What is point-to-point encryption (P2PE)?
Last editedMar 2020 2 min read
Anyone who’s responsible for PCI DSS compliance at their business may be interested in point-to-point encryption (P2PE), an encryption method that offers the best protection for your customers’ payment information. Get the lowdown on point-to-point encryption solutions, from P2PE compliance to the difference between point-to-point and end-to-end encryption.
P2PE definition
So, what is P2PE? Put simply, point-to-point encryption is an encryption standard established by the Payment Card Industry Security Standards Council. It stipulates that cardholder information is encrypted immediately after the card is used with the merchant’s point-of-sale terminal and isn’t decrypted until it has been processed by the payment processor. This standard is met by point-to-point encryption solutions – comprehensive services delivered by specialist providers comprising of all the software and devices that are needed to meet the requirements of P2PE compliance.
What is a PCI-validated P2PE solution?
It’s worth noting that not all P2PE solutions receive validation from the PCI. For a point-to-point solution to receive validation – confirming that it meets the rigorous controls defined in the PCI P2PE Standard – it must undergo an assessment and audit from a P2PE Qualified Security Assessor (QSA). After that, it will be brought to the PCI Council for approval. So, what does a PCI-validated P2PE solution need to include? According to the PCI Council, the following PCI P2PE requirements must be present:
· Encryption of card information at the POI/payment terminal
· Secure management of all encryption and decryption devices
· P2PE applications at the POI
· Secure management of the description environment and decrypted data
· Use of encryption methodologies and cryptographic key operations
How does P2PE work?
Essentially, P2PE encrypts card information as soon as it’s taken from the payment processor, using an algorithm that turns the information into an unreadable code. This code is then transferred to the payment processor, where it’s decrypted using a secure key. As the decryption takes place electronically, the merchant doesn’t ever come into contact with their customers’ financial information, rendering it more or less invisible.
What’s the difference between P2PE and E2EE?
Although point-to-point encryption solutions and end-to-end encryption (E2EE) are similar, there is a key difference. Namely, that E2EE solutions don’t meet the standards of the PCI Council, mostly because there are other systems between the POI and processing point, increasing the chances of a hack or breach. In contrast, P2PE solutions transfer data directly, with no other systems in between. It’s also worth remembering that P2PE is assessable, whereas there aren’t any standards associated with encryption solutions that are branded as end-to-end.
Point-to-point encryption solutions and PCI DSS compliance
Assuming you’re using a point-to-point encryption solution that meets PCI P2PE requirements, you’ll be out of scope of PCI DSS compliance. Put simply, compliance will be the P2PE provider’s responsibility, and in the unlikely event of a data breach, the provider will be held accountable, not you. That means that you won’t need to worry about any of the potential penalties associated with PCI DSS, such as fines, suspension of your ability to receive credit card payments, and credit card replacement costs.
Final word
By ensuring that your business never touches card data, point-to-point encryption (P2PE) helps you to avoid the fallout from data breaches, whether that’s damage to your reputation or financial penalties. Bottom line: if you keep your customers’ data safe, you’ll keep your business safe too.
We can help
GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.