Back in 2011, a major gaming network was hit with a massive fraud attack. Names, addresses, and payment data belonging to 77 million user accounts were breached. It was a disaster for the company’s reputation, and damaged trust from gamers everywhere. From the payments side, it spurred the industry to reflect deeply, not just about online payments but also how card-present, or in-store payments are protected.
A result of this reflection was the introduction of the Payment Card Industry Security Standards Council’s (PCI SSC) PCI P2PE program.
This sounds like a happy ending, but we’re not there yet.
Businesses were slow to adopt the new P2PE technology, and in 2013, a huge attack occurred on a major US retailer, stealing data from 70 million shoppers, all from the physical retail space.
Today, more businesses and payment service providers have started utilizing P2PE more readily, to protect cardholder data and give both businesses and shoppers peace of mind. It’s also why we developed our own end-to-end encryption (E2EE).
In this blog we wanted to take the opportunity to announce that we’re P2PE certified, what that means for merchants, and explain the benefits and challenges P2PE brings. This is a blog of many acronyms, so hold on tight.
What is P2PE?
P2PE protects cardholder data when a payment is made. As soon as the card is read by the P2PE-validated terminal, the sensitive account data is encrypted, and it stays encrypted for the milliseconds it travels between the payment terminal and the acquirer. This sensitive information includes the shopper’s account data, such as the account number (PAN), and the track data.
P2PE is a way for merchants to reduce the complexity of their PCI compliance. The PCI SSC is an independent organization guarding the security of online and in-store payments, and Adyen is a validated solution. Now let's look at why a business would use it.
Why do businesses use P2PE?
The P2P in P2PE stands for point-to-point. The sensitive account data is protected from the moment the payment card is presented at the payment terminal until it reaches the acquirer. The E in P2PE, or encryption, means that an attempted breach at any point along that path has no impact on the customer or their data, because only encrypted data is exposed.
Meeting compliance more easily
To meet PCI compliance, businesses must complete a questionnaire, also known as an SAQ (Self Assessment Questionnaire). An SAQ is like a checklist, one that tells your acquirer you’re taking the appropriate security measures to keep data safe and meet compliance.
The questionnaire can take you down two roads. There’s the one for businesses that have implemented P2PE, and the other for businesses that haven’t. And that’s where we get to one of its key benefits.
Not an Adyen customer, not using P2PE?
The questionnaire for non-Adyen merchants that are not using P2PE could have up to 12 requirements and 329 questions. Here are some examples of the jargon you WILL encounter when completing the SAQ:
Are router configuration files secured from unauthorized access and synchronized?
Is your inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each?
Is there a written policy for access control that defines access needs and privilege assignments for each role, including restriction of access based on responsibilities, with documented approval and description of what they need access for?
Now imagine 326 more similar questions, and then imagine having to answer them every 12 months. It’s hardly a task you can complete while you’re enjoying your breakfast.
If you’re a business that uses P2PE, you only need to answer 35 questions. This means you’ll be better protected from card fraud than before, and your compliance requirements will be a LOT less time-consuming.
The PCI stamp of approval
P2PE solution providers must be validated by the PCI SSC, to make sure universal standards are met. This means there’s an independent, third-party organization validating that the solution from your payment service provider is secure.
Businesses that we think will immediately benefit from using P2PE
We see common challenges among businesses that turn to a P2PE solution, and for each of them there is a way P2PE can help:
Challenge: In more centralized businesses, the effort of maintaining certification falls on the shoulders of the main operational teams.
How P2PE can help: More time to focus on your main business, as the scope of PCI compliance is reduced.
Challenge: Businesses that need full operational control can struggle to continually educate new staff on the threat of breaches, and have them follow proper data handling procedures.
How P2PE can help: Provides more structure around how store staff are meant to handle terminals, limiting data exposure with proper procedures and centralizing processes.
Challenge: Risk-averse businesses are constantly worried about non-compliance and the risk of financial liability.
How P2PE can help: It offers an independently verified solution that reduces the risk of a data breach.
Challenge: Businesses with old, complicated legacy systems are often less focused on security.
How P2PE can help: It introduces compliant technology and consolidates data exposure.
Is there a downside?
With all the data security benefits that P2PE brings, businesses should also be aware of the operational burden it can carry with it. While there is a reduction in the number of requirements for the SAQ, there is conversely an increase in requirements when it comes to making sure that payment terminals are physically secure in-store. This is done through the P2PE Instruction Manual, also known as a PIM. This manual is provided to businesses by their solution provider, and must be closely followed and properly implemented to meet PCI compliance.
The PIM guides businesses on how to secure payment terminals in-store, and includes activities such as:
A regular inventory check to detect devices that need to be removed or replaced
Security cameras installed at the correct angles to view the terminals, with the ability to alert store staff in case of tampering
Monthly site checks performed by store staff as visual examinations looking for any device tampering
Ensuring the terminals reach the store in tamper-proof, sealed boxes, with the serial number emailed separately
A fully documented record of all of these activities must be completed by the merchant. Their acquirer is then required to conduct several audits per year to ensure compliance with the PIM. As an acquirer for our merchants, this is something Adyen does as well.
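The inventory and site-check activities above come down to reconciling what the PIM says should be in each store against what staff actually observe. The following is an added example (not Adyen's code or part of any PIM) of such a reconciliation; the device records, serial numbers, store names and the 31-day check interval are constructed for illustration.

```python
from datetime import date

# Constructed sample data: the serials and stores are not real device records.
# EXPECTED_INVENTORY is what the documented inventory says each store holds.
EXPECTED_INVENTORY = {
    "TERM-0001": "store-A",
    "TERM-0002": "store-A",
    "TERM-0003": "store-B",
}

# OBSERVED_DEVICES is what store staff recorded during their latest site checks.
# "seal_intact" is the visual tamper-evidence result of the check.
OBSERVED_DEVICES = [
    {"serial": "TERM-0001", "store": "store-A", "last_check": date(2024, 6, 1), "seal_intact": True},
    {"serial": "TERM-0002", "store": "store-B", "last_check": date(2024, 4, 20), "seal_intact": True},
    {"serial": "TERM-9999", "store": "store-B", "last_check": date(2024, 6, 1), "seal_intact": False},
]

MAX_DAYS_BETWEEN_CHECKS = 31  # assumed: one visual check per calendar month


def reconcile(expected, observed, today, max_days=MAX_DAYS_BETWEEN_CHECKS):
    """Return sorted (finding, serial, detail) tuples that need follow-up."""
    findings = []
    seen = set()
    for dev in observed:
        serial = dev["serial"]
        seen.add(serial)
        if serial not in expected:
            # A serial nobody deployed: possibly a substituted or rogue device.
            findings.append(("unknown_device", serial, dev["store"]))
        elif expected[serial] != dev["store"]:
            # Device has moved without the inventory being updated.
            findings.append(("wrong_location", serial,
                             f"expected {expected[serial]}, found {dev['store']}"))
        if not dev["seal_intact"]:
            findings.append(("tamper_evidence", serial, dev["store"]))
        if (today - dev["last_check"]).days > max_days:
            findings.append(("check_overdue", serial, dev["last_check"].isoformat()))
    for serial, store in expected.items():
        if serial not in seen:
            # Documented device that no store reported: removal must be investigated.
            findings.append(("missing_device", serial, store))
    return sorted(findings)


def sample_report(today=date(2024, 6, 10)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(EXPECTED_INVENTORY, OBSERVED_DEVICES, today)


if __name__ == "__main__":
    for kind, serial, detail in sample_report():
        print(f"{kind:16} {serial:10} {detail}")
```

Each finding maps to a PIM follow-up action (investigate, re-inventory, or replace) and the returned list is the documented record the acquirer's audit would ask for.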
There is no right or wrong, but ultimately it’s up to you and your business to weigh the benefits of P2PE against the time and resources it takes to follow the PIM.
We’re seeing many more conversations around tokenization and data encryption. So we wanted to use this blog to confirm that, yes, Adyen is now a P2PE-validated solution provider, and this is in place to complement our existing E2EE solution.
If you want to learn more about our solution, get in touch. We’ve also covered the differences between our solutions here.