Cutting Hidden Costs With Validated P2PE


After some challenging times for retailers, the UK economy looks as though it may finally have turned the corner: official figures show that recent growth has taken us past the pre-recession peak. While no one would claim this is anything but good news, many businesses are not quite out of the woods yet, as the figures showing growth at its weakest rate in three years make clear.

Retailers know they cannot afford simply to rest on their laurels and hope to reap the rewards of the economic upturn. They also need to find ways of minimising operational costs to ensure they remain competitive and maximise profitability. However, with competition for customers so fierce, they must do so in a way that does not negatively affect the overall customer experience, which is increasingly critical to on-going customer loyalty.

Fortunately, for many retailers, the cost of compliance is one that can be significantly reduced without having a negative impact on customer experience. By implementing a Payment Card Industry (PCI) validated Point to Point Encryption (P2PE) solution for in-store card payments, businesses can cut their on-going costs and drastically reduce the time associated with their annual audit.

A PCI-validated P2PE solution is the only route by which a retailer can take its in-store cardholder data flow out of scope for its own PCI DSS assessment: the card data is encrypted inside the payment terminal, before it ever reaches the retailer's Point of Sale (POS) or store network, and can only be decrypted in the solution provider's environment. The corollary is that the annual PCI assessment becomes significantly simpler and more streamlined, with the self-assessment questionnaire shrinking from more than 250 questions (SAQ D) to a far more palatable 18 (SAQ P2PE-HW). This is an enormous resource saving for businesses and a much more efficient process. In fact, it is estimated that the correct implementation of a PCI-validated P2PE solution can reduce on-going compliance costs by around 50%.

Above all, P2PE minimises the risk of a data breach in which customer cardholder data is compromised: because the POS and store network only ever handle ciphertext they cannot decrypt, malware on those systems yields no usable card data. In terms of customer confidence, such a breach could cause irreparable damage and completely jeopardise the customer's relationship with a brand. The icing on the cake is that, for the consumer, everything is business as usual.
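To make concrete what "encrypted before it reaches the POS" buys a retailer, here is an added example in Go; it is not code from the original article or from The Logic Group. A simulated terminal (POI) encrypts the track data under a device key with AES-GCM, the POS only ever holds the resulting blob, and the heuristic that POS memory-scraping malware uses (digit runs of PAN width that pass the Luhn check) finds the test PAN in the clear track but nothing in the POS buffer; only the provider's decryption step recovers the data. The key handling is a deliberate simplification: real P2PE solutions inject keys at a key-injection facility and derive per-transaction keys in HSMs, which this sketch does not model. The function names, the constructed sample track and the well-known test PAN 4111111111111111 are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// SampleTrack is a constructed example of what a POI reads from the card:
// the standard Visa test PAN (not a real account) plus an expiry date.
const SampleTrack = "4111111111111111=2512"

// panCandidate matches runs of 13 to 19 digits, the usual width of a PAN.
var panCandidate = regexp.MustCompile(`[0-9]{13,19}`)

// luhnOK reports whether a digit string passes the Luhn check-digit test.
func luhnOK(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ScrapeForPANs applies the memory-scraper heuristic: any PAN-width digit
// run that passes Luhn is reported as a card number.
func ScrapeForPANs(memory []byte) []string {
	var found []string
	for _, m := range panCandidate.FindAll(memory, -1) {
		if luhnOK(string(m)) {
			found = append(found, string(m))
		}
	}
	return found
}

// NewDeviceKey generates a 256-bit AES key. Assumption/simplification: in a
// real P2PE solution the key is injected into the terminal at a key-injection
// facility and its only other copy lives in the provider's HSM, never in the POS.
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtPOI is what the terminal does before anything leaves it: AES-GCM
// under the device key with a fresh random nonce, returned as nonce || ciphertext.
func EncryptAtPOI(key []byte, track string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(track), nil), nil
}

// DecryptAtProvider runs in the solution provider's decryption environment,
// the first place after the terminal where the card data exists in the clear.
func DecryptAtProvider(key, blob []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return "", fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	key, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptAtPOI(key, SampleTrack) // this blob is all the POS ever holds
	if err != nil {
		panic(err)
	}
	fmt.Println("scraper on clear track:", ScrapeForPANs([]byte(SampleTrack)))
	fmt.Println("scraper on POS memory: ", ScrapeForPANs(blob))
	plain, err := DecryptAtProvider(key, blob)
	fmt.Println("provider decrypts:", plain, err)
}
```

The scope argument is visible in the two scraper calls: the same heuristic that recovers the PAN from the clear track data has nothing to find in the buffer the POS and store network carry, and without the device key (held only by the terminal and the provider) the blob is useless to an attacker who compromises the retailer's systems.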

Although Point to Point Encryption is on many retailers' agendas already, one thing I learnt at PCI London on 1st July is that there is some confusion as to whether they have a PCI-validated P2PE solution in place already. The confusion stems from the fact that vendors have been offering P2PE solutions for some years, whereas the PCI Council only published its P2PE standard and began validating solutions in 2011, with the first validated solutions appearing on its list last year.

Retailers may therefore believe they have a fully validated P2PE solution when in fact they do not, and as a result they are not receiving the cost and resource savings that a properly validated solution brings. My clear advice to retailers seeking to realise the cost savings from a P2PE solution is to check that their solution appears on the PCI Council's list of validated P2PE solutions on the PCI website. While this alone should be reason enough to pursue a validated solution, retailers without one are also at risk of incurring additional costs in the form of fines from their acquirers: a retailer that completes the reduced assessment on the strength of an unvalidated solution has not actually met its PCI DSS obligations.

Once a business has a validated P2PE solution in place, the next step is to have its implementation of that solution assessed by its Qualified Security Assessor (QSA). As part of this the retailer will be required to adhere to the solution provider's P2PE Instruction Manual (PIM).

The PIM sets out the processes a retailer must follow in order to maintain compliance, such as the proper handling of the PIN Entry Devices (PEDs), which are the one part of the in-store estate that remains in scope once the card data they emit is encrypted. The PIM also outlines the provider's recommended operational procedures and best practice for using the P2PE solution. It is important, however, that retailers discuss the PIM with their QSA to settle on the options that best fit their specific business.

P2PE solutions are a great option for retailers looking to minimise costs but only when implemented correctly. If your solution isn’t PCI-validated, you’re not just missing out on savings; you’re potentially exposing yourself to additional costs.


Jon Banks is Director of Payments and Customer Loyalty at The Logic Group and is responsible for looking at how to enhance and develop the payments ecosystem to support better consumer interactions. Jon's expertise is built on a career spanning 17 years in the cards and payments industry, including roles as Client Director at Santander Cards, Head of New Product Development at GE Money and Product Leader at NatWest. Jon has a track record of developing innovative retail financial services payment and rewards propositions that drive business growth and has worked with many leading retail brands.