P2PE - Point-to-Point Encryption Solutions Explained

This data breach led to the creation of both the Security Standards Council and their early draft of Point-to-Point Encryption (P2PE) standards for accepting and transferring payment card data. Since then, there have been several updates and improvements to the original standards. The PCI’s hope is that improvements will help protect card data as well as make it easier for merchants to adopt and employ security standards.

Even though the Council has worked hard to make meeting security requirements doable, it can still be confusing for merchants. So today, we'll break down the basics of the Payment Card Industry’s (PCI DSS) Security Standards. We’ll also talk about how P2PE works to keep customer’s sensitive data safe. And how, by employing a P2PE solution, merchants can help to reduce their liability for PCI Compliance.

Who is the Payment Card Industry Security Standards Council (PCI SSC)?

The Payment Card Industry mandates that “Maintaining payment security is required for all entities that store, process or transmit cardholder data.” That means every merchant that accepts payment cards must maintain their security. It also meant that they needed to know how to do it - they needed some guidelines.

The Payment Card Industry created the Security Standards Council to draft these “guidelines”, and maintain and update them as needed. The PCI SSC created

 a set of Security Standards that merchants must implement when accepting card payments. They call this set of standards Payment Card Industry Data Security Standards, or PCI DSS. 

The security standards encompass operational and technical requirements for merchants, software developers, and application and device manufacturers. This guidance aims to help merchants create a secure enviro

nment for payments and to ensure protection of sensitive card data. One way to protect sensitive data is through Point-to-Point Encryption.

What is P2PE, Point-to-Point Encryption?

Every business that accepts, transmits, or stores cardholder data must abide by PCI Data Security Standards and maintain PCI compliance annually.

Point to Point Encryption (P2PE) is an encryption standard created to protect cardholder data when collected and transferred for payments. It requires that cardholder data be encrypted from the moment it is collected and throughout its journey from the terminal to the acquirer.

To protect card information, it must be encrypted the second it is collected - at the Point of Sale. Encryption refers to the conversion of the payment information to an unintelligible form. It is only decrypted by the payment processor in order to process the transaction. 

The PCI Council’s standards for point-to-point encryption:

All processes must also be compliant with P2PE standards. In addition, all encryption and decryption devices must be maintained in a secure manner. Whether you capture cardholder information over NFC tap contactless, chip dip, or mag swipe, hardware must be compliant with PCI CSS standards. 

Same holds true for eCommerce sites running software that collects sensitive data. 

But, the scope of PCI compliance reaches much farther than just your immediate hardware. It also includes your entire network architecture, software design and implementation, as well as policies and procedures. And more. 

In order to accomplish this, it's best for merchants to employ a point-to-point encryption application. 

How do you implement P2PE?

Meeting each and every one of the requirements of the PCI Data Security Standards isn't easy. But it's a lot simpler when you have a solution that encompasses a majority of the requirements in one solution. 

This is where a validated P2PE Solution provider comes in. They build and provide merchants with a complete terminal-based Point-to-Point Encryption solution.

Always make sure to use a P2PE solution provider that is PCI-validated and approved. Before any P2PE solution provider can sell their solution they must be validated by the PCI. PCI mandates that this validation be done by a PCI Qualified Security Assessor who will thoroughly inspect the solution, hardware and software, and all processes involved. This way you know that their solution meets all required PCI Data Security Standards.

P2PE solutions reduce the merchant’s scope of PCI compliance obligations. 

A validated P2PE solution simplifies the process of meeting PCI compliance. They've essentially “taken care of” a majority of the requirements included in the Data Security Standards that merchants must meet when accepting card payments.

With a validated P2PE solution, merchants are no longer liable for meeting P2PE requirements. Those liabilities now fall on your Merchant Service Provider who implements your P2PE Solution. If a merchant were to experience a data breach using P2PE, liability, fees and penalties all fall on the provider.

So, not only do P2PE solutions help you meet PCI Compliance, they also help to reduce merchant liability.

You can find the list of all validated and approved P2PE Solution Providers here on the PCI SSC’s website.

At MonerePay, we take data security seriously. Our hosted payments page was built to take most of the headaches of PCI Compliance off your plate. Our PCI Level 1 Gateway was built to meet or exceed the most stringent levels of industry security standards. Robust Fraud Protection tools round out