Breaching data has become extremely easy with the increased use of public and open networks to transmit cardholder data. One way to prevent cyber-criminals from gaining access to sensitive cardholder data is to encrypt it. Point to Point Encryption (P2PE) ensures that information sent over public channels is adequately encrypted at the sending end and decrypted only when it is received. This renders the data unreadable to any unauthorized party who may intercept it. It also simplifies achieving PCI compliance for a business.
There are, however, multiple reasons why businesses do not tend to have P2PE, and one of them is misinformation. This article is focused on addressing the fundamental questions that merchants or business entities may have concerning P2PE.
What is Point to Point Encryption?
Point to Point Encryption is a security standard centered on encrypting card information the very instant it is received by the merchant’s point of sale terminal. This allows the information to be transferred securely to the payment processor, where it is decrypted and processed. Another benefit P2PE has for customers is that the merchant never holds the data in its original form, such as the card number and security code. When the card is entered at the POS terminal, the data is encrypted instantly and becomes inaccessible to the merchant as well, because the encryption and decryption keys are not given to the merchant.
P2PE is not the same as end-to-end encryption. In end-to-end encryption, an intermediary is involved in encrypting the data as it passes from one party to the other, whereas in point-to-point encryption the merchant’s point of sale ecosystem is connected directly to the payment processor. PCI recommends this as the best practice for cardholder data security and defines the level of P2PE encryption acceptable for PCI compliance, based on five criteria:
- Encryption of the payment data securely at the POS terminal of the merchant.
- Proper management of devices that encrypt and decrypt the data.
- Applications validated for P2PE to be used at the POS terminal.
- Properly authorized handling of the decryption environment and the decrypted data.
- Use of secure methods of encryption.
P2PE is offered by numerous merchant service providers and is usually part of the point of sale hardware and software that they supply to the merchant.
Why does a Business Need P2PE?
One primary reason is that the risk of losing payment card data to a breach, including one at your own business, becomes minimal. This is because data encrypted at the point of sale can be decrypted only at the payment processor, not by the merchant. Here are a few other reasons why you should consider getting a P2PE system for your business.
Benefits in PCI Validation
- When your business and your systems are assessed for PCI compliance, PCI will automatically treat much of your hardware and software as compliant because of point-to-point encryption. PCI compliance aims to increase cardholder data security, and P2PE provides a higher level of protection.
- A business with a P2PE solution has fewer requirements to meet for PCI compliance. The assessment criteria are simplified, which can also reduce the cost of maintaining PCI compliance.
Even though the assessment criteria for validating PCI compliance can be reduced, adding more payment methods to the business environment brings additional requirements for PCI validation.
Programs by Card Brands
- Visa Technology Innovation Program
This is a program for merchants processing 75% or more of their transaction volume through a P2PE service approved by PCI DSS. Merchants have to register for this program through their service provider. This allows merchants to skip the annual re-validation of their PCI DSS compliance.
- Visa Secure Acceptance Program
For merchants at level 3 or 4 of PCI validation, this program provides a safe harbor in the event of fraud or another compromise. In this case, the transaction type must be card-present, and the P2PE solution the merchant is using must be validated by PCI.
Lesser Complications in Compliance
- Mobile Acceptance
If all the cardholder data is encrypted before it passes through a mobile device, the mobile device no longer falls within the scope of PCI validation. The merchant should not involve the mobile device in any other transaction type. In this manner, the merchant can accept a card in a compliant way through a consumer’s mobile device.
- Foreign Networks
Normally, merchants bear significant responsibility for the security of foreign networks involved in their transactions. With P2PE, however, the data between the encryption point and the decryption point is unreadable by any third party, which takes the network out of scope for PCI compliance.
Tokenization and EMV
Tokenization is a way for the merchant to safely keep a reference to cardholder data in the merchant’s system, which helps with future transactions and with in-store loyalty programs. In tokenization, a different value (the token) is stored in place of the card data. When the token is to be used again, it is sent to the tokenization provider, who retrieves the original cardholder data.
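The tokenization flow described above, as an added illustration that is not part of the original article or any real provider's product: the vault (held by the tokenization provider) issues a random token that preserves only the last four digits, the merchant stores nothing but the token, and detokenization is possible only where the vault lives. The PAN used below is a constructed sample value.

```python
import secrets


class TokenVault:
    """Provider-side vault: the only place the token-to-PAN mapping exists."""

    def __init__(self):
        self._by_token = {}  # token -> PAN
        self._by_pan = {}    # PAN -> token, so a repeat card gets the same token

    def tokenize(self, pan):
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12-19 digits")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random digits, keeping the last four for receipts and loyalty lookups.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token):
        # Only the provider can map a token back to the card number.
        return self._by_token[token]


class MerchantSystem:
    """Merchant-side store: holds tokens and amounts, never a PAN."""

    def __init__(self):
        self._sales = {}  # token -> list of amounts

    def record_sale(self, token, amount):
        self._sales.setdefault(token, []).append(amount)

    def loyalty_total(self, token):
        return sum(self._sales.get(token, []))

    def holds_pan(self, pan):
        # True only if a raw PAN leaked into merchant storage; should stay False.
        return any(pan in k for k in self._sales)


def run_demo():
    vault, merchant = TokenVault(), MerchantSystem()
    pan = "4111111111111111"          # constructed sample PAN, not a real card
    token = vault.tokenize(pan)       # issued at first use
    merchant.record_sale(token, 25)
    merchant.record_sale(vault.tokenize(pan), 15)  # repeat visit, same token
    return token, merchant.loyalty_total(token), merchant.holds_pan(pan)
```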
EMV is a method of authentication at the POS using an embedded chip. Criminals cannot easily duplicate these cards, so fraudulent transactions cannot be made using counterfeit cards. EMV cards work well with P2PE, as the POS terminal can encrypt the cardholder data immediately after reading it from the chip.
How are PCI Validated and Non-validated Solutions Different?
Encryption solutions that have not been validated are also known as unlisted solutions. They still encrypt cardholder information at the POS terminal and decrypt it at the payment processor, but they are not approved by the PCI SSC. Such solutions are usually referred to as end-to-end encryption rather than as unlisted P2PE solutions.
PCI-listed, or PCI-validated, solutions are assessed by a P2PE QSA before they are listed as approved P2PE solutions. Approved P2PE solutions have met all the requirements that the PCI SSC sets for cardholder data security. In addition, the solution’s decryption must be performed in a secure environment that is assessed annually according to the PCI DSS.