Why P2PE Is Pointless

Apparently an announcement was made at the PCI SSC's Community Meeting in Nice that “European Payment Services (EPS), [is] the first company to have a solution listed…”, this according to Tenable's Jeffrey Man in his new article ‘What's Wrong with P2PE’.

I'm not going to go into why P2PE is dead from a PCI perspective; Jeff covered that better than I can. Instead I'll cover it from an innovation and real-world perspective that the SSC simply cannot, or will not, include in their presentations.

Why P2PE is pointless, and dead before it reached the gate:

  1. If you have read the P2PE assessment procedures (which were about 2 years too late in being released), you’ll know that they make the PCI DSS look like a nursery rhyme. EXTREMELY complicated, and ENORMOUSLY expensive to achieve certification. I was, however, very surprised that PED / payment terminal companies with significant resources (like VeriFone and Ingenico) didn’t get into a race to corner the market early, but now it makes sense.
  2. P2PE done the SSC’s way still requires PTS and SRED compliant payment terminals, which are massively expensive, and whose days are numbered. Mobile payments, and whatever comes next will, thankfully, kill retail’s reliance on payment terminals and bring secure, non-cash, payment capability to every merchant world-wide, no matter how small, or large and distributed.
  3. Chip & PIN (EMV) technology is tied to the terminals and to the use of credit cards, which, along with payment terminals, are dying technologies. Credit cards are 60+ years old, and EMV was a very poor patch to fill a gaping hole in credit card security, so innovation will, and in some cases already has, replaced the need for both.
  4. Retailers are simply not going to make the massive investment in replacing their payment terminal estates before they reach end of life (EoL) just because of a possible reduction in PCI scope. And why would they then spend a fortune on expensive devices, tie themselves into a single service provider, and limit themselves to credit card transactions? Answer: they wouldn't, not unless they're irretrievably stupid.
  5. The entire payment space is finally recognising the fact that it's bloated, inefficient, enormously outdated, and complex. Innovation will simplify it back to its basics, which is that it's not ABOUT payments, it's about authentication. I don't care how I access my funds, whether they be debit or credit (both of which are provided by the bank anyway), I just want to do it whenever I want, wherever I want, and without risk.

Any protection the card brands provide related to fraud and consumer protection can be provided cheaper and probably better by the banks, and this, along with the demand for better customer service, will drive the banks to compete for our business as never before. Gone will be the days that they can act as though they are doing US a favour.

As for the SSC’s announcement, I can’t blame them for wanting to announce any kind of success, God knows the DSS v3.0 is nothing to write home about.

5 thoughts on “Why P2PE Is Pointless”

  1. David,
    I disagree with all the points made in your article, let me answer one by one.
    1.- P2PE is the easiest PCI assessment to achieve; if the terminal vendors did not achieve compliance before, it could have other reasons, but not complexity. From beginning to end we can guarantee building a multi-vendor service in less than six months, excluding the time required by the council to validate the assessment, which in a worst case cannot be more than three or four weeks.
    2.- If you knew about electronics you would understand that the hardware required is most of the time based on an ARM 11 platform where everything is already there; all the terminals since two years ago were perfectly capable, meaning that in the UK every PED is P2PE capable at no extra cost, so by basic install base renewal these capabilities will be there.
    3.- I will not say that credit cards are dying, they are challenged by new competitors, but this does prevent retailers from accepting credit card payments; I don't think it feasible that a major retailer in the UK suddenly stops taking credit cards.
    4.- After the massive security breaches, and taking into account the increase in security and reduced assessment costs for acquirers and retailers, the payback on the terminal replacement, if required, is meaningless, and it allows the retailer to add new payment functionality; obviously P2PE solutions in most cases are multi-vendor.
    5.- Failing to recognize the impact and good work of PCI and the card schemes isn't fair. I am more critical of the lack of skill of the QSAs and so-called experts, not the organization, and with just a little bit of work we can have an excellent framework to guarantee peace of mind.

    • Miguel,
      There have always been 3 types of people in the world:
      1. Those who either create something new from scratch, or take an existing technology to a degree never foreseen by anyone else;
      2. Those who take an existing idea and make it work, and/or make it better than the original. They also combine ideas into something unforeseen by the creators of the original ideas, and;
      3. Those who get on with their jobs, and do neither of the above.

      We need all 3, and one is not better than another. You and I are in very different groups, and will likely never agree on anything (especially credit cards). Which is absolutely fine.

      BTW, I never said taking credit cards should “suddenly stop”, that cannot happen, but they WILL phase out, and I hope soon. As for the PCI framework and the card brands doing ‘good work’, yes, they have, but now their time is done. It’s time for real security, which the PCI DSS will never be, nor will credit cards ever allow.

  2. In line:

    >> 1.- P2PE is the easiest PCI assesment to achieve…

    It depends how you define easy. It's tricky from a service provider point of view, as it needs considerable investment in internal resource, hardware, people and marketing to construct a viable P2PE solution offering. But once in place, it's moderately easy to audit a merchant using P2PE as long as they've configured the solution correctly. Well, it's easier to assess a merchant's F2F payment environment against P2PE than it is against PCI DSS, for example.

    >> 2.- …in the UK every PED is P2PE capable no extra cost

    Do you think Ingenico and Verifone will give away this technology FOR FREE?? 🙂 The technology might be there agreed, but if merchants don’t sign up to Ingenico or Verifone’s product roadmap, then Ingenico or Verifone don’t make any money…
