SEM01A - Point-to-Point Encryption and PCI Compliance: Big Promise, Hard Questions (separate registration required)

Monday, April 15 | 9:30AM–1:00PM | Salon A
Session Type: Professional Development
While there might not be any silver bullets to make your campus PCI compliant, Point-to-Point Encryption (P2PE) looks like it might come pretty close, at least in some situations. It can reduce a merchant's PCI scope to the card reader, thereby removing payment applications and databases from PCI scope. The PCI Council has published its P2PE program details, and we can expect the first approved solutions soon. The questions for campuses are: what does it take for a P2PE solution to deliver the expected benefits; what will it cost; and, importantly, what alternative "approved solutions" might offer a better cost/benefit tradeoff with the same benefits?

In this session we will dive into the requirements and inner workings of P2PE, assess the real costs of implementation, and identify which campus merchants will benefit most. Then we will explore how campuses might achieve many of the same scope-reduction benefits from existing third-party encryption solutions. We will identify the hard questions to ask and describe the contract terms you must include. We also will look at possible changes to PCI version 3.0, which will take effect in 2013.

There are no silver bullets in PCI, including P2PE, but schools may have some practical options to reduce PCI scope and the cost of PCI compliance.


  • Walt Conway, QSA, 403 Labs, LLC