1. PCI-validated point-to-point encryption (P2PE) solutions have grown 700% in the past 4 years and can reduce the number of PCI requirements a merchant must comply with from 329 to 33.
2. P2PE provides a substantial return on investment (ROI) of 1,500% according to a recent white paper analysis.
3. Merchants now have more options for implementing PCI-validated P2PE, including working with a processor's validated solution, using a merchant-managed approach by selecting from over 75 validated P2PE components, or going through a P2PE "connected" provider like Bluefin's Decryptx product.
1. bluefin.com
What We Will Discuss Today

PCI-Validated P2PE Is Trending
The number of available PCI-validated P2PE solutions has grown 700% in the past 4 years.

Scope Reduction Up to 90% for Many Merchants
You can manage 329 PCI requirements throughout your organization, or you can lower that to 33 requirements with PCI P2PE.

The ROI is Substantial
A recent white paper analysis done by Coalfire Systems Inc. demonstrated a 1,500% ROI for PCI P2PE.
You Can’t Escape Data Breaches

[Chart: Data Breaches, 2007-2016, number of reported breaches per year (0 to 1,200). Data breach statistics provided by the Identity Theft Resource Center (ITRC).]

Why the escalation? Hackers want payment and personal data to resell on the black market for fraudulent use.

Average cost per breached record (Ponemon/IBM 2016 Cost of Data Breach Study):
Healthcare: $355
Education: $300
Retail: $172
Transportation: $129

[Chart: Industry Sectors: % of Overall Breaches]

Average Cost of a Data Breach: $4M, up 29% since 2013
Malware Defined

Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software.

The Evolution of Breach Techniques
Malware in Action at the POS – The Target Breach

A phishing email duped at least one employee of Fazio Mechanical, a refrigeration contractor and third-party vendor of Target, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. The attackers waited until the malware had captured Fazio Mechanical's login credentials.

With those vendor credentials the attackers worked their way into Target's corporate network.

Malware code-named Trojan.POSRAM was then used to infect Target's POS systems. The "RAM-scraping" portion of the POS malware grabbed card information from the memory of POS devices as cards were swiped, where the track data sat in clear text after the reader handed it to the POS application.

Once the credit/debit card information was staged on an internal dump server, the POS malware sent a special ICMP (ping) packet to a remote server. The packet indicated that data resided on the dump server.

The attackers then moved the stolen data to off-site FTP servers and sold the card information on the digital black market.

What have we learned?
There are Two Choices: Defend the Data or Devalue the Data

Defend the data:
• Implement more firewalls
• Implement more network perimeters
• Implement more monitoring systems
• Hire additional security staff

VS

Devalue the data:
• Encrypt the data so if the hackers do get into the system, they get nothing
PCI-Validated P2PE Devalues the Data

PCI-validated point-to-point encryption (P2PE) is a payment security solution introduced by the PCI SSC in 2011. Cardholder data is encrypted at the Point of Interaction (POI) in a PCI-approved P2PE device, and decryption is done off-site in an approved Hardware Security Module (HSM); the merchant environment never holds the decryption keys. It differs from generic "end-to-end encryption" in that the devices, key management and decryption environment have been validated against the PCI P2PE standard rather than simply asserted by the vendor.
The Major Differences Between PCI-Validated and Non-Validated P2PE

                                  PCI-Validated P2PE   Non-Validated P2PE
PCI scope reduction               X
Certified device key injection    X
Device chain of custody           X
Tamper-responsive terminals       X
Online device management system   X

PCI P2PE solutions encrypt card data inside the terminal immediately upon card entry, preventing RAM scraping and thus preventing any clear-text data from entering the POS.

Only PCI-validated P2PE solutions have been certified to have the necessary device and security controls in place to reduce PCI scope and allow merchants and enterprises to qualify for the 33-question P2PE SAQ-HW.
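The point above, that data encrypted inside the terminal never appears in clear text in POS memory, as an added example written for this page (it is not Bluefin's or the PCI SSC's code). It models a Trojan.POSRAM-style scraper (track-2 regex plus Luhn filter) and runs it over two constructed POS memory images, one from a legacy flow and one from a P2PE flow. The "POI encryption" is a stand-in keystream cipher so the script runs on the Python standard library; it is not the P2PE standard's SRED/DUKPT encryption. The PAN is the well-known 4111… test number and the memory layout is invented.

```python
"""Added example (not Bluefin's or the PCI SSC's code): why encrypting at the
point of interaction defeats RAM scraping.

The "POI encryption" here is a stand-in keyed keystream built from SHA-256 in
counter mode so the demo runs on the Python standard library alone. It is NOT
the P2PE standard: a real P2PE terminal encrypts inside a PCI PTS-approved SRED
reader with DUKPT-derived keys, and decryption happens only in the solution
provider's HSM. The buffers and the scraper are constructed for illustration.
"""
import hashlib
import os
import re
from typing import List, Tuple

# Constructed sample: a well-known test PAN (4111...) that passes Luhn, with a
# fabricated expiry/service code. Not real cardholder data.
TRACK2 = b";4111111111111111=25121011234567890000?"

# Track-2 shape a scraper hunts for: 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code.
TRACK2_RE = re.compile(rb"(\d{13,19})=(\d{4})(\d{3})")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; scrapers use it to discard digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ram_scrape(memory: bytes) -> List[str]:
    """Model of Trojan.POSRAM-style scanning of POS process memory."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def poi_encrypt(track: bytes, key: bytes) -> bytes:
    """Stand-in for SRED encryption inside the terminal (XOR with a keystream)."""
    return bytes(a ^ b for a, b in zip(track, _keystream(key, len(track))))


def hsm_decrypt(blob: bytes, key: bytes) -> bytes:
    """Same stand-in run at the decryption site; the key never exists on the POS."""
    return poi_encrypt(blob, key)


def pos_memory_without_p2pe(track: bytes) -> bytes:
    """Legacy flow: the reader hands clear-text track data to the POS application."""
    return b"\x00" * 64 + b"POS_APP_SALE_RECORD " + track + b"\x00" * 64


def pos_memory_with_p2pe(track: bytes, key: bytes) -> bytes:
    """P2PE flow: the POS only ever holds ciphertext plus a masked PAN for the receipt."""
    pan = track.split(b"=")[0].lstrip(b";")
    masked = pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]
    blob = poi_encrypt(track, key).hex().encode()  # hex never contains '='
    return b"\x00" * 64 + b"POS_APP_SALE_RECORD " + masked + b" " + blob + b"\x00" * 64


def demo() -> Tuple[List[str], List[str]]:
    key = os.urandom(16)  # in a real solution, a DUKPT key derived inside the device
    return (ram_scrape(pos_memory_without_p2pe(TRACK2)),
            ram_scrape(pos_memory_with_p2pe(TRACK2, key)))


if __name__ == "__main__":
    legacy, p2pe = demo()
    print("Scraper result without P2PE:", legacy)  # ['4111111111111111']
    print("Scraper result with P2PE:   ", p2pe)    # []
```

The same regex-plus-Luhn scan is what an assessor or forensic analyst runs over a memory dump to prove that no clear-text PAN exists in the POS, which is the evidence behind the scope reduction claimed above.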
From 4 Validated Solutions in 2014 to 28 Today

What to Look For in the Listings

Listed solutions are found at https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions
The New Options for PCI P2PE: Processor, “Connected”, Merchant-Managed and Integrated

Processor P2PE
The processor (or gateway) has received validation for their P2PE solution. You must be processing with the company to get P2PE. Examples include FreedomPay and CardConnect.

P2PE “Connected”
You do not need to be processing with the PCI-validated provider to get P2PE. An example is Bluefin’s Decryptx solution.

Merchant-Managed P2PE
Merchants can build their own custom P2PE solution from a list of PCI-validated P2PE component providers.

Integrated P2PE
These solutions are software based and provided through a SaaS company with processing. Examples include Instamed for healthcare.

P2PE “Connected”: Bluefin’s Decryptx

The only solution that enables acquirers, processors and gateways to offer PCI-validated P2PE via their platform and direct to their merchants
Merchant Managed P2PE

Enables merchants to manage their own P2PE solution rather than being locked into a processor’s solution.

Choose your vendors (must be certified by PCI SSC for P2PE) for each component of the merchant-managed solution (MMS):
• Encryption Management Services
• Decryption Management Services
• Key Injection Facilities
• Certification/Registration Authorities
• Device Chain of Custody

Current component providers can be found at https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_components#tab-abc
New in 2.0 – Remote Key Injection

• The majority of merchants have purchased new hardware for EMV; these new terminals are generally PCI PTS-approved devices that can also be used for PCI-validated P2PE acceptance
• Previously, the only option for merchants that wanted PCI P2PE but had already purchased terminals was to take the terminals out of service and ship them to a certified Key Injection Facility (KIF) for P2PE key injection
• Remote Key Injection (RKI) solves this problem by enabling the keys to be injected into the terminal in the field, through a remote key-loading server operated by the P2PE solution provider
  – RKI is currently only available through a handful of PCI P2PE providers with more being added
P2PE Implementation Should be Plug and Play

Example: Bluefin management and reporting (P2PE Manager)
01 Authorized merchant representative places order
02 P2PE validated terminal is injected at KIF
03 KIF ships terminal to merchant under strict controls
04 Authorized merchant representative confirms receipt of terminal
05 Merchant records terminal custody transfer in the P2PE Manager
06 All transactions confirmed to originate from approved device
07 Annual PCI Chain of Custody report generated from P2PE Manager
PCI-Validated P2PE Reduces PCI Scope…

The PCI SSC states that ONLY PCI-validated P2PE solutions can reduce a merchant’s SAQ scope down to the 33-question P2PE SAQ.

[Chart: number of PCI DSS questions, non-P2PE merchants vs. P2PE merchants]
Non-P2PE merchants: 329 questions in the PCI SAQ D or ROC
P2PE merchants: 33 questions
…And Provides a Significant ROI

Return on Investment (ROI) and Total Cost of Ownership (TCO) analysis conducted by P2PE QSA Coalfire, Inc. The detailed calculations are found in Section 3 of our Coalfire white paper, The Impact of PCI-Validated P2PE, released January 2017. Download the paper at https://www.bluefin.com/about/resources/

TCO = Visible Costs + Hidden Costs (ten-year horizon)

TCO_current = $22,400 + ($27,800 x 10)
TCO_current = $22,400 + $278,000
TCO_current = $300,400

TCO_P2PE = ($7,200 + $9,650) + [($4,200 + $13,450) x 10]
TCO_P2PE = $16,850 + $176,500
TCO_P2PE = $193,350

Return_P2PE = (Initial Cost Savings) + (Annual Cost Savings x 10)
Return_P2PE = ($22,400 - $9,650) + [($27,800 - $13,450 - $4,200) x 10]
Return_P2PE = $12,750 + ($10,150 x 10)
Return_P2PE = $12,750 + $101,500
Return_P2PE = $114,250

Note that the $7,200 P2PE investment is excluded from the savings and counted separately as the cost of investment, so TCO_current - TCO_P2PE = $107,050 = Return_P2PE - $7,200.

ROI_P2PE = [(Return - Cost of Investment) / Cost of Investment] x 100
ROI_P2PE = [($114,250 - $7,200) / $7,200] x 100
ROI_P2PE = 1,487% ROI over ten years
Final Thoughts
• PCI-validated P2PE is alive and growing with version 2.0
• Remote P2PE Key Injection (RKI) will simplify deployments
• Merchants can now access PCI P2PE by:
• Designing P2PE Solutions from more than 75 available PCI-
validated Applications & Components
• Selecting from 28 Validated P2PE Solutions
• Selecting from 23 P2PE-connected Payment Gateways and
Software Providers through Decryptx
• Download or ask for a copy of our P2PE Whitepaper by
Coalfire, The Impact of PCI-Validated P2PE