In the wake of the recent Verizon report that shows that 80 percent are out of PCI DSS compliance between audits, some vendors are urging the PCI Council to consider approving software-based point-to-point encryption, in addition to the current hardware-based standard.
PCI-approved, hardware-based P2PE allows merchants to drastically shrink the systems subject to compliance, reducing both risks and costs, and will make it easier to stay compliant.
Self-destructing hardware is a “security bonus,” but in general, hardware-based P2PE technology is not as useful for merchants, says Shift4 CEO Dave Oder, whose company is one of the largest software-based P2PE providers.
MORE ON CSO: What is wrong with this picture? The NEW clean desk test
“The vast majority of retailers who have P2PE in use today are using a software-based decryption method provided by Shift4 or one of our competitors,” he said.
According to Oder, software-based P2PE, combined with tokenization, is a secure alternative to hardware-based encryption, and should be allowed under the PCI DSS standard.”The trouble is, PCI is refusing to validate certain types of security solutions even though they are more secure and more useful to merchants than what is currently validated,” he said.
Hardware-based encryption creates a potential single point of failure and is not designed to handle the level of transaction volume and uptime required in the payments industry, he said.
“The PCI Council has not released a software-based P2PE standard that would allow for both decryption and key management outside of a hardware security module,” he said. “Much of the industry is waiting for that and the delay is harming merchants.”
According to Shift4 marketing manager Nathan Casper, merchants with no encryption at all have a self-assessment questionnaire with more than 280 requirements. Merchants with hardware-based encryption have one with just 19 questions. Merchants with software-based encryption get the 280-question form — but only answer those same 19 and put “not applicable” to the rest.
“The part that makes this frustrating to these large merchants is that they are almost always required to employ the assistance of a Qualified Security Assessor to oversee their assessment,” he said. That’s tens of thousands of dollars, or more, spent on someone checking the same “N/A” box 261 times.
Another vendor promoting a software-based encryption alternative is Irvine, Calif.-based Secure Channels, Inc., which offers both hardware and software-based solutions.
“There are software based solutions where the decryption key is hidden in the packet,” said Secure Channels CEO Richard Blech. “There are means contained in the software to have a secure key exchange that completely bypasses the need for a hardware security module. Merchants are being harmed without this solution.”
However, according to Sam Pfanstiel, director of solutions at Atlanta-based Bluefin Payment Systems LLC, there is an excellent reason to stick with the hardware-based requirement.
“Through software-based encryption, you’re performing encryption in memory, and that memory is highly susceptible to memory scraping,” he said. “That is a vector of attack that has been used in almost every cardholder data breach of the last 18 months.”
Hardware-based encryption, by comparison, puts the encryption mechanism — the plain text data — inside a hardware security module that self-destructs if tampered with.
“Bluefin stands firmly on the belief that only hardware-based encryption provides adequate controls to address the attack vectors prevalent in the industry today,” he said.
Bluefin used to be on the other side, he added.
“When the PCI standard was first released, we had a software-based solution in place, and had to look at what PCI was recommending,” he said. “We decided that the new standard represented better cardholder protection.”
Two and a half years and several million dollars of investment later, Bluefin has replaced its software-based encryption with hardware.
“Ease of deployment is only a concern for encryption providers who fail to comply with the new standards and continue to use older technology to perform their encryption and decryption,” said Pfanstiel.
Today, there are currently over 160 validated devices that support hardware-based encryption, he said. “And the list grows every day.”