What is P2PE?

P2PE stands for point-to-point encryption. From the moment payment card data is taken by a Point of Sale (POS) device, the data is immediately encrypted. Encryption is the process of converting information into an unintelligible form. Holders of specific cryptographic keys can read, or decrypt, the information, however. With P2PE, the data remains encrypted until it reaches that secure decryption endpoint.

 

What is the benefit of immediate encryption?

Since card data is encrypted throughout its transfer from the POS to the secure decryption endpoint, the data provides no value to anyone who may wish to steal it. A would-be thief would not have the ability to revert the data back to the original payment card data form and instead would be left with an unintelligible string of characters.

 

How does a device become a P2PE solution?

For a device to receive validation from PCI as a “P2PE solution,” it must meet the P2PE standard set forth by PCI and be independently assessed against the PCI P2PE Solution Requirements and Testing Procedures. This assessment includes hardware, software, and solution provider environment and processes. The validation of this standard is done by a PCI qualified P2PE assessor.

PCI publishes a list of all validated and approved P2PE solutions. You can find it here.

 

What is the P2PE Standard?

The PCI Security Standards Council defines this as “a comprehensive set of requirements focused on providing the requisite security requirements necessary to support the deployment of secure P2PE solutions.”

 

What does a P2PE solution include?

• Secure encryption of payment card data at the POS
• P2PE-standard met at the POS
• Secure management of encryption and decryption devices
• Secure management of the decryption environment and all decrypted account data
• Secure encryption procedures and cryptographic key operations, which includes key generation, distribution, loading/injection and administration

 

Who is responsible for ensuring the P2PE solutions upholds its standard?

A PCI-validated solution provider would be responsible for the implementation of their P2PE solution and the oversight of said solution for any of their partners or merchants. In other words, the PCI-validated solution provider would be responsible for ensuring that all previously mentioned P2PE requirements were met, even those performed by third parties, such as key injection facilities and hardware manufacturers.
What are the benefits of using P2PE solutions?

Immediate encryption of cardholder data lowers the negative effects of a possible breach, therefore lowering the risk of cardholder data loss.

Solutions that meet the P2PE standard and have been confirmed by the Payment Card Industry Data Security Standard (PCI DSS ) will no longer be in the assessment scope for PCI assessment. That is because they will be surpassing the minimum requirement set by PCI DSS.

This will then simplify the steps you must take to be PCI DSS compliant and end up reducing the cost of maintaining compliance.

 

How Can P2PE Help reduce PCI DSS Assessment Costs and Scope for merchants?

P2PE helps descope and reduce PCI DSS Assessment costs since it is the PCI validated solutions provider’s responsibility to ensure PCI DSS compliance for P2PE solutions. As mentioned above, this minimized the scope of a merchant’s PCI DSS assessment since these companies would only have to address four sections and 35 questions. In contrast, for the PCI DSS compliance self-assessment questionnaire (SAQ), a company is responsible for its own encryption and has to go through 12 sections and 329 questions.
This P2PE solution provider accountability also means that if a fraud or data breach occurs, the responsibility would lie with the P2PE solution provider, not the merchant. The provider would be held accountable for any fines or penalties that came from such a breach

 

Are end-to-end encryption (E2EE) and point-to-point encryption (P2PE) the same thing?

No. While they are similar, P2PE only includes solutions that meet the PCI SSC requirements. Though E2EE does encrypt data, many E2EE solutions include other systems between the point of interaction and the point of processing the payments. This increases the probability of risk and fraud, and ultimately does not meet the P2PE standard.

In contrast, P2PE has no systems between the point of interaction and the point of processing. By minimizing the amount of touches the card data must go through, this process is more secure and quicker than E2EE.

Finally, there is no “E2EE standard” for companies to hold themselves accountable. This makes it difficult to determine if each company is implementing the same level of security. In the case of the P2PE standard, it has been set by PCI. If a company wants to claim they have a P2PE compliant solution, they must prove they are providing a P2PE standard solution and this must be confirmed by a PCI qualified P2PE assessor.