P2P Encryption - An Introductory Guide
P2PE (point-to-point encryption) seems to be emerging at the forefront of defense against security breaches, and as a leader among encryption technologies, in the wake of recent breaches in the payment card industry.
This technology appears to be gaining popularity not only as an encryption technology but also as a solution that can limit, and hence reduce, the cost of compliance with the PCI DSS (Payment Card Industry Data Security Standard).
Complete adoption of the technology would result in encryption of the data along its entire path, i.e. from the ATM, the kiosk or the point of sale right through to the bank or the card processing facility.
But this approach is not possible at present because of the number of card processing companies, banks, ISOs, etc. that are involved in processing card data.
Because of the above limitation on end-to-end encryption of data, there are a couple of methods that merchants opt for while processing card data.
The first is encryption of data at the point of sale. In the current approach, when a user's card is swiped at the point of sale, its data travels in clear text as far as the back office system. The back office system does some initial processing and then encrypts the data to send it to the card processing center.
Here a hacker has the opportunity to intercept the data as it travels in clear text on the merchant's network. To prevent such an attack, merchants are opting for encryption at the cash register itself using symmetric keys. The data is encrypted as it is read from the card and sent to the back office over SSL. This means that there is no scope for the hacker to intercept the data as it travels over the network. There is still a chance that the symmetric key could be hacked, but the hacker would need to be persistent enough to try and break the symmetric key.
The second approach is more secure than the first and involves the use of asymmetric keys. The cash register and the payment processing center share asymmetric keys, much as in ordinary asymmetric encryption, which makes it even harder for any hacker to break the keys and intercept the data.
As far as compliance with the PCI DSS is concerned, neither the first nor the second approach provides any cost savings with regard to the testing that needs to be performed on the cash register systems for vulnerabilities or probable hacks.
The final option, which can be considered the most secure and which invariably provides cost savings for PCI DSS compliance, is encryption of data at the card reading terminal itself. The data is encrypted as soon as the user swipes the card at the terminal, and no readable data is left on the unit. This strategy completely defeats online hacking attempts.
The only way to hack such a system would be to gain physical access to one of the units, dismantle it and alter the processing chips. So this is as good as security can get, and it helps narrow the scope of the PCI DSS audit considerably, since encryption algorithms embedded on the chips remove cash registers and a list of other system components from the audit.
The audit scope would then consist entirely of the hardware modules, the key management and the manner in which the different encryption modules are loaded onto and handled on the hardware unit. This results in high cost savings for PCI DSS compliance because the scope and the number of devices are limited.
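
The terminal-level encryption described above, as an added Go example that is not part of the original article. It assumes RSA-OAEP under the processor's public key, which the article does not specify; the terminal ID label, the function names and the card values are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewProcessorKey creates the processor's key pair; the private half never leaves the processor.
func NewProcessorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// TerminalEncrypt runs inside the card reader, which stores only the
// processor's public key, so the unit cannot decrypt its own output.
// terminalID (hypothetical field) is bound to the blob as the OAEP label.
func TerminalEncrypt(pub *rsa.PublicKey, terminalID string, track []byte) ([]byte, error) {
	// RSA-2048 with OAEP/SHA-256 carries up to 190 bytes, enough for track data.
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, track, []byte(terminalID))
	for i := range track {
		track[i] = 0 // leave no readable card data in the reader's buffer
	}
	return blob, err
}

// ProcessorDecrypt runs at the card processing facility, the only holder of
// the private key. An altered blob or a different terminal ID is rejected.
func ProcessorDecrypt(priv *rsa.PrivateKey, terminalID string, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, []byte(terminalID))
}

func main() {
	priv, err := NewProcessorKey()
	if err != nil {
		panic(err)
	}
	pan := []byte("4111111111111111")                    // constructed test number
	track := []byte(";4111111111111111=30121010000000?") // constructed track 2 data
	blob, err := TerminalEncrypt(&priv.PublicKey, "TERM-0001", track)
	if err != nil {
		panic(err)
	}
	// The cash register and back office only relay blob; neither holds a key that opens it.
	fmt.Println("PAN visible in transit:", bytes.Contains(blob, pan))
	out, err := ProcessorDecrypt(priv, "TERM-0001", blob)
	fmt.Println("processor recovered PAN:", bytes.Contains(out, pan), err)
	_, err = ProcessorDecrypt(priv, "TERM-0002", blob)
	fmt.Println("wrong terminal rejected:", err != nil)
}
```

Because the reader holds no secret that decrypts traffic, what remains to protect and audit is the private key at the processor and the way the public key is loaded into the hardware.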
