P2PE is not what your CIO thinks it is

All of the things you wanted to know about point-to-point encryption (P2PE), but were too afraid to ask.


I have been traveling around the world since late 2013 speaking at conferences on Point-to-Point Encryption (P2PE). It has taken me to places like Bangkok, Singapore, São Paulo, Vancouver, Banff, Barcelona and London.

Early on, I would get a lot of blank stares and nods but little interest or interaction from the audience. At that time, it seemed that the general response was that security was just something that merchants had to do for compliance. The risks were largely unknown. After a few card data breaches from major merchants like Target, Home Depot and UPS, merchants started to take notice as the risks of getting it wrong took center stage.

There were about 1,600 breaches last year; that’s an average of 30 per week. And those are only the reported breaches. A “breach” only hits the press when the hacker does something wrong and gets found out. This is bad news for the hacker because once their Malware is found, the holes are soon plugged and the flow of card data stops. The ultimate goal for hackers is to hide in the weeds of unsuspecting and unprotected merchant systems and silently exfiltrate valuable card data over as long a period of time as they can.

Don’t confuse P2PE with EMV

Before we talk about P2PE, let’s discuss the technology that stole the show in the wake of the high-profile card breaches: chip cards, aka EMV. EMV helps a merchant’s Point of Sale (POS) system tell the difference between a fake plastic card and a real credit or debit card. Unfortunately, because of the timing of the release of this technology in the US, a lot of merchants confused chip cards, an anti-fraud tool that helps protect against physical fraud, with other data security technologies that protect the data from being stolen in the first place. Security and fraud are two very different concepts. Data insecurity exposes the card data to cyberattacks by hackers. Hackers then sell the card data online to fraudsters who then use the card data to commit fraud.

Fraud is at the tail-end of the process; it is the actual use of the hacked card data. Card breaches feed fraud; breached card data is the raw material used to commit fraud. So, why then would an anti-fraud tool, like EMV chip cards, be expected to do anything to secure the data in the first place? It’s like stamping your name and address on a bar of gold and setting it out on the lawn, instead of just locking the gold up in a vault. One tells you who owns the gold, the other secures the gold from theft.

Many technology professionals are surprised to see the full, clear text sixteen-digit card numbers on their network after implementing EMV chip card readers. Counterfeit cards represent less than 0.05% (that’s 5% of 1%) of all transaction dollar volume. That’s a relatively small issue compared to thousands of major merchants and millions of cards being exposed every year because of a lack of encryption. However, both technologies have their place and I am glad to see that P2PE is finally getting its time in the spotlight. In a perfect world, merchants would have added encryption to their card acceptance machines at the same time as upgrading to accept chip cards. But it’s not a perfect world. To make things worse, probably 80% of all devices that support chip cards can already support P2PE. Most merchants just haven’t turned it on because of a lack of education and priority.

Demand for P2PE is growing

Over the past year, we have seen a sizable and organic increase in demand for P2PE across many sectors such as higher education, healthcare, hospitality, retail, transportation and contact centers. In fact, there are now 116 payment gateways and merchant software platforms that offer PCI-certified P2PE Solutions with their payment processing. Of that total, 65 of these providers (or 56%) are powered by Bluefin’s P2PE Solution. I say this not to brag, but to let you know this particular security technology is trending up rapidly. And, you don’t want to be the slowest security adopter. That’s a recipe for a breach disaster.

P2PE is not PPTP

One thing that is peculiar, and is also the reason for my writing today’s blog, is that while P2PE has been popular among financial, operational, and security professionals, it is often met with a level of skepticism from information technology leaders, especially those with a strong networking or telecom background. Imagine that the security technology that many have called the Malware-killer is actually being held back from adoption by networking technology professionals. It sounds almost unbelievable. However, I believe that this posture is based largely on a point of confusion I would like to clear up.

Since 2013, I’ve participated in thousands of calls and meetings about P2PE with stakeholders across the client and partner spectrum. One point that comes up all of the time with network admins is confusing P2PE with PPTP. As humans, it is natural for us to use information we already know to frame and understand new information. That’s what happens with P2PE. I have seen many smart folks confuse the concept of P2PE (Point-to-Point Encryption) with PPTP (Point-to-Point Tunneling Protocol). Both terms have the same first three words and both involve encryption. The major difference is where and how the technologies are used.

The worst cases I have seen of this confusion were two nationally known consultancies that get paid to summarize “deep” concepts into digestible soundbites and suggest strategy to their clients. In both cases, the consultant dismissed P2PE out of hand because it was irrelevant to protecting the merchant against Malware. Thankfully, in both cases, I was heard and ultimately persuaded the merchants to take neither my word nor the consultant’s word for it, but rather to go to the source. The PCI Security Standards Council (SSC) published an infographic on Malware, what it is, and how to protect merchant environments from it. Two of the three recommendations in the infographic were P2PE and SRED (a required component of P2PE). And since PCI SSC was created by Visa, MasterCard, Discover and American Express, I think they know a thing or two about payment security.

Many IT professionals with a networking background assume that PPTP is the same thing as or is somehow based on P2PE. In truth, the two concepts are unrelated. I can tell when I’m talking to an individual relying on their understanding of PPTP to make assumptions about P2PE when they say things like, “by the time the card data reaches the encryption process it could have already been exposed to Malware.”

This statement makes perfect sense for PPTP, because PPTP network security technology creates a secure encrypted tunnel between two points, usually firewalls or VPNs. And it’s actually true that by the time the card data reaches the network, it could have already been exposed to Malware like RAM Scrapers, Screen Scrapers, and Key Loggers. No wonder network professionals don’t readily jump on the “PPTP bandwagon” as a means of stopping Malware. I agree with them that PPTP would do nothing to protect against the leading attack vector, Malware in the Point of Sale. Recent research from the Identity Theft Resource Center (ITRC) shows that more than 60% of 2017 breaches were due to hacking, specifically malware and ransomware.

The truth is, P2PE has nothing to do with PPTP and in fact, P2PE is not a network security technology at all. P2PE is an encryption and key management solution that exists in hardware. In essence, P2PE is immediate encryption in the firmware of the card acceptance device. P2PE encrypts card data in the firmware of the magnetic stripe reader head, NFC (near field communication) radio, ICCR (integrated chip card reader), or keypad. This encrypted firmware is segmented from the application and communication area of the card entry device so that even if Malware gets into the device, it can’t get to clear text card data.

So, it’s obvious that with P2PE, the card data is encrypted long before it reaches the workstation, PC or POS where it could be exposed to Malware and long, long before it reaches the network where PPTP would even come into play. I come from a telecom background with six years working in data centers at MCI-WorldCom, so I made this same mistaken assumption myself back in 2011 when the P2PE Standard was published by the PCI Security Standards Council. Eventually, in 2012, I read the standard and became a believer. It led my company to become the first North American provider of this technology back in early 2014.

Keys are key

Now that I have explained that P2PE is immediate, firmware-based, hardware encryption in the card acceptance device, let’s finish up with one more encryption concept to help make the distinction even more valuable. Certificate-based encryption makes a lot of sense for VPNs and PPTP, because you are creating an unbroken, private tunnel between two endpoints. In the payments world, this is not generally possible because the card data may need to traverse several hops including the software platform, the payment gateway, the payment processor, etc. So, if you want the data to be secure through a number of handoffs, you must encrypt it on one side and decrypt it on the other. To solve this issue, instead of trying to encrypt a private tunnel between two endpoints with a certificate that does not change, P2PE encrypts each transaction with a unique symmetric encryption key (AES or TDES) using a key rotation methodology called DUKPT (Derived Unique Key Per Transaction). This means that every transaction that comes out of the firmware of the device has a unique encryption key, effectively rotating the key with each transaction. This really frustrates hackers and blocks them from the good stuff.
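A simplified sketch of the per-transaction key idea described above, added here as an illustration and not taken from the article or from any vendor's code. It is not real DUKPT (ANSI X9.24): HMAC-SHA256 and an XOR keystream stand in for the standard's derivation and for AES/TDES, the reader here keeps its device key instead of erasing used keys, and the names `Reader`, `DecryptionHost`, `kdf` and `xor_cipher` are hypothetical; BDK (base derivation key) and KSN (key serial number) are DUKPT's own terms.

```python
import hashlib, hmac

def kdf(key: bytes, label: bytes) -> bytes:
    # One-way step; HMAC-SHA256 stands in for the real DUKPT derivation.
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_cipher(key: bytes, data: bytes) -> bytes:
    # Toy keystream cipher for the demo only; real devices use AES or TDES.
    stream = b"".join(kdf(key, b"ks%d" % i) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Reader:
    """Reader firmware: holds only its own device key, never the BDK."""
    def __init__(self, device_id: bytes, device_key: bytes):
        self.device_id, self._key, self.counter = device_id, device_key, 0

    def encrypt_swipe(self, pan: str) -> dict:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        txn_key = kdf(self._key, b"txn" + ctr)  # fresh key for this transaction
        # KSN = device id + counter; it travels in the clear beside the ciphertext.
        return {"ksn": self.device_id + ctr, "ct": xor_cipher(txn_key, pan.encode())}

class DecryptionHost:
    """Decryption endpoint: the only party holding the base derivation key."""
    def __init__(self, bdk: bytes):
        self._bdk = bdk

    def device_key(self, device_id: bytes) -> bytes:
        return kdf(self._bdk, b"dev" + device_id)

    def decrypt(self, msg: dict) -> str:
        device_id, ctr = msg["ksn"][:-4], msg["ksn"][-4:]
        txn_key = kdf(self.device_key(device_id), b"txn" + ctr)  # re-derived, never sent
        return xor_cipher(txn_key, msg["ct"]).decode()

def demo() -> dict:
    host = DecryptionHost(b"constructed-demo-bdk")  # constructed sample key
    reader = Reader(b"READER01", host.device_key(b"READER01"))  # key injected once
    pan = "4111111111111111"  # common test card number, not a real account
    m1, m2 = reader.encrypt_swipe(pan), reader.encrypt_swipe(pan)
    return {
        "ciphertexts_differ": m1["ct"] != m2["ct"],
        "pan_in_transit": any(pan.encode() in m["ct"] for m in (m1, m2)),
        "recovered": [host.decrypt(m1), host.decrypt(m2)],
    }

if __name__ == "__main__":
    print(demo())
```

Every hop between the reader and the host forwards only `ksn` and `ct`; the host re-derives the transaction key from the KSN, so no key ever travels with the data.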

Devalue the data vs. defend the data

A final intellectual comment I get all the time is that P2PE doesn’t actually prevent Malware or breaches because the hackers may still get into the system and get the data. The practical response to that one is easy: by encrypting each transaction with a unique strong encryption key, the card data is rendered useless and of no value to the hacker and of no value to the fraudster on the black market. I would say that is the ultimate in data security. The whole point behind P2PE is to encrypt the data so that even if the hackers get in, what they get is useless to them.

P2PE is at the heart of a new approach to payment security called data devaluation. And, it’s something other industries should look at. The data devaluation approach was forged by payment security pioneers on the front lines of the Malware wars and is now helping companies turn the tide and protect their customers’ data.

In my next post, I’ll discuss tokenization, another data devaluation security technology, and how it complements rather than competes with P2PE.

This article is published as part of the IDG Contributor Network.

Copyright © 2018 IDG Communications, Inc.
