E2EE (End-To-End Encryption) is not a bad thing, but it does have its own set of risks. And it is those risks that do not get discussed that concern me. The reason for my concern is that if you discuss E2EE with any merchant, most see it as this panacea, something that will get them out of the PCI compliance game altogether. However, nothing could be further from the truth. If anything, E2EE may make PCI compliance even more daunting than it is today.
However, the end-point device that accepts the credit card remains in scope, and it is difficult to prove that the end point has not been tampered with.
The PCI Guru has a set of recommendations for securing the end point.