The Digital Strongbox – Securing Your Payment Data with Point-to-Point Encryption

by Moderator on 10-04-2018 01:28 PM


Shahzad Khan, Senior Director, Global Acquirer Processing, CyberSource

Whenever money travels from one point to another, theft inevitably follows. Throughout history, it’s been common for pirates and brigands to stake out well-traveled commerce lanes to intercept valuable traffic.

Today’s Digital Commerce Lanes

In today’s world, this kind of physical heist is rare, and when it does occur, the novelty makes it highly newsworthy. But that doesn’t mean it has disappeared. Increasingly, this kind of “highway robbery” is migrating to the digital lanes of commerce, where bits of data can be intercepted without the need for ships, cannons, or bandits in black hats.

The More Things Change

Historically, merchants, bankers and others took steps to guard their valuables against theft in the form of caravans, armed escorts, safes and strongboxes. Today, armored cars are a common sight in cities across the world, and stand as a modern representation of an age-old practice.

In the digital age, while the tools differ, the same paradigm still applies. Instead of strongboxes and military escorts, encryption is used to secure valuable data in transit.

Point-to-Point Encryption

The PCI Security Standards Council (PCI SSC), a standards body established by the card brands, calls this Point-to-Point Encryption, or P2PE. P2PE is a terminal-based encryption standard, where payment data...

On the List

In order to meet the PCI SSC standard, a P2PE solution must meet three high-level requirements:

  • Card data must be encrypted using strong cryptography
  • Encryption must be performed in a PCI P2PE-approved hardware device
  • Decryption must not be possible within the merchant environment

Solutions that have been validated by the PCI SSC as meeting its P2PE standard are referred to as “listed” solutions. Solutions that have not been validated, but provide similar functionality, are commonly referred to as “unlisted” solutions.

Unlisted solutions carry a degree of uncertainty, as there may be no way for you to know whether a solution provider has fully addressed the controls that make up the PCI P2PE standard. They may also mean considerably more effort on your end, in the form of a thorough compliance assessment and potentially additional security measures you must implement yourself.

With a listed solution, you have the confidence of meeting the criteria of the PCI P2PE standard. Furthermore, you can substantially reduce your PCI compliance requirements, saving you a great deal of time and effort.

CyberSource Point-to-Point Encryption

In order to bring you the security and compliance benefits of Point-to-Point Encryption, we are now offering our own PCI-validated P2PE solution. CyberSource P2PE helps protect payment data across all segments of your network, and prevents unencrypted transaction data from touching your systems.