Why P2PE Is Pointless

Apparently an announcement was made at the PCI SSC ‘s Community Meeting in Nice that “European Payment Services (EPS), [is] the first company to have a solution listed…“, this according to Tenable’s Jeffrey Man in his new article ‘What’s Wrong with P2PE‘.

I’m not going to go into why P2PE is dead from a PCI perspective, Jeff covered that better than I can, instead I’ll cover it from an innovation and real-world perspective that the SSC simply cannot / will not include in their presentations.

Why P2PE is pointless, and dead before it reached the gate:

  1. If you have read the P2PE assessment procedures (which were about 2 years too late in being released), you’ll know that they make the PCI DSS look like a nursery rhyme. EXTREMELY complicated, and ENORMOUSLY expensive to achieve certification. I was, however, very surprised that PED / payment terminal companies with significant resources (like VeriFone and Ingenico) didn’t get into a race to corner the market early, but now it makes sense;
    o
  2. P2PE done the SSC’s way still requires PTS and SRED compliant payment terminals, which are massively expensive, and whose days are numbered. Mobile payments, and whatever comes next will, thankfully, kill retail’s reliance on payment terminals and bring secure, non-cash, payment capability to every merchant world-wide, no matter how small, or large and distributed;
    o
  3. Chip & PIN (EMV) technology is tied to the terminals and to the use of credit cards, which along with payment terminals, are dying technologies. Credit cards are 60+ years old, and EMV was a very poor patch to fill a gaping hole in credit card security, so innovation will, and in some cases already has, replaced the need for both;
    o
  4. Retailers are simply not going to make the massive investment in replacing their payment terminal estates before they end of life (EoL) just because of a possible reduction in PCI scope. And why would they then spend a fortune in expensive devices, tie themselves into a single service provider, as well as limit themselves to credit card transactions? Answer; they wouldn’t, not unless they’re irretrievable stupid;
    o
  5. The entire payment space is finally recognising the fact that it’s bloated, inefficient, enormously outdated, and complex. Innovation will simplify it back to its basics, which it that it’s not ABOUT payments, it’s about authentication. I don’t care how I access my funds, whether they be debit or credit (both of which are provided by the bank anyway), I just want to do it whenever I want, wherever I want, and without risk.

Any protection the card brands provide related to fraud and consumer protection can be provided cheaper and probably better by the banks, and this, along with the demand for better customer service, will drive the banks to compete for our business as never before. Gone will be the days that they can act as though they are doing US a favour.

As for the SSC’s announcement, I can’t blame them for wanting to announce any kind of success, God knows the DSS v3.0 is nothing to write home about.

[If you liked this article, please share! Want more like it, subscribe!]

7 thoughts on “Why P2PE Is Pointless

  1. David,
    I disagree with all the points made on you article, let me answer one by one.
    1.- P2PE is the easiest PCI assesment to achieve, if the terminal vendors did not achieve compliance before could have other reasons but not complexity. From begining to end we can guarantee building a multi vendor service in less tan six months, excluding the time required by the council to validate the assesment, this time in a worst case cannot be more than three or four weeks.
    2.- if you knew about electronics will understand that the hardware required is most of the time based in ARM 11 platform where everything is already there, all the terminals since two years ago were perfectly capable, meaning that in the UK every PED is P2PE capable no extra cost, so by basic install base renewall these capabilities will be there
    3.- I will not say that credit card are dying they are challenged by new competitors, but this does prevent retailers to accept credit card payments, I don´t think a feasible that a major retailer in the UK suddenly stop taking credit cards.
    4.- After the massive security breaches and taking into account the increase in security and reduced assesment costs for acquirers and retailers the payback on the terminal replacement if required is meaningless, and allows the retailer to add new payment functionality and obviously P2PE solution in most of the cases are multi-vendor
    5.- Fail to recognize the impact and good work of PCI and the card schemas isn´t fair, I am more critic with the lack of skill of the QSA´s and so call experts, not the organization, and just with a Little bit of work we can have an excellent framework to guarantee peace of mind

    • Miguel,
      There have always been 3 types of people in the world:
      1. Those who either create something new from scratch, or take an existing technology to a degree never foreseen by anyone else;
      2. Those who take an existing idea and make it work, and/or make it better than the original. They also combine ideas into something unforeseen by the creators of the original ideas, and;
      3. Those who get on with their jobs, and do neither of the above.

      We need all 3, and one is not better than another. You and I are in very different groups, and will likely never agree on anything (especially credit cards). Which is absolutely fine.

