pci compliant vs point-to-point encryption - white paper

Uploaded by: skywireinc

Posted on 26-May-2015


Page 1: PCI Compliant VS Point-to-Point Encryption - White Paper

SkyWire, Inc. Presents

PCI Compliant VS Point-to-Point Encryption

Tips for using POS Systems

Page 2

Your Customer’s Security is Top Priority

• Target’s loss of customer information resulted in major fees, lost sales, and a negative public image because of a security breach in their system.

• Outdated operating systems like Windows XP will make your business vulnerable to attacks similar to what Target experienced.

• The number of POS Systems that run on XP is staggering. If your business has one of these operating systems, it is recommended to invest in more secure options to protect your customers.

Page 3

What Does PCI Compliant Mean?

To understand Point-to-Point Encryption you must first understand what it means to be compliant with the PCI Data Security Standard (PCI-DSS). The PCI Security Standards Council (PCI-SSC) is the governing body that oversees the ongoing development, enhancement, storage, dissemination and implementation of security standards for account protection.

What does that mean to you? PCI-DSS imposes requirements on a merchant to ensure all credit cards are handled in a safe and secure manner. For any merchant responsible for processing credit cards, this can become overwhelming. Servers need to be upgraded regularly, network security needs to be tightened down, and policies need to be in place for handling credit cards. Any system that may store, process, or transmit cardholder data is considered in PCI scope. The cardholder data environment (CDE) extends to any system connected to the processing environment (even if it is not directly connected). To limit the scope of the PCI-DSS assessment, many companies will look to limit access to the processing server by segmenting their network. While this keeps the remaining network Out-of-Scope, in most cases it limits productivity.

Page 4

If a security breach were to occur, and the merchant was found to have a non-PCI-DSS-compliant environment, the merchant would be held accountable. At that point the merchant may be subjected to fines, card replacement costs, forensic audits, etc.

Many merchants are seeking to implement a Point-to-Point Encryption solution so that system components that simply process and transmit encrypted data, are adequately isolated from the encryption and decryption environments, and have no ability to decrypt the data can be excluded from the scope of a PCI-DSS review.

Fig. 1 (figure not reproduced in this transcript)

Page 5

What is Point-to-Point Encryption (P2PE)?

The PCI-SSC has previously clarified that encrypted data is out of scope if, and only if, it has been validated that the entity that possesses the encrypted cardholder data does not have the means to decrypt it.

Since the Magnetic Stripe Readers are pre-injected with the processor’s key, and the keys do not reside on the POS, the POS is considered Out-of-Scope. However, if an entity can validate that the encryption and decryption environments and methods used meet the industry best practices included in the Validation Requirements for Point-to-Point Encryption, then the entity may consider its CDE reduced to the encryption and/or decryption environments, subject to validation.

So, can P2PE really simplify the PCI-DSS process?

In short, yes.

P2PE is a great solution for merchants who have been faced with unclear Self-Assessment Questionnaires (SAQs) or costly PCI audits by Qualified Security Assessors (QSAs). P2PE, if deployed in a compliant manner, can reduce if not eliminate your business’s PCI-DSS scope, leaving the merchant to concentrate on their business and easing the burden of PCI-DSS compliance.
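The following Python script is an added illustration, not code from the SkyWire paper or any PCI SSC material. It models the two ideas the slides describe: the P2PE data flow (the processor's key is injected into the reader, the POS forwards ciphertext only and holds no key, the processor decrypts) and the scoping rules from pages 3 and 5 (plaintext cardholder data or decryption keys put a system in the CDE; an unsegmented connection to the CDE pulls a system in; encrypted data with no means to decrypt is out of scope, subject to validation). The cipher, a keyed HMAC-SHA256 counter-mode keystream with an HMAC tag, is my stand-in chosen to avoid third-party dependencies and is not what real readers use (those run validated hardware crypto such as 3DES or AES under DUKPT). The PAN, host names and inventory are constructed sample values.

```python
# Added example: toy P2PE data flow plus a PCI scope classifier built from the
# slides' rules. The HMAC-based cipher is a dependency-free stand-in (mine), not
# the crypto a real P2PE reader uses. All sample values are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 12, 16

def _subkey(key, label):
    """Derive separate encryption and MAC keys from the single injected key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """Counter-mode keystream assembled from HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def open_blob(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext tag mismatch")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class Reader:
    """Magnetic stripe reader: the processor's key is injected before deployment."""
    def __init__(self, injected_key):
        self._key = injected_key          # never leaves the reader
    def swipe(self, pan):
        return seal(self._key, pan.encode())

class PointOfSale:
    """POS software: forwards the encrypted track and holds no key material at all."""
    def forward(self, blob):
        return {"encrypted_track": blob.hex(), "amount_cents": 1999}

def run_transaction(pan="4111111111111111"):   # constructed test PAN
    """Walk one swipe from reader to processor and report what each party could see."""
    processor_key = os.urandom(32)   # lives only in the processor's decryption environment
    reader, pos = Reader(processor_key), PointOfSale()
    blob = bytes.fromhex(pos.forward(reader.swipe(pan))["encrypted_track"])
    return {
        "pos_saw_pan": pan.encode() in blob,    # False: the POS only ever handles ciphertext
        "pos_has_key": hasattr(pos, "_key"),    # False: no means to decrypt
        "processor_recovered": open_blob(processor_key, blob).decode() == pan,
    }

@dataclass
class System:
    name: str
    handles_chd: bool = False        # stores, processes or transmits cardholder data
    encrypted_only: bool = False     # ...and only ever in encrypted form
    can_decrypt: bool = False        # holds keys or any other means to decrypt
    connected_to_cde: bool = False   # unsegmented network path to an in-scope system

def pci_scope(s):
    """Scoping rules as the slides state them, most restrictive first."""
    if s.handles_chd and (not s.encrypted_only or s.can_decrypt):
        return "in scope: cardholder data environment"
    if s.connected_to_cde:
        return "in scope: connected to the CDE (no segmentation)"
    if s.handles_chd:
        return "out of scope: encrypted data only, no means to decrypt (subject to validation)"
    return "out of scope"

SAMPLE_INVENTORY = [   # constructed
    System("p2pe-reader", handles_chd=True, can_decrypt=True),      # the encryption environment
    System("pos-terminal", handles_chd=True, encrypted_only=True),  # forwards ciphertext only
    System("legacy-xp-pos", handles_chd=True),                      # plaintext track data
    System("back-office-pc", connected_to_cde=True),                # flat network shared with the CDE
    System("guest-wifi-ap"),                                        # segmented, no card data
]

def scope_report(inventory=SAMPLE_INVENTORY):
    """Classify every system in the inventory."""
    return {s.name: pci_scope(s) for s in inventory}

if __name__ == "__main__":
    print(run_transaction())
    for name, verdict in scope_report().items():
        print(f"{name:16} {verdict}")
```

Running the script shows the point the slides make: the POS message carries only the hex ciphertext, the POS object owns no key, and only the processor recovers the PAN; in the inventory the P2PE terminal falls out of scope while a legacy terminal handling plaintext track data, and an unsegmented back-office machine, stay in.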

Page 6

Does SkyWire POS offer P2PE?

Yes. The beauty of SkyWire POS is not only the Windows 8 Industry platform and easy-to-use cutting-edge software. It’s the fact that our credit card processor uses point-to-point encryption.

Without going into too many boring technical details on what point-to-point means, the gist is that your customer’s credit card information never gets stored to be at risk in the first place.

All credit card info is sent directly and securely to the credit card processor or bank.

For a demo of SkyWire POS or to see how we can get you secured for a fraction of the cost, call now: 866.514.5888

Page 7

www.skywire.com