P2P Encryption


P2PE (point-to-point encryption) seems to be emerging at the forefront of defense against security breaches and as a leader in encryption technologies in the wake of recent breaches in the payment card industry.

This particular technology and solution is seemingly gaining popularity not only as an encryption technology, but also as a solution to limit and reduce the cost of compliance with the PCI DSS (Payment Card Industry – Data Security Standard).

Complete adoption of the technology would result in encryption of the data along its entire path, i.e. from the ATM, kiosk, or point of sale right through to the bank or card-processing facility.

But this approach is not possible presently, because of the number of card-processing companies, banks, ISOs, etc. that are involved in processing card data.

Because of the above limitation on end-to-end encryption of data, there are several methods that merchants opt for in processing card data.

First is the encryption of data at the point of sale. In the current approach, when a user's card is swiped at the point of sale, the card data travels in clear text to the back office system. The back office system does some initial processing and then encrypts the data to send it to the card processing center.

Here, a hacker could intercept the data as it travels through the merchant's network. To prevent such an attack, merchants are opting for encryption at the cash register itself using symmetric keys. The data is encrypted as it is read from the card and sent to the back office over SSL, which leaves the hacker no scope to intercept it as it travels over the network. The symmetric key could still be broken, but the hacker would need persistence to do so.

The second approach is more secure than the first, and it involves asymmetric keys. The cash register and the payment processing center would share asymmetric keys, as in standard asymmetric encryption, which would make it even harder for a hacker to break the keys and intercept the data.

As far as compliance with the PCI DSS is concerned, neither the first nor the second approach provides any cost savings with regard to the testing that needs to be performed on the cash register systems for vulnerabilities or probable hacks.

The final option to consider, the most secure and cost-saving option with regard to PCI DSS compliance, is the encryption of data at the card reading terminal itself. The data is encrypted as soon as the user swipes the card at the terminal, and no readable data is left on the unit. This strategy completely defeats online hacking attempts.

The only way to hack such a system would be to physically gain access to one of these units, dismantle it, and alter the processing chips. This is as good as security can get, and it helps narrow the scope of a PCI DSS audit considerably, as encryption algorithms embedded on the chips would remove cash registers and other system components from the audit.

The audit's scope would be the hardware modules, the key management, and the manner in which the different encryption modules are loaded onto and handled on the hardware unit. This would result in high PCI DSS cost savings because the scope and the number of devices are limited.
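The asymmetric approach applied at the card reader itself, as an added example that is not from the original article: the reader encrypts the track 2 data under the processor's RSA public key (RSA-OAEP), so the register and back office relay only a masked PAN and ciphertext. The names `Envelope`, `EncryptAtTerminal`, `DecryptAtProcessor` and `Demo`, the terminal ID, the first-6/last-4 masking and the sample track data are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Envelope is all that leaves the reader; the register and back office only relay it.
type Envelope struct {
	TerminalID, MaskedPAN string // clear: routing ID (also the OAEP label), first 6 / last 4
	Ciphertext            []byte // full track 2 under the processor's public key
}

// EncryptAtTerminal runs inside the reader, before any data reaches the register.
func EncryptAtTerminal(pub *rsa.PublicKey, terminalID, track2 string) (*Envelope, error) {
	pan, _, ok := strings.Cut(strings.TrimPrefix(track2, ";"), "=")
	if !ok || len(pan) < 13 || len(pan) > 19 {
		return nil, fmt.Errorf("malformed track 2 data")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(track2), []byte(terminalID))
	if err != nil {
		return nil, err
	}
	masked := pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
	return &Envelope{terminalID, masked, ct}, nil
}

// DecryptAtProcessor runs where the private key is held; altered input fails to decode.
func DecryptAtProcessor(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.Ciphertext, []byte(e.TerminalID))
}

// Demo uses a constructed key pair and a constructed track 2 (test PAN, not a real card).
func Demo() (*rsa.PrivateKey, *Envelope, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	env, err := EncryptAtTerminal(&priv.PublicKey, "T-0001", ";4111111111111111=30121010000000000000?")
	return priv, env, err
}

func main() {
	_, env, err := Demo()
	fmt.Printf("register sees: %+v (err=%v)\n", env, err)
}
```

In this arrangement the reader needs only the public key, so the private key exists solely at the processor, which matches the reduced audit scope described above: the reader hardware and the key management.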
