Point to Point Encryption (P2PE) for Credit Card Data entry in the Call Center
High-visibility credit card breaches have hit thousands of companies in recent years. While most media coverage has focused on Point-of-Sale (POS) systems, call center security has not received the same attention, even though accepting credit cards in a call center can be just as significant a risk to your business as POS. The call center challenge is two-fold. The first part is the human aspect: what call center employees do with the card data they hear or read. The second is the impact of card data on your IT infrastructure, a major concern for many companies. This article focuses on the IT systems challenge, and specifically on how Point to Point Encryption (P2PE) keypad solutions for card entry reduce that risk.
The old way of accepting credit cards
Historically, call centers have collected credit cards over the phone, by fax, and by mail. Long ago those card numbers were keyed into a terminal connected directly to a phone line, which kept the card data from ever passing through your network. While that keeps internal systems out of the cardholder data environment (CDE), such stand-alone terminals are error prone and time consuming precisely because they are disconnected from the order and accounting systems.
More recently, companies have upgraded call center systems to accept credit cards directly into back-office accounting systems. The card data is then sent through internal IT systems to the processing network, typically via a payment gateway. This can leave unencrypted card data exposed on internal company networks, where criminals may be able to steal it.
Companies today want to integrate payment acceptance with existing internal systems while minimizing the security and PCI impact on those systems. The major challenge with cards entered via a PC keyboard is that the card number exists in the clear on your internal systems, on both the agent's desktop and the internal servers it passes through. There is a better way.
Keypad entry using a P2PE SRED keypad
One way to keep clear-text card data off your network is to use a P2PE keypad for entry of the card number. As shown in the diagram below, the card data is encrypted inside the device before it leaves it, so unencrypted card data is no longer stored, processed, or transmitted on your network.
Only the gateway/processor can decrypt the card data; the merchant cannot. This relieves the merchant of key management responsibilities, which simplifies PCI DSS scope around the key management requirements. (Note that the formal scope reduction recognized by the PCI SSC applies to solutions on its list of validated P2PE solutions; for other encrypting solutions, how much scope your assessor and acquirer are willing to take off the table is their call.)
What is SRED?
SRED stands for Secure Reading and Exchange of Data. It is a module of the PCI PIN Transaction Security (PTS) point-of-interaction requirements that tells device manufacturers how the device must be built so that account data is encrypted immediately on entry; these requirements include tamper resistance. SRED was introduced as an optional module in PTS 3.0, so a PTS 3.0 approval by itself does not guarantee it: check that SRED appears among the approved functions on the device's listing. For more information on SRED, see https://www.pcisecuritystandards.org/documents/pci_pts_faqs.pdf
Why is P2PE so Important?
P2PE stands for Point to Point Encryption, and it differs significantly from the encryption most people think of when they encrypt card numbers or other data inside their organization. With encryption you perform yourself, someone in your organization (the key custodian) can always decrypt the card data. That person and that key are a risk factor, and they place additional PCI DSS burden on your organization: key generation, dual control, rotation and destruction all become your problem. With P2PE, as the name implies, one party encrypts and a different party decrypts. For our purposes the encrypting party is the keypad and the decrypting party is the payment gateway. The keypad's key is injected by the manufacturer (or a key injection facility) before the device ships, and the matching decryption key is known only to the payment gateway. No one in your organization can decrypt the card number as it crosses your network, which can simplify PCI DSS certification efforts.
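To make the separation of roles concrete, here is an added example in Go; it is not code from the original article, from CDI, BluePay, or any keypad vendor. It assumes a simplified key scheme: a base key injected into the keypad and known to the gateway, from which a per-transaction AES-256-GCM key is derived by HMAC over the device ID and a counter (real devices use DUKPT, ANSI X9.24). The device ID, base key value, envelope layout and card number are constructed for the demo. The merchant application only relays the envelope, a guessed key fails authentication, and the gateway rejects replays and tampering.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// baseKey stands in for the secret injected into the keypad before it ships and
// known otherwise only to the gateway. Constructed value for this demo; a real
// device gets a unique key from a key injection facility and uses DUKPT (X9.24).
var baseKey = []byte("demo-injected-base-key-32-bytes!")

// Envelope is the only form in which card data crosses the merchant's network.
type Envelope struct {
	DeviceID   string // serial of the keypad that encrypted the data
	Counter    uint32 // per-transaction counter, standing in for a DUKPT KSN
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// txnKey derives a fresh AES-256 key per transaction, so one captured envelope
// tells an attacker nothing about any other transaction.
func txnKey(base []byte, deviceID string, counter uint32) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	mac := hmac.New(sha256.New, base)
	mac.Write([]byte(deviceID))
	mac.Write(c[:])
	return mac.Sum(nil)
}

// gcmFor cannot fail here: txnKey always yields a 32-byte key, a valid AES-256 size.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Keypad is the encrypting party; Encrypt runs inside the tamper-resistant device.
type Keypad struct {
	DeviceID string
	counter  uint32
}

func (k *Keypad) Encrypt(pan string) Envelope {
	k.counter++
	aead := gcmFor(txnKey(baseKey, k.DeviceID, k.counter))
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	// The device ID is authenticated data, so an envelope cannot be re-labelled.
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(k.DeviceID))
	return Envelope{DeviceID: k.DeviceID, Counter: k.counter, Nonce: nonce, Ciphertext: ct}
}

// MerchantRelay is all the merchant application does with card data: forward it.
// Its result is what a sniffer on the merchant network would see.
func MerchantRelay(env Envelope) string {
	return fmt.Sprintf("P2PE1:%s:%d:%x:%x", env.DeviceID, env.Counter, env.Nonce, env.Ciphertext)
}

// MerchantCanDecrypt: without the injected key a guess fails GCM authentication,
// even though the derivation scheme itself is public.
func MerchantCanDecrypt(env Envelope, guessedBase []byte) bool {
	aead := gcmFor(txnKey(guessedBase, env.DeviceID, env.Counter))
	_, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
	return err == nil
}

// Gateway is the decrypting party and, besides the device, the only key holder.
type Gateway struct {
	lastCounter map[string]uint32 // highest counter seen per device, to reject replays
}

func NewGateway() *Gateway { return &Gateway{lastCounter: map[string]uint32{}} }

func (g *Gateway) Decrypt(env Envelope) (string, error) {
	if env.Counter <= g.lastCounter[env.DeviceID] {
		return "", fmt.Errorf("replayed or stale counter %d", env.Counter)
	}
	aead := gcmFor(txnKey(baseKey, env.DeviceID, env.Counter))
	pan, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
	if err != nil {
		return "", fmt.Errorf("envelope rejected: %w", err)
	}
	g.lastCounter[env.DeviceID] = env.Counter
	return string(pan), nil
}

func main() {
	kp, gw := &Keypad{DeviceID: "KP-0001"}, NewGateway()
	env := kp.Encrypt("4111111111111111") // public Visa test number, constructed input
	fmt.Println("on merchant network:", MerchantRelay(env))
	fmt.Println("merchant can decrypt:", MerchantCanDecrypt(env, []byte("merchant-guess")))
	fmt.Println(gw.Decrypt(env)) // gateway recovers the PAN
	fmt.Println(gw.Decrypt(env)) // same envelope again: replay rejected
}
```

The point to take from the structure is that the merchant's code path (MerchantRelay) has no key to lose, so a compromise of the call center network or desktop yields only envelopes. The counter check is the gateway's business, not the merchant's; a real gateway also tracks the key serial number per device so that an envelope from one device cannot be replayed as another's.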
What Keypad should I use?
The keypad you choose must be certified to the PTS 3.0 standard or later, with SRED listed as an approved function. PTS 3.0 was the first version whose approval covers entry of the card number itself (account data) rather than only the PIN; PTS 2.0 devices, although they encrypt, are approved only for PIN entry.
Features of a system built on a PTS 3.0 certified P2PE keypad should include:
- Card data is encrypted before it leaves the keypad.
- The keypad is tamper resistant, erasing its keys if the case is opened or probed.
- Decryption can only be done by a trusted party, typically the payment gateway.
- The keypad integrates with your payment application.
- Your payment application disallows keyboard entry of card data (otherwise, it is just an honor system).
For a list of approved devices see https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices. The list also includes devices certified under PTS 2.0, so be sure to check the version number and that SRED appears among the approved functions on the product listing.
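The last item in the list above is the one your application developers control, so here is an added example in Go of the input gate a payment application can put in front of every order-entry field; it is not the article's code and not SnapPay's. The card field accepts only an opaque keypad token (a constructed "P2PE1:" format assumed for this example) and nothing else, and every field, including free-text notes, is rejected if it carries a Luhn-valid run of 13 to 19 digits, so a card number typed or pasted from the keyboard cannot get in. The card numbers in main are the industry's public test values, used here as constructed input.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// envelopeRe describes the opaque token the keypad hands to the application:
// prefix, device ID, transaction counter, nonce and ciphertext in hex. The layout
// is constructed for this example; a real integration uses whatever the vendor SDK emits.
var envelopeRe = regexp.MustCompile(`^P2PE1:[A-Z0-9-]+:[0-9]+:[0-9a-f]{24}:[0-9a-f]{32,}$`)

// candidateRe finds runs of 13 to 19 digits, allowing the spaces or dashes an
// agent would type when keying a card number by hand.
var candidateRe = regexp.MustCompile(`(?:[0-9][ -]?){12,18}[0-9]`)

// luhnValid is the check-digit test every card number passes.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindPANs returns every Luhn-valid 13 to 19 digit number in s, separators removed.
// The Luhn test keeps order and phone numbers from tripping the guard.
func FindPANs(s string) []string {
	var found []string
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range candidateRe.FindAllString(s, -1) {
		digits := strip.Replace(m)
		if len(digits) >= 13 && len(digits) <= 19 && luhnValid(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// ValidatePaymentInput is the gate every order-entry field passes through before
// the application stores or forwards it. The card field must carry a keypad
// envelope and nothing else; no field at all may carry a clear-text card number.
func ValidatePaymentInput(field, value string) error {
	if field == "card" {
		if envelopeRe.MatchString(strings.TrimSpace(value)) {
			return nil
		}
		if len(FindPANs(value)) > 0 {
			return fmt.Errorf("field %q: clear-text card number typed; use the P2PE keypad", field)
		}
		return fmt.Errorf("field %q: expected an encrypted keypad envelope", field)
	}
	if pans := FindPANs(value); len(pans) > 0 {
		return fmt.Errorf("field %q: contains %d card number(s); card data may only enter via the keypad", field, len(pans))
	}
	return nil
}

func main() {
	envelope := "P2PE1:KP-0001:7:" + strings.Repeat("0a", 12) + ":" + strings.Repeat("ab", 32)
	inputs := [][2]string{ // constructed inputs
		{"card", "4111 1111 1111 1111"},
		{"card", envelope},
		{"notes", "customer called back, card 5555-5555-5555-4444 exp 12/26"},
		{"notes", "order 1234567890123 shipped"},
	}
	for _, in := range inputs {
		fmt.Printf("%-5s %-62q -> %v\n", in[0], in[1], ValidatePaymentInput(in[0], in[1]))
	}
}
```

Apply the guard server-side, not only in the desktop form, and log the rejection (field name and count only, never the digits) so you can see which agents or screens keep trying to type card numbers. The digit-run heuristic is deliberately simple; a PAN buried inside a longer digit run would slip past it, so production code should also slide a window over longer runs.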
How can CDI help?
In conjunction with our parent company BluePay, we offer the only payment solution from a single company for JD Edwards and SAP customers that spans the entire order-to-cash process. We offer PTS 3.0 keypad devices along with our payment offering, SnapPay.
I hope this demystifies one solution that simplifies your PCI DSS obligations. To reduce the risk of credit card breaches originating in your call center, strongly consider entering credit cards via a keypad with P2PE encryption capabilities.