December 6, 2016
Shift4’s P2PE Solution Will Soon Be PCI Validated
Our True P2PE is already faster, more secure, and more reliable than any other point-to-point encryption solution in the industry. And, it will soon be one more thing: PCI validated! Yes, you read that right. If you’re already using True P2PE with PTS-approved, SRED compliant devices, you’ll soon be benefiting from a listed, PCI-validated P2PE solution – without making any changes to your existing setup.
Security Without Compromise
We have never advocated a “checkbox” security mindset (don’t worry, we never will). But, we also know that ticking this particular checkbox is very important to many of you, our merchant customers, because it may allow you to use the SAQ P2PE “short form” – and it makes things easier for your Qualified Security Assessors (QSAs), which could end up saving you time and money on assessments. Therefore, we’ve been working behind the scenes to create a solution that allows for PCI validation while retaining the security posture that we’ve created via our 100% proprietary products.
We’ve Worked With the Industry’s Top QSAs
True P2PE has been repeatedly assessed to perform as well as or better than the currently listed P2PE solutions. As QSA company Dara Security has reported in a recent assessment:
“Shift4’s True P2PE solution meets, and in most cases, exceeds all other security requirements of PCI P2PE 2.0 domains 5 and 6, key management and decryption processes.”
We’ve previously taken issue with the PCI P2PE guidelines because they require a hardware security module (HSM), which is basically a tamper-proof computer server, to be installed in our data center for encryption key management. This gave us pause for a couple of reasons: HSMs have the potential to negatively impact the speed we’ve worked so hard to develop and take pride in delivering; and HSMs could create a single point of failure – a threat to our unrivaled uptime.
Dara Security also noted that our P2PE data decryption keys (DDK) exceed the security available in HSMs:
“[True P2PE] employs a software-based key management system in the decryption environment and does not utilize HSMs for any other P2PE process. In the end, that is a distinction without a difference. In fact, introducing an HSM to the key management system would actually diminish DDK security and introduce more attack vectors.”
Without getting into the technical mumbo jumbo, we’ve resolved every concern we had about using HSMs thanks to the hard work our team has done with some of the payments industry’s top QSAs. This enables us to implement an HSM in a unique way that preserves our highest standards for speed, security, and reliability while meeting PCI’s standard as well.
Don’t Wait to Be Secure
If you’re not currently using True P2PE, we encourage you to start. Here are a few reasons why you should not delay:
- There is no cost to you, aside from implementing PTS-approved POI v2 (or higher) devices with SRED as a function.
- True P2PE is faster and more reliable than any other P2PE solution in the industry. In fact, we have numerous patents on the point-to-point encryption process, so there isn’t another payments provider out there that can do what we can.
- Although True P2PE hasn’t previously been PCI validated, QSA assessments of our P2PE solution by Coalfire and Dara Security show that no cardholder data has been found in our merchant customers’ payment processing environments or POS/PMS partners’ systems when True P2PE was correctly implemented.
- Since True P2PE will soon be PCI validated, making a switch to another solution would take longer and cost more to implement – not to mention you would sacrifice the service level and feature set you’ve grown accustomed to with Shift4.
And soon, you’ll be able to add PCI validation to that list of benefits. So if you aren’t already using True P2PE, what are you waiting for?
As QSA company Coalfire noted, DOLLARS ON THE NET users can receive the scope reduction and security benefits of True P2PE for no additional cost:
“Shift4’s P2PE solution provides merchants with a much more economical alternative to a validated and listed P2PE solution and offers dramatic risk reduction as well as dramatic scope reduction.”
Contact our Customer Support team today at email@example.com or 702.597.2480, option 2, to learn more about how you can implement True P2PE.
We’re aiming for validation early next year, so stay tuned for more updates in our 4Sight newsletter!