adding unnecessary risk as precious budget and resources are diverted away from tackling more pressing security issues, and lulling the board and senior management into a false sense of security.
Iain High – We are seeing banks launching new services to differentiate themselves and attract new customers. There is a lot of hope and expectation in the sector; however, the technology must solve a need for the consumer. Many consumers are still reluctant to use mobile banking because of concerns about device security. Banks are casting around for the next game changer, and evidently are still unsure about what it might be. It was announced just recently that Orange and Barclaycard are discontinuing the use of their QuickTap contactless payment service in favour of EE’s Cash on Tap alternative.
Tim Holman – The next big thing could well be where Apple Pay and many other fledgling mobile payments services being touted by Google, Amazon and PayPal (to name the most obvious) come in. Indeed, even cyber currencies that cut out payment intermediaries altogether are gaining ground, with Bitcoin now being accepted by Amazon. The iPhone has a huge user base, and high-profile banks and retailers in the US are already queuing up to work with Apple.
While mobile payments and eWallets have been around for a couple of years, Apple and Amazon both have a reputation for making things work, certainly have the user base, and it is user adoption that will make all the difference.
Iain High – So, while the banks and hardware vendors continue to promote P2PE, it seems that when faced with the dilemma of upgrading to P2PE with its high associated costs, and questionable security benefits, or waiting for something completely new, and potentially game changing, most merchants and retailers should be quietly waiting to see what happens next. And who can blame them!