The Value Of Point-to-Point Encryption In Point-of-Interaction Environments

Transcription

Ciske van Oosten
Senior Manager Global Intelligence
Verizon Enterprise Solutions
Co-sponsored by Bluefin
Independent research by Verizon Enterprise Solutions
5.01.2019

Table of Contents

Executive Summary (p. 3)
The value of Point-to-Point Encryption in Point-of-Interaction environments (p. 4)
What is P2PE? (p. 5)
PCI-validated P2PE solutions (p. 6)
Non-listed Encryption Solution Assessments (NESA) (p. 6)
What is POI? (p. 7)
EMV does not secure data in transit (p. 8)
The value of tokenization (p. 9)
The POI threat landscape (p. 10)
How criminals obtain access to payment card data (p. 11)
Getting a foothold in the network (p. 11)
P2PE compliance management and scope reduction benefits (p. 13)
Benefits to segmentation (p. 14)
Reduction in P2PE compliance validation (p. 14)
SAQ P2PE Compliance Validation (p. 14)
Conquer the challenges (p. 17)
Resources (p. 18)
Contact us (p. 19)

Executive Summary

Malicious hackers continue to adversely impact nearly every industry. Threat actors attempt to steal data from point-of-sale (POS) systems using various methods, such as payment card skimmers, POS intrusions and web app attacks. They particularly take advantage of organizations that fail to reduce the size of their attack surfaces. While organizations cannot stop all security breaches, they can prevent or at least mitigate the possibility of sensitive data being compromised.

Significant effort and substantial annual investments in time and resources are necessary to protect cardholder data (CHD) and meet Payment Card Industry Data Security Standard (PCI DSS) compliance requirements. About half of organizations worldwide consistently fail to sustain security controls that support data security compliance initiatives. Traditional methods for securing CHD can be risky and inadequate.

The good news is that simpler, more effective, less expensive technology and methods to prevent data breaches do exist. Adoption of these technologies has grown rapidly as awareness and understanding have taken hold. Early adopters have been wise enough to move beyond the question “How can I protect CHD?” to “How can I reduce or even eliminate CHD?” These adopters of next-generation payment data security have implemented PCI-validated point-to-point encryption (P2PE) solutions that devalue CHD and reduce the scope of PCI DSS compliance. P2PE addresses the data breach risk by essentially removing the data that risks being breached.

The P2PE concept has been around in different forms for over 20 years with varying names, terms, approaches and security practices associated with it. The main objective achieved by a P2PE solution is that it devalues sensitive data by securely encrypting it before it enters the POS environment. Among other things, this helps to prevent malware from extracting CHD from the memory of the system when it is decrypted.

In 2011, the Payment Card Industry Security Standards Council (PCI SSC) created the PCI P2PE standard to establish uniform encryption requirements (PCI P2PE v3.0 is expected sometime in Q4 2019 to Q1 2020). Today’s validated P2PE solutions offer a high level of assurance of encryption capability and a tightly locked down CHD environment with little wiggle room for exploitation.

Only PCI-listed P2PE solutions offer substantial scope reduction, risk reduction and compliance simplification. The PCI SSC does not endorse the use of non-listed encryption solutions, since they have not been validated as fully meeting the PCI P2PE standard for security and cannot ensure a reduced PCI DSS validation effort.

The purpose of this paper is to review the benefits of PCI-validated P2PE solutions in point-of-interaction (POI) environments. In addition to highlighting the various compliance management and scope reduction benefits, it aims to explore the POI threat landscape, detailing how criminals obtain access to CHD.

Furthermore, this paper examines the merits of a layered approach to data security and fraud prevention, combining different technologies such as EMV, P2PE and tokenization – a configuration that provides opportunities for efficiencies and compliance simplification and the strongest protection offered with current technology. This helps create the capacity, capability, and competence to comply with industry data security regulations and develop a sustainable control environment to maintain effective security controls.

The value of Point-to-Point Encryption in Point-of-Interaction environments

A profusion of sizable and high-profile payment card data breaches in the past decade has proven that traditional methods for securing CHD can be risky and inadequate. While compliance with the PCI DSS continues to improve, nearly half of companies fail their interim security assessments.[1] Studies indicate that organizations consistently fail to sustain security controls that support compliance initiatives. Instead, they should refocus their efforts on simplifying and standardizing control environments to maintain effective controls and better manage compliance. In short, they should take care of the basics and then worry about being excellent.

