Simple PCI compliance for in-person payments

Point-to-point encryption (P2PE) is the Payment Card Industry (PCI) standard for using cryptography to securely collect and exchange payment information from an in-person device or terminal. By using P2PE, payment information is unreadable until it reaches a secure decryption environment. An in-person payment solution isn’t considered ‘P2PE’ unless it has been reviewed and validated by the PCI council. Solutions that aren’t PCI-validated certified are not considered P2PE and will incur additional PCI scope.

A ‘PCI-validated’ P2PE solution, like the one offered by TokenEx, has passed a rigorous evaluation from the PCI SSC to confirm that it meets the P2PE standard. This is important in not only ensuring appropriate security for in-person payments, but also reducing PCI scope related to in-person payments.

TokenEx uses AES encryption to provide modern, strong cryptography for payment transactions. However, our solution also supports TDEA (“Triple DEA”) encryption which is common for existing hardware.

Yes, when you accept credit card information using the P2PE solution, you will receive a Universal Token that be used across your different payment processors. This eliminates the burden of storing payment information in multiple systems and makes it easier to unify customer insights across your in-person and online channels.

Yes, you do. Encryption does help with securing payment data, but encryption alone does not reduce PCI scope. Utilizing a solution that isn’t PCI-validated means that your in-person payment flows will be under increased scrutiny during your PCI audit. This will require a big effort from your team to build, document, and audit processes to ensure that in-person payment data is handled appropriately.

Using a PCI-validated P2PE solution can remove your in-person payments from scope and reduce the number of PCI requirements you need to meet by up to 90%. This reduced scope translates to less time your team spends on preparing for audits and more time on other critical security initiatives.

Transactions using P2PE are priced per operation, similar to our other acceptance methods for Universal Tokens. A typical P2PE transaction will require two operations: one to decrypt the payment info and send it to a processor, and one to tokenize the data for future use. To learn more about our pricing, please visit: token.com/pricing.

The TokenEx P2PE solution can support any payment device or terminal that is on the list of PCI-approved PIN Transaction Security (PTS) devices. You can find a listing of PCI-approved PTS devices here.

You can find technical documentation at docs.tokenex.com.