What You Need to Know About Point-to-Point Encryption (P2PE)


NOTE: Raymark is now part of the Mi9 Retail team.

Raymark has been a PA-DSS certified software vendor since the first version of PCI. PA-DSS is a global security standard created to provide the definitive data standard for software vendors, like Raymark, that develop payment applications. It aims to prevent payment applications developed for third parties from storing prohibited sensitive data, and it requires software vendors to develop payment applications that comply with the Payment Card Industry Data Security Standard (PCI DSS).

In an effort to extend our capabilities as a PA-DSS certified software vendor and in conjunction with our most recent product development work on Raymark Mobile POS, we have been extensively exploring Point-to-Point Encryption (P2PE) solutions in the past 12 months. With Raymark Mobile POS on the horizon, the need for a secure solution with P2PE was more urgent than ever.

P2PE solutions, generally provided by a third party, combine secure devices, applications and processes that encrypt card data from the point of swipe or entry all the way to the third party's secure environment, where it is decrypted and then sent for authorization. P2PE is intended to reduce the cost and effort retailers and software vendors face in meeting the stringent PCI standard requirements, and to greatly reduce the risk associated with POS payments at fixed workstations and on mobile devices.

Raymark is thrilled to announce that we will fully support P2PE for all our current POS applications, including Raymark Mobile POS (certification is currently underway). We are able to provide this benefit to our customers thanks to our business relationships with Shift4, a leading certified solution provider in the payments arena based in Las Vegas, USA, and with Ingenico, a leading provider of P2PE certified hardware.

The solution provides enhanced security to the merchant for all supported card types. The solution provider carries overall responsibility for ensuring that all P2PE requirements are met, including any P2PE requirements performed on its behalf by third-party organizations (for example, certification authorities and key-injection facilities), and these have been validated to confirm that all the requirements necessary for the protection of payment card data under PCI are met.

Our Qualified Security Assessor (QSA), Coalfire, carried out thorough testing of Raymark POS working in conjunction with Shift4 and an Ingenico P2PE key-injected device, using the secure components supplied by Shift4 and Ingenico.

According to the PCI Security Standards Council, PCI compatible P2PE solutions must include the following:
• Secure encryption of payment card data at the point-of-interaction (POI)
• P2PE-validated application(s) at the point-of-interaction
• Secure management of encryption and decryption devices
• Management of the decryption environment and all decrypted account data
• Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.

All tests performed by Coalfire in the merchant environment running the combined Raymark POS, Shift4 and Ingenico P2PE solution have confirmed that:
• No cardholder data was present in the merchant environment, except inside the devices.
• The devices are secure and offer no opportunity to reveal card data through their interfaces.
• Merchants should receive a major scope reduction in 10 of the 12 PCI Requirements, with minor or no advantage in Requirement 9 (restrict physical access to cardholder data) and Requirement 12 (maintain a policy that addresses information security).

For more information about Raymark Point of Sale, Mobile Point of Sale or E-Payment, please contact us today.

For more information about Shift4, please visit www.shift4.com.

2013-09-26T08:53:16+00:00