Myth: Shopping for a Point-to-Point Encryption Solution is as Dreadful as Fighting Crowds on Black Friday
November 9, 2011 | 1 Comments | PCI Compliance
With the holiday shopping season fast approaching, most of us are dreading the full parking lots, long lines and busy malls. Finding the perfect gift amid the frenzy can be a challenge. Similarly, when merchants set out to purchase a new technology solution, the process can evoke a certain amount of dread.
As merchants grapple with the ongoing challenges of payment security and PCI compliance, now is the time to embrace new technologies such as point-to-point encryption (P2PE) as part of an overall risk management strategy.
Merchants can ease the shopping process by arming themselves with the following questions. Asking them of prospective vendors up front makes it easier to find a solution that meets the merchant's unique needs.
- Is the P2PE solution hardware-based, software-based, or a combination of both?
- Is the vendor well established in the payments industry?
- Does the solution encrypt both swiped cards and manually entered cards?
- Does the solution encrypt online transactions, as well as on-site or card-present transactions?
- Has the vendor solution been evaluated by a trusted Qualified Security Assessor (QSA)?
- Is the P2PE solution integrated with the property management or point-of-sale system or is the encrypting device standalone?
- What happens if the encrypting device fails? What is the fallback scenario?
- Where is the HSM located in the solution? Where is the data decrypted exactly?
- Does the P2PE solution integrate with a tokenization system?
- Can the solution function effectively without tokenization?
- How does the encrypting device handle non-payment cards such as employee cards, gift cards and airline/membership cards?
- How does the vendor secure communication between their network and the merchant’s systems?
- Is the solution tamper resistant? What happens if an attempted breach occurs?
- Does the solution support format-preserving encryption?
As we all know, hackers are continually targeting merchants with new and creative tactics. Merchants must stay one step ahead of them and employ the best means and methods available. According to Bob Russo, general manager, PCI Security Standards Council, “If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”
So don’t let solution shopping overwhelm and stress you out. Submit these questions to prospective vendors to help ensure a painless experience.