Press Release Summary:
In addition to security, True P2PE solution allows omni-channel commerce, use of multiple point-of-sale property management systems within single environment, and use of various entry devices. Solution works in tandem with TrueTokenization to completely eliminate all cardholder data from merchant environment. Because solution does not leave merchant with burden of managing encryption keys, entire cardholder data environment is limited to encrypting devices where card data is initially captured.
Original Press Release:
Shift4 Introduces True P2PE Solution
Shift4's 'True P2PE' Delivers Functionality and Security Unavailable with Any Existing Point-to-Point Encryption Solution
LAS VEGAS – As the "year of the breach" spills over into its sixth straight quarter, merchants are in desperate need of security solutions that can actually protect them from the relentless tide of cyberattacks. Unfortunately, one of the most promising security solutions is being kept from many merchants who need it by an unnecessarily stringent standard.
The Payment Card Industry Security Standards Council (PCI SSC) has issued two security standards for point-to-point encryption (P2PE). Merchants that adopt a PCI-validated P2PE solution are promised simplified compliance with the PCI Data Security Standard and a significantly shorter self-assessment questionnaire (SAQ) for their future PCI assessments.
In spite of these proposed benefits, Shift4 Corporation, the world's largest independent payment gateway, warns that the PCI Council's existing P2PE standards are missing several key elements that today's merchants need.
"With the PCI P2PE standards, there is no capability for securing omni-channel commerce, since PCI has yet to validate a solution that works with card-not-present transactions," said Shift4 CTO J.D. Oder. "That means no company that sells any amount of product online can use the shortened SAQ P2PE-HW for their PCI assessment - whether they're using a 'validated' P2PE solution or not."
Likewise, Oder warned that PCI's rules limit merchants to using only the swipe devices that their solution is initially validated with. Want to add a new device type in the future? According to the PCI P2PE Program Guide, the solution would have to be revalidated in order to add any additional devices.
"I'm sure the solution providers will end up passing these revalidation costs on to the merchant requesting the change," Oder said. "I just hope that doesn't discourage merchants from adopting new technologies and continuing to seek out cutting-edge solutions."
A Tradition of Doing Things Better
In 2005, Shift4 introduced the term tokenization to the payments industry at a Security Summit in Las Vegas. In the years that followed, tokenization became a buzzword and a go-to solution for security-conscious businesses. As tokenization gained popularity, more solution providers rushed to market with ill-conceived and incomplete solutions, which they hastily labeled as tokenization. Many of these solutions were little more than encryption or hashing trying to ride the coattails of tokenization and capitalizing on the buzz generated by Shift4's promising solution.
In the years that followed, Shift4 adopted and trademarked TrueTokenization® to denote the original, organic, non-mathematically derived, random tokenization technology that freed merchants from the burden of storing sensitive cardholder data.
Like TrueTokenization, True P2PE builds on Shift4's more than two decades of experience securing payment card data to far surpass the security guidelines accepted as "standard." In addition to security, Shift4's P2PE solution allows for omni-channel commerce, the use of multiple point-of-sale or property management systems within a single environment, and the use of various entry devices (encrypted at the swipe for both traditional and mobile POS, encrypted EMV, and even encrypted 10-key devices to allow for P2PE in a call center or back-office order entry environment).
Best of all, Shift4's True P2PE solution works in tandem with TrueTokenization to completely eliminate all cardholder data from the merchant environment. Because Shift4's solution does not leave the merchant with the burden of managing encryption keys, the entire cardholder data environment (CDE) is limited to the encrypting devices where the card data is initially captured. This means even without PCI's "validated" stamp of approval, Shift4's solution drastically reduces the scope of merchants' annual PCI assessments.
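The distinction the release draws between random tokenization and hashing or encryption sold as "tokenization" can be made concrete. The following is an added illustration, not Shift4's code or TrueTokenization's actual format: a token vault issues CSPRNG-drawn tokens (last four digits kept, as a constructed design choice) that only the vault holder can map back to a PAN, beside a hash-derived "token" that is deterministic and recomputable by anyone who knows the PAN. The sample PAN is a well-known test number.

```python
import hashlib
import secrets

# Constructed sample PAN: a well-known test number, not a real card.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """Luhn check, used only to reject malformed input before tokenizing."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        checksum += d
    return checksum % 10 == 0

class TokenVault:
    """Random tokenization: the token comes from a CSPRNG and the token->PAN
    mapping exists only in the vault, so no formula maps a token back to a PAN."""
    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            # Keep the last four digits for receipts; every other digit is random.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break  # unique, so tokenizing the same PAN twice never repeats
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder (the gateway, not the merchant) can do this."""
        return self._by_token[token]

def hash_token(pan: str) -> str:
    """A hash presented as a 'token': deterministic, so the same PAN always yields
    the same value and anyone who knows the PAN can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()

def compare(pan: str) -> dict:
    """Summarize the properties that separate random tokens from hash 'tokens'."""
    vault = TokenVault()
    t1, t2 = vault.tokenize(pan), vault.tokenize(pan)
    return {"random_tokens_differ": t1 != t2,
            "vault_recovers_pan": vault.detokenize(t1) == pan == vault.detokenize(t2),
            "hash_is_reproducible": hash_token(pan) == hash_token(pan)}
```

Because the random token carries no information about the PAN beyond the retained last four digits, a merchant holding only tokens holds nothing an attacker could invert without the vault, which is the scope-reduction argument the release makes.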
Validation, Compliance, and Security
According to the qualified security assessors at Coalfire, "Shift4's P2PE solution provides merchants with a much more economical alternative to a validated and listed P2PE solution and offers dramatic risk reduction as well as dramatic scope reduction."
Other QSA firms have reported similar findings when assessing merchants using Shift4's True P2PE solution, including major scope reductions in 10 of the 12 PCI DSS sections, leaving only physical access controls and maintaining an information security policy fully intact - making validation with Shift4's solution identical to one using a SAQ P2PE-HW.
"The trouble with trusting the PCI validation is that it only provides for one part of your business to be secured. If your environment is not cookie-cutter, you may be much less secure with the validated solution than you would be with a solution that is not validated but actually fits your enterprise," Oder said. "The question merchants have to ask themselves is whether they want to check the boxes that say they're validated and compliant, or if they want to truly secure their environment and let compliance come as a byproduct."
Why Is True P2PE Not PCI Validated?
There are two primary reasons that Shift4 has not pursued PCI's validation with True P2PE. The first is that PCI currently requires all key management operations be done using a hardware security module (HSM), which is basically a hardened computer that is supposed to be tamper-proof. The problem with an HSM is that it is built by a third party and there is no way for the user to validate the software running on the device. Service providers must simply trust that the HSM vendor has done its job perfectly and that no unstable or nefarious code has made its way onto the device.
For us, this trust was irreparably shaken when a representative from one of the industry's largest and most respected HSM vendors told us that they could modify the software running on their HSMs and never have to revalidate it under the P2PE standards because, "The QSAs only care that an HSM model is 'listed' and they trust it." In their experience, no QSA had ever looked further into the software running on an HSM after its initial certification - despite the fact that this is in direct conflict with PCI P2PE standard requirement 5A-1.1.1, which states that any change to applications would render an HSM certification invalid.
The second primary issue Shift4 takes with PCI's current P2PE standard is that it attempts to force all businesses into a rigid, one-size-fits-all solution with no simple path to add new devices or technologies as they become available. Additionally, HSMs were not built for reliability and have no mechanism for redundancy. Adopting them into the Shift4 data center environment could create a single point of failure and place Shift4's industry-leading uptime at risk. Neither of these risks is acceptable to a sworn merchant advocate like Shift4.
Shift4 has been successfully managing keys outside of HSMs for 20 years and the technology and processes have been validated by multiple QSA companies for more than a decade - even before PCI existed.
"It's almost ironic," Oder said. "We've spent years trying to get PCI to be more stringent with the solutions they classify as tokenization. For starters, not allowing hashing or simple encryption solutions to falsely advertise that they carry the same scope-reduction and security benefits as real tokenization would be a step in the right direction. Now we find ourselves on the other side. We've got a solution that is every bit as secure as the P2PE standard they've put forth and that allows significantly more flexibility to the merchants, yet PCI won't even consider it because it doesn't fit into the schema they've designed."
About Shift4 Corporation
Shift4 Corporation makes it simple for merchants across all industries to securely process credit, debit, and gift card transactions. With connections to nearly every bank and processor in North America and integrations to hundreds of PMS/POS systems, Shift4's DOLLARS ON THE NET® is the world's largest independent payment gateway. Shift4 provides pre- and post-settlement auditing capabilities, fraud prevention tools, support for emerging technologies like EMV and mobile payments, and security solutions such as TrueTokenization® and True P2PE, which drastically simplify PCI compliance. Shift4 is a proud merchant advocate, maintaining complete bank and processor neutrality to ensure that their customers have the freedom to switch banks and processors as needed. For more information, visit www.shift4.com.
702.597.2480 ext. 43307