Point to Point Encryption (P2PE) is the encryption standard for all cardholder information as required by the PCI SSC (Payment Card Industry Security Standards Council). The standard dictates that cardholder information is encrypted immediately after it is read by a payment terminal and remains encrypted until it is processed by the payment processor. This means the data is protected while it is in transit from point to point and cannot be used if stolen.
PCI P2PE Standard Requirements
A complete point to point encryption solution will include strong encryption software, as well as all the other hardware and software needed to utilize P2PE. Whether you choose a complete P2PE solution or piece together P2PE applications and components, the system must be validated by a PCI-qualified P2PE assessor. If a P2PE solution receives PCI validation, that means it meets all of the requirements laid out in the PCI P2PE Standard.
PCI P2PE standard requirements include:
- Encryption at the Payment Terminal
Encryption must happen at the payment terminal before the data is sent anywhere else, ensuring it cannot be stolen en route to encryption. The encryption environment must be secure, using software and devices validated by a PCI-qualified P2PE assessor.
- Complex Encryption
The encryption used at the payment terminal must be complex enough to keep payment data secure. A high level of encryption will ensure that malicious actors cannot decrypt the data with brute force if the data is stolen.
- Encryption Key Management
All encryption keys must be kept in a secure location, apart from the encrypted data, so they cannot be stolen and used to access encrypted data.
- A Secure Decryption Environment
Whenever the encrypted data is decrypted for use, it must be done in a secure environment.
These requirements are put in place to ensure that data is only decrypted when essential and only in secure environments. They ensure that every element, from the devices used in the encryption process to the kind of encryption being used, is up to the PCI SSC's rigid standards for payment processing.
How does P2PE Work?
Simply put, P2PE encrypts data as it is read by the payment terminal. This turns the sensitive data into ciphertext, which is useless to any party that does not hold the key to decrypt it. That key is used to decrypt the data only once it has been delivered to the payment processor's secure environment. This accomplishes several key things:
- Protects The Point of Entry
Cardholder data is encrypted inside the card reader, rendering the information it gathers useless to skimming attacks that target the data at its point of entry.
- Protects Data in Transit
Encrypted data is safe to transfer over networks on its way to a secure payment gateway, which will be able to securely pass the data on to the bank necessary to complete the transaction.
- Reduces a Merchant's PCI Scope
Because cardholder data is immediately encrypted and then transferred to the bank, it never needs to be handled by the merchant. If the merchant stored this sensitive data within their systems, that would widen their scope for PCI compliance dramatically.
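The flow described above, together with the key-management requirement earlier on the page (keys kept apart from the encrypted data), as an added example that is not part of the original page and not any P2PE provider's code. It models three parties: the terminal, which encrypts right after the card is read; the merchant's POS, which only ever sees a masked PAN and ciphertext; and the processor's decryption environment, the only place that holds the base key. The HMAC-based per-transaction key derivation, the terminal ID, the counter and all card values are constructed assumptions for illustration (the PAN is a standard test number); a real validated solution uses its own key-management scheme inside certified hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// CardholderData is what the terminal reads from the card.
type CardholderData struct {
	PAN    string
	Expiry string
}

// Capture is everything that leaves the terminal. Without the base key held
// in the processor's decryption environment, none of it yields the PAN.
type Capture struct {
	TerminalID string
	Counter    uint32 // per-transaction counter, never reused for a terminal
	Nonce      []byte
	Ciphertext []byte
	MaskedPAN  string // the only card-derived value the merchant POS may keep
}

// deriveTxnKey derives a per-transaction AES-256 key from the base key, the
// terminal ID and the counter. Assumption: a simplified HMAC construction
// standing in for a real P2PE key-derivation scheme (it is not DUKPT).
func deriveTxnKey(baseKey []byte, terminalID string, counter uint32) []byte {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte(terminalID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	mac.Write(c[:])
	return mac.Sum(nil) // 32 bytes
}

// maskPAN keeps only the last four digits for receipts and POS displays.
func maskPAN(pan string) string {
	if len(pan) < 4 {
		return "****"
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// TerminalEncrypt runs inside the payment terminal: the PAN is encrypted
// with AES-256-GCM before any merchant system can see it. The terminal ID is
// bound in as associated data so a capture cannot be replayed as another
// terminal's.
func TerminalEncrypt(baseKey []byte, terminalID string, counter uint32, card CardholderData) (Capture, error) {
	block, err := aes.NewCipher(deriveTxnKey(baseKey, terminalID, counter))
	if err != nil {
		return Capture{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Capture{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Capture{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(card.PAN+"|"+card.Expiry), []byte(terminalID))
	return Capture{TerminalID: terminalID, Counter: counter, Nonce: nonce,
		Ciphertext: ct, MaskedPAN: maskPAN(card.PAN)}, nil
}

// ProcessorDecrypt runs only in the processor's secure decryption
// environment. A wrong key, an altered capture or a mismatched terminal ID
// all fail GCM authentication rather than yielding garbage.
func ProcessorDecrypt(baseKey []byte, capt Capture) (CardholderData, error) {
	block, err := aes.NewCipher(deriveTxnKey(baseKey, capt.TerminalID, capt.Counter))
	if err != nil {
		return CardholderData{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return CardholderData{}, err
	}
	pt, err := gcm.Open(nil, capt.Nonce, capt.Ciphertext, []byte(capt.TerminalID))
	if err != nil {
		return CardholderData{}, fmt.Errorf("capture rejected: wrong key, altered data or wrong terminal")
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return CardholderData{}, fmt.Errorf("malformed plaintext")
	}
	return CardholderData{PAN: parts[0], Expiry: parts[1]}, nil
}

func main() {
	// Constructed demo values; a real base key lives only in the terminal's
	// secure hardware and the processor's HSM, never on merchant systems.
	baseKey := []byte("constructed-demo-base-key-not-for-use")
	card := CardholderData{PAN: "4111111111111111", Expiry: "1229"}
	capt, err := TerminalEncrypt(baseKey, "TERM-0001", 1, card)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant POS sees:", capt.MaskedPAN, hex.EncodeToString(capt.Ciphertext))
	plain, err := ProcessorDecrypt(baseKey, capt)
	if err != nil {
		panic(err)
	}
	fmt.Println("processor recovers:", plain.PAN, plain.Expiry)
}
```

The point of the split is scope: the merchant's POS, network and logs only ever carry the Capture struct, which is why P2PE lets the merchant hold no key and store nothing but the masked PAN. The two failure cases in ProcessorDecrypt are what a defender wants checked: the same capture decrypted with a different base key, or with a single ciphertext byte altered, is rejected outright.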
P2PE and PCI DSS Compliance
Using a P2PE provider that meets PCI P2PE requirements means that the burden of PCI compliance rests heavily on your provider, not on you as the merchant. If you're looking to reduce your system's scope for the PCI Security Standards Council, P2PE is one of the best solutions. This is because a P2PE provider removes the need for your business to handle or store sensitive information within your internal systems.
However, this does not mean your business is free from any PCI Compliance requirements. As the merchant, you must ensure that your payment terminals are free of risk and that any card payment data received outside of a payment terminal (such as at a call center) is adequately secured. Maintaining secure systems for any data that remains outside of the P2PE flow will be crucial to keeping cardholder data secure. This is still a much smaller burden than merchants without P2PE would face.
If you choose a P2PE provider that is not properly certified, or systems not validated by the PCI SSC, then these costly compliance concerns become yours once again. Finding a certified P2PE provider should be a top priority for merchants looking to reduce their PCI scope.
Looking for a flexible and secure P2PE solution? Check out the TokenEx P2P Encryption solution that secures sensitive data while preserving data utility.