P2PE Challenges – Looking at Endpoint Devices
The Payment Card Industry Security Standards Council (PCI SSC) made several significant moves in its point-to-point encryption (P2PE) program this year: it trained assessors, released the program guide, and opened its submission portal for P2PE assessment reports.
Somewhat interestingly, the market hasn’t shown much enthusiasm for this. I think we can attribute that to a few particular factors, most of which center on endpoint devices. This works out conveniently, since in my last blog post I said I’d discuss the first of the six domains in my next one.
New P2PE SAQ and Program Guide Released
Merchants and service providers curious about point-to-point encryption (P2PE) will be interested in two documents recently released by the PCI Security Standards Council. One of the documents is a new Self-Assessment Questionnaire (SAQ) for P2PE merchants. The other is version 1.0 of the P2PE Program Guide. Each has information worth your attention, and each is available now in the Council’s Documents Library.
403 Labs Becomes P2PE Qualified Security Assessor and P2PE Payment Application Qualified Security Assessor
Brookfield, WI – June 1, 2012 – 403 Labs, LLC, a leading information security consulting and services company, has been certified as a Qualified Security Assessor for Point-to-Point Encryption (QSA (P2PE)) and Payment Application Qualified Security Assessor for Point-to-Point Encryption (PA-QSA (P2PE)) by the Payment Card Industry Security Standards Council (PCI SSC).
P2PE Hardware Solution Requirements and Testing Procedures
A few weeks ago, the Payment Card Industry Security Standards Council (PCI SSC) released version 1.1 of the P2PE Hardware Solution Requirements and Testing Procedures. Shortly thereafter, the PCI SSC held its first training session for assessors. 403 Labs attended and we are now officially certified as a Qualified Security Assessor for Point-to-Point Encryption (QSA (P2PE)) and Payment Application Qualified Security Assessor for Point-to-Point Encryption (PA-QSA (P2PE)) by the Payment Card Industry Security Standards Council (PCI SSC).
Like much of the industry, we’ve waited for P2PE like kids waiting for Christmas, and though it’s finally here, it has some complexities and challenges worth discussing. This post marks the first in a series of explanations and discussions of P2PE.
As of right now, solution providers can obtain P2PE approval only for a hardware/hardware solution: a hardware point of interaction (POI) with PCI PTS (PIN Transaction Security) approval that encrypts account data at the point of capture, and a hardware security module (HSM) that decrypts it on the back end. The PCI SSC does not yet permit software encryption or decryption, and likely will not for a while.
Probably the easiest way to try to understand this is to start with the stakeholders and what elements of a functional solution they address. After that, we’ll talk about the domains (requirements) a little more.
2011 Toorcon Seminar on Transparent Data Encryption
Jacob Ansari from 403 Labs conducted a seminar this past weekend at Toorcon 2011 in San Diego, CA titled “The Emperor’s New Cryptosystem: How Transparent Data Encryption Doesn’t Really Do Anything.”
PCI Council Issues Point-to-Point Hardware Solution Requirements
Point-to-Point Encryption (P2PE) is a technology that has many merchants interested and excited. The reason is that a properly configured P2PE solution can reduce a merchant’s PCI scope significantly and, therefore, lower their cost to validate and maintain PCI compliance.
The problem is that, so far, merchants have not had any P2PE products approved to reduce their PCI scope. However, given the PCI Council’s recently released requirements for hardware solutions, this situation may now be changing.
Reducing Encrypted Swap Size with LVM
Swap space extends physical RAM with space on a disk: when memory runs short, the kernel writes pages out to the swap device. Encrypting swap is a necessary evil, because those pages can hold the decrypted contents of encrypted files (and the keys protecting them), and without swap encryption they land on disk in the clear.
The standard Ubuntu installer makes encrypting swap a piece of cake: users who choose an encrypted home directory during installation automatically get encrypted swap as well.
Alternatively, if you find yourself without encrypted swap, and you’d like to encrypt it, the following script comes baked-in and makes the process pretty mindless:
Logical Volume Manager (LVM) makes it simple to resize logical volumes, which means we can take advantage of it if we ever find ourselves needing to shrink a swap volume without repartitioning the disk.
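As an added example (not the post’s own script), the following POSIX shell helper carries out the shrink in the order that matters: swap must be off and the dm-crypt mapping closed before the logical volume is reduced, and the mapping is then re-created so the crypttab `swap` option runs mkswap on the new, smaller device. The volume group `ubuntu-vg`, logical volume `swap_1`, mapper name `cryptswap1` and the 2G target are assumptions matching a default Ubuntu encrypted-swap layout; adjust them to your system.

```shell
#!/bin/sh
# Shrink a random-key encrypted swap LV on an Ubuntu/Debian LVM install.
# Added example, not from the original post. Assumed layout (adjust as needed):
#   /etc/crypttab: cryptswap1 /dev/mapper/ubuntu--vg-swap_1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
#   /etc/fstab:    /dev/mapper/cryptswap1 none swap sw 0 0
# Because the key comes from /dev/urandom at every boot, nothing in the old swap
# needs to be preserved, so lvreduce can run without a backup once swap is off.

# Accept LVM size arguments such as 512M, 2G or 1T (whole units only); reject 2GB, abc, "".
valid_lvm_size() {
    expr "x$1" : 'x[0-9][0-9]*[MGTmgt]$' >/dev/null
}

# Run a command, or just echo it when DRY_RUN=1, so the plan can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# reduce_encrypted_swap VG LV MAPPER NEW_SIZE
# Order matters: lvreduce refuses a busy device, and shrinking a live swap device
# would truncate pages the kernel still references.
reduce_encrypted_swap() {
    vg=$1; lv=$2; mapper=$3; size=$4
    valid_lvm_size "$size" || { echo "bad size: $size (use e.g. 2G)" >&2; return 2; }
    run swapoff "/dev/mapper/$mapper"           # stop using the swap device
    run cryptsetup close "$mapper"              # tear down the dm-crypt mapping (older cryptsetup: 'remove')
    run lvreduce -f -L "$size" "/dev/$vg/$lv"   # shrink the LV; -f skips the interactive confirmation
    run cryptdisks_start "$mapper"              # re-create the mapping; the crypttab 'swap' option runs mkswap
    run swapon "/dev/mapper/$mapper"            # back in service at the new size
}

# Stand-alone: print the plan for the assumed names. Run as root with DRY_RUN=0 to execute.
: "${DRY_RUN:=1}"
reduce_encrypted_swap ubuntu-vg swap_1 cryptswap1 2G
```

Review the dry-run output before setting `DRY_RUN=0`, and run it as root. After `lvreduce` the freed extents are available to `lvextend` another volume. One caveat: if the machine hibernates to this swap volume (a `resume=` setting pointing at it), shrinking it below the size of RAM will break resume from hibernation, so check that first.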
Anticipating PCI SSC Guidance on Point-to-Point Encryption
Along with the start of the NFL season (and the welcome end of the baseball season for my Giants), this autumn should bring the PCI Security Standards Council’s much anticipated guidance on Point-to-Point Encryption (known by its complicated acronym, P2PE). The Council has had a task force examining this technology for about two years, and their final report is promised before the end of the year.
Thinking About Scope and Scope Reduction Techniques
When dealing with PCI DSS compliance, one of the first and most essential steps is addressing scope. My colleague, Walt Conway, calls it Requirement 0: reduce the scope of your payment environment to reduce your compliance burden.
This is good advice; reducing your scope by eliminating data stores, simplifying your transaction process, or segregating your payment-related networking from other stuff does, in fact, reduce your scope and, if done correctly, will actually help you secure your really important assets from attack.
Disk Encryption and PCI Requirement 3.4.1
Disk encryption is a bit of a tricky subject. Like many things in the PCI realm, it is a double-edged sword. On one side, you set the system up once and a single authentication opens the crypto store for everything on it. On the other side, the bad guys have that exact same ease of use at their disposal: once the volume is unlocked, any process or account on the running system reads the data as plaintext.
Let’s see what the PCI DSS v2.0 has to say…