Reduce PCI Scope by up to 69 Percent
Leading PCI QSA finds a properly deployed E3 wedge solution is one of the most effective data security controls available today and provides significant scope reduction for merchants and POS developers
A security assessment released by leading independent Payment Card Industry (PCI) Qualified Security Assessors (QSA), Coalfire Systems, confirms that Heartland Payment Systems’ E3 end-to-end encryption magnetic stripe reader (MSR) wedge can eliminate the scope of the Payment Application Data Security Standard (PA-DSS) for POS developers. This makes Heartland the first data security supplier in the payments industry to have the scope-eliminating capabilities of its technology validated and published by a third party assessor.
The PA-DSS is designed to eliminate the use of non-secure payment applications that store prohibited data elements, such as full magnetic stripe, CVV2 and PIN data, ensuring payment applications support compliance with the PCI DSS. E3 prevents plaintext data from being available to the payment application by encrypting sensitive payment card data at the moment of swipe, which allows the payment application to be removed from PA-DSS scope. To fully eliminate PA-DSS scope, Coalfire specifies provisions such as: no encrypted data may be stored locally; no other payment systems may be supported; and merchants may not possess or have access to decryption keys in their retail or corporate environments.
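As an added illustration of the provisions above (example code written for this page, not Heartland's or Coalfire's tooling), the following check screens what a POS application actually received for a structurally valid track 2 record with a Luhn-valid PAN, which would mean plaintext cardholder data reached the application, and then evaluates the remaining Coalfire provisions for a deployment. The track 2 layout follows ISO/IEC 7813; the swipe samples are constructed, and the "encrypted" one is only a stand-in for format-preserving ciphertext, since the article does not describe E3's actual output format.

```python
import re
from dataclasses import dataclass

# Track 2 layout per ISO/IEC 7813: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check digit test used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_plaintext_track2(app_input: str) -> bool:
    """Screen what the POS application received: a structurally valid track 2
    with a Luhn-valid PAN means plaintext reached the application. Heuristic:
    a digits-only ciphertext passes Luhn about one time in ten, so treat hits
    as findings to investigate, not proof."""
    return any(luhn_ok(m.group(1)) for m in TRACK2_RE.finditer(app_input))

@dataclass
class WedgeDeployment:
    app_inputs: list            # captures of data handed to the payment app
    stores_encrypted_data_locally: bool
    supports_other_payment_systems: bool
    merchant_holds_decryption_keys: bool

def pa_dss_scope_blockers(d: WedgeDeployment) -> list:
    """Return the Coalfire provisions (as listed in the article) that the
    deployment fails; an empty list means nothing found that keeps PA-DSS in scope."""
    blockers = []
    if any(contains_plaintext_track2(x) for x in d.app_inputs):
        blockers.append("plaintext cardholder data reaches the payment application")
    if d.stores_encrypted_data_locally:
        blockers.append("encrypted cardholder data is stored locally")
    if d.supports_other_payment_systems:
        blockers.append("application also supports other payment systems")
    if d.merchant_holds_decryption_keys:
        blockers.append("merchant has access to decryption keys")
    return blockers

# Constructed samples: a plaintext swipe using a well-known test PAN, and a
# stand-in for a format-preserving ciphertext (digits kept, PAN not Luhn-valid).
PLAINTEXT_SWIPE = ";4111111111111111=25121011234567890?"
ENCRYPTED_SWIPE = ";4111119876543210=25121019876543210?"
```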
Coalfire’s assessment also documents the E3 wedge’s ability to reduce the scope of PCI compliance for merchants by up to 69 percent, based on the PCI DSS controls that are reduced or removed from scope with proper E3 MSR wedge deployment. This scope reduction significantly lowers the associated costs of PCI compliance assessment and validation for business owners. Last month, Coalfire released a separate assessment that found similar scope-reducing capabilities in Heartland’s standalone E3 terminal.
Commercially launched in November 2010, Heartland’s E3 wedge is the first MSR in the industry that encrypts sensitive cardholder data in a tamper-resistant security module (TRSM) much like that of a PIN debit encrypting device. Heartland developed the wedge to offer merchants a variety of security options using computer-based POS systems, as well as address the epidemic of data breaches in the retail and hospitality industries — two of the “Big Three” industries affected by data breaches because of the frequent use of POS systems. These sectors account for 15 and 23 percent, respectively, of investigated data breaches, according to the 2010 Verizon Business Data Breach Investigations Report.
“Providing the highest level of data security has always been at the core of E3’s value proposition, but the byproducts of drastically reducing PA-DSS and PCI scope — as well as the associated complexities and costs — are also highly desirable to POS developers and business owners,” said Steve Elefant, Heartland’s chief information officer. “We estimate developers can save tens of thousands of dollars by leveraging E3 wedge technologies to reduce or eliminate PA-DSS scope for their applications. And for merchants, E3 not only provides an easy solution for safeguarding customer data with the most secure data security solution currently available, but also enables them to save substantial amounts of money and resources. We can attribute the adoption of E3 technology by nearly 10,000 business owners in less than a year’s time to these key benefits.”
“Heartland is expert at anticipating the needs of the industry and its merchants and delivering to them with effective and cost-efficient technologies,” said Kennet Westby, president and COO of Coalfire. “The fact that E3 — with tamper-resistant, hardware-based encryption, unique encryption keys for all devices and frequent key rollover, among other features — is well aligned with the security roadmap outlined in the PCI Emerging Technology Whitepaper on encryption is a perfect example of that.”
Other significant points in the Coalfire report:
- A properly deployed E3 wedge solution can provide significant risk mitigation of data compromise and is one of the most effective data security controls available to merchants today.
- The E3 wedge’s use of Format Preserving Encryption (FPE) meets encryption best practices and standards for cryptographic algorithms and key strength and meets industry standards and VISA best practice guidance.
- The use of Identity-Based Encryption (IBE) key management processes removes most of the challenges of key management for the merchant that have been found in many other end point encryption solutions.
The full report can be read at E3secure.com/Coalfire.