The design of a corporate data protection strategy can reduce risk with the added benefit of minimizing the time and effort spent managing compliance. Two approaches that are effective in protecting sensitive data are “Defend the Fort” and “Devalue the Data.”

The Defend the Fort approach typically requires a substantial investment of time, money and effort to achieve and maintain a protective barrier around systems and data. While circling and maintaining the castle with a protective wall seems straightforward to implement, it is challenging to maintain defenses in an ever-changing threat landscape that requires stronger, higher and more expensive walls to keep threat actors out.

Devalue the Data is an efficient alternative. In this approach, organizations employ security technology, such as a PCI-validated P2PE solution, to devalue sensitive data through encryption, rendering it useless to hackers if exposed. An organization can then survive by mitigating the impact of a breach, protecting its brand and customers, and remaining secure and resilient to fight another day.

Most organizations realize that passing a security compliance assessment is not the only proactive step that could reduce the chances of a data breach. Investing resources to secure data and endpoints can be exhausting for businesses of all sizes. Enterprises must substantially simplify their control environments and reduce the surface area and complexity for defense. While organizations cannot stop all security breaches, they can prevent or at least mitigate the possibility that data is compromised.

[1] Verizon 2018 Payment Security Report - ayment-security/

What is P2PE?

The P2PE concept has been around in different forms for over 20 years, with varying names, terms, approaches, and security related to it. A P2PE solution combines processes, applications and payment devices to securely encrypt and protect data during transit from the POI device/terminal or POS system. Payment card data is encrypted at the POI by read-head hardware regardless of whether the data enters into the POI device by swiping, dipping, tapping or typing. The encrypted data is then transferred via a secure tunnel until it reaches the solution provider’s secure decryption environment. Strong encryption at the POI is used to devalue the CHD to anyone other than the payment processor who controls the cryptographic encryption and decryption keys. As additional protection, the processor sends the merchant a token, which can be used in subsequent transactions to protect information stored in databases.

According to Troy Leach of the PCI Security Standards Council (PCI SSC):

“P2PE provides merchants with one of the most significant ways to minimize where criminals can attempt to steal cardholder data by immediately encrypting at the earliest point of entry in their stores. That achieves one of the most fundamental security objectives, which is to reduce the attack surface. An attack surface represents all the different ways a criminal could potentially exploit a merchant location. And with all the recent advancements in hacking techniques, the more a merchant or other entity can reduce the potential attack surface and limit where cardholder data is exposed, the less risk they are required to manage.”[2]

P2PE prevents memory scraping attacks involving malicious software (malware) harvesting clear-text CHD from the POS system’s volatile memory (see page 12 for more details). Without P2PE, CHD is available in clear-text in RAM and virtual memory of the receiving systems between the POI and the payment processor. But with P2PE, cyber criminals cannot access clear-text CHD, which reduces risk to CHD and the PCI DSS scope of compliance and validation.

Worldwide adoption of P2PE

Industry experts, including analyst firms such as Gartner,[3] recommend that merchants upgrade their security infrastructure to incorporate P2PE. The number of PCI-validated P2PE solutions grew by over 700% in the first four years since the PCI SSC announced the PCI P2PE standard in 2011. In March 2014, Bluefin introduced the first PCI P2PE solution to be listed by PCI SSC in North America. According to the PCI SSC P2PE Solutions register,[4] it was one of only four P2PE solutions worldwide at the time. Since then, 76 solution providers received validation, including acquirers and gateways in both the U.S. and overseas.

Some industry research predicts that by the end of 2019, between 80% and 93% of retailers will adopt P2PE, and between 61% and 89% will adopt

ssors and solutions/point to point encryption ainst-pa-dss/ and urity

PCI-validated P2PE solutions

The PCI SSC created the PCI P2PE standard to establish uniform encryption requirements. The PCI P2PE v1.0 standard was published in 2012, and the improved v2.0 was published in 2015. Publication of the PCI P2PE v3.0 standard is expected between Q4 2019 and Q1 2020.

Before the PCI SSC established the P2PE security standard, many vendors created and adhered to their own P2PE standard. These encryption solutions – not evaluated by the PCI SSC but that still provide encryption within the POI terminal and decryption outside the merchant environment – are referred to as unlisted P2PE solutions or end-to-end encryption (E2EE) solutions.

