As we’ve outlined in the past, there are many reasons why merchants should embrace P2PE to keep cardholder data as safe as possible from cyber-criminals. But in October, we were handed yet another: a newly discovered flaw in the Wi-Fi protocol WPA2 used by most networks and devices worldwide.
The so-called KRACK vulnerability could allow determined attackers to harvest customer card data and deliver malware to retail systems. It makes the case for P2PE even more urgent.
Unlocking Wi-Fi security
As explained in detail by Optomany partner Foregenix, KRACK (Key Reinstallation Attack) exposes vulnerabilities in the WPA2 protocol used by the vast majority of businesses for ‘secure’ Wi-Fi. Unfortunately, the four-way handshake used to set up encryption can itself be compromised. This means attackers within range could read data travelling over supposedly secure wireless networks, manipulate that data, or even insert malware.
What the hackers can do will depend on what technology providers the merchant is using, as many implement WPA2 in a slightly different way, leading to multiple variants of the attack. It’s true that many vendors have already prepared patches to fix the issue: Microsoft, Cisco, Intel, Apple, and Linux are just some of the big names to have acted quickly to try and halt the impact of KRACK attacks.
However, many merchants might be too busy focusing on growing their business to take time out to understand the technical details of yet another cybersecurity problem. Upgrading firmware and operating systems isn’t always as straightforward as it sounds and can impact productivity, while switching off Wi-Fi completely will not be a practical solution for many. As a result, there could be countless retailers out there exposed to the vulnerability without knowing it.
P2PE keeps card data secure
That’s where P2PE comes in. P2PE encrypts card data from the point of interaction until it reaches a secure third-party decryption environment, rendering it unreadable and unusable by any hackers that may be able to snoop your Wi-Fi traffic. The bottom line is, if you implement P2PE solutions, your cardholder data remains protected, even from KRACK-based attacks.
That’s not all. Merchants using P2PE have fewer applicable PCI Data Security Standard (PCI DSS) requirements, which helps to greatly simplify and substantially lower costs for what can be a time- and resource-intensive task. In effect, it can reduce PCI requirements from 300+ to fewer than 35.
So why aren’t more organizations using P2PE? Well, the truth is that many are mid-way through the life-cycle of existing systems, and can’t afford to absorb the hardware and implementation costs involved at this stage.
Optomany’s axept® platform is one of a small number on the market that is fully P2PE-approved; in fact, axept® was the first globally to receive certification with version 2 of the standard. All data is encrypted within the payment terminal, meaning it remains hidden from potential snoopers until it leaves the retailer’s environment and is securely decrypted in the Optomany environment.
However, be aware that you may send other data types within your environment over Wi-Fi that are not protected by P2PE. For those cases it would be advisable to patch your devices, PCs and Wi-Fi networks as soon as possible.