Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘E2EE’

History shows us that two great things, when combined, make something truly spectacular.

In the world of payments security, the same theory applies. There is something happening right now that is the equivalent of Lennon and McCartney sitting down to write their first song in Liverpool.

For the first time, hotels, restaurants and retailers can enjoy the benefit of a combined point-to-point encryption (P2PE) and tokenization solution that will dramatically lower the cost of attaining and maintaining PCI compliance and eliminate the hassle of managing credit card data.

The partnership between P2PE and tokenization brings something that we believe is as good as a Reese’s Peanut Butter Cup: it allows merchants to get out of the credit card business and focus on their core missions. And, heck, it provides the peace of mind a merchant needs, knowing that their customer data is protected.

From the point of swipe to the completion of a transaction, Merchant Link’s comprehensive solution secures both “data in-flight” and “data at rest,” meaning both stored credit card data and transaction data flowing through networks will be protected from hackers and cyber criminals. This both dramatically reduces the risk of a breach and reduces PCI scope based on the PCI Self-Assessment Guidelines.

A combined solution that provides the ultimate coverage in payment security, while also reducing PCI scope for merchants? Sounds like a hit song in the making…

By Sue Zloth

You like potato and I like potahto, you like tomato and I like tomahto;
Potato, potahto, tomato, tomahto! Let’s call the whole thing off!

When it comes to the security industry, one thing is certain: there is a whole alphabet soup of acronyms used to talk about technology, and many people use different names to talk about the same technology.

This issue was brought into sharp relief recently when the PCI Council released their first guidance document on Point-to-Point Encryption. At first I was a little mystified: had there been some significant change in the types of technology the payment card industry was using? As it turns out, the PCI Council had simply created an alternate reference for End-to-End Encryption – a term that has been pretty well agreed upon by the payment card industry for some time now. In fact, at Merchant Link, we’ve always used End-to-End and recently announced our E2EE solution.

While industry shorthand has certainly shaped our conversations and product naming, the terminology of End-to-End encryption is, if one were to dig deep, not technically correct. End-to-End would mean all the way from the point of swipe, through the gateway, up to the processor, out through the card networks and all the way to the issuer. The end point past the processor is the part that is still a pipe dream; it may happen in the future, just not any time soon.

PCI’s key argument for the change in terminology was to redefine the cardholder data environment and to make it clear what is and is not secure, as well as define what is in scope. This clarification was needed.

So, despite some initial hesitation and some other vendors’ insistence that their products really do secure the end points, the PCI Council’s guidance on calling these technologies Point-to-Point is well taken. The new naming convention allows for greater flexibility in what we currently identify as points and what we might include in the future.

So, considering the accuracy of the terminology and accepting that the PCI Council has already taken a stand on what to call it, we’ve decided to make a change. Merchant Link will now change from E2EE to P2PE to ensure consistency with industry norms and with guiding principles we agree with.

By Sue Zloth

I’ve been waiting for some time to read this document. Yesterday, the PCI Council released the first in a series of documents that will delve into the issue of encryption as it impacts PCI DSS and scope reduction.

Being the first document in a series, it is a good start, but it really doesn’t provide many details or specifics. It does, however, indicate that the Council is looking at establishing an evaluation process for products supporting end-to-end encryption (E2EE).

The document also offers merchants an understanding of what they should be evaluating to determine whether an E2EE/P2PE solution may simplify PCI DSS compliance for their environment. It is critical that merchants understand their entire card transaction environment. As sensitive cardholder information travels through the system and is identified, merchants must have a realistic understanding of the threats involved and put in place risk management measures that are appropriate.

Minimizing data within the environment can limit the scope of a PCI DSS assessment. But the big question is whether or not an encryption solution can simplify PCI DSS compliance.

We believe that encryption is one of the ways to do this, although, as we’ve stated before, it is most effective when layered with tokenization. According to the document, encrypted data is out of scope only if the encryption and decryption keys are not held by the same organization. But what Bob Russo and Troy Leach, CTO of the PCI Data Security Standards Council, have made clear is that validating correct implementation of each layer of security is the most likely way to reduce the scope.
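To make the key-custody rule quoted above concrete (and the P2PE-plus-tokenization layering described in the first post), here is an added toy model; it is not Merchant Link code and not the PCI Council's guidance. It assumes a swipe device that holds only an encryption (public) key, a gateway that holds the matching private key and a token vault, and a constructed token format `tok_<hex>_<last4>`. Textbook RSA with fixed Mersenne primes is used purely so the custody split is visible; it is not a cipher for real use, and the scoping check implements only the one-sentence rule the post quotes.

```python
"""Constructed toy model of the custody split the PCI guidance turns on:
the merchant device encrypts with a key that cannot decrypt, the gateway
holds the decryption key and the vault, and the merchant keeps only a token.
Textbook RSA with fixed primes is used to make the split visible; it is not a
cipher anyone should deploy (real P2PE uses validated hardware and key schemes).
"""
import secrets

# Toy RSA parameters (constructed; far too small and unpadded for real use).
# 2**31-1 and 2**61-1 are primes, so N is about 92 bits.
_P, _Q = 2**31 - 1, 2**61 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
PUBLIC_KEY = (_N, _E)      # may be placed in the swipe device
PRIVATE_KEY = (_N, _D)     # must stay inside the gateway's decryption environment
_PAN_BITS = 54             # a 16-digit PAN fits in 54 bits


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check, used to reject garbled swipes before encryption."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def encrypt_pan(pan: str, public_key=PUBLIC_KEY) -> int:
    """Swipe-side step: encrypt with the public key, which cannot decrypt.
    A random 32-bit prefix makes two encryptions of the same PAN differ."""
    if not (pan.isdigit() and len(pan) == 16 and luhn_ok(pan)):
        raise ValueError("not a well-formed 16-digit PAN")
    n, e = public_key
    m = (secrets.randbits(32) << _PAN_BITS) | int(pan)   # m < 2**86 < N
    return pow(m, e, n)


def decrypt_pan(ciphertext: int, private_key=PRIVATE_KEY) -> str:
    """Gateway-side step: only the private-key holder recovers the PAN."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return f"{m & ((1 << _PAN_BITS) - 1):016d}"


class Gateway:
    """Holds the private key and the token vault (data at rest lives here)."""

    def __init__(self):
        self._vault = {}   # token -> PAN; in practice an encrypted, audited store

    def tokenize(self, ciphertext: int) -> str:
        pan = decrypt_pan(ciphertext)
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"   # constructed format
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


class Merchant:
    """Holds only the public key, ciphertext in flight, and tokens at rest."""

    def __init__(self, gateway: Gateway):
        self.gateway = gateway
        self.keys = {"encrypt": PUBLIC_KEY}
        self.stored = []   # what lands in the merchant's own database

    def swipe(self, pan: str) -> str:
        token = self.gateway.tokenize(encrypt_pan(pan, self.keys["encrypt"]))
        self.stored.append(token)
        return token


def encrypted_data_out_of_scope(holder_keys: dict) -> bool:
    """The rule the post quotes: encrypted data is out of scope only when the
    holder of the ciphertext does not also control the decryption key."""
    return "decrypt" not in holder_keys


if __name__ == "__main__":
    merchant = Merchant(Gateway())
    token = merchant.swipe("4111111111111111")   # constructed test PAN
    print("merchant stores:", token,
          "| encrypted data out of scope:", encrypted_data_out_of_scope(merchant.keys))
```

The point the model makes is structural rather than cryptographic: the merchant's database ends up holding `tok_..._1111`, never a PAN, and the scoping check flips to "in scope" the moment a `decrypt` key is added to the merchant's key set, which is the situation the guidance excludes from scope reduction.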

I am now even more curious to read the next document in this series, Validation Requirements for Point-to-Point Encryption, which is not expected to be released until 2011. Stay tuned for more on this topic, and if you have your own thoughts on the document after reading it, please share them below.

By Sue Zloth

The Merchant Link team is back in the office today after a great few days at the PCI Community Meeting in Orlando. It was fantastic to catch up with our customers, prospects, and partners on the show floor, and my mind is busy mulling over what I learned in the sessions about the upcoming changes to the PCI standard.

What struck me most about this year’s show was how attendance has grown for the meeting; this year, there were more than 1000 participants. From this level of participation it is clear that organizations are taking their PCI obligations very seriously. The increased participation also changes the nature of the meeting from a niche event to one with a lot of networking opportunities and avenues for discussion. I believe it demonstrates a maturity in the industry.

However, I also think the overwhelming attendance hints at how eager people are for clarification of the standard and for any additional information. While there was still a lot of ‘wait and see’ at the meeting itself, the PCI SSC has demonstrated a clear commitment to providing additional guidance with the announcement of guidance documents on End-to-End Encryption and Tokenization and a revamped, easier-to-use website.

The guidelines will be released on October 5th and will provide clarification on how a properly implemented End-to-End (E2EE) solution will simplify the PCI compliance process by reducing scope.

But now that this meeting is over, the hard work of making sure that good security practices guide every decision continues. For me, I’m looking forward to getting back to working with our customers as they implement Merchant Link’s TransactionVault® and End-to-End Encryption solutions and continuing my work on the PCI Scoping SIG for Tokenization.