PCI updates key security standard to simplify P2P encryption

In a bid to make payment card data unreadable in the event they are stolen, the Payment Card Industry Security Standards Council (PCI SSC) has updated a key security standard.

One of eight security standards, PCI Point-to-Point Encryption Solution Requirements and Testing Procedures version 2 will provide more flexibility to companies that develop solutions and provide P2PE components, said the PCI SSC.

New with version 2 is the option for merchants acting as solution providers to implement and manage their own P2PE solutions for their own point-of-sale (POS) locations.

“Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers' payment information. As these attacks become more sophisticated, it's critical to find ways to devalue payment card data,” said PCI SSC chief technology officer Troy Leach. “PCI Point-to-Point Encryption solutions help merchants do this by encrypting cardholder data at the earliest point of acceptance, making that data less valuable to attackers even if compromised in a breach.”

The outcome of the revised standard should be to reduce the overheads associated with complying with the PCI Data Security Standard (PCI DSS). PCI-approved P2PE solutions allow merchants to reduce where and how the PCI DSS applies, increasing the security of customer data while simplifying compliance with the PCI DSS, the organisation said.

PCI SSC said that feedback from early adopters of P2PE v2 had been positive because of the added options for reducing risk and protecting customer data by using encryption. In addition, they can manage their own P2PE solutions, securely separating duties, systems and functions between merchant encryption at the retail sites and decryption environments – or they can work with a solution provider to manage it on their behalf.