August 19, 2016
Guest Perspective: Software-Based P2PE a Stronger, Better Approach
By Dave Oder, President and CEO, Shift4 Corporation
The vast majority of last year’s widespread data breaches were preventable. While merchants were busy checking boxes to ensure they were compliant with the standards dictated by the Payment Card Industry, security risks were proliferating.
Checking boxes isn’t enough. There needs to be a new solution. PCI’s Security Standards Council has been in dialogue with PCI members for almost four years regarding the different methods of point-to-point encryption (P2PE). So far, PCI has only validated hardware-based P2PE solutions that require P2PE hardware at the merchant location and a hardware-based key management and decryption tool—known as an HSM, or hardware security module—at the other end. It later released a hardware-hybrid standard that allows decryption operations outside of an HSM, but still requires the HSM to handle key management.
Only merchants with in-house “switch” solutions have these set-ups, and for those who don’t, the infrastructure costs can be prohibitive. As a result, the benefits of P2PE are being denied to more than 90 percent of PCI members.
PCI hasn’t released the software P2PE standard that allows for both decryption and key management outside of an HSM. Much of the industry is waiting for that, and the delay is harming merchants.
PCI’s current position is that a hardware security module-based solution is more secure than a software-based solution, even though HSMs themselves run on the same kind of software. The answer must come down to tamper proofing. If you try to get into an HSM, it will essentially self-destruct, wiping out all the data it contains. That’s certainly a security bonus, but it isn’t the only way to protect data.
The Law of Unintended Consequences Hits Home
There’s an irony here: PCI’s claim that software isn’t as secure as hardware shoots its own certification programs in the foot. Software as a Service (SaaS) providers can be assessed as PCI DSS-validated Level 1 Service Providers. This means that the vendor’s software—according to PCI’s most stringent PCI DSS and PA-DSS requirements—and its back-end data center systems are secure enough to process merchants’ non-encrypted cardholder data and to manage the keys necessary to decrypt that data as it is received. However, according to PCI’s P2PE standards, that same software isn’t secure enough to perform P2PE key management operations outside of HSMs.
To suggest that PCI DSS and PA-DSS validations for Level 1 SaaS providers are inferior to the PCI P2PE standard calls into question the security not just of SaaS providers, but of card issuers, card processors, card acquirers, gateways and others in the transaction flow—and even the card brands themselves. By this confusing double standard, all of these organizations must be deemed not fully secure because they all fall under that same Level 1 Service Provider certification that is now somehow less secure than the P2PE certification.
It surely wasn’t the goal of PCI to besmirch the security validations of the payment processors, gateways, and third-party agents, but that is exactly what happened when it declared that HSMs somehow trump other PCI security standards for its largest stakeholders. In the process, it has denigrated the efficacy and potentially tarnished the reputation of each of the assessors who have spent the last decade validating these solutions and service providers.
Software-Based P2PE Key Management is Secure
It’s important to remember that P2PE solutions benefit the merchant, not the other “point” where cryptographic decryption and key management operations occur. Some of those other points are payment gateway service providers that have been managing end-to-end encryption keys outside of HSMs for over 20 years. Just because technological advances have provided merchants with more robust security solutions, such as encryption at the swipe, there is no reason to force those “points” to change how they manage keys in their data centers if they want their P2PE solution validated and listed. That goes especially for service providers that have never been breached or caused the breach of another entity.
Solutions that implement tokenization and P2PE are stronger, and could have prevented the recent string of major data breaches. This is another unfortunate, unintended consequence of the PCI Council’s refusal to validate P2PE solutions with software-based key management operations. It’s driving merchants away from the very solutions that could help them and the PCI Council.
The vast majority of retailers who have a P2PE solution in place today rely on service providers who manage encryption keys outside of an HSM, nearly all of which are Level 1 Service Providers who meet and exceed PCI’s most stringent security standards. To deny thousands of merchants the benefits of a validated P2PE solution merely because their service providers came up with a different (and arguably more secure) method than the PCI Council would have liked is truly a travesty.
Rectifying this inaccurate stance requires action from three groups:
- PCI-SSC – Deliver on the promise to publish a P2PE security standard in which key management outside of an HSM is allowed. Previously, PCI officials said a software-based key management standard was slated for release last year. That never happened. We also request that the council issue a clarification regarding the unfounded stance that software cannot be as secure as hardware when that software is running in a PCI DSS validated Level 1 Service Provider.
- Service providers – Continue creating and offering innovative security tools that keep cardholder data out of the hands of malicious actors. If your innovations take a different route than PCI would like but lead merchant customers to a more secure future, then it is your duty to make those leaps and let PCI catch up.
- Merchants – See beyond your PCI assessments’ check boxes and determine which solution is most likely to truly keep your customers’ data secure.
The major retailers who were hit by huge data breaches last year were PCI compliant, but they lost millions of dollars and consumer and shareholder trust because they hadn’t fully secured their card data environments. Though PCI continues to ignore the viability of software-based P2PE key management, there are software solutions in use today that are able to fully secure cardholder data. Merchants who look beyond the misguided, minimum compliance requirements will find potent solutions to protect data AND remain compliant.
Dave Oder has more than 35 years of experience in software development and accounting, spent mainly on overseeing software companies. Shift4, the world’s largest independent payment gateway, provides powerful, Web-based applications that allow merchants to turn their customers’ credit, check, debit, and gift card transactions into dollars in the bank quickly, accurately, and securely.