MegaplanIT
Key Management Systems for P2PE and E2EE
What is Cryptography?
Cryptography in the data security sense is the use of mechanisms to transform data to a state that is indecipherable unless appropriate keys are used to decipher the contents. We have spoken about symmetric and asymmetric cryptography on this blog before, but today we will tackle cryptographic keys and key management from the perspective of Point-to-Point Encryption (P2PE) and End-to-End Encryption (E2EE) solutions.
General Encrypted Data
Data is often encrypted while at rest or in transit within a production environment. This may be done at the transmission layer (for example TLS or SSL) or at the data layer (for example AES-256 or 3DES). The issue with an in-house encryption scheme is that all components of the system, keys included, are present within that same system. If the system is compromised, an actor may leverage the cryptographic key stores or force insecure transmission-layer configurations to harvest data within the network. A system with a backend decryption environment would be susceptible to this type of attack and is therefore not considered P2PE, because everything needed to decrypt the data entered or stored is available within the environment.
Point to Point Encryption
A point-to-point encryption solution works in such a way that the entity, such as a merchant, using the P2PE solution does not have access to the decryption keys or decryption environment. Typically keys are held by the service provider of the P2PE solution or the processor for decryption when a transaction is sent. In this way, the entity can benefit from a reduced PCI DSS scope, including descoping of network and system components handling the messaging and routing of the encrypted Account Data throughout the merchant environment.
Encryption keys for the P2PE solution are injected at a KIF (Key Injection Facility) or remotely injected into the POI device without the entity ever learning the key. This ignorance of the key is paramount to the solution: however corrupt or compromised the merchant’s systems may become, the original keys are never exposed. The key itself is typically stored within the POI device; this tamper-resistant hardware holds the data-encrypting key, which may only be used when the payment application accepts cardholder data. There are also deployments of “hybrid” decryption environments, which apply somewhat differently. Appropriate policies, procedures, and processes are in place to ensure that data-encrypting keys are protected both from malicious use and from the entity leveraging the solution.
P2PE solutions may also be merchant managed (MMS), where the merchant deploys a specific solution and encryption to achieve PCI P2PE scope reduction. This deployment may require a higher level of effort, as the merchant must fulfill and prove that the solution is deployed in accordance with the Product Implementation Guide, with additional information provided by a P-ROV (P2PE Report of Validation). Additional information may be found in the MMS FAQs on the PCI Council website.
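As an added illustration that is not from the original post or from any P2PE vendor's product, the following Go model shows the key custody described above: a KIF function generates the data-encrypting key and loads it into the POI device and the processor's decryption environment, while the merchant systems that route the message only ever handle ciphertext. AES-256-GCM, the type names and the function names are assumptions made for this model; a real solution relies on approved tamper-resistant hardware and key-management procedures, not on this code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// POIDevice is the tamper-resistant terminal holding the injected DEK; Processor is the provider's decryption environment (both are modelling assumptions).
type POIDevice struct{ aead cipher.AEAD }
type Processor struct{ aead cipher.AEAD }

// InjectKey plays the KIF: it generates a 256-bit DEK and loads it into the
// POI device and the processor. The merchant never receives the key.
func InjectKey() (*POIDevice, *Processor, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return &POIDevice{aead: aead}, &Processor{aead: aead}, nil
}

// Encrypt is the only operation the POI exposes to the payment application.
// Output is nonce || ciphertext || GCM tag; the key cannot be read back out.
func (p *POIDevice) Encrypt(accountData string) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, []byte(accountData), nil), nil
}

// Decrypt runs at the processor, outside merchant scope; a truncated or tampered message is rejected by the length check and the GCM tag.
func (pr *Processor) Decrypt(msg []byte) (string, error) {
	n := pr.aead.NonceSize()
	if len(msg) < n+pr.aead.Overhead() {
		return "", errors.New("message too short")
	}
	pt, err := pr.aead.Open(nil, msg[:n], msg[n:], nil)
	return string(pt), err
}
```

Everything between Encrypt and Decrypt stands in for the merchant network: it can copy, store or forward the bytes, but without the DEK it cannot recover the account data, which is the property the scope reduction rests on.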
End to End Encryption
Unlike validated P2PE solutions, E2EE has no defined standard; architectures and implementations vary by vendor and solution. E2EE can work similarly to P2PE, but the controls required for P2PE may not be in place or validated. In addition, the endpoints where encryption takes place are not defined. E2EE mechanisms may transmit data to a processing server for encryption and, likewise, to a decryption server within the merchant environment for decryption. These technical variances can significantly broaden the PCI DSS scope of a merchant using an E2EE solution, since the merchant is now in control of cryptographic keys and is subject to all controls related to key management, including key generation, rotation, and the security of the keys themselves. Some elements of the encryption/decryption process may exist inside the merchant environment, increasing scope.
Conclusion
Validated Point-to-Point Encryption (P2PE) solutions that utilize compliant Point of Interaction (POI) devices provide the most effective way to minimize PCI DSS scope. These solutions are formally recognized and validated by the PCI Security Standards Council, ensuring compliance and reducing the associated security burdens. On the other hand, Non-standard Encryption Solution Assessments (NESA) or End-to-End Encryption (E2EE) implementations often require additional testing, validation, or the acceptance of risk by the processor, as these systems are not validated against the PCI SSC P2PE standards. By choosing validated P2PE solutions, organizations can streamline compliance efforts, reduce risk, and adhere to industry standards more efficiently.
Looking for a knowledgeable and trusted partner for your cybersecurity and compliance efforts? We're Here To Help!
We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!