The last few years have seen an explosion in new payment technologies and solutions for the retail industry. No longer are retailers confined to taking payments at the cash till in-store. However, just as modes of payment are evolving rapidly to include more channels and methods, including cryptocurrencies, retailers are increasingly under pressure to manage these payment systems securely and efficiently. With the upside of more customer data comes the downside of having to secure and protect it. So it is no surprise that one of the major challenges facing retailers today is security and, more specifically, PCI compliance.
The cost, skills and resource demands and risks associated with PCI compliance are not insignificant. As with all standards, the industry evolves and regulations change. In the world of payments, the issue is further complicated as security standards are enhanced and barriers raised. For the majority of retailers, the demands and challenges of maintaining PCI compliance are only likely to increase.
However, there are good reasons for further investment in secure payment systems. Firstly, there is the cost of dealing with a major fraud or security breach and, secondly, the cost to reputation through a loss of consumer trust. That is why, over the coming year, Ingenico believes that Point-to-Point Encryption (P2PE) will likely be adopted by virtually all Tier 1 and 2 merchants.
P2PE encrypts card data from the entry point of a merchant’s point-of-sale (POS) device to a point of secure decryption outside the merchant’s environment, such as a payment processor. The PCI Council recommends P2PE for all merchants, and like tokenisation, it is of keen interest among retailers right now in light of recent breaches.
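The data flow described above, as an added illustration that is not Ingenico's code nor part of any certified solution: the PIN entry device encrypts the PAN as soon as it is read, the merchant's systems only relay an opaque, authenticated blob they cannot decrypt, and the processor holds the key. The cipher here is a constructed stand-in (SHA-256 keystream plus HMAC, standard library only), not one of the algorithms validated under the programme; `DEVICE_KEY` and the PAN are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample key; a real PED receives its keys through the P2PE
# programme's key-injection and management controls, never from source code.
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode); illustrative only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def ped_encrypt(pan: str, key: bytes = DEVICE_KEY) -> bytes:
    """Runs inside the PIN entry device: the PAN is encrypted at the point of entry."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce+ct
    return nonce + ct + tag


def merchant_forward(blob: bytes) -> bytes:
    """Merchant POS, store network and back office: no key, no plaintext, just relay."""
    return blob


def processor_decrypt(blob: bytes, key: bytes = DEVICE_KEY) -> str:
    """Secure decryption point outside the merchant environment."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob failed authentication: tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def merchant_can_see_pan(blob: bytes, pan: str) -> bool:
    """Scope check: does anything in the merchant's hands contain the clear PAN?"""
    return pan.encode() in blob


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test PAN
    blob = merchant_forward(ped_encrypt(pan))
    print("merchant sees PAN:", merchant_can_see_pan(blob, pan))
    print("processor recovers:", processor_decrypt(blob))
```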
To this effect, the PCI Council has devised a dedicated certification programme for P2PE solutions. This certification programme encompasses many aspects of the P2PE solution, from the validation of the encryption algorithm by cryptography expert bodies to the management of encryption keys, including the tracking of the PIN entry devices (PED) at all stages of their lifecycle. Retailers can look for the list of certified P2PE solutions on the PCI website.
Using a PCI P2PE certified solution will significantly reduce the cost and effort of the retailer’s own PCI Data Security Standard (DSS) compliance. Without a certified P2PE solution, the retailer will have to perform penetration tests and regular network scans to ensure it meets the 290 requirements of PCI DSS. With a PCI P2PE certified solution, such as that provided by Ingenico, the PCI DSS compliance exercise is much simpler. The retailer needs to ensure the PEDs are deployed according to the P2PE implementation manual supplied by the solution provider; validate scope with their QSA; verify the P2PE provider is listed on the PCI website; and, finally, fill in the PCI self-assessment questionnaire. Some providers, such as Ingenico, will provide additional tools that support the tracking of the deployment of the PEDs.
It’s fair to say that the security challenges facing today’s retailers are complex. However, they are by no means insurmountable. If retailers are prepared to prioritise payment security, then a certified PCI P2PE solution can provide industry-certified protection against card data breaches and a means to reduce their PCI DSS compliance effort.
Patrick Juan, Director of Solutions, Ingenico Group