The best way to protect cardholder information is to never let anyone see it. A point-to-point encryption (P2PE) solution encrypts data immediately when a consumer dips a card or keys in their account numbers and throughout the payment process, changing it from a human-readable form to a code that requires decryption to understand.
P2PE solutions provide consumers with the assurance that their payment card information is protected, but they also offer some significant benefits to merchants. Point-to-point encryption can greatly reduce the risk of a data breach from a cyberattack. If a hacker gains access to a merchant’s network or systems, they will find encrypted payment card data that has no value to them. P2PE also helps protect merchants from internal threats. An employee could accidentally (or intentionally) make unencrypted payment card data available to the wrong people, leading to a data loss and putting the business’ reputation on the line. A solution that allows only the cardholder to handle the card and then protects data with P2PE eliminates that possibility.
In addition, P2PE can reduce the merchant’s Payment Card Industry (PCI) scope. Because readable card data never passes through the merchant’s point of sale (POS) system or network, it isn’t subject to compliance requirements, making compliant operations easier to achieve.
What Makes P2PE Solutions Work
To provide your clients with the benefits of a P2PE solution, you need to confirm that their payment terminals are injected with encryption keys unique to their businesses, leveraging optimal encryption technologies:
- Advanced Encryption Standard (AES) for data at rest
- Pretty Good Privacy (PGP), the standard for data in motion
These two encryption technologies work together to protect data throughout digital payment processes.
A chain of custody will accompany a device secured with P2PE. The chain of custody, which is necessary for PCI compliance, shows where the device was manufactured, key-injected, tested, packaged, and shipped, so that there is no question that the device is authentic and will perform as promised.
Skilled people are also a part of the P2PE ecosystem. Any solution you provide to your clients should be protected by strict access control and common-sense measures. For example, the person managing keys should not also have access to the merchant’s data, and data and keys should never be stored in the same place. In general, the P2PE solution provider should be able to provide proof of secure key generation, injection, and protected encryption and decryption administration.
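As an added illustration (example code, not Datacap's or any P2PE product's own): the terminal seals the PAN under its own injected key at the moment of capture, and the provider's decryption environment selects the key by terminal ID, so the POS and merchant network in between only ever relay opaque bytes. AES-GCM stands in for the encryption scheme, and the 32-byte keys and terminal IDs are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmFor builds AES-GCM for a terminal's injected key (assumed 32 bytes here);
// a malformed key is a programming error, not something a caller can recover from.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return gcm
}

// encryptAtTerminal seals the PAN the moment it is read. The terminal ID is
// bound as associated data so the blob cannot be re-attributed to another
// device; the POS and merchant network only ever relay the returned bytes.
func encryptAtTerminal(key []byte, terminalID, pan string) ([]byte, error) {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), []byte(terminalID)), nil // nonce || ct || tag
}

// decryptAtProvider runs only in the provider's decryption environment, the one
// place keys and card data meet. The key is selected by terminal ID; a wrong ID,
// another terminal's key, or a tampered blob fails GCM authentication.
func decryptAtProvider(keys map[string][]byte, terminalID string, blob []byte) (string, error) {
	key, ok := keys[terminalID]
	if !ok {
		return "", fmt.Errorf("no key on file for terminal %q", terminalID)
	}
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("truncated blob from %q", terminalID)
	}
	pan, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(terminalID))
	if err != nil {
		return "", fmt.Errorf("authentication failed for %q: %w", terminalID, err)
	}
	return string(pan), nil
}
```

Because each terminal's key is unique and only the provider holds the key map, a blob captured on the merchant side, or a key lifted from one device, does not expose transactions from any other terminal.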
Your clients will also need to choose between PCI-Validated Point-to-Point Encryption, which is verified to include special controls to meet PCI standards, and non-validated point-to-point encryption solutions. It’s important to recognize that non-PCI-validated solutions can be just as effective as validated ones – in fact, they may be in the process of validation. As a trusted advisor, use your tech expertise to evaluate the options available to your clients. Help them weigh the pros and cons of each choice, including how it will affect their PCI Data Security Standard (PCI DSS) compliance status and reporting requirements.
Increase Your Knowledge Base
P2PE technology may be outside your wheelhouse, but educating yourself so you can implement the optimal solutions for your clients can help you provide merchants with the best advice – and a higher degree of data protection.
The Datacap Systems team is available to point you to the resources you need to understand this technology, assist with PCI compliance issues, and help provide you with the information you need to give your merchants peace of mind regarding cardholder data security.
Contact us to learn more about P2PE and the solutions we offer.