Skip to content
Go to GoCardless homepage
Pricing
LoginSign up

What is point-to-point encryption (P2PE)?

Cardholder data is a frequent target of hacks and data breaches, and according to the IT Governance UK Blog, a total of 1.5 billion records were breached in January 2020. Put simply, businesses that accept credit cards need to be extra careful when it comes to their data security and anti-fraud processes.

Anyone who’s responsible for PCI DSS compliance at their business may be interested in point-to-point encryption (P2PE), an encryption method that offers the best protection for your customers’ payment information. Get the lowdown on point-to-point encryption solutions, from P2PE compliance to the difference between point-to-point and end-to-end encryption.

P2PE definition

So, what is P2PE? Put simply, point-to-point encryption is an encryption standard established by the Payment Card Industry Security Standards Council. It stipulates that cardholder information is encrypted immediately after the card is used with the merchant’s point-of-sale terminal and isn’t decrypted until it has been processed by the payment processor. This standard is met by point-to-point encryption solutions – comprehensive services delivered by specialist providers comprising of all the software and devices that are needed to meet the requirements of P2PE compliance.

What is a PCI-validated P2PE solution?

It’s worth noting that not all P2PE solutions receive validation from the PCI. For a point-to-point solution to receive validation – confirming that it meets the rigorous controls defined in the PCI P2PE Standard – it must undergo an assessment and audit from a P2PE Qualified Security Assessor (QSA). After that, it will be brought to the PCI Council for approval. So, what does a PCI-validated P2PE solution need to include? According to the PCI Council, the following PCI P2PE requirements must be present:

· Encryption of card information at the POI/payment terminal

· Secure management of all encryption and decryption devices

· P2PE applications at the POI

· Secure management of the description environment and decrypted data

· Use of encryption methodologies and cryptographic key operations

How does P2PE work?

Essentially, P2PE encrypts card information as soon as it’s taken from the payment processor, using an algorithm that turns the information into an unreadable code. This code is then transferred to the payment processor, where it’s decrypted using a secure key. As the decryption takes place electronically, the merchant doesn’t ever come into contact with their customers’ financial information, rendering it more or less invisible.

What’s the difference between P2PE and E2EE?

Although point-to-point encryption solutions and end-to-end encryption (E2EE) are similar, there is a key difference. Namely, that E2EE solutions don’t meet the standards of the PCI Council, mostly because there are other systems between the POI and processing point, increasing the chances of a hack or breach. In contrast, P2PE solutions transfer data directly, with no other systems in between. It’s also worth remembering that P2PE is assessable, whereas there aren’t any standards associated with encryption solutions that are branded as end-to-end.

Point-to-point encryption solutions and PCI DSS compliance

Assuming you’re using a point-to-point encryption solution that meets PCI P2PE requirements, you’ll be out of scope of PCI DSS compliance. Put simply, compliance will be the P2PE provider’s responsibility, and in the unlikely event of a data breach, the provider will be held accountable, not you. That means that you won’t need to worry about any of the potential penalties associated with PCI DSS, such as fines, suspension of your ability to receive credit card payments, and credit card replacement costs.

Final word

By ensuring that your business never touches card data, point-to-point encryption (P2PE) helps you to avoid the fallout from data breaches, whether that’s damage to your reputation or financial penalties. Bottom line: if you keep your customers’ data safe, you’ll keep your business safe too.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.

GoCardless makes it easy to collect recurring payments

Sign upContact sales

Interested in automating the way you get paid? GoCardless can help

Contact sales

Contact Us

Sales

Contact sales

+44 20 8338 9539

Support

Request support

+44 20 8338 9540

Seen 'GoCardless Ltd' on your bank statement? Learn more

GoCardless Ltd., Sutton Yard, 65 Goswell Road, London, EC1V 7EN, United Kingdom

GoCardless (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services. GoCardless SAS (23-25 Avenue Mac-Mahon, Paris, 75017, France), an affiliate of GoCardless Ltd (company registration number 834 422 180, R.C.S. PARIS), is authorised by the ACPR (French Prudential Supervision and Resolution Authority), Bank Code (CIB) 17118, for the provision of payment services.