Where did it all go wrong for P2PE?

01 January 2015

When the Payment Card Industry Security Standards Council first introduced Point-to-Point Encryption (P2PE) as a means of reducing the burden of PCI compliance, many leading figures in the retail and payments industry hailed it as something of a security revolution.

Two years down the line, however, what should have become a validated solution for increased security has turned into a complicated work in progress that retailers have yet to embrace.

So where did it all go wrong for P2PE?

In theory, P2PE should have provided a viable way for merchants to increase security by encrypting credit and debit card details at the point of capture, before the data ever passes through the merchant's own systems. With no cardholder data held in the clear within the business, the scope of PCI DSS compliance would be reduced.

While data encryption is of course beneficial, P2PE was supposed to make security compliance easier for retailers, and this is where its practical evolution has become detached from the theory.

P2PE has been developed by commercial organisations, each of which has its own agenda. Rather than creating a universal solution that could be used across the board to support a range of Point of Sale hardware, many of the key driving forces behind P2PE have seized the opportunity to create tailored solutions tied to the other products and services they sell.

Even for those retailers using compatible equipment, deploying P2PE still has its problems. Recent PCI SSC guidance confirmed that in the event of a card breach it is the merchant's acquiring bank, not the Council, that determines the merchant's liability and any reduction in scope, and each acquirer has its own set of processes regarding customer responsibility.

Maintaining a P2PE solution to the standard required for reduced PCI DSS scope also involves an ongoing programme of complicated maintenance. Requirements such as keeping an inventory of PIN Entry Devices and periodically inspecting and weighing them to detect tampering not only add to retailers' workloads, but also shift the responsibility for remaining compliant back onto them, something they were trying to move away from in the first place.

It seems along the journey to implementation, the pioneers of P2PE have lost sight of its ultimate purpose, and its benefits for the end users. And though it is still maturing as an industry standard, many retailers have already become disenchanted and have started looking for an alternative solution that truly simplifies their security compliance.