One of the most important tools for protecting payment data is point-to-point encryption (P2PE) technology. It replaces readable card data with ciphertext that only a holder of the decryption key can recover. Furthermore, it protects payment data, in transit and at rest, from the moment the consumer inserts the card into the card reader until the transaction is approved.
5 Things to Know About P2PE
To help your clients benefit from P2PE, however, you need to educate your technical and sales teams on what this technology does – and doesn’t – do.
1. It’s Not Automatically Included with Payments Solutions
Just because a merchant is using EMV chip technology to process transactions, it doesn’t necessarily mean that payment data is protected by P2PE. To deploy P2PE, merchants need payment terminals that support the unique encryption keys used to protect data at rest and in motion. If a merchant’s payment terminals can’t support these keys, the merchant will need to upgrade to newer terminals even if the current ones are EMV capable.
2. There Are Different Types of Encryption Solutions
Ensure that you understand the options for encrypting payment data. In general, there are two types: encryption solutions validated by the Payment Card Industry (PCI) and E2EE (end-to-end encryption). Both types are secure, as they encrypt data at the point of interaction (the payment terminal) from the moment the card is swiped or dipped. However, with PCI-validated solutions, a third-party processor reviews the data in transit. PCI-validated solutions also come with more stringent security rules, including annual inventory checks, monthly site checks on equipment, and other compliance measures such as on-premises camera monitoring of terminals.
In E2EE, the data is encrypted at the payment terminal and sent directly to the processor that decodes it. Additionally, with E2EE, a business can decide how much data beyond cardholder data gets encrypted. This provides greater flexibility for the business but also a greater liability if there is a data breach.
3. PCI-validated P2PE Has Evolved and Advanced
You also need to stay up to date on PCI-validated P2PE versions:
- Version 1.1
In 2011, P2PE became an official program of the PCI Standards Council. The first version of PCI-validated P2PE contained more than 900 requirements to be considered a P2PE solutions provider. Adding this designation was a tall order, and participation was low.
- Version 2.0
By 2015, version 2.0 was released, allowing partnerships with outside companies to implement technical components like key placement facility, certificate/enrollment authority, and decryption management services. Version 2.0 was much more quickly adopted since partnerships with qualified third parties allowed VARs and ISVs to incorporate P2PE into their offerings while leveraging the experience of others for the most technical aspects.
- Version 3.0
In 2019, PCI released version 3.0, adding four new types of component providers to the standard. The benefit to VARs and ISVs was that they could now build total solutions while choosing the best component provider depending on supported devices and software.
4. Reduced PCI Scope Doesn’t Mean No PCI Scope
P2PE solutions make it easier for merchants to comply with PCI requirements, since no human-readable payment card data passes through the merchant’s networks or point of sale (POS) systems. This allows merchants to focus their security effort only on the solutions and systems necessary to protect payment data.
While encryption solutions reduce risk, they don’t eliminate all risks or meet all compliance requirements. Merchants will still be responsible for the PCI Self-Assessment Questionnaire, but P2PE will reduce the number of questions they must answer. Additionally, merchants must remember to address other elements of PCI compliance, such as protecting the network with a firewall, using strong passwords, implementing antivirus, and restricting access to cardholder data.
5. Encryption is Just One Piece of a Safe Payments Environment
Encryption is an effective tool for protecting payment data, but it’s only part of a comprehensive security strategy. P2PE solutions work with EMV and tokenization to further fortify a payments environment. Ideally, EMV verifies the authenticity of credit or debit cards to protect against cloned or stolen cards, tokenization enables businesses to “remember” a customer’s account information so it can be reused for future purchases without re-entry, and P2PE ensures that data in transit is protected and secure.
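The following is an added, simplified model of the flow described in sections 2, 4 and 5 above; it is example code written for this page, not Datacap’s or any P2PE provider’s implementation. It assumes a terminal and processor sharing one constructed key, uses an HMAC-SHA256 counter-mode keystream as a stand-in for the terminal’s real AES/DUKPT cipher so it runs on the standard library alone, and shows why the merchant’s POS, which only ever forwards an opaque blob, drops out of scope while the processor returns a reusable token instead of the card number.

```python
import hashlib
import hmac
import os

# Constructed keys for the model. In a real P2PE deployment the terminal key is
# injected at a key-loading facility and only the processor's decryption
# environment holds it; the merchant's POS and network never see either key.
TERMINAL_KEY = bytes.fromhex("00" * 16 + "11" * 16)  # shared terminal/processor key
VAULT_KEY = bytes.fromhex("22" * 32)                  # processor's token-vault key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for the terminal's AES/DUKPT cipher.
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def terminal_encrypt(pan: str, key: bytes = TERMINAL_KEY) -> bytes:
    """Point of interaction: the PAN is encrypted the instant the card is read."""
    nonce = os.urandom(16)
    data = pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag
    return nonce + ct + tag

def pos_build_request(blob: bytes, amount_cents: int) -> dict:
    """Merchant POS/network: forwards the opaque blob; it holds no key."""
    return {"payload": blob.hex(), "amount_cents": amount_cents}

def processor_authorize(request: dict, key: bytes = TERMINAL_KEY,
                        vault_key: bytes = VAULT_KEY) -> dict:
    """Processor: verifies, decrypts, and returns a token instead of the PAN."""
    blob = bytes.fromhex(request["payload"])
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("payload altered in transit or wrong key")
    pan = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()
    # Deterministic keyed token: same card, same token, so the merchant can
    # reuse it later. Real token vaults usually map random tokens in a store.
    token = hmac.new(vault_key, pan.encode(), hashlib.sha256).hexdigest()[:16]
    return {"approved": True, "token": token, "last4": pan[-4:]}

def run_sale(pan: str, amount_cents: int) -> tuple:
    """Full flow; returns what the POS handled and what the processor returned."""
    request = pos_build_request(terminal_encrypt(pan), amount_cents)
    return request, processor_authorize(request)

def pan_visible_to_pos(pan: str, request: dict) -> bool:
    """Scope check: does the PAN appear in clear in anything the POS handled?"""
    return pan in request["payload"] or pan.encode().hex() in request["payload"]
```

Re-running `run_sale` for the same card yields a different payload each time (fresh nonce) but the same token, which is the property that lets the merchant store the token rather than the PAN.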
Equip Merchants with Secure Solutions with the Help of Your Payments Partner
After you educate your clients on the benefits of encrypting payment data, you also need to work with a payments partner with the expertise to help you implement it successfully. You need a partner you can rely on for technical support and advice and one with experience implementing solutions for clients in your market.
Contact us to learn more about the advantage of working with Datacap Systems for P2PE and E2EE.