
PCI Validated P2PE – The Simple and Safe Path to PCI Compliance

Many of our clients take payments from their customers using credit cards. To do this, banks and the Payment Card Industry (PCI) require organizations to comply with the PCI Data Security Standard (PCI DSS). This is a set of technical and policy/procedural requirements that, when implemented properly, help ensure the safe handling of cardholder data. Non-compliance with these requirements is no laughing matter, as credit card companies can assess penalties of between $5K and $500K per month depending on transaction volume. Other consequences such as compensation of victims, revenue loss, reputational loss, etc. can also occur.

Truly complying with the PCI Security Standards requires building and maintaining a very secure network, including the point-of-sale (POS) terminals, as well as developing, using and maintaining appropriate security policies and procedures that cover the maintenance and use of the cardholder data solution.

The technical requirements are typically beyond the capability of most small-to-medium businesses, which means you cannot simply connect any old credit-card reader to a computer or your network and start swiping cards. (In spite of what your POS salesperson tells you.) To do it right requires someone like BEI to configure your network and its security for you.

In response to this burden, the PCI Security Standards Council developed the Point-to-Point Encryption (P2PE) program to provide merchants the ability to implement a PCI-compliant payment system extremely easily and without necessarily needing professional IT services to do it.

In addition, merchants who properly implement a PCI validated P2PE solution are permitted to use the much shorter P2PE Self-Assessment Questionnaire (SAQ) to attest to their compliance.

The P2PE SAQ contains about 35 questions that are centered on POS system employee security training and policies/procedures.

By comparison, a merchant that processes cardholder data via a payment application or web browser on a personal computer connected to the Internet must use a different SAQ (SAQ C-VT) that has about 80 questions, including many that attest that the merchant has implemented stringent technical security controls on their card payment environment.

Bottom line: We would strongly recommend everyone look at the implementation of a PCI Validated P2PE solution for their credit card payments.

For more information read this.