
What you need to know about Point to Point Encryption

Published 29/10/2020

What is Point to Point Encryption?

Point to Point encryption, or P2PE, is the method by which card data is encrypted from the point of interaction (POI), such as a swipe or chip-and-PIN read, until it reaches a third-party solution provider such as a payment gateway, where the data is then decrypted for processing.

PCI validated P2PE is the standard set out by the PCI Security Standards Council (SSC) – the body behind PCI compliance. It is the most secure form of P2PE and is not to be confused with other P2PE solutions that claim to offer secure point to point encryption but are missing some of the fundamental criteria.

The PCI P2PE standard criteria state that, for a solution to be validated, it must adhere to the following:

  • Secure encryption of payment card data at the point-of-interaction (POI)
  • P2PE-validated application(s) at the point-of-interaction
  • Secure management of encryption and decryption devices
  • Management of the decryption environment and all decrypted account data
  • Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.

True P2PE compliance requires that the customer’s credit or debit card details are never stored on the merchant’s devices, and that the encrypted data is of no use if it is intercepted en route to the payment processor.

Ensuring you follow PCI validated P2PE standards will ultimately save you time and money when getting certified for PCI compliance, because it covers a lot of the requirements set out in the certification process.

Point to Point encryption vs End to End encryption

Essentially, both point to point encryption (P2PE) and end to end encryption (E2EE) are processes that encrypt data at the point of interaction (POI) and transfer it to an environment where it is decrypted – the point of payment processing. However, there are some technical differences with E2EE:

  • E2EE may pass through other processes before reaching the decryption environment
  • The merchant may be able to decrypt the data
  • The merchant may be able to store the data

These differences make end to end encryption a less secure method, because it is easier to compromise than point to point.

Point to point encryption ensures that the encryption / decryption keys are not available to the merchant. Effectively this means that the data in its true form can never be visible to the merchant, which is a much more secure method of encryption. This is not to say that the merchant would intentionally decrypt the data; it is more about whether a vulnerability exists that allows the merchant to be hacked and the data to be stolen.

Only the payment processor possesses the keys to decrypt the data, which it then passes to the customer’s bank for payment. The bank then either accepts or rejects the transaction in real-time.
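The key-separation idea in the two paragraphs above, written out as an added example (this is illustrative code, not Sage Pay’s implementation and not any real P2PE solution’s). It assumes a simplified model: the provider injects a per-device AES-256 key into the POI device at provisioning time and keeps a copy in its decryption environment; the merchant’s systems only ever handle the encrypted blob. AES-GCM is used here as a stand-in for the payment-industry key schemes a validated solution actually uses; the device serial, PAN and function names are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptedCapture is what leaves the POI device: the encrypted account data
// plus the device serial the decryption environment uses to look up its key.
type EncryptedCapture struct {
	DeviceSerial string
	Nonce        []byte
	Ciphertext   []byte // AES-GCM output: ciphertext followed by the 16-byte auth tag
}

// POIDevice models a PIN-entry device. Its key is injected by the solution
// provider during provisioning; the merchant's own systems never hold it.
type POIDevice struct {
	Serial string
	key    []byte // only the device and the decryption environment know this
}

// DecryptionEnvironment models the provider's key store, the only place in the
// flow where account data exists in clear text.
type DecryptionEnvironment struct {
	keys map[string][]byte // device serial -> injected key
}

// ProvisionDevice is a hypothetical, simplified stand-in for key injection:
// generate a fresh key, load it into the device, record it against the serial.
func ProvisionDevice(serial string) (*POIDevice, *DecryptionEnvironment, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	dev := &POIDevice{Serial: serial, key: key}
	env := &DecryptionEnvironment{keys: map[string][]byte{serial: key}}
	return dev, env, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Capture encrypts the PAN at the point of interaction, before any merchant
// system sees it. The serial is bound in as associated data so a blob cannot
// be presented under another device's identity.
func (d *POIDevice) Capture(pan string) (EncryptedCapture, error) {
	aead, err := newGCM(d.key)
	if err != nil {
		return EncryptedCapture{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCapture{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(d.Serial))
	return EncryptedCapture{DeviceSerial: d.Serial, Nonce: nonce, Ciphertext: ct}, nil
}

// MerchantView is everything the merchant's POS or back office can log or
// store: an opaque blob and a device identifier, never the PAN.
func MerchantView(c EncryptedCapture) string {
	return fmt.Sprintf("device=%s blob=%s", c.DeviceSerial, hex.EncodeToString(c.Ciphertext))
}

// Decrypt recovers the PAN inside the decryption environment. A blob altered
// in transit, or from a device this environment never provisioned, is rejected.
func (e *DecryptionEnvironment) Decrypt(c EncryptedCapture) (string, error) {
	key, ok := e.keys[c.DeviceSerial]
	if !ok {
		return "", errors.New("no key for device " + c.DeviceSerial)
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.DeviceSerial))
	if err != nil {
		return "", errors.New("authentication failed: data altered in transit or wrong key")
	}
	return string(pt), nil
}

func main() {
	// Constructed sample values: a made-up device serial and a well-known test PAN.
	dev, env, err := ProvisionDevice("PED-0001")
	if err != nil {
		panic(err)
	}
	capture, err := dev.Capture("4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees:  ", MerchantView(capture))
	pan, err := env.Decrypt(capture)
	fmt.Println("processor recovers:", pan, err)
	capture.Ciphertext[0] ^= 0x01 // one bit flipped en route
	_, err = env.Decrypt(capture)
	fmt.Println("tampered blob:  ", err)
}
```

Two things to notice when running it: the merchant-side string never contains the card number, because the POS holds no key to produce it, and a blob that is modified between the terminal and the decryption environment fails authentication instead of decrypting to garbage, which is what "of no use if intercepted en route" means in practice.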

End to end encryption is not validated by PCI standards and is therefore not part of PCI compliance.

Point to Point Payment Solutions

A point to point payment solution is advisable if you are a merchant who processes card payments. This could be online payments where users input card details or it could be offline transactions through a point of sale machine, either where the customer is present or over the phone. If you process any kind of card details as part of a transaction, P2PE immediately converts sensitive information to indecipherable code ready to be sent to the payment processor.

A P2PE solution provider is a third party who uses a combination of secure devices, applications and processes to encrypt the card data. They are responsible for the solution design and its security. Check that a solution claiming to be PCI validated P2PE actually is, as this isn’t always the case: it needs to have been validated by a P2PE QSA (Qualified Security Assessor for P2PE) or a P2PE PA-QSA (Payment Application Qualified Security Assessor for P2PE).

A good point to point provider will help you to navigate the P2PE minefield, helping to advise on a strategy to meet your security needs. They will manage the solution through design and roll out, and will be on hand for advice and troubleshooting.

Benefits of Point to Point Payment Solutions

It goes without saying that the PCI validated P2PE standards set the benchmark in the industry, but here are some of the benefits:

  • A much more secure method of encryption: the data cannot be decrypted between the payment interaction and the payment processing environment, so you can stop worrying about data protection and focus on what you do best as a business.
  • Less compliance burden when you apply for PCI certification: many of the requirements for PCI compliance are negated when a P2PE system is integrated, which makes the process much simpler and less costly.
  • More protection for your customers, which fosters trust: conversion, especially online, relies on two main elements – price and trust. If you use secure methods to protect your customers’ data, they are more likely to trust you.
  • Proof to card issuers that you take a responsible approach to data protection: this mitigates liability for data breaches and lowers the risk of banks refusing transactions or barring future transactions from your enterprise.
  • Lower risk of hacking and fraud: PCI standard P2PE can virtually eliminate data breaches involving payment card information.

Conclusion

There are a few different methods of encryption out there, which can be confusing if you’re just starting out, but if you want a system that’s PCI validated and one that will simplify the PCI compliance process, ensure you go for a solution that meets the standards set out by the PCI Security Standards Council. It will save you a lot in the long run if you are the target of online fraud.