Gary Fletcher, Secure Retail: Will P2PE lock down payments security?

The PCI SSC (Security Standards Council) has created a set of standards to secure the lifecycle of payments technology, known as P2PE (point-to-point encryption). It is early days, and few technology and services providers in the industry fully understand the requirements, let alone are able to deliver their systems in a P2PE compliant manner, but there is no denying that they must start.

P2PE has not yet been made mandatory, but similar to PCI DSS compliance, it is likely to become an industry standard that all trading merchants need to abide by once it becomes more widely recognised. In this article, Gary Fletcher, Technical Services Business Manager and P2PE expert at Secure Retail, demystifies P2PE, explains why the standard should become an industry requirement and outlines how merchants can prepare themselves for its arrival.

So what exactly is P2PE?

In simple terms, it’s basically a set of standards (or domains) that ensure that payment devices, applications and services are securely delivered and maintained in a business. The P2PE standards apply to the initial transportation delivery methods, installation of payment devices, right through its use by customers and the transfer of data, encompassing a variety of different requirements along the way. These include everything from the way in which hardware is stored and the software is configured, to how the solution is packaged and delivered to a merchant.

The adoptions of these requirements are down to the technology provider or merchant and even though the process is not straightforward, it certainly creates a highly secure environment for merchants and customers alike. The set of standards encompass the maintenance of systems from creation to end of life; which includes hardware storage, software configuration, secure packing and distribution to a merchant. Also includes managing the swapout and repair cycle, and allows full traceability of the payment devices.

Once a system is live, it is imperative that customer card holder data is encrypted from the point at which a customer inserts or swipes their card to when that data reaches the bank, where it is decrypted and processed. And when this happens, the merchant will no longer need to ensure compliance across their entire network, so the PCI scope for compliance is reduced, as is the associated costs.

However, the main advantage that comes with implementing P2PE standards into a business is the level of security that will surround your payment processes. A P2PE compliant solution will not only manage the encryption of data but keep track of all payments hardware across the retail estate throughout its life cycle, making any issue with your payments far easier to manage should they arise.

So what does this mean for the payments industry?

Well, in terms of the service providers, it is fast becoming their responsibility to understand the requirements surrounding P2PE, so that when the P2PE standards become mandatory they can advise the merchants who are buying their solutions.

And from the merchant’s side, those who adopt P2PE early will be at an advantage, when the rules come into place. Preparation for this change is fairly simple for a business that understands payments security, so merchants should consider working with a payments provider and hardware partner that is working towards delivering their services in a P2PE compliant manner, to ensure a smooth transition when the deadline is announced.