In a Retail Times Q&A feature, Simon Gamble, co-founder and business development director at network security specialist Mako Networks, looks at the role of Point-to-Point Encryption (P2PE) in PCI DSS compliance and the difficulties retailers face in ensuring they remain fully secure.
Q: What is point-to-point encryption and why is it relevant to the retail sector?
A: Point-to-Point Encryption (P2PE) is the use of encryption to secure data from its device of origination through to its destination device. In the world of PCI DSS this means securing credit card data from the PIN Entry Device (PED) through to the payment processing system. P2PE is important because credit card data is often traveling through a merchant’s local network and across the Internet before it reaches the payment processing system. It’s an area of security that’s taken the spotlight recently, as the Payment Card Industry Security Standards Council (PCI SSC) has released guidelines on P2PE as part of the industry Data Security Standards (PCI DSS).
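The property described in that answer is that the card data is sealed inside the PED and every hop between the PED and the processor (POS terminal, store LAN, Internet) only ever forwards bytes it cannot read. The following Go program is an added illustration of that flow, not code from Mako Networks or from any P2PE solution; it uses AES-GCM from the Go standard library, a constructed fixed key standing in for the key a real solution provider injects into the PED, and a constructed test PAN.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample key. In a real P2PE deployment the PED's key is injected by
// the solution provider and the merchant never holds it; a fixed value is used
// here only so the example runs offline.
var processorKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256

// pedEncrypt models the PIN Entry Device: it seals the card data with AES-GCM
// under the key shared only with the payment processor.
// The returned blob is nonce || ciphertext || authentication tag.
func pedEncrypt(key, cardData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so the processor can split them.
	return gcm.Seal(nonce, nonce, cardData, nil), nil
}

// merchantHopSeesPAN models every hop between PED and processor (POS PC, store
// LAN, Internet). Those hops hold no key; all they can do is forward bytes.
// The check reports whether the PAN is readable in what passed through, which is
// exactly what a cleartext (non-P2PE) flow would expose.
func merchantHopSeesPAN(blob, pan []byte) bool {
	return bytes.Contains(blob, pan)
}

// processorDecrypt models the payment processor, the only other key holder.
// GCM authentication means a blob modified in transit is rejected, not decrypted.
func processorDecrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	pan := []byte("4111111111111111") // constructed test PAN, not a real card

	// Without P2PE the POS forwards the PAN itself, so every hop can read it.
	fmt.Println("cleartext flow, PAN visible on merchant network:", merchantHopSeesPAN(pan, pan))

	// With P2PE only the sealed blob crosses the merchant network.
	blob, err := pedEncrypt(processorKey, pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("P2PE flow, PAN visible on merchant network:", merchantHopSeesPAN(blob, pan))

	got, err := processorDecrypt(processorKey, blob)
	fmt.Printf("processor recovered PAN: %s (err=%v)\n", got, err)

	blob[len(blob)-1] ^= 0x01 // simulate a modification on the wire
	_, err = processorDecrypt(processorKey, blob)
	fmt.Println("tampered blob rejected by processor:", err != nil)
}
```

The point the contrast makes is the one in the answer: with P2PE the merchant's own network and POS machines are outside the plaintext path, so a compromise there yields ciphertext it has no key for, and the authentication tag means modified data is refused rather than processed.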
Q: Is point-to-point encryption alone enough to secure a retailer’s data from falling into the hands of hackers?
A: No. There is no silver bullet solution when it comes to securing customer data. P2PE is a definite step in the right direction, but it is essential the environment in which PEDs and Point of Sale (PoS) systems reside is also secured.
Implementing layered security is by far the most effective way to protect against hackers, so the system is not dependent on only one component to protect customer data. Should one system fail or be compromised, there are redundant systems that can continue to operate and keep information secure.
Q: What else can retailers do to protect themselves from increasing security threats?
A: Security experts are constantly striving to stay one step ahead of the fraudsters, and while currently there’s no single unbeatable system that will truly eliminate the threat of fraud, it’s what all security specialists are working toward.
P2PE is a nice first step, but it is often incorrectly assumed this equates to complete protection and compliance with the PCI DSS. There are a variety of other steps that need to be taken in a multi-device POS system to adequately secure the network environment, including robust firewalls, change logging and control or elimination of stored cardholder data. In all there are 12 categories that need to be carefully considered and addressed to achieve PCI DSS compliance, and there is no single magic box that meets all of these criteria at once.
Q: Do you think retailers are up to speed with how to implement a fully secure payment network that’s PCI compliant? Are there any specific types of retailers that are falling behind more?
A: In our experience, merchants of all sizes just want to focus the vast majority of their time on running their business and have limited network security skills. The time spent on IT is not understood and seen as non-productive rather than an asset. Merchants often see payment security as their bank’s problem. The intricacies of payment systems and networking just aren’t a priority for business owners, and that can lead to complacency when it comes to effective network security. Whilst some merchants are aware of payment security to a degree, they are often unaware of the full picture. It’s not just payment terminals and POS systems that need to be up to standard, the network environment also needs to be properly secured. While many individual devices now come with some form of security certification, unless they’re deployed in the correct manner and the network is locked down, they’re still not protected from hackers.
Q: What could the payments industry do to educate them?
A: Steps have been made to raise awareness of the Payment Card Industry Data Security Standards, and this is certainly something that needs to continue with a joint approach from leaders across the industry. There is already a fair amount of guidance for the PCI DSS and network security available to merchants if they know where to look. The rules need to be simplified so merchants of all types and levels can understand them. Most merchants look to their banks for the way forward in the first instance.
Q: With the PCI DSS constantly changing, how can retailers keep up to date with new network security threats?
A: The PCI DSS sets a minimum standard of security practices that must be met by any company that processes, stores or transmits credit card data. While these rules can be very effective in reducing the threat of fraud, it’s difficult for small businesses to keep abreast of developments.
PCI DSS mandates the criteria must be reviewed and/or audited annually, supplemented by regular network testing, patching and updating to keep everything up to scratch. For example, passwords must be changed at least every 90 days, and all system changes must be carefully recorded and logged. It all adds up to a lot of time, trouble and effort most business owners don’t have to spare. That’s why many simply ignore the obligations of PCI DSS, continuing their path of non-compliance. Others use the expertise of consultants to achieve PCI DSS compliance, a method notorious for cost overruns.
The penalties of non-compliance are real and significant. If card fraud occurs at a business, unless the owner can prove that they were PCI DSS-compliant, merchants can be held liable for the cost of the fraud, the cost of an investigation to determine how the fraud occurred, remedial costs to become compliant, and an additional punitive fine for non-compliance. That’s to say nothing of the cost of damage to reputation and loss of customer confidence – two effects that can linger for years afterward. Fines imposed for non-compliance with regulatory authorities can add further significant burdens.
All of this is why compliance using a managed service is a great option for retailers. Using new tools and technologies, bringing in a third party can help businesses achieve and maintain compliance for a reasonable, monthly subscription that’s well below the cost of hiring an independent consultant. A fully automated and managed system that can keep itself up to date and address tedious regular compliance requirements can take a large burden away from the merchant.
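Two of the recurring obligations named in this answer, the 90-day password change limit and the requirement that every system change be recorded, are the kind of check an automated compliance service runs on a schedule. The Go program below is an added example of such a check and is not Mako Networks' product or any PCI DSS tool; the account records, detected configuration changes and change-log entries are constructed sample data, and the one-hour matching window between a detected change and its log entry is an assumption chosen for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// account is a local login on a POS host or firewall with the date its password was last set.
type account struct {
	User       string
	LastPwdSet time.Time
}

// configChange is a change detected on a host, e.g. by diffing a firewall's
// running configuration against the last approved snapshot.
type configChange struct {
	Host string
	When time.Time
	What string
}

// logEntry is a record staff wrote in the change log.
type logEntry struct {
	Host string
	When time.Time
	Text string
}

// PCI DSS: passwords must be changed at least every 90 days.
const maxPasswordAge = 90 * 24 * time.Hour

// stalePasswords returns the users whose password is older than the limit as of now.
func stalePasswords(accounts []account, now time.Time) []string {
	var out []string
	for _, a := range accounts {
		if now.Sub(a.LastPwdSet) > maxPasswordAge {
			out = append(out, a.User)
		}
	}
	sort.Strings(out)
	return out
}

// unloggedChanges returns detected changes with no matching change-log entry for the
// same host and description within the tolerance window. An empty result is the
// evidence an assessor asks for; a non-empty one is a finding to fix before the audit.
func unloggedChanges(changes []configChange, log []logEntry, window time.Duration) []configChange {
	var out []configChange
	for _, c := range changes {
		logged := false
		for _, l := range log {
			if l.Host == c.Host && l.Text == c.What && absDur(l.When.Sub(c.When)) <= window {
				logged = true
				break
			}
		}
		if !logged {
			out = append(out, c)
		}
	}
	return out
}

func absDur(d time.Duration) time.Duration {
	if d < 0 {
		return -d
	}
	return d
}

// Constructed sample data, expressed relative to "now" so the run is deterministic.
func sampleAccounts(now time.Time) []account {
	return []account{
		{User: "pos-admin", LastPwdSet: now.AddDate(0, 0, -120)}, // 120 days: non-compliant
		{User: "till-1", LastPwdSet: now.AddDate(0, 0, -30)},
		{User: "backoffice", LastPwdSet: now.AddDate(0, 0, -90)}, // exactly 90 days: still within the limit
	}
}

func sampleChanges(now time.Time) []configChange {
	return []configChange{
		{Host: "store-fw", When: now.Add(-2 * time.Hour), What: "allow tcp/443 to payment-gw"},
		{Host: "store-fw", When: now.Add(-30 * time.Minute), What: "allow tcp/8080 from 10.0.5.0/24"},
	}
}

func sampleLog(now time.Time) []logEntry {
	return []logEntry{
		// Written five minutes before the detected change; the second change has no entry.
		{Host: "store-fw", When: now.Add(-125 * time.Minute), Text: "allow tcp/443 to payment-gw"},
	}
}

func main() {
	now := time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a repeatable run
	fmt.Println("passwords older than 90 days:", stalePasswords(sampleAccounts(now), now))
	for _, c := range unloggedChanges(sampleChanges(now), sampleLog(now), time.Hour) {
		fmt.Printf("unlogged change on %s at %s: %s\n", c.Host, c.When.Format(time.RFC3339), c.What)
	}
}
```

Run on the sample data it reports `pos-admin` as overdue and the `tcp/8080` rule as an undocumented change; the account at exactly 90 days is deliberately on the boundary to show that the comparison is "older than", not "at least".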