PCI-validated P2PE solutions are the gold standard for CHD protection. These solutions contain three parts: validated hardware, validated software, and validated solution providers to cover payment terminal, terminal application, deployment, key management, and decryption environments. Depending on the size of the organization and its needs, a P2PE solution can be managed by a service provider or the merchant themselves.

Each solution is assessed by a P2PE Qualified Security Assessor (QSA). If the solution meets the PCI P2PE standard, it is listed on the PCI SSC website under “Approved P2PE Solutions.”[4]

PCI P2PE-certified solutions include:
- PCI-Personal Identification Number (PCI-PIN) Transaction Security certified payment devices, with full device lifecycle history from manufacture to end of use
- Secure management of encryption and decryption devices, use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading and injection, administration and usage
- Secure encryption of payment card data at the POI
- PCI-validated P2PE application(s) at the POI
- Management of the decryption environment and all decrypted account data
- Use of a P2PE Instruction Manual (PIM)

Besides meeting the PCI P2PE standard, the decryption component of the solution must operate within a secure environment assessed to the full PCI DSS standard.

Merchants using a PCI-validated solution within their environment, and who keep this environment segmented from CHD in other channels (i.e., e-commerce), are eligible to complete the authorized P2PE self-assessment questionnaire (SAQ). The SAQ allows merchants to significantly reduce the scope of their PCI DSS assessments (see page 14).

Non-listed Encryption Solution Assessments (NESA)

The PCI SSC does not endorse the use of non-listed encryption solutions. Only PCI-listed P2PE solutions are endorsed, as they have been validated as fully meeting the PCI P2PE standard for security and can ensure reduced PCI DSS validation efforts.

Several encryption providers are still not PCI-listed for their P2PE solutions because they cannot currently meet the requirements of the standard. This is usually due to device operational gaps, or technical constraints with various software requirement limitations. Many of these solutions being used by merchants pre-date the PCI P2PE standard. By acknowledging that these solutions are available, the PCI SSC is encouraging the providers of these solutions to remediate gaps and eventually undergo a PCI P2PE assessment for listing on the PCI SSC website.

In November 2016, the PCI SSC published a new document as part of the P2PE program titled Assessment Guidance for Non-Listed Encryption Solutions; i.e., ‘NESA,’[6] as well as a Frequently Asked Questions (FAQ) document.[7] The gap assessment guidance document offers an optional path toward a PCI-listed P2PE solution and guides P2PE QSAs on evaluating non-listed solutions against the PCI P2PE standard. A P2PE QSA can conduct a non-listed encryption solution assessment against the PCI P2PE standard to identify and document the gaps between the solution and the PCI P2PE standard, and to show how the use of the solution impacts a merchant’s PCI DSS assessment.

It is important to note that a NESA assessment potentially may not result in any PCI DSS scope reduction. There is no guarantee it will result in fewer PCI DSS requirements for the users of the non-listed encryption solution. Only PCI P2PE solutions can guarantee a reduction in PCI DSS

rg/assessors and solutions/point to point encryption ments/Assessment Guidance Non-Listed Encryption documents/FAQS Assessment Guidance Non-listed Encryption Solutions.pdf

What is POI?

A point-of-interaction (POI) is the initial point where data is read from a payment card. It consists of hardware and software that accepts electronic transactions and is hosted in approved equipment to allow a cardholder to perform a card transaction. The POI can be an attended or unattended POS payment terminal, ATM, kiosk, automated fuel dispenser, etc. Typically, POI transactions are card-based transactions done via integrated circuit (chip) or magnetic stripe.

POI device:
This device is used by the cardholder to swipe, insert, key or tap a payment card during the transaction. With P2PE, these devices must be evaluated and approved by the PCI PIN Transaction Security (PCI PTS) program.[8] Secure reading and exchange of data (SRED) should be enabled and listed as a “function provided.” The POI device is responsible for securely encrypting the data before it leaves the device.

Hardware/host Security Module (HSM):
This device decrypts data encrypted by the POI device so it can be processed. It is physically and logically protected and provides a secure set of cryptographic services used for cryptographic key-management functions and the decryption of account data. For P2PE, these devices must be approved and configured to FIPS 140-2 (level 3 or higher), or approved to the PCI HSM standard.[8]

essors and solutions/pin transaction devices

EMV does not secure data in transit

EMV (Europay, MasterCard and Visa) describes the chips embedded in payment cards to make transactions more secure. EMV is a global standard for processing credit and debit cards that works with P2PE and tokenization to create a holistic approach to payment fraud prevention.

Unlike P2PE—which ensures payment card data is unreadable by cryptographically protecting it from the POI to the secure point of decryption—the purpose of EMV is two-fold:
1. Validate consumer identity
2. Prevent fraud

EMV technology is crucial in payment security because it validates consumer identity in real-time at the POS device. EMV provides authentication, ensuring that you are you, and that your card is being used by you. A significant amount of data is exchanged in real-time between the payment card issuer and the payment terminal to confirm that a transaction is not fraudulent. EMV prevents fraud because its chip technology makes it difficult to clone payment cards, whereas magnetic stripe cards are easier to duplicate.

EMV became a focal point following major PCI breaches in 2014. However, EMV is not a data security solution; it would not have prevented the major retail breaches in the U.S., which made headlines. EMV is not designed to protect sensitive data in transit through POS environments. It also does not encrypt or protect payment card data within POS systems.

Encryption, as it relates to payment card processing, is a means of making sensitive data unreadable by unauthorized parties. When consumers complain about fraudulent credit card charges, it’s often because their payment card data was stolen due to a data breach within the merchant environment.

Data interception methods are increasingly sophisticated, with malware now being used to steal payment card data from POS systems. A P2PE solution—not EMV—could protect against these attacks.

The value of tokenization

Tokenization is an integral payment technology for every merchant, along with EMV and PCI-validated P2PE. Each of these solutions plays an important role in a holistic payment security strategy. Tokenization, like P2PE, can effectively render sensitive data useless to hackers. However, tokenization and P2PE serve two very different purposes within a merchant environment.

Tokenization is the act of substituting sensitive data, such as a payment card number, with a random string of characters, a “token,” that has no direct relationship back to the original data. This means that if the tokenized data is compromised, it cannot be reverse engineered to identify the original sensitive data.

During the past 10 years, numerous major retailers in the U.S. experienced payment card data compromises. In the majority of cases, payment card data, estimated at over 150 million records, would still have been compromised regardless of whether payment card data was tokenized. The reason? Most of the breaches took place at the POS terminals before the data would have been tokenized. Tokenization occurs only after the transaction traverses from the POS system through the network and then to the processor for authorization. On the way back from the processor, a “token” is sent back to the POS terminal with the approved authorization. The payment card data is not protected in the memory of the payment terminal.

When properly implemented, the use of tokenization, instead of storing actual CHD, is valuable for securing data at rest. Merchants should tokenize sensitive data as quickly as possible and replace CHD with tokens wherever it is stored.

Tokenization enables merchants and enterprises to safely store CHD for use in future transactions. Tokens are versatile—they can be engineered to preserve the length and format of the data that was tokenized. Tokens can also be generated to preserve specific parts of the original data values; by adapting to the formats of conventional databases and applications, tokens can eliminate the need to change the database schema or business processes. The merchant can treat tokens as if they were the actual payment card account numbers. Tokenization allows merchants to perform all payment functions; for example, managing customer dispute resolution, recurring or subscription payments, conducting card-on-file billing, performing targeted marketing and conducting analytics.

There is merit in having a layered approach to data security and fraud prevention. Effectively protecting payment card data requires three different technologies:

EMV, P2PE, and tokenization
- EMV is an authentication and fraud prevention technology for card-present transactions. As discussed on Page 8, it does not secure data in transit.
- PCI-validated P2PE protects sensitive data in transit by encrypting CHD upon the point of entry in the retail device. This prevents the data from being available as clear-text when transmitted through the environment where it could be exposed in the event of a security breach.
- Tokenization mainly protects the storage of card data, securing payment card data against attacks on databases or servers, i.e., data at rest.

The POI threat landscape

The Verizon Data Breach Investigations Report (DBIR) highlights attacks on POI systems (i.e., PoS Intrusions) and shows most POI attacks occur at smaller retail organizations not properly equipped to address security. Although merchants of all sizes must comply with PCI DSS, smaller organizations generally are less compliant due to limited resources.

Payment card data is highly sought after by criminals because it is easily monetized. To access payment card data in merchant systems, the primary target for hackers has mostly been POS technology, including servers, payment card terminals, and PIN entry devices (PEDs).

The mistake many organizations make when securing and monitoring POS technology is placing too much focus on endpoints and not enough on back-end systems. To improve security, businesses should design and maintain security to address application and database layers. A holistic security approach is needed as the cyber threat landscape continues to evolve in tactics and motivations.

Data breach trends

The Verizon DBIR categorizes incidents into nine classification patterns, which account for the majority of data breaches. The 2018 DBIR indicates 93% of the data compromised was payment-related.

Outsiders are behind the majority of cyberattacks – 73% of cases. Organized crime groups carried out 50% of all data breaches with 12% involving actors known as nation-state or state-affiliated. Meanwhile, 28% of data breaches were perpetrated by internal actors. Nine out of ten times, the main drivers motivating threat actors were financial gain and espionage.

It takes cybercriminals just minutes, or even seconds, to compromise a system – but only 3% of breaches are discovered as quickly. In most cases, breaches are not discovered for months. When the breaches are discovered – typically by external sources such as by common point of purchase (CPP) analysis or through law enforcement investigations – the data thieves usually are long gone, sometimes leaving behind a trail of destruction.

POS Intrusions are over 40 times more common in accommodation and food services businesses than in other business industries. POS intrusion patterns account for 90% of all breaches within the accommodation and food services industries. Some 86% of the accommodation industry breaches occurred at small businesses. These attacks are overwhelmingly motivated by financial gain and often perpetrated by organized crime groups.

Restaurants and small stores are targeted more frequently than hotel reservation systems, according to Verizon investigations. Of these hospitality breaches, only 1% involve insiders, who typically compromise POS systems through hacking and malware that captures and exports CHD. Furthermore, 96% of malware-related breaches utilize RAM scrapers to stealthily collect credit card data.

For retailers, web application attacks taking advantage of input validation weaknesses or stolen credentials are fairly common. Roughly one-third of all confirmed breaches in retail involved a web application. Common attack types include SQL injection and stolen credentials to compromise systems. Slightly more than half (53%) of the breaches recorded in the retail industry affected a server, which may be related to the frequency of web application attacks.

Another one-third of breaches follow a pattern that is specific to brick-and-mortar retailers: payment card skimming. Most skimmers were discovered on gas station pumps (87%). About one-third of the assets compromised in retail data breaches were kiosks or terminals.

Business data protection strategies must include a defined approach to address all four key payment infrastructure vulnerabilities: configuration, volatile data (data in memory), data in transit, and application code. PCI security standards, such as PCI DSS, payment application data security standards (PA-DSS) and PIN, provide only partial protection against these vulnerabilities by offering minimal protection for CHD temporarily residing in memory.

How criminals obtain access to payment card data

Threat actors take advantage of organizations that fail to reduce the size of their attack surfaces. These attackers attempt to steal data from POS systems using various methods. Some of the most popular methods are described below:

Payment card skimmers:
Card skimming is a popular method used to capture payment card data. It usually involves installing additional hardware at the POI, which is then used to read track 2 data from the magnetic stripe on payment cards. Often, this hardware has been modified by the attacker and swapped out using the PED and Bluetooth, or it is overlaid on the legitimate hardware. Physical tampering of POI devices to implant external skimming devices is still an issue, especially for unattended payment systems, such as ATMs and fuel pumps, according to the 2018 Verizon DBIR. Today, organizations take active risk mitigation actions to prevent threat actors from implanting external skimmers on POI devices. Detection requires frequent physical inspections of devices to check for signs of tampering. With a PCI SSC validated solution, unauthorized replacing or swapping of POI devices makes the devices nonoperational. P2PE validation requires each POI device to authenticate, and opening the POI device will instantly render the device unusable.

POS intrusions:
POS intrusions require physical access to the retail and accommodation environments, rendering these attacks on a large scale impractical. Some hackers may attach a monitoring device to the POS system, but remote hacking elicits more gains and does not require highly specialized skills. Criminals can optimize POS malware to stealthily steal payment card data. It is relatively easy to create malware to run on POS systems because most are Windows-based. Malware can sneak past antivirus progra
