Simeon Tassev, MD and QSA at Galix.

Credit card and online payment fraud is becoming increasingly complex as criminals are constantly refining their tactics in response to changes in the financial services landscape in order to exploit weaknesses and vulnerabilities. As digital and contactless payments increase, ironically due to the perception that cashless is safer, the security for such transactions needs to be increased accordingly.

For companies that handle card payments, security is essential and compliance with industry regulations is imperative. Although such compliance is also becoming increasingly complicated, it cannot be overlooked. PCI Point-to-Point Encryption (P2PE) solutions can make a dramatic difference in the burden of compliance and the security of the digital payment ecosystem.

Alarming fraud statistics

Whether start-up or global enterprise, Payment Card Industry Data Security Standard (PCI DSS) is a requirement for companies handling cardholder data. Businesses must always be compliant, and compliance must be validated annually. Global credit bureau TransUnion detected an alarming surge in fraud and criminal activity in the financial sector with fraud increasing more than 187% between 2020 and 2021.

Securing every swipe

This makes a compelling argument for merchants to implement PCI P2PE, a security standard that requires credit card information to be encrypted instantly on swipe and securely transferred directly to the payment processor before it is decrypted and processed.

Although not in itself mandatory, P2PE is a standard from the PCI Security Standards Council that can play a vital role in reducing a company’s risk of financial services crimes as well as substantially reducing the scope for PCI DSS compliance. Point-to-point encryption entails protecting cardholder data, card terminals, and physical point of sale (POS) setups to prevent harm caused by device tampering, data breaches, and other external threats.

Additionally, there is the option of a generic End-to-End Encryption (E2EE) solution. Both solutions use encryption that process payment card data when transactions are made at a point-of-sale terminal, however, the difference is that a certified PCI P2PE solution has been rigorously tested and validated by an independent assessor.

Securing the digital payment ecosystem

Many providers offer end-to-end encryption, but this is not part of a PCI-validated P2PE solution. An end-to-end connection may indirectly link system one (the point of payment card acceptance) to system two (the point of payment processing) but with multiple systems in between, this obviously increases hacker opportunity and does not satisfy the chain-of-custody requirements of P2PE.

Theoretically, an E2EE solution could allow for decryption of the card data by the merchant since there is no standard to meet. If payment card data exists somewhere within the payment environment in an unencrypted form, this is risky to cardholders and merchants alike, as unencrypted data can be easily read and stolen.

When it comes to cardholder data and securing the payment ecosystem, nothing less than the most comprehensive security measures will do. This is where PCI-validated P2PE solutions become important. If a solution is certified by PCI, it can be used to reduce scope for other PCI standards, which is a huge deal in larger environments, such as banks and retail chains. In larger environments there are many components to manage from a remote perspective.

Such components will usually fall within scope for PCI compliance and includes, for example, networking and security infrastructure, such as firewalling. It also includes all machines linked to the system, such as POS terminals. Along with needing to maintain control over these components, other systems such as access control and surveillance also fall within scope for PCI compliance.

Making compliance straightforward

By utilising a certified PCI P2PE solution, it is possible to remove from scope everything except credit card machines and the various processes around their management. These PIN entry devices (PED) have to be constantly monitored and regularly inspected to ensure they have not been tampered with.

The benefit of reducing the scope for compliance and for maintaining that compliance as an ongoing business-as-usual exercise is massive and cannot be understated. Without such a solution not only is the burden of compliance too high, it is practically unattainable. Without compliance, the risk of harm materialising is high, bringing with it inevitable heavy penalties and making news headlines for all the wrong reasons.