Today, more than ever, consumers want a fast, frictionless, and secure payment experience. At the same time, businesses need to protect customer data. But ever-changing compliance requirements and payment technology have increased the operational and technical complexity for businesses.
Point-to-point encryption (P2PE) protects cardholder data, makes it easier for organizations to keep payment data secure, and helps them meet PCI compliance requirements by aligning with the latest security standards, which in turn reduces the risk of fraud.
What is point-to-point encryption (P2PE)?
P2PE protects sensitive cardholder data when a consumer makes a transaction by instantly encrypting the sensitive card and customer data. This process keeps that data encrypted as it travels between the payment terminal and the payment service provider, where the data is then decrypted using a secure key.
P2PE ensures that customers’ sensitive payment information isn't exposed even if there's a data breach. This sensitive data includes consumers' account information (names, account numbers, and expiration dates) as well as sensitive authentication data, such as full magnetic stripe data and card validation codes/values (the three- or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2). P2PE also helps businesses reduce the complexity of their PCI compliance.
How does P2PE work?
The PCI Security Standards Council (PCI SSC) released the first version of the P2PE standard in 2011 to offer businesses an easier way to meet all the requirements of the PCI Data Security Standard (PCI DSS). The PCI SSC is an association of major organizations created to secure payments, payment data, and processes and drive the widespread use of electronic payments. In 2019, the PCI SSC released PCI P2PE Version 3.0 to simplify "the process for component and solution providers to validate their P2PE products for cardholder data protection efforts."
P2PE encrypts payment card data when a business accepts a payment card. This information is then transferred to the payment processor. At this point, the payment processor decrypts the information using a secure key and approves or declines the transaction. Since decryption happens only at the payment processor, the business never comes into contact with its customers’ financial data.
Threat actors likewise cannot capture and exploit the transaction data, because it remains encrypted throughout the process. Even if a cybercriminal intercepted a specific transaction, they wouldn’t be able to decipher the data. Only authorized parties that hold the secure key can decrypt the information.
Requirements for receiving PCI validation
A PCI P2PE solution can significantly reduce the PCI DSS validation effort for a business's cardholder data environment. But the business must still ensure that it also meets PCI DSS requirements.
Using a P2PE provider that meets the requirements of PCI P2PE means that PCI compliance will mainly fall to a company's P2PE provider, rather than the business. The reason: using a P2PE provider means the company won't have to handle or store sensitive information within its internal systems.
However, the company is also responsible for ensuring that its payment terminals are secure and that all shoppers' payment card data gathered from anywhere other than a payment terminal—for example, via a call with a customer service representative—is adequately protected. To keep customer cardholder data secure, it's essential that businesses maintain secure systems for any data that's outside of the P2PE flow—still, a much less onerous undertaking than they would otherwise face without implementing P2PE.
Conversely, if companies select P2PE providers that are not properly certified or whose systems are not validated by the PCI SSC, then they are responsible for ensuring compliance with the PCI DSS. Consequently, it's important for companies that want to reduce their scope for PCI compliance to seek out certified P2PE providers.
The PCI P2PE standard requirements are:
- Encryption at the payment terminal - to prevent data theft during transit, encryption must begin at the payment terminal prior to transmission. Also, to ensure the integrity of the encryption environment, it should employ software and devices that have been validated by a PCI-qualified P2PE assessor
- Complex encryption - payment terminal encryption should possess a high level of complexity to safeguard payment data. Robust encryption ensures that fraudsters cannot read the original data even if they do manage to breach your systems
- Encryption key management - you must store all encryption keys securely and separately from the encrypted data, so that the former cannot be used to decode the latter in the event of a breach
- A secure decryption environment - decryption of the encrypted data must also take place in a secure environment
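The flow described above (encrypt at the terminal, relay through the merchant, decrypt only at the processor) and the four requirements just listed can be seen working together in a small model. The following Go program is an added illustration, not code from the original article, from Checkout.com, or from the PCI P2PE standard itself; the type names (Terminal, Processor, EncryptedTx, MerchantView), the software HMAC-SHA256 per-transaction key derivation, the AES-256-GCM choice and the 4111111111111111 test card number are all constructed for the demo. Real solutions keep the keys in tamper-resistant terminal hardware and the processor's secure decryption environment, which this model only stands in for.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed demo key. In a real P2PE solution it is injected into the terminal's
// tamper-resistant hardware and held only by the processor; merchants never hold it.
var demoBaseKey = bytes.Repeat([]byte{0x42}, 32)

// EncryptedTx is everything that leaves the terminal, and all the merchant sees.
type EncryptedTx struct {
	TerminalID string
	Counter    uint32
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM ciphertext with authentication tag
}

// txCipher derives a per-transaction AES-256 key from the base key and a
// "terminal:counter" context (assumption: HMAC-SHA256 derivation for the demo).
func txCipher(baseKey []byte, ctx string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte(ctx))
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

type Terminal struct {
	ID      string
	baseKey []byte
	counter uint32
}

// Encrypt seals the card data before it is transmitted anywhere. The context is
// also the GCM associated data, so an envelope cannot be re-labelled for another terminal.
func (t *Terminal) Encrypt(pan, expiry, cvv string) (EncryptedTx, error) {
	t.counter++
	ctx := fmt.Sprintf("%s:%d", t.ID, t.counter)
	gcm, err := txCipher(t.baseKey, ctx)
	if err != nil {
		return EncryptedTx{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTx{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry+"|"+cvv), []byte(ctx))
	return EncryptedTx{TerminalID: t.ID, Counter: t.counter, Nonce: nonce, Ciphertext: ct}, nil
}

// MerchantView is what merchant systems can legitimately log: no key, no plaintext.
func MerchantView(tx EncryptedTx) string {
	return fmt.Sprintf("terminal=%s ctr=%d ct=%x", tx.TerminalID, tx.Counter, tx.Ciphertext)
}

// Processor models the secure decryption environment that holds the base key.
type Processor struct {
	baseKey  []byte
	lastSeen map[string]uint32 // highest counter accepted per terminal (must be initialised)
}

// Decrypt recovers the card data, rejecting replays and any tampered envelope.
func (p *Processor) Decrypt(tx EncryptedTx) (pan, expiry, cvv string, err error) {
	if tx.Counter <= p.lastSeen[tx.TerminalID] {
		return "", "", "", fmt.Errorf("replayed or out-of-order counter %d", tx.Counter)
	}
	ctx := fmt.Sprintf("%s:%d", tx.TerminalID, tx.Counter)
	gcm, err := txCipher(p.baseKey, ctx)
	if err != nil {
		return "", "", "", err
	}
	plain, err := gcm.Open(nil, tx.Nonce, tx.Ciphertext, []byte(ctx))
	if err != nil {
		return "", "", "", fmt.Errorf("integrity check failed: %w", err)
	}
	parts := strings.SplitN(string(plain), "|", 3)
	if len(parts) != 3 {
		return "", "", "", fmt.Errorf("malformed payload")
	}
	p.lastSeen[tx.TerminalID] = tx.Counter
	return parts[0], parts[1], parts[2], nil
}

func main() {
	term := &Terminal{ID: "POS-0001", baseKey: demoBaseKey}
	tx, _ := term.Encrypt("4111111111111111", "12/27", "123") // constructed test card
	fmt.Println("merchant sees:", MerchantView(tx))
	fmt.Println((&Processor{baseKey: demoBaseKey, lastSeen: map[string]uint32{}}).Decrypt(tx))
}
```

Three properties from the requirements list are visible here: the merchant's record (MerchantView) contains ciphertext but no key, so a breach of merchant systems yields nothing decryptable; every envelope is bound to its terminal and counter, so a tampered or re-labelled message fails the integrity check; and the processor refuses a replayed counter, which is the check a practitioner would want on top of confidentiality.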
P2PE vs. E2EE (end-to-end encryption)
When comparing P2PE vs. E2EE, it's important to note both are standards for encrypting cardholder data, and companies can use either system to ensure their customers’ cardholder data remains secure. But they differ in that an independent assessor has thoroughly inspected and verified PCI-validated P2PE solutions as well as their applications and components, e.g., payment terminals and technologies.
Since P2PE solutions can be fully certified by the PCI DSS standard, the scope of regulations that businesses need to comply with is reduced. E2EE, however, is not certified, which means those solutions don't have to meet any specific standards. Nevertheless, both these solutions can be equally secure.
In addition, P2PE encrypts data from the point-of-sale terminals to the payment processors and doesn't need to use third parties during the process. Therefore, all of a company's data goes directly from one point to the other, and no other companies can access it. When information reaches the payment processor, the processor uses a secure key to decrypt the data and sends it to the issuing bank to be approved. Businesses have no control over this data, and they can't access the secure key to decrypt it. The responsibility for handling the data and ensuring that it is secure falls to the third-party payment processor.
Although E2EE encrypts the payment process from end to end, E2EE doesn't have to meet any standards, so companies can unlock this data during the process. And, unlike with P2PE, third parties aren't responsible for securing the data; instead, merchants must ensure the data is secure.
Benefits of using P2PE
The key benefits of using P2PE for merchants are:
- Protect your business - P2PE significantly enhances data security by encrypting payment card data right from the start of a transaction and throughout the payment process. This encryption makes it extremely difficult for cybercriminals to intercept and steal sensitive information during transit
- Build trust with cardholders - P2PE can enhance customer trust and confidence in your ability to protect their payment card information. Knowing that their data is encrypted from the point of sale can reassure customers and encourage them to make repeat purchases
- Reduced risk of financial and reputational damage - P2PE reduces the risk of financial loss associated with data breaches, as well as the potential for damage to your reputation and serious legal consequences
- Reduced PCI compliance burden - implementing P2PE can help you meet regulatory requirements, such as PCI DSS. Also, by encrypting data from before transmission, P2PE reduces the burden and cost of compliance, as fewer systems and processes fall within the scope of PCI assessment
- Streamline your operations - P2PE can streamline your payment processes by reducing the need for complex data handling and storage. This can result in operational efficiencies, lower operational costs, and quicker payment processing times
Is Checkout.com a P2PE-validated solution provider?
The short answer is yes, Checkout.com is a P2PE-validated solution provider. Checkout Technology Ltd, a company within the Checkout.com group, is certified under the PCI DSS as a Level 1 service provider, the highest standard set by the payment card industry to ensure that credit card data is processed, stored, and transmitted in a secure environment. Checkout.com uses payment tokenization, 3D Secure authentication, and PCI-validated point-to-point encryption to secure the acceptance of payments.
You can learn more about our overall solution here and get a deeper overview of Checkout.com’s PCI compliance here.