
If it must be secured, let's be smart on how we go about it


As a retailer that accepts card payments, you are obliged to spend a considerable amount of money on securing your payment systems (as stated in my previous post), but just like tying knots, there are many different ways to secure something, and knowing which approach to follow could prevent a disaster.


Your Qualified Security Assessor (QSA) should already have taken you through the standard questions to identify what sensitive data your organization has, where it is, and whether you need to store or even process it. The standard approach they recommend would then typically be to segregate the network, encrypt data, and restrict access. But are there smarter approaches to consider (and is it in the QSA's interest to simplify your PCI audits)?

In our upcoming white paper, we not only discuss descoping systems, outsourcing, tokenization, and point-to-point encryption (P2PE), we also capture the current sentiment and future expectations of retailers with respect to these. If you're interested in reading more, please register to receive your copy.

Unlike tying knots, there is no single best approach, and it may be fruitful to implement a combination of multiple approaches; bear in mind too that your environment is unique and will change over time. In my next installment, I will talk about outsourcing, and answer the question of whether it is possible to outsource your payments system without being shoe-horned into a one-size-fits-all solution (spoiler alert: it is!).

So I'd like to touch here on P2PE and tokenization. Earlier in the year, we ran a webinar, Keep the Hackers Out and Reduce Your PCI Scope with Point to Point Encryption, which explains the concepts; if you're unfamiliar with them, you can watch a webinar replay here. They are often grouped together as complementary technologies, and the questions you should consider before choosing a supplier are similar; however, P2PE and tokenization can be implemented independently and can be provided by different suppliers. The questions center on who owns the data, i.e. who controls the encryption keys loaded onto the PED, and where are they used to decrypt the data? And in the case of tokenization, where is the original sensitive data stored?

By its very nature, P2PE requires the PED manufacturer's involvement, but should the PED manufacturer also provide the decryption appliance and the inventory management? Delegating too much responsibility to one supplier could result in you being locked in. Similarly, if the decryption keys and/or token vault are held by a third party or PSP, how easily can you move to another provider? What about being able to add support for new payment types like closed loop / prepaid cards, PayPal, etc.? Will you be reliant on your PSP, and what will they charge you per transaction?

If you have any anecdotes to share (anonymous or otherwise), questions or advice, I’d love to hear from you. Thanks for reading this far, and until next time…