Are Retailers being left exposed to the weak link in the PCI/P2PE chain?
Aug 05, 2015
Since the creation of bank cards and electronic financial transactions, fraud and data security have been constant concerns for customers and organisations alike, but modern standards such as PCI DSS and P2PE can keep customer finances and data far more secure than ever before.
The Payment Card Industry Data Security Standard, or PCI DSS for short, is a worldwide standard set up to help businesses process card payments securely and reduce card fraud, through tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle.
Due to the sensitivity of the data handled in the process, adopting PCI DSS is seen as a high priority for retailers. If a retailer isn’t PCI DSS compliant and loses customer card data, it risks incurring Card Scheme fines, and may also be liable for the fraud losses incurred against those cards and the operational costs of replacing the accounts.
PCI DSS’s encryption technology ‘scrambles’ the card data as soon as the card is inserted into the PIN Entry Device (PED), even before the data is sent to the Payment Service Provider (PSP), meaning no unencrypted data is transferred – this is referred to as Point to Point Encryption, or P2PE.
To comply with PCI DSS, the PEDs have to be looked after carefully, checked for signs of tampering or compromise and registered onto the PSP’s network. The deployment and ongoing servicing of PEDs is often the weak link in the chain.
Barron McCann offers customers a unique, comprehensive P2PE service from when the PEDs arrive from the manufacturer right through the installation process and repair/service process. Currently around 55,000 tills are maintained by Barron McCann, and at least 80 percent of these are PCI compliant.
Our process is built around continual checking in and reporting. When the PEDs arrive we scan their serial numbers and check them against the delivery report, so every device is in our system and we can report on where it is and where it goes. Each PED is then allocated to a store and till lane, which is marked on the outside of the box.
Each time the box changes hands, the serial number is logged and a record is kept of who holds it now. All handlers check the number, which is listed on a tamperproof label, before forwarding the PED on to the engineer. The box is then checked in by the engineer or logistics partner. If the PED fails on fit it is sent back to the workshops and then returned to stock; at each stage the PED is monitored and tracked. We liaise with PED manufacturers over repairs, and again ensure the procedures followed comply and are signed off by the Retailer’s QSA.
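The chain-of-custody process described above, as an added illustration that is not Barron McCann’s own system: a small ledger that reconciles scanned serials against the delivery report, allocates each PED to a store and till lane, re-checks the tamperproof label at every hand-over (quarantining the box on a mismatch), and records the fit result. All serials, handler names and the `PedCustodyLedger` class are constructed for this example.

```python
from dataclasses import dataclass, field

DELIVERY_REPORT = ["PED-0001", "PED-0002", "PED-0003"]  # constructed sample manifest

@dataclass
class PedRecord:
    serial: str
    location: str = "stock"       # store/lane once allocated
    status: str = "received"      # received, allocated, installed, workshop, quarantined
    history: list = field(default_factory=list)  # (event, handler) audit trail

class PedCustodyLedger:
    """Hypothetical ledger tracking each PED from delivery to till lane."""
    def __init__(self, delivery_report):
        self.expected = set(delivery_report)
        self.peds = {}

    def receive(self, scanned_serial, handler):
        # Reconcile the scanned serial against the delivery report on arrival.
        if scanned_serial not in self.expected or scanned_serial in self.peds:
            raise ValueError(f"unexpected or duplicate PED {scanned_serial}")
        rec = PedRecord(scanned_serial, history=[("received", handler)])
        self.peds[scanned_serial] = rec
        return rec

    def allocate(self, serial, store, lane, handler):
        rec = self.peds[serial]
        rec.location, rec.status = f"{store}/lane-{lane}", "allocated"
        rec.history.append((f"allocated to {rec.location}", handler))

    def hand_over(self, serial, label_serial, handler):
        # Each handler re-reads the tamperproof label; a mismatch means the box
        # no longer matches its record, so it is quarantined instead of forwarded.
        rec = self.peds[serial]
        if label_serial != serial:
            rec.status = "quarantined"
            rec.history.append((f"label {label_serial} != record", handler))
            return False
        rec.history.append(("handover", handler))
        return True

    def fit_result(self, serial, engineer, fitted_ok):
        # A PED that fails on fit goes to the workshop before returning to stock.
        rec = self.peds[serial]
        rec.status = "installed" if fitted_ok else "workshop"
        rec.history.append((rec.status, engineer))

    def unaccounted(self):
        # Serials on the delivery report that were never scanned in.
        return sorted(self.expected - set(self.peds))
```

The `unaccounted()` check is the one a QSA would ask for: any serial on the manufacturer’s report that never reached goods-in is a device whose whereabouts cannot be evidenced.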
This highly secure method dramatically reduces the risk of compromising cardholder data. Combined with DSS practices, there is very little room for any lapse in security, meaning retailers don’t have to worry that they will be the cause of serious financial issues for themselves and their customers.
The blogs I will post will be from various members of the Barron McCann team, from the MD to our Service Managers, Workshop team and Engineers. We will be commenting on all the issues that our customers in retail and government face, and sharing our expertise and experience as a major supplier of IT Services across the UK and Europe.