PCI Validated P2PE – The Simple and Safe Path to PCI Compliance

Many of our clients take payments from their customers using credit cards.  Banks and the Payment Card Industry (PCI) require organizations to comply with the PCI Data Security Standard or PCI DSS if they accept credit cards.  PCI DSS is a set of technical and policy/procedural requirements that help ensure the safe handling of cardholder data.  Non-compliance with these requirements is no laughing matter. Credit card companies can assess penalties for non-compliance of between $5k-500K/month depending on transaction volume.  In addition other consequences such as compensation of victims, revenue loss, reputational loss, etc. can also occur.

PCI Compliance

To truly comply with the PCI Security Standards  requires building and maintaining a very secure network. This network of course includes the point-of-sale terminals (POS). In addition, it requires developing, utilizing and maintaining appropriate security policies and procedures. These must cover the maintenance and use of the cardholder data solution.

The technical requirements are typically beyond the capability of most small-to-medium businesses. You cannot simply connect any old credit-card reader to a computer or your network and start swiping cards. (In spite of what your POS salesperson tells you.)  In fact, to do it right requires someone like BEI to configure your network and its security for you.

P2PE – a Lighter Lift

In response to this burden, the PCI Security Standards Council developed the Point-to-Point Encryption (P2PE) program. With this in mind, merchants can implement a PCI-compliant payment system extremely easily and without necessarily needing professional IT services to do it. Additionally, merchants who properly implement a PCI validated P2PE solution can use the much shorter P2PE Self-Assessment Questionnaire (SAQ) to attest to their compliance

The P2PE SAQ contains about 35 questions that are centered on POS system employee security training and policies/procedures. By comparison, a merchant that processes cardholder data via a payment application or web browser on a personal computer connected to the Internet must utilize a different SAQ (SAQ C-VT). That questionnaire has about 80 questions including many that attest that the merchant has implemented stringent technical security controls on their card payment environment

Bottom Line

In conclusion, we strongly recommend everyone look at the implementation of a PCI Validated P2PE solution for their credit card payments. 

For more information read this.