Bridge to Profitability
 

PCI-Validated Point-to-Point Encryption for Merchants

 
BridgePay and Bluefin have teamed up to offer BridgePay partners PCI-validated Point-to-Point Encryption (P2PE). Bluefin Payment Systems is the leading provider of PCI-validated P2PE solutions and secures credit and debit card transactions by encrypting card data inside the PCI-approved point-of-interaction (POI) swipe or keypad device at the moment of entry. Clear-text cardholder data therefore never leaves the tamper-resistant device and is never present in the merchant's POS or network, where malware could capture it. Decryption takes place only offsite, in a Bluefin hardware security module (HSM). Through this partnership, BridgePay provides merchants with the PCI-validated P2PE solution directly through the BridgePay Gateway, strengthening payment security and reducing PCI DSS scope without changing the transaction flow.
 
What does a PCI-validated P2PE solution have to include?
A PCI-validated P2PE solution must include all of the following:
  • Secure encryption of payment card data at the point of interaction (POI), i.e., the payment terminal
  • P2PE-validated application(s) at the POI
  • Secure management of encryption and decryption devices
  • Management of the decryption environment and all decrypted account data
  • Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage
As a PCI-validated P2PE Solution Provider, Bluefin is responsible for the design and implementation of our P2PE solution, and management of the solution for our partners and their merchants. We are also responsible for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on our behalf (for example, hardware manufacturers, certification authorities, and key injection facilities).
 
What is the difference between PCI-validated and non-validated P2PE solutions?
Encryption solutions that have not been validated by the PCI SSC, but still provide functions such as encrypting within the POI terminal and decrypting outside the merchant environment, are generally called unlisted P2PE solutions or End-to-End Encryption (E2EE) solutions. Because no assessor has verified the device, key-management and decryption-environment controls, acquirers do not grant them the scope reduction described below.
 
PCI-validated P2PE solutions have been assessed by a P2PE Qualified Security Assessor (P2PE QSA) as meeting the PCI P2PE standard and are therefore listed on the PCI SSC website as validated P2PE solutions. In addition to meeting the P2PE standard, the decryption component of the solution must operate within a secure environment that has been assessed against the full PCI DSS standard.
 
How does PCI-validated P2PE work with EMV and Tokenization?
  • PCI-validated P2PE protects data in transit by encrypting cardholder data at the point of entry, inside the POI device. Encrypting card data on entry keeps it from ever being present in the enterprise or merchant's systems as "clear-text," where it could be exposed in the event of a data breach.
  • Tokenization protects data at rest: the merchant stores a token in place of the cardholder data and uses that token for future transactions (refunds, recurring billing). Like P2PE, tokenization renders what the merchant holds useless to an attacker, since the token cannot be reversed without the token vault.
  • EMV authenticates the card at the point of sale using the cryptographic chip embedded in it, and verifies the cardholder with a PIN or signature. EMV makes it extremely difficult (though not impossible) to counterfeit a physical card (a "white plastic" clone) that thieves could then use to purchase items at the POS. EMV does not by itself encrypt the account data read from the chip, so it complements rather than replaces P2PE.
How does P2PE help prevent the loss of cardholder data in the event of a data breach?
By eliminating clear-text cardholder data from the payment process, P2PE is designed to help prevent the loss of cardholder data in the event of a data breach.
 
In the Target breach, for example, CEO Gregg Steinhafel confirmed that malicious software (malware) had been installed on point-of-sale (POS) devices in Target's retail stores. Such malware parses the clear-text data that sits briefly in the memory of the POS system: it captures the card's magnetic-stripe data in the instant after the card has been swiped, while it is still in memory as clear-text, before it is sent for authorization.
 
The whole purpose of PCI-validated P2PE is to encrypt cardholder data immediately inside the validated POI device, so that no clear-text cardholder data ever exists on the POS system for malware to pick up.
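The following Python is an added illustration of the two flows described above; it is not BridgePay's or Bluefin's code. It constructs a Track 2 string with a well-known Luhn-valid test PAN, models a RAM scraper the way POS malware works (scan process memory for 13 to 19 digit runs and keep the ones that pass the Luhn check), and then shows what that scraper finds when the reader delivers clear-text versus when a P2PE reader encrypts the track inside the device and only the HSM side holds the key. The cipher is a deliberately simplified stand-in (HMAC-SHA256 in counter mode, a hypothetical fixed device key and transaction counter); real P2PE devices use TDES/AES under DUKPT with per-transaction keys, but the data flow is the same.

```python
import hashlib
import hmac
import re

# Constructed test data, not real card data: Track 2 as read from the mag stripe.
# 4111111111111111 is a well-known Luhn-valid test PAN.
TRACK2 = b";4111111111111111=25121010000000000000?"

# Hypothetical device key. In a real P2PE deployment this key material exists only
# inside the PTS/SRED-approved POI device and the provider's HSM; the merchant never has it.
DEVICE_KEY = hashlib.sha256(b"hypothetical-device-key-material").digest()

# Candidate PAN: 13-19 ASCII digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; RAM scrapers use it to discard digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_memory(buf: bytes) -> list[str]:
    """What memory-scraping POS malware does: return every Luhn-valid PAN-shaped run."""
    return [m.decode() for m in PAN_RE.findall(buf) if luhn_ok(m.decode())]


def _keystream(key: bytes, ksn: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for the device's hardware cipher
    (real devices use TDES/AES under DUKPT); it only has to show the data flow."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, ksn + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def poi_encrypt(key: bytes, ksn: bytes, track: bytes) -> bytes:
    """Runs inside the POI device: track data is encrypted before it leaves the read head."""
    ks = _keystream(key, ksn, len(track))
    return bytes(a ^ b for a, b in zip(track, ks))


def hsm_decrypt(key: bytes, ksn: bytes, blob: bytes) -> bytes:
    """Runs only in the decryption environment (the provider's HSM), never at the merchant."""
    return poi_encrypt(key, ksn, blob)  # XOR stream cipher: decrypt is the same operation


def pos_memory(payment_blob: bytes) -> bytes:
    """Constructed snapshot of a POS process's memory: an order number (16 digits,
    fails Luhn), a timestamp, and the payment data in whatever form the reader sent it."""
    return (b"ORDER=1234567890123456;TS=20240101T120000;"
            + b"PAY=" + payment_blob + b";STATUS=APPROVED")


def legacy_flow() -> list[str]:
    """Unencrypted reader: clear-text Track 2 sits in POS memory and the scraper finds it."""
    return scrape_memory(pos_memory(TRACK2))


def p2pe_flow() -> tuple[list[str], bytes]:
    """P2PE reader: only ciphertext reaches the POS; the HSM side recovers the track."""
    ksn = b"\x00" * 7 + b"\x00\x00\x01"  # hypothetical key serial number / swipe counter
    blob = poi_encrypt(DEVICE_KEY, ksn, TRACK2)
    found = scrape_memory(pos_memory(blob))
    recovered = hsm_decrypt(DEVICE_KEY, ksn, blob)
    return found, recovered


if __name__ == "__main__":
    print("legacy scrape :", legacy_flow())
    found, recovered = p2pe_flow()
    print("p2pe scrape   :", found)
    print("hsm recovered :", recovered)
```

The scraper returns the test PAN from the clear-text buffer and nothing from the P2PE buffer, while the HSM side still recovers the full Track 2. Note that the order number, although 16 digits long, is rejected by the Luhn check, which is exactly why real scrapers apply it.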
 
What are the benefits of a PCI-validated P2PE solution for merchants?
There are numerous tangible benefits merchants receive from using a solution that has been through the validation process.
 
PCI-Authorized Scope Reduction
Merchants who use a validated solution within their environment and keep that environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the SAQ P2PE self-assessment questionnaire, which is recognized and accepted by acquirers. Under PCI DSS v3.2 this represents a significant reduction of controls, cutting the number of questions by nearly 90% for merchants moving from SAQ D (329 questions) to SAQ P2PE (33 questions).
 
Card Brand Programs
  • Visa Technology Innovation Program (TIP)
    Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply, through their acquirer, for the Visa TIP program, which allows approved merchants to discontinue their annual assessment to revalidate PCI DSS compliance.
  • Visa Secure Acceptance Program
    This program incentivizes acquirers by providing safe harbor for fees in the event of a compromise for Level 3 and 4 card-present merchants who use a PCI-validated P2PE solution.
Solution for Challenging Compliance Issues
  • Mobile Acceptance
    By encrypting all card data within a validated card reader before it passes through the mobile device, the consumer mobile device is taken out of scope for PCI DSS (so long as it is not used for any other payment function), allowing compliant card acceptance via a consumer mobile device.
  • Foreign Networks
    Because the systems and networks between the encryption point and the decryption environment carry only ciphertext, they are no longer in scope. This addresses complex network-responsibility challenges for merchants who accept cards over networks they do not control.
What is the cost-benefit and Return on Investment (ROI) of a PCI-validated P2PE solution?
Example 1: Bluefin Case Study with University of California San Diego (UCSD) Extension
  • Bluefin’s P2PE solution was determined to be an effective means of addressing UCSD Extension’s increased data security standards.
  • The solution was implemented on 20 work terminals leveraging a single MID
  • In just one year of implementation, UCSD Extension has seen significant savings and efficiencies:
    • Annual $60,000 savings in PCI penetration scanning/testing resulting from a reduction in PCI scope to the SAQ P2PE-HW
    • Reduction in IT infrastructure and staff to monitor and maintain compliant workstations
    • Greater efficiencies across all departments resulting from the Bluefin solution’s ability to serve UCSD Extension’s mixed processing environment
Example 2: ROI analysis conducted by Coalfire on example merchant
The following comes from Bluefin’s recent white paper, authored by Coalfire Systems, “The Impact of PCI P2PE.” It is available for download at https://www.bluefin.com/about/resources/.
 
To illustrate the process of reviewing the cost impact for PCI P2PE, Coalfire used a hypothetical small merchant with eight mobile sales representatives, a retail storefront office with a point-of-sale, a dozen or so non-payment related workstations, and WiFi.
 
For simplicity, they assumed that the merchant does not develop custom software or store cardholder data electronically or physically. The hypothetical merchant has identified their costs to implement a P2PE solution with eight mobile and two countertop devices, including initial setup costs, recurring costs, program investment, and ongoing compliance costs.
 
In summary, the findings on Total Cost of Ownership (TCO) and ROI for PCI P2PE and the Current Solution (without P2PE or with non-validated P2PE), assuming a 10-year lifespan, are:
  • TCO of Current Solution: $300,400
  • TCO of PCI P2PE: $193,350
  • PCI P2PE Return: $114,250
  • PCI P2PE ROI: 1,487%
How does Bluefin’s PCI-validated P2PE solution work on the BridgePay platform?
Bluefin and BridgePay have partnered to provide Bluefin’s solution through our Decryptx product, which has been integrated onto the BridgePay platform via PayGuardian. Decryptx is enabled through an API connection between Bluefin and PayGuardian, allowing BridgePay to offer PCI P2PE directly to their merchants. Nothing changes about the payment processing flow.
 
For more information on how to partner with BridgePay, please reach out to our Sales team.

Bluefin