P2P encryption solution gets PCI SSC approval

European Payment Services (EPS) in Berkshire has become the first vendor to have its point-to-point encryption (P2PE) hardware certified under global security standards used to protect consumer card data.

Back in April 2012, the Payment Card Industry Security Standards Council (PCI SSC) released a hefty 210-page document (PDF) offering updated requirements and testing procedures for P2PE solutions – and now one hardware seller has led the pack in winning the council's seal of approval.

On Wednesday, the council announced at its 2013 European Community Meeting in Nice, France, that the solution called “EPS Total Care P2PE” was the first to be verified.

The PCI SSC P2PE Standard offers in-depth guidance on securing payment card data from the time consumers swipe their cards, to the point that a third-party processor or acquirer decrypts the sensitive financial information.

On Tuesday, Bob Russo, General Manager of PCI SSC, told SCMagazine.com that other vendors are in the process of having their hardware-based P2PE solutions assessed. He also added that the council's move to create a list of certified products would help guide merchants in selecting technology that can safeguard users' card data.

“The more layers of security you can put on this [card data], the better off you are,” Russo said. “Point-to-point encryption has the ability to make a merchant's job a little bit easier, by possibly reducing the scope of their PCI compliance,” he continued.

“There are a lot of solutions out there, but none of them had been certified. This is the first listing that we've had, and now that we've got it, we expect to see quite a number of solutions listed on our website,” Russo said.

To obtain certification, a vendor must be evaluated by companies qualified by the council to assess PCI P2PE solutions.

Troy Leach, CTO of the council, told SCMagazine.com on Tuesday that the verification process won't provide an easy fix for staving off data leaks, but that it does give merchants a sense of reassurance as they aim to keep customer and client information from getting into the wrong hands.

“There's no technology by itself that will be a silver bullet for security,” Leach said. “But merchants need to understand their relationship with these providers.”

The council is also in the midst of creating requirements that will help certify software-based encryption products protecting card data.
