P2PE – Is It Really Protecting Your Business?
Point-to-Point Encryption (P2PE) is a technology that a lot of companies are using in their battle against cyber criminals. Its purpose is to turn all cardholder information into an indecipherable code when any debit or credit card is swiped. It is a great preventative measure, but is it enough on its own? Unfortunately, the answer is no.
A lot of business owners mistakenly believe that they are fulfilling all of their PCI commitments and that their sensitive data is secured because of the use of P2PE. Unfortunately, hackers can still find a way in, and we are not talking about using payment card skimmers. You only need to look at The Home Depot breach of 2014 to see that encryption on its own is not sufficient, and the effects can be devastating.
Last year, The Home Depot announced that it had been the victim of a monumental data breach, which saw the data of approximately 56 million cardholders compromised. The breach occurred in April. However, it went unnoticed until September. And, just to add insult to injury, The Home Depot had been implementing an encryption program since January of that year. But hackers still found a way in.
They were able to access The Home Depot’s payment system because they found a way into the network via third-party credentials. Once they were in the network, they were able to access the payment systems used in-store. They then installed custom malware, which had the ability to extract all cardholder information from the company’s registers in stores across the US and Canada. Once the data was extracted, it was sent back to the cyber criminals via servers overseas.
So, what could The Home Depot have done to stop this data breach? All they needed to do was segregate the network efficiently, and this, alongside P2PE, would have been enough to prevent the breach from occurring. Network segregation is of paramount importance, as it ensures all cardholder information is separated from everything else on the network. When the hackers entered The Home Depot network, they wouldn’t have got access to the in-store payment systems, as these would have been located in a separate Cardholder Data Environment (CDE) where access is completely restricted.
Network segregation is one of the main features of our cloud-based cyber security system, RetailCompli. If The Home Depot had our solution in place, the information of 56 million cardholders would not have been compromised, and the company would not have lost monumental sums of money and taken a huge reputational hit.