Why P2PE Is Pointless

Apparently an announcement was made at the PCI SSC’s Community Meeting in Nice that “European Payment Services (EPS), [is] the first company to have a solution listed…”, this according to Tenable’s Jeffrey Man in his new article ‘What’s Wrong with P2PE’.

I’m not going to go into why P2PE is dead from a PCI perspective, Jeff covered that better than I can, instead I’ll cover it from an innovation and real-world perspective that the SSC simply cannot / will not include in their presentations.

Why P2PE is pointless, and dead before it reached the gate:

  1. If you have read the P2PE assessment procedures (which were about 2 years too late in being released), you’ll know that they make the PCI DSS look like a nursery rhyme. EXTREMELY complicated, and ENORMOUSLY expensive to achieve certification. I was, however, very surprised that PED / payment terminal companies with significant resources (like VeriFone and Ingenico) didn’t get into a race to corner the market early, but now it makes sense.
  2. P2PE done the SSC’s way still requires PTS and SRED compliant payment terminals, which are massively expensive, and whose days are numbered. Mobile payments, and whatever comes next will, thankfully, kill retail’s reliance on payment terminals and bring secure, non-cash, payment capability to every merchant world-wide, no matter how small, or large and distributed.
  3. Chip & PIN (EMV) technology is tied to the terminals and to the use of credit cards, which along with payment terminals, are dying technologies. Credit cards are 60+ years old, and EMV was a very poor patch to fill a gaping hole in credit card security, so innovation will, and in some cases already has, replaced the need for both.
  4. Retailers are simply not going to make the massive investment in replacing their payment terminal estates before they reach end of life (EoL) just because of a possible reduction in PCI scope. And why would they then spend a fortune on expensive devices, tie themselves into a single service provider, as well as limit themselves to credit card transactions? Answer: they wouldn’t, not unless they’re irretrievably stupid.
  5. The entire payment space is finally recognising the fact that it’s bloated, inefficient, enormously outdated, and complex. Innovation will simplify it back to its basics, which is that it’s not ABOUT payments, it’s about authentication. I don’t care how I access my funds, whether they be debit or credit (both of which are provided by the bank anyway), I just want to do it whenever I want, wherever I want, and without risk.

Any protection the card brands provide related to fraud and consumer protection can be provided cheaper and probably better by the banks, and this, along with the demand for better customer service, will drive the banks to compete for our business as never before. Gone will be the days that they can act as though they are doing US a favour.

As for the SSC’s announcement, I can’t blame them for wanting to announce any kind of success, God knows the DSS v3.0 is nothing to write home about.

Innovation

How PCI Has Driven Innovation in Payments

If you came this far you did one of the following when you read the title:

1. Scoffed;

2. Screwed up your forehead in confusion, or;

3. Laughed.

Good, these all mean you’re cynical and therefore a perfect audience, so let me put you out of your misery; this is a story of unintentional cause and effect, and has started a trend that will not stop until credit cards as we know them are dead and buried.

About time too. 60+ year old technology in payments is akin to leeches in medicine (no offence card brands, but this analogy is particularly relevant).

When PCI was first drafted, it was very clear for whom it was geared: e-commerce organisations running Windows. How do you translate the configuration standard requirements (for example) to someone working on a mainframe? For Windows, you take out what you don’t need (hardening); for z/OS, you build in only what you need. What about logging? Can syslog record everything you need in 10.2.X?

This is one of the most minor issues that drove organisations to seek alternatives to compliance, cost / effort / ROI, you name it, PCI is a burden any way you look at it. Yes, cardholder data should be protected, but enforcement of a single standard across all industry sectors and business types was never going to work.

At first, organisations became VERY creative in making their PCI burden go away. From outsourcing, to revamping all business processes in favour of truncated card numbers (except authorisation of course), to going back to cash only (not kidding). While almost EVERY merchant organisation should consider the first 2 anyway, it really didn’t help either retail, or e-commerce.

So the first foray into a technical ‘innovation’ was to make PCI go away for areas where they could not fix their systems to a degree that supported PCI compliance. Organisations started looking for alternatives to processing the full cardholder data; tokenisation was born (poetic licence, we’ve had forms of tokenisation for centuries). But this does nothing for authentication traffic, which requires the full account number.

Then came my personal favourite; Point to Point Encryption (P2PE), a.k.a. – and before the SSC decided to kibosh it – End to End Encryption (E2EE). The theory is very sound: encrypt the data from the point of interaction (usually a Pin Entry Device, or PED) all the way to the point of decryption, but the eventual PCI-approved solution is as complex as the DSS, limited (currently) to approved hardware devices, and requires a degree of certification few have even looked at.
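To make the theory above concrete, here is an added illustration (not code from the original post, nor from any listed P2PE solution) of the one property the scope reduction rests on: the point of interaction encrypts, the merchant’s systems only ever hold the blob plus the truncated PAN mentioned earlier, and only the decryption environment holds the key. AES-GCM, the Go implementation and the plain-slice key are my assumptions; the key management a real PTS/SRED device does internally is not shown.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// Envelope is all that leaves the POI: an AES-GCM blob plus a truncated PAN for receipts.
type Envelope struct {
	Nonce, Ciphertext []byte
	MaskedPAN         string
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt runs at the POI; in a listed solution the key sits inside a PTS/SRED device (assumption: plain key here).
func TerminalEncrypt(key []byte, pan string) (Envelope, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return Envelope{}, errors.New("PAN length out of range")
	}
	aead, err := aeadFor(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	masked := strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(masked)) // masked PAN is bound to the blob as additional data
	return Envelope{Nonce: nonce, Ciphertext: ct, MaskedPAN: masked}, nil
}

// ProviderDecrypt runs only in the decryption environment holding the key; an
// envelope altered anywhere between POI and provider fails authentication.
func ProviderDecrypt(key []byte, env Envelope) (string, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.MaskedPAN))
	return string(pt), err
}
```

Everything a merchant’s store network, back office or log files could capture is the Envelope, which is why those systems fall out of scope; nothing in this toy addresses the certification burden the post goes on to describe.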

A lot of organisations put their entire PCI programme on hold until such times as the P2PE standards were defined, and now that the first one (hardware/hardware) cannot apply to them, they continue to do nothing until such times as a hybrid standard is released.

So what you have here is: PCI forced the innovation, which in turn caused a justifiable delay in doing anything at all, which means that cardholder data is no better protected. Brilliant.

So P2PE, which had so much promise, is now stagnant. Organisations SHOULD have developed software solutions for legacy PEDs 3 years ago, which would have almost forced acceptance. But no-one did, and now it’s too late. How do you standardise a P2PE solution for an infinite number of scenarios? You don’t obviously, but with the advent of the next innovation, even PEDs themselves are becoming redundant…

We have the ultimate PCI and card brand killer; Mobile Applications / Mobile Payments. Still fairly new, growing exponentially – and to add the ultimate piece of irony – they cannot be PCI compliant unless the device was built for purpose. In other words, smart phones and tablets, by themselves, can never be PCI compliant. Not that this will stop their use.

Mobile payments, in all their forms, are already forcing the CARD BRANDS to innovate, or in the case of Visa, buy interest in vendors like The Square. But the SSC, as a standards only body, can never keep up. Eventually, as credit card numbers decline, so will the SSC and ALL its standards, and a replacement will be formed when people realise this massive drive for innovation has set us BACK in security…again.

That’s my final point of this blog; unless security is built in from the ground floor of this wave of innovation, the innovators will be directly responsible for the impossible-to-follow standards of the future.

As long as there are profit drivers, and Windows OS, I will always have a job…