UK: With the launch of Apple Pay for the iPhone 6 and Apple Watch, the payments industry could be witnessing the birth of the next big thing. Mobile payments have been on the cusp for some time now, but what about existing payment infrastructures?
Should merchants and retailers move to Payment Card Industry (PCI) point-to-point encryption, as they are being urged, or should they wait a bit longer to see which way the market moves?
Tim Holman, CEO of 2-Sec, one of Europe’s leading Qualified Security Assessors (QSA), and Iain High, CEO of Anderson Zaks, an independent Payment Services Provider, debate the issues.
High said there is currently a lot of discussion about the benefits of point-to-point encryption (P2PE), with many merchants being encouraged to adopt this latest standard from PCI. However, P2PE is not mandatory, nor is it likely to become so, so why would merchants even consider it? What is in it for them?
Holman added that, if deployed correctly, a P2PE solution will de-scope a merchant’s stores from PCI Data Security Standard (PCI DSS) and help to eliminate the risk of card data loss in store, though there is a cost associated and merchants need to think carefully about the actual benefits they will achieve.
Most retailers are already working in a relatively low-risk environment, having invested heavily in EMV (which stands for Europay, MasterCard and Visa, and is a global standard for inter-operation of payment cards), with card schemes such as Visa encouraging the Technology Innovation Program (TIP) approach.
For retailers starting from scratch, I would say that P2PE is worth considering, but to justify replacing an infrastructure (PIN Entry Devices should last between 5 and 10 years) that is reasonably secure and compliant, there needs to be a more compelling business reason. Indeed, several high-profile retailers are currently ripping out perfectly good solutions to install P2PE solutions for no real business benefit.