What your customers need to know about point-to-point encryption (P2PE).

Written by Jereme on


With continual reports of data breaches and unauthorized access to sensitive cardholder data, your merchants are likely all too aware of the need for the right payments security technology. However, they may not realize all the advantages of point-to-point encryption (P2PE).

Encryption is a valuable security tool in the digital world. This technology takes human-readable text and changes it to a random string of characters or “tokens” that require a decryption key to be understood. Encryption makes it possible to keep information private from anyone other than the sender and those with the proper decryption key, like the bank that issued the card or one of the major card brands (Visa, Mastercard, etc.). In payments, point-to-point encryption protects data throughout the entire payment processing environment until it is safely decrypted for approval.

The benefits of P2PE.

One of the drivers for P2PE adoption is that it helps reduce merchants' PCI compliance requirements. Because readable payment card data is never stored or used by a merchant’s point of sale (POS) system or its broader IT network, less of the business’s environment must meet the standard's strict requirements.

However, compliance is just one of the benefits P2PE provides your merchants. It also helps protect payment data from cyberattacks. If a hacker should gain access to a merchant’s network or POS system, they won’t find any human-readable payment data. Instead, they will only gain access to encrypted information that they won’t be able to decrypt, understand, or monetize. P2PE also provides a safety net for human error, as there's no concern that an employee could accidentally share card data or make it accessible to prying eyes.

Overall, P2PE can save merchants time and money related to PCI compliance, while protecting their brand reputations from the damage a data breach can cause.

How P2PE works.

Implementing P2PE requires that your clients use a payment device armed with a unique encryption key. The device must have a chain of custody that shows who: 

  • Manufactured the device.
  • Injected it with the key.
  • Tested it.
  • Shipped it to the end-user.

The ability to track a key-injected payment device is essential to ensuring it will properly protect payment data.

You’ll also need to assure your clients that their P2PE solution provider enforces access control, so that only authorized employees have access to keys and data. Furthermore, keys and data will never be stored in the same place or be accessible to the same person.

PCI-validated P2PE.

To help your merchants get the maximum benefits from P2PE (including reduced compliance scopes), you need to ensure the solution you are providing them is PCI-validated. These solutions have been evaluated against special requirements, including:

  • Securing payment card data at the point of interaction (POI).
  • Working with PCI-validated applications.
  • Featuring secure encryption and decryption device/data management.
  • Adhering to secure methodologies, including key generation, distribution, injection, administration, and use.

The time is now.

It has taken some time for P2PE technology to mature, and for PCI to establish validation requirements and evaluate solutions. However, PCI-validated P2PE solutions are now available and, more importantly, well within the reach of every small to mid-sized merchant.

Your clients need to know that when used as part of a total payment security solution that includes EMV technology and tokenization, network security, and perimeter defenses such as a firewall, PCI-validated P2PE can help provide peace of mind to merchants and their customers. To learn more about how you can help fortify your accounts’ security with the very latest in PCI-validated P2PE, contact us.