Monday, March 7, 2011

Is P2P Encryption the Answer to PCI Compliance?

Point-to-point (P2P) encryption is an appealing solution to the issue of control over payment systems. Establishing the first point of encryption within the payment terminal itself ensures that the data are encrypted at the time of the initial transaction. If the final encryption point is set far enough back in the system, the data can be secured throughout their lifecycle.

This, however, is where P2P falls short of its objective. It is usually not practical to maintain the encryption throughout a system because the system components vary and are not all compatible with a single encryption standard.

Even so, the ability to encrypt at the point of capture is worthwhile. It reduces the risk of fraud or error at the terminal, which is an important advantage, and it can reduce the scope of a PCI audit by removing the terminal from the list of components that require detailed evaluation.

So while P2P encryption may not be the whole answer, it makes a very good starting point and can be used as a building block for an integrated and comprehensive security system down the road. For a good commentary on P2P, check out this article.
