Yesterday, PCI SSC published its first set of Point-to-Point Encryption (P2PE) solution requirements. This document, eagerly awaited by many, focuses on solutions that use cryptographic hardware to secure sensitive data at the point of encryption and at the point of decryption.
The latest PCI POI PTS standard, introduced last year, included for the first time a Secure Reading and Exchange of Data (SRED) requirements module specifying the security environment that POI vendors must build and test against to protect account data – one end of point-to-point encryption.
This new document addresses the decryption end as well, and says that Hardware Security Modules (HSMs) used for cryptographic key management functions and/or the decryption of account data “…must be either approved and configured to FIPS 140-2 (level 3 or higher), or approved to the PCI HSM standard.” Interestingly, this is one of the first PCI SSC documents to make extensive reference to PCI HSM, which is likely to become the preferred standard for HSMs used to secure payments because of its comprehensive coverage of managing the complete HSM lifecycle and its extremely strong demands on secure key management.
The press release from PCI SSC also says that it will continue to explore the development of requirements for other solutions using software in part or in whole to conduct encryption and decryption. So why has it focused on a hardware to hardware solution first?
One reason is that using HSMs for encryption/decryption is far more secure than using software and is already well understood in the payments world (especially by issuers and card networks for securing their critical infrastructures). HSMs are, for example, specified by PCI SSC to secure PINs when on-line PIN verification is carried out. Another reason is that the new document looks to improve security by focusing at some length on specifying requirements for key management and key separation. Proving to an auditor that these requirements are met is difficult or impossible without the use of an HSM to carry them out.
The new document is a major leap forward in terms of specifying true point-to-point protection for sensitive account data (such as PANs). Solutions that meet the requirements will be much more secure, as sensitive data is both encrypted and decrypted in a tamper-resistant and tamper-responsive secure cryptographic device.