January 3, 2017

Executive Insight: True P2PE – What You Need to Know

By Stephen Ames, CISA, CISSP – Senior Director, Security Compliance, Shift4 Corporation

Riding on the fantastic news that Shift4’s True P2PE (point-to-point encryption) solution will soon be PCI validated, I want to impart some important information you need to know, regardless of whether or not you choose to implement True P2PE.

Validated P2PE: Requirements for Merchants
First and foremost, did you notice this note in Shift4’s blog post?

“There is no cost to you, aside from implementing PTS v2 (or higher) approved POI devices with SRED as a function.”

This is huge! Since I’m a Shift4 insider, I can tell you firsthand that the time and expense required to implement hardware security module (HSM) technology will represent a huge capital expenditure for us. But, that’s what Shift4 does. We’re constantly adding value to our payment gateway, DOLLARS ON THE NET, at no additional cost to you, our merchants. That’s right, no extra charge for P2PE services. I wonder if any other P2PE provider can say the same thing. I seriously doubt it!

Second, as with the many value-added services that come with DOLLARS ON THE NET, implementing True P2PE will not require you to change processors. Why is this important? Well, there are both PCI-listed and non-listed P2PE solutions that would actually require you to change processors. At first glance, that may not seem like a big deal to you. However, if you go back and review your agreement with your merchant services provider (MSP), you might be locked into their preferred processor arrangement. If that is the case and you want to get P2PE, your only course of action might be to either renegotiate or terminate your current agreement, which is easier said than done. Fortunately, with True P2PE, you can keep your current processor. So, why go with any other solution?

Third, you have to be mindful of the PCI SSC’s P2PE standard because not all “encryption-at-the-swipe” POI devices are created equal – and some don’t actually qualify to be included in a validated P2PE solution. To make sure that your devices will qualify, you’ll want to carefully review Shift4’s third-party device list and select “SRED” under the “features” filter. The POI device specifications and suppliers can be found by opening the PDF provided to the right of the device in the list.

Almost there! After you have done your research and have selected the best SRED POI model for your environment, you will need to contact your supplier of choice to ensure the devices you order are certified to at least version 2 of PCI’s PTS standard.

How to Qualify for Validated True P2PE
If you’re already using our True P2PE solution, you may be wondering what you need to do to qualify for validated P2PE. If you are using PTS v2 (or higher) approved POI devices as described above, just sit back and relax, because there’s nothing else for you to do except notify your MSP. All of the changes we need to make to validate P2PE will take place in our data centers and won’t have any impact on you at all. In fact, you won’t notice a thing.

If your POI devices are not approved as described above, don’t worry! The changes we make in our data centers will not affect you either. However, I encourage you to replace your current POI devices with a model that will qualify you for validated P2PE and the benefits it brings.

You now have all the information you need to know about the future of Shift4’s True P2PE solution. The next major announcement about True P2PE will be when it appears on PCI’s list of validated P2PE solutions. Should you have questions about any of the information I have provided, feel free to email [email protected].