      BTW, I never said taking credit cards should “suddenly stop”, that cannot happen, but they WILL phase out, and I hope soon. As for the PCI framework and the card brands doing ‘good work’, yes, they have, but now their time is done. It’s time for real security, which the PCI DSS will never be, nor will credit cards ever allow.

  2. In line:

    >> 1.- P2PE is the easiest PCI assesment to achieve…

    It depends how you define easy. It’s tricky from a service provider point of view, as needs considerable investment in internal resource, hardware, people and marketing to construct a viable P2PE solution offering. But once in place, it’s moderately easy to audit a merchant using P2PE as long as they’ve configured the solution correctly. Well, it’s easier to assess a merchant’s F2F payment environment against P2PE, than it is PCI DSS for example.

    >> 2.- ….in the UK every PED is P2PE capable no extra cost

    Do you think Ingenico and Verifone will give away this technology FOR FREE?? 🙂 The technology might be there agreed, but if merchants don’t sign up to Ingenico or Verifone’s product roadmap, then Ingenico or Verifone don’t make any money…

  3. I hope, looking at the date of this article, time has changed your mind David.

    I will give you a real account of what I have done with P2PE.
    I was the one that told British Airways they they needed P2PE or they would be hacked imminently, they did not listen and they were hacked. This has now resulted in a £180m fine. This is apart from the visa fine. https://www.thetimes.co.uk/article/british-airways-hack-was-a-disaster-waiting-to-happen-m62rn05v0

    Another client was given a quote of £7.5m by a large consulting firm to achieve PCI compliance and they obviously did not have such a budget. We redesigned their architecture with P2PE with its equivalence on all payment channels and they achieved PCI compliance in 9 months for £1.6m

    Recent attacks clearly indicate a merchant has no business seeing or touching card data and as far as Card holder present is concerned, P2PE is the one and only and also the most affordable solution. On all other channels you need something similar that takes merchants completely out of scope.

    To actually achieve full compliance, a merchant needs to have P2PE equivalency across all its payment channels. That is when it makes a massive difference.

    Lastly, in my experience Information Security and PCI DSS specialist will never see eye to eye which is why you have those that agree with you and those that don’t.
    The two worlds should not mix.

    • Hi Ben,

      I can’t tell if you’re joking, or if this is some kind of test. I don’t retract a single thing because the only thing that P2PE has done in the last 6 years is reduce the PCI burden on merchants for a SINGLE payment channel. Everything I wrote that it DOESN’T do, and will never do, is still the case.

      As for your claims, these need to be addressed:

      1. “I was the one that told British Airways they they needed P2PE or they would be hacked imminently, they did not listen and they were hacked. This has now resulted in a £180m fine.” – The BA breach had absolutely NOTHING to do with their face-to-face payment channel, which is the ONLY thing P2PE applies to;
      2. The >£180M fine was related to GDPR, not PCI, it’s inclusion here is irrelevant given point 1. above;
      3. “We redesigned their architecture with P2PE with its equivalence on all payment channels and they achieved PCI compliance in 9 months for £1.6m” – There is no ‘equivalence’ to P2PE on ‘all payment channels’, the most you can achieve is end-to-end encryption on card-not-present channels, and they do not attract the scope reduction P2PE does. Risk reduction, yes, SCOPE reduction, no;
      4. “Recent attacks clearly indicate a merchant has no business seeing or touching card data…” – at last we agree, but only because NO ONE should be seeing cardholder data. It has no place in modern payment mechanisms which are all innovating toward authentication and identity management (under PSD2), because THAT is what makes a payment; trust. The card brands had trust for 50+ years, they will never have it again;
      5. “in my experience Information Security and PCI DSS specialist will never see eye to eye” – If an information security specialist does not agree with a PCI DSS specialist, they are having the wrong conversations; compliance does NOT equal security, and BOTH experts should know that. Achieving PCI compliance is a commercial obligation, nothing more, real security is a law with regard personal data. Therefore if PCI compliance does not give you a ‘demonstrably appropriate’ security posture, achieving PCI compliance alone is next to meaningless.

      From your profile on LinkedIn you clearly have a vested interest in promoting P2PE, which is absolutely fine as payment cards are not going anywhere anytime soon. But die they will, and not one P2PE solution I have seen is a stepping stone to what’s next. You only have to look at the Software-based PIN Entry on COTS (SPoC) standard to see where the market is going.

      I have nothing against P2PE per se, as a QSA it makes my life a damned sight easier, but I am a security person first and foremost whose job is to enable the business to reach its goals. Payment cards just don’t cut it any more.

      Best of luck to you.

      David

If you think I'm wrong, please tell me why!

This site uses Akismet to reduce spam. Learn how your comment data is processed.