The Perils of Relying on P2PE

August 21, 2018 • Category: PCI 101

Point-to-point Encryption (P2PE) is an awesome tool for securing retailers’ payment card data. ControlScan highly recommends it in every environment where it’s feasible and cost effective to do so. (We operate security infrastructure in many retail environments with integrated POS systems, where P2PE is either not available or not feasible from a cost perspective.)

However, even in those environments where P2PE is feasible, it is not a silver bullet for protecting your business. I’ll provide you with a scenario that we saw recently as an example…

A small business is engaged by their acquirer, and the acquirer tells them that implementing P2PE and paying the additional expense will drastically reduce their costs for overall security. In response, the customer integrates P2PE, and cancels a number of the security services that were helping protect their endpoints from attack. A couple of months later, the customer calls us in a panic, having been attacked by ransomware, which shut down their entire retail chain and headquarters.

Unfortunately, this is a situation we’ve encountered before.

Who’s watching your network?

Yes, P2PE is an awesome tool to secure your payment card data, but it is not meant to replace other security technologies, such as a UTM firewall. Even if your payment card data is protected, a sophisticated attacker will find other means to ruin your day, and ransomware, used to extort money from the victim, is currently a big one.

Don’t let P2PE at the POS cloud your judgement on the maturity of your business’s overall security posture. You still have many other assets to protect.