
4 Reasons to use PCI-Validated P2PE

PCI-validated P2PE (point-to-point encryption) is a vital part of a merchant’s network security strategy. Cybercrime is a continual threat to retailers, restaurateurs, and other consumer-facing businesses: accepting payment cards and handling payment data puts them in attackers’ cross-hairs.

P2PE encrypts payment data inside the card-reading device from the moment the consumer presents the card, and the data stays encrypted until it reaches the solution’s secure decryption environment, which may be operated by the payment processor or by a third-party decryption service. If attackers gain access to a merchant’s point of sale (POS) system, instead of human-readable card data they find only ciphertext, and the keys needed to decrypt it are never present on the merchant’s network. P2PE therefore greatly reduces the likelihood that attackers can steal any data they could use or monetize.

With different encryption technologies available, however, the Payment Card Industry Security Standards Council (PCI SSC) recognized the need for a standard that ensures the greatest protection for payment data, and it established a program to validate P2PE solutions against that standard.

Here are four reasons to choose PCI-validated P2PE solutions:

1. They conform to best practices.
A PCI-validated P2PE solution conforms to the PCI SSC’s requirements for encryption strength, device and application security, and testing. It also follows key management best practices. A merchant could choose P2PE technology that is not on the PCI SSC’s list of validated solutions, but selecting a PCI-validated solution gives assurance that the vendor is actually following those practices rather than asserting it.

2. They are verified to meet standards.
PCI-approved P2PE assessors (P2PE QSAs) evaluate solutions to ensure they meet the P2PE standard and remain effective across the entire solution, from the card-reading device in the merchant’s payment environment to the decryption environment. The assessment covers aspects of the technology including:

  • Key generation, loading and injection, and ongoing key management
  • Secure card reading and data exchange between the device and the solution
  • Key injection facilities (KIFs)
  • Resistance to tampering

PCI-validated P2PE solutions are listed on the PCI website.

3. It’s easier than using a P2PE solution that’s not listed.
If a merchant and their solutions provider choose a P2PE solution that is not PCI-validated, they must demonstrate for themselves that the solution meets the criteria established by the PCI SSC and the applicable PCI DSS requirements. A listed solution lets the merchant use the much shorter SAQ P2PE, which reduces the number of Self-Assessment Questionnaire (SAQ) questions by up to 90 percent.

Additionally, merchants that use PCI-validated P2PE for at least 75 percent of their transactions may qualify for programs such as the Visa Technology Innovation Program (TIP), which waives the annual validation of PCI DSS compliance (the obligation to comply remains), or the Visa Secure Acceptance Program, which provides safe harbor from non-compliance fees for Level 3 or 4 merchants that experience a breach.

4. They reduce PCI scope.
With a PCI-validated P2PE solution, cleartext card data is never stored, processed, or transmitted by the merchant’s POS system, and the merchant has no access to the decryption keys. The POS system and the network segments it sits on are therefore removed from most PCI DSS requirements, which is what the reduced SAQ reflects.

Explore the Options

As trusted advisors, ISVs and VARs need to educate themselves about the solutions available to their clients from the nearly 100 solutions listed on the PCI website. Datacap’s PCI-validated P2PE solution protects data as follows:

  • The point of sale initiates the process by sending an XML request or HTTPS POST to Datacap’s NETePay/GIFTePay; the card data in that request was already encrypted by the PIN pad.
  • NETePay/GIFTePay passes the encrypted card data to NETePay Hosted.
  • NETePay Hosted sends the encrypted card data to Bluefin’s Decryptx, which decrypts it and returns the result to NETePay Hosted; NETePay Hosted then passes the data to the appropriate payment processor.
  • The payment processor’s response is returned to NETePay Hosted, which relays it to NETePay/GIFTePay.
  • Finally, NETePay/GIFTePay sends an approve, decline, or error response to the merchant’s point of sale system and PIN pad.
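To make the principle behind that flow concrete, here is a small runnable model, added as an example and not Datacap’s code or message format: a card reader that encrypts with a key injected into it, a POS that forwards an opaque payload in an XML request, and a separate decryption environment that alone holds the key. The cipher is a toy HMAC-based construction standing in for the AES/TDES DUKPT used by real P2PE devices, the XML element names and device serial are hypothetical, and the PAN is a standard test number. The last part runs a Luhn-based PAN scanner over everything the POS sees, the same kind of check an assessor runs when confirming that no cleartext card data remains in scope.

```python
import base64
import hashlib
import hmac
import os
import re
import xml.etree.ElementTree as ET

# Toy authenticated stream cipher: HMAC-SHA256 as a counter-mode keystream plus
# an HMAC tag. Stand-in for the AES/TDES DUKPT in real P2PE readers; not for production.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """Returns nonce(12) | ciphertext | tag(32)."""
    nonce = nonce or os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class CardReader:
    """PIN pad / secure card reader. Its key is injected at a key-injection
    facility (KIF); the merchant's POS never holds it."""
    def __init__(self, key: bytes, serial: str):
        self._key, self.serial = key, serial

    def read(self, pan: str, expiry: str) -> str:
        track = f"{pan}={expiry}".encode()  # simplified track-2 style data (constructed)
        return base64.b64encode(encrypt(self._key, track)).decode()

def build_pos_request(serial: str, encrypted_track: str, amount: str) -> str:
    """The request the POS sends up the gateway chain. Element names are hypothetical."""
    root = ET.Element("Transaction")
    ET.SubElement(root, "TranType").text = "Sale"
    ET.SubElement(root, "Amount").text = amount
    ET.SubElement(root, "DeviceSerial").text = serial
    ET.SubElement(root, "EncryptedTrack").text = encrypted_track
    return ET.tostring(root, encoding="unicode")

class DecryptionEnvironment:
    """The only party holding decryption keys, looked up by device serial."""
    def __init__(self, keys_by_serial: dict):
        self._keys = keys_by_serial

    def decrypt_request(self, request_xml: str) -> dict:
        tx = ET.fromstring(request_xml)
        key = self._keys[tx.findtext("DeviceSerial")]
        track = decrypt(key, base64.b64decode(tx.findtext("EncryptedTrack"))).decode()
        pan, expiry = track.split("=")
        return {"pan": pan, "expiry": expiry, "amount": tx.findtext("Amount")}

# PAN discovery: the check an assessor (or an attacker) runs over POS logs, memory
# dumps and captured traffic. 13-19 digit runs that pass Luhn count as candidate PANs.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cleartext_pans(text: str) -> list:
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group())]

def run_flow(pan: str = "4111111111111111", expiry: str = "2512", amount: str = "12.34"):
    """One sale through the model. Returns (POS-visible request, PANs discoverable
    in it, what the decryption environment recovers)."""
    key = os.urandom(32)
    reader = CardReader(key, serial="SCR-0001")  # hypothetical device serial
    request = build_pos_request(reader.serial, reader.read(pan, expiry), amount)
    leaked = find_cleartext_pans(request)
    recovered = DecryptionEnvironment({reader.serial: key}).decrypt_request(request)
    return request, leaked, recovered

if __name__ == "__main__":
    request, leaked, recovered = run_flow()
    print("POS-side request:", request)
    print("PANs discoverable on the POS side:", leaked)
    print("Decryption environment recovered:", recovered)
```

Run it and the scanner returns an empty list for the POS-side request while the decryption environment recovers the PAN and expiry. Flipping a single byte of the payload makes decryption fail rather than return garbage; that authenticated, key-less-at-the-merchant design is what lets every hop between the reader and the decryption environment be treated as untrusted.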

Contact us to learn more about PCI-Validated P2PE!