Expanding the growing range of Thales Data Protection on Demand (DPoD) services, DPoD now offers its first of payShield Cloud Services – P2PE (Technology Preview). Joining our already robust offering of Luna Cloud HSM, CipherTrust Key Management, and Partner Services, P2PE provides point to point encryption, decryption, key management and key distribution services.
This service is part of a broader Thales initiative to help enable existing and new customers in the payments arena to migrate to as-a-service offerings and soon to be released hosted services, with the proven assurance of over 30 years from leading Thales brands including payShield and Luna HSM that their data and transactions are secure.
Leveraging HSMs for P2PE
The PCI Security Standards Council P2PE requirements call for the use of hardware security modules (HSMs) with an appropriate security rating to protect access to the master keys. The P2PE Service, within payShield Cloud Services, utilizes a FIPS 140-2 Level 3 Luna HSM that protects the Base Derivation Key (BDK) master keys and enables a PCI P2PE compliant decryption environment to be established.
- Base Derivation Key (BDK) Management
Every payment network uses its own BDK encryption keys and all payment terminals using that network needs the relevant BDK in place before starting to process transactions. The keys used to encrypt payment data are derived from the BDK and typically change for each transaction.The service enables P2PE solution providers to use the keys generated for subsequent injection into the payment terminals as the initial BDK as part of the commissioning process
- Payment Data Decryption
Card data is encrypted at the point of card acceptance and remains in that state as it travels to the payment gateway and the processor. Interception of the data will be of no value to an attacker since the keys to decrypt are not accessible.Once the data reaches the secure confines of the DPoD P2PE service, the data is decrypted and passed to the bank or processor for authorization.
Secure transaction flow using P2PE
How do merchants benefit from using P2PE?
From a PCI DSS perspective, any system that has the capacity to decrypt account data comes into scope immediately, so the ability to insulate merchants by protecting keys within HSMs can have significant benefits for all concerned.
With DPoD P2PE, keys are decrypted in a FIPS certified HSM. At no time do merchants have access to the secure key needed for decryption. Since the merchants are not able decrypt cardholder data flowing through their networks, their compliance involvement is greatly reduced, therefore lowering the cost and time associated with those efforts. In addition, by using P2PE merchants are required to complete a shorter PCI Self-Assessment Questionnaire (PCI SAQ), making annual submittal faster and easier.
How does the Technology Preview work?
If you are interested in trying out the P2PE Technology Preview, sign up for a free DPoD evaluation, if you are not already registered. Once you are set up with an evaluation account, the P2PE Service, along with all the other DPoD services, will be visible and available to use from the marketplace. Until the P2PE Service status changes from Technology Preview to General Availability, it will remain a no-cost service.
Click here to learn more: