Data breach has become extremely easy with the increased use of public and open networks to transmit cardholder data. One way to prevent cybercriminals from accessing sensitive cardholder data is to encrypt it. Point-to-point encryption (P2PE) is a way to ensure that information sent over public channels is properly encrypted at the sending end, so that it is decrypted when received. This makes the data unreadable to any unauthorized person who might intercept it. It also simplifies PCI compliance for a business.
ContentsWhat is Point-to-Point Encryption?Why does a business need P2PE?Benefits of PCI ValidationPrograms by Card BrandsVisa Technology Innovation ProgramLess Compliance ComplicationsTokenization and EMVWhat are PCI Validated Solutions and unvalidated different?There are, however, multiple reasons why companies don't tend to have P2PE, and one of them is misinformation. This article aims to answer basic questions that merchants or business entities may have regarding P2PE.
Point-to-point encryption is a security standard focused on encrypting card information the instant it is received by the merchant's point-of-sale terminal. This allows information to be securely transferred to the payment processor, where it can be decrypted and processed. Another advantage that P2PE can have for customers is that merchants do not have the data in the exact form, such as card number and security code. When entering the POS terminal, the data is encrypted instantly and also becomes inaccessible to the merchant. The encryption and decryption keys are not communicated to the merchant.
P2PE is not the same as end-to-end encryption. In end-to-end encryption, an intermediary works to encrypt data from one party to the other party. Whereas in point-to-point encryption, the merchant's point-of-sale ecosystem is directly connected to the payment processor. PCI recommends this as a best practice for cardholder data security. PCI has its standards at the acceptable P2PE encryption level for PCI compliance. This is based on five criteria;
P2PE is offered by many merchant service providers and is usually part of the hardware and sales software they provide to the merchant.
One of the main reasons is that the risk of losing payment card data due to breaches or even in your business becomes minimal. This happens because merchants can only decrypt encrypted point-of-sale data with the payment processor. Here are a few more reasons why you should consider getting a P2PE system for your business.
Although there may be a reduction in the evaluation criteria for validation of PCI compliance, the addition of more payment methods in the commercial environment will require additional requirements for PCI validation.
This is a program for merchants processing 75% or more of their transaction volume through a PCI DSS-approved P2PE service. Merchants must register for this program through their service provider. This allows merchants to avoid the annual revalidation of their PCI DSS compliance.
For merchants who are at level 3 or 4 of PCI validation, this program provides them with a safe harbor in the event of fraud or other compromise. In this case, the transaction type must be card present. In addition, the P2PE solution used by the merchant must be validated by PCI.
Assume that all cardholder data is encrypted before passing through a mobile device. In this case, the mobile device no longer meets the required PCI validation parameters. The merchant must not involve the mobile device in any other type of transaction. The merchant can accept a compliant card through a consumer's mobile device in this manner.
In standard cases, merchants face great liability for networks when foreign networks are involved in transactions. But because of the P2PE, the data between the point of encryption and decryption is unreadable by a third party. This puts the network out of PCI compliance range.
Tokenization is a means by which the merchant can securely store cardholder data in the merchant's system. This helps in future transactions and can help with in-store loyalty programs. In tokenization, a different value is used to represent the card data. When the token needs to be reused, it is passed to the tokenization provider, which then retrieves the data from the original cardholder.
EMV is a means of authentication at the point of sale using an embedded chip. Criminals cannot easily duplicate these cards and fraudulent transactions cannot be made using fake cards. These cards work well with P2PE because the POS terminal can immediately encrypt cardholder data after receiving the information electronically at the POS.
Encryption methods that are not validated are also referred to as unlisted solutions. These solutions still allow encryption of cardholder information at the point-of-sale terminal and decryption at the payment processor. Yet they are not approved by PCI SSC. These are also referred to as end-to-end encryption other than unlisted P2PE solutions.
PCI listed or PCI validated solutions are evaluated as part of a P2PE QSA before being listed as an approved P2PE solution. Approved P2PE solutions have met all requirements set by PCI SSC for cardholder data security. Also, in addition to meeting PCI SSC requirements, the decryption of the solution must be performed in a secure environment and evaluated annually according to PCI DSS.