Media Kit
  • Why credit card stystems will always be in scope


Fb Share

There is a growing trend in the retail industry for some merchants and technology providers to hope that someday the PCI standard will give guidance that says, "If you implement this new silver bullet, your systems will be completely out of scope."

While they are not the first, the latest group trying to pull this off is the people touting their Point to Point (P2P) encryption technology with or without tokenization. In this post, I am not going to go over the details of how these technologies work. The important part of both of these technologies is that they help merchants reduce their risk associated with storing credit card data by either making it impossible to read if it is stolen or by removing it from the environment completely.

As a security firm, we highly recommend and endorse these technologies as being a good way to thwart Internet hackers, who are out there trying to steal credit card data. What we hate to see in the industry are companies that try to claim that after implementing a set of technologies, the merchant is no longer in scope for PCI. This is simply not the case because even the best technology cannot remove all of the ways that credit cards are stolen (or mitigate all that PCI requires).

I recently had this discussion with a manufacturer of one of the P2P technologies that is gaining traction in the industry. Since they cannot defend themselves in this post, I will be fair and not list any names. To summarize our conversation, the P2P vendor was positive that it would be impossible for a hacker to break the company's encryption technology. Again, I do not want to dive into a technical discussion, so just to clarify, the encryption technology changes the credit card data so that it is unreadable without the decryption key. The decryption key is secret and nearly impossible to guess, so the data is safe once it is encrypted (is the argument).

On the face, this argument is not valid because credit card data could be obtained before the P2P system encrypts it, or there might multiple avenues for storage (not just POS). However, for the sake of this post, let us simply assume that as long as the key is secret that the data is secure. There have recently been two serious breaches related to security key management. One of them was at the security company RSA that makes a wide range of security products including security key management. The bottom line, several "secure" installations were hacked as a result of the RSA breach. Also, the SSL certificate provider DigiNotar was also breached. This means that if the P2P system used one of their certificates a hacker could potentially gain access to the system and decrypt those credit cards in transit.

The bottom line is this – P2P is an excellent technology that protects credit cards reliably. Hackers will have a hard time gathering the data, but to assume that things like firewalls, anti-virus programs, policies and procedures, physical security, and all of the other things that PCI requires will suddenly become obsolete is not likely going to happen any time soon.

User Comments – Give us your opinion!
  • Buddy Dog
    How about just using stand alone terminals and get it off your network!!!! Tell me that won't reduce scope?????
  • Marc Massar
    Brad - Not sure which of the vendors you talked to, but none of the vendors should be saying that something is or is not in scope for PCI DSS. That's for the QSA (or acquirer for small merchants) to say.
    I agree that the point of capture will always be "in scope" but when a QSA says that cardholder data isn't present outside of that point of capture from a PCI DSS perspective some of those prescriptions in the DSS just aren't going to apply. Will this make AV or firewalls obsolete? Of course not. Cardholder data is just a small part of the sensitive data world.
    As a vendor of one of the E2E solutions, when we talk with QSAs, merchants, and acquirers we are clear as to the benefits of E2E – it removes cardholder data from systems. Does it remove all card data? Maybe, maybe not depending on all of the inputs a merchant might have. We also don’t like to see product vendors claim that a merchant is completely out of scope. That’s just not correct in most cases.
    As far as the crypto side of things goes, I think we, as security professionals, need to make a distinction between key compromise and algorithm compromise. It is extremely unlikely – to the point of saying it is very near impossible – to think that an attacker after card data would ever be able to compromise a modern cipher. Let’s face it; it’s just not going to happen. Could an attacker compromise a key? That’s more likely, but still difficult if implemented properly. Your argument about compromise is misleading in my opinion and for less crypto-savvy readers this could lead them to conclusions about cryptography that are not correct. On the surface, your argument suggests that even PIN debit keys could be compromised due to an unrelated SSL certificate compromise from DigiNotar. This just isn’t the case.
    Thanks for writing this blurb on E2E/P2PE and scope, it’s good to see security professionals call out less responsible vendors on their “in-scope/out-of-scope” claims.

    -Marc Massar CISSP, ISSAP, NSA-IAM
  • Brad Cyprus
    Buddy Dog - Of Course if you remove the rest of the environment away from a stand alone credit card machine, it will reduce the scope. In fact, simply adding a P2PE device to the environment has the potential to reduce scope significantly. The point of my post is to clarify that this technology will not remove a location's obligation under PCI. As far as being able to simplify the PCI process and reduce what needs to occur, it is everyone's hope that this technology will have a major impact.
  • Brad Cyprus
    Marc Massar - It was never my intention to make a claim about the ability to break a cypher. In fact, I agree that breaking a modern cypher using any method like brute force or reverse engineering is nearly a mathematical impossibility. I was simply demonstrating that there are other methods of compromising the integrity of encryption by detailing some modern security breaches that became possible after the repositories of the root keys or SSL certificates were breached. In other words, if a root or master key is stolen, it can lead to hackers having the ability to decypher data. There is no doubt that the theft is unlikely, but in the past 6 months, there have been two breaches as I mentioned in my post that are related to this issue. It looks like hackers are focusing on penetrating protected key storage, and that might be an issue depending on the exact methology of encryption used by a P2PE solution.

    Furthermore, the company I had been talking to was a hybrid solution using both software certificate based encryption along with intelligent encryption credit card readers which integrate into a network POS system. Stand alone P2PE terminals are basically a segregated network all unto themselves, and if they authenticate their communication path, one could even agruge that they are performing the necessary firewall duties as required in PCI. In this case, PCI would probably still include the requirement of a firewal, but a merchant would probably have little to do in order to meet the compliance. Of course, it will depend on the exact environment, but I could easily see that as being the case.
Products & Services

POS health test: do a quick check


PeopleMatter HIRE™




MVR Reports


Custom Digital Signage Templates


Business Performance Management


Quote decoder: how to compare restaurant POS systems






Online Ordering


PCI Compliance & Network Security

Latest posts by Brad Cyprus
Brad Cyprus
Bradley K. Cyprus has more than 20 years experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.
Digital Menu Boards and ROI
Fast Casual Executive Summit
Request Information From Suppliers
Save time looking for suppliers. Complete this form to submit a Request for Information to our entire network of partners.