P2PE (point-to-point encryption) is the current hot topic surrounding card payments in retail, hospitality and leisure. It is easy to see why P2PE interests any business that accepts card payments via a PIN entry device: because account data is encrypted inside the device and the retailer's own systems never handle it in the clear, a validated P2PE solution significantly reduces the scope of PCI DSS compliance.
In the last few weeks the Vista P2PE team and I have been approached on several occasions by retailers asking for our assistance, or even asking us to intervene, in P2PE projects that have been planned or partially implemented by other service providers.
So why are these P2PE projects going wrong?
The common theme is that a number of project service companies are offering P2PE services to retailers without having the processes or credentials to do so, and the result is that they install the PIN entry devices in a non-compliant manner. A related trend is that the service provider does not properly understand P2PE, so its processes are not fit for purpose or simply do not meet the P2PE Domain 3 requirements.
Needless to say, these projects would not have achieved PCI compliance if the Vista P2PE team had not intervened when it did. Vista has been able to work with the retailers and get these projects back on track.
Having reviewed some of the P2PE project documentation that the project providers had given to these retailers, I found major gaps, and it is easy to see why the projects ran into trouble.
The worst example I have seen was from a project service company that had been recommended to the retailer by the manufacturer on the basis of cost. I find this worrying and frustrating, especially when the P2PE process starts with the manufacturer. When I explained to the manufacturer that the retailer had actually paid out far more in QSA audits and site revisits than it would have cost them to do it right first time, they declined to comment.
There are also project companies in the field that haven't a clue how to comply with PCI and P2PE, yet they are selling these services to retailers. It will only be a matter of time before these retailers' compliance is tested, and it will probably fail.
Vista and our P2PE team
Vista has invested a lot of money, time and effort into designing a P2PE service which exceeds the requirements of P2PE. Such a service is not simple to provide and needs investment in people and security measures.
Ever since the PCI-SSC released the first P2PE white paper over 2 years ago, the Vista team and I have built a very strong knowledge and understanding of the domains of P2PE.
We have designed and built a best-of-breed P2PE deployment and maintenance service, which one leading payments industry professional has referred to as "the most robust P2PE service they have seen". I have worked with payment solution providers, QSAs and retailers who are contemplating, planning, implementing or have implemented P2PE, and they have all either achieved PCI compliance or are currently going through certification.
My advice, if you are considering implementing P2PE, is to make sure the service provider can demonstrate that it has achieved PCI compliance for P2PE within a customer estate, has a full and detailed understanding of both P2PE and PCI DSS, and is able to work with your QSA. Check that the solution being deployed is a PCI-listed P2PE solution and that the provider installs and manages the devices in accordance with that solution's P2PE Instruction Manual (PIM), since a validated solution deployed outside its PIM does not give you the scope reduction. The provider should also be able to provide evidence and references of P2PE projects it has managed that achieved attestation.
If you would like to implement P2PE in a fully compliant manner, please get in touch with us directly and I will be happy to help.