In this post, we get insights from Tracey Long, Senior Payment Security PCI DSS Compliance Manager, Worldpay. Here she discusses the panel discussion “A Customer's Journey of Implementing a Validated P2PE Solution, the Problems, Dilemmas and Benefits – A Merchant Experience Case Study” from the Europe Community Meeting in Barcelona.
What is point-to-point encryption and how does it work?
Tracey Long: A point-to-point encryption (P2PE) solution is provided by a third-party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider for secure decryption.
What’s the benefit of using a PCI P2PE Solution versus other solutions out there?
Tracey Long: Because the data is encrypted from the PED or point-of-sale device directly through to the payment service provider, it can flow securely without the fear of being intercepted by any unscrupulous person(s). This offers peace of mind to the business and the customer, and can assist in preventing fraud losses, which cost the payments ecosystem vast sums of money each year.
How does using a PCI P2PE Solution make PCI DSS compliance easier?
Tracey Long: Implementing a validated P2PE solution can reduce the number of applicable PCI DSS requirements by fully removing clear-text cardholder data from the merchant’s payment systems.
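The two answers above describe a data flow (encrypt in the POI device, relay through the merchant, decrypt only at the solution provider) and a consequence (no clear-text cardholder data on the merchant's systems). The following simulation is an added example written for this post, not code from Worldpay, the PCI SSC or any listed P2PE solution. It models the three parties with a key that only the terminal and the provider hold, and includes the kind of clear-text PAN scan (Luhn-validated 13-19 digit runs) a merchant or QSA would run over what the store systems actually hold to confirm the de-scoping claim. The cipher is an HMAC-SHA256 counter-mode stream with an HMAC tag, a stand-in chosen so the code runs with the Python standard library; real P2PE devices use hardware-protected DUKPT/TDES or AES, and the sample key and transaction record are constructed values.

```python
"""Constructed P2PE data-flow simulation (added example, not from the interview).

Parties: the POI device (holds the key), the merchant's store systems (relay the
encrypted blob, never hold the key), and the solution provider (holds the key and
decrypts in its secure environment).
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed sample values: a device key provisioned into the terminal and shared
# only with the solution provider, and one transaction record as it exists inside
# the terminal before encryption. 4111111111111111 is a well-known Visa test PAN.
DEVICE_KEY = hashlib.sha256(b"constructed P2PE demo key").digest()
RECORD = b"PAN=4111111111111111;EXP=1229;AMT=1999;MID=STORE-042"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stand-in for the device cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the device key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def poi_encrypt(key: bytes, record: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Runs inside the POI device, the only merchant-side place that ever holds the
    clear-text record or the key. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def merchant_forward(blob: bytes) -> bytes:
    """The till and store network only relay the blob; they have no key to open it."""
    return blob


def provider_decrypt(key: bytes, blob: bytes) -> bytes:
    """Runs in the solution provider's decryption environment; rejects altered blobs."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used to tell a PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_clear_text_pans(data: bytes) -> list:
    """Scan data the merchant systems hold (logs, queues, memory dumps) for
    Luhn-valid 13-19 digit runs; any hit keeps that system in PCI DSS scope."""
    text = data.decode("latin-1")
    return [m.group(0) for m in _PAN_RUN.finditer(text) if luhn_valid(m.group(0))]


def run_transaction(nonce: Optional[bytes] = None) -> dict:
    """One card present transaction end to end through the three parties."""
    blob = poi_encrypt(DEVICE_KEY, RECORD, nonce)
    in_transit = merchant_forward(blob)
    recovered = provider_decrypt(DEVICE_KEY, in_transit)
    return {
        "merchant_sees_pan": bool(find_clear_text_pans(in_transit)),
        "provider_recovered_record": recovered == RECORD,
    }


if __name__ == "__main__":
    print(run_transaction())
```

Running `find_clear_text_pans` over the clear-text record finds the PAN, while running it over the blob the store systems relay finds nothing, which is the property the de-scoping argument rests on; the tag check shows why the provider, not the merchant, is the party that can detect tampering on the path.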
What steps do organizations need to take to establish a P2PE solution within their organization?
Tracey Long: The organisation firstly needs to identify its payment processing landscape. This may sound obvious, but in my experience, some organisations are not fully sure of the payment methods they use. They will need to engage with a QSA, one who is qualified to advise the business of the merits of adopting P2PE technology. Together with the QSA, they will discuss the de-scoping opportunities when assessing the organisation’s landscape and security profile. The organisation should engage with its Acquirer to discuss its PCI DSS compliance plans, as the Acquirer needs to be in support of those plans: the Acquirer has the responsibility to apprise the Card Brands on a regular basis of the progress that each of its merchants is making towards achieving and maintaining PCI DSS compliance.
What are you most looking forward to at the Europe Community Meeting?
Tracey Long: I am looking forward mostly to presenting with one of Worldpay’s largest Level 1 retailers that has implemented Worldpay’s listed P2PE solution into their retail stores. The opportunity for the audience to listen to a firsthand account of the merits of P2PE is something that I am very much looking forward to facilitating. As always, the PCI Community Meetings are an excellent opportunity to meet with industry professionals who are like-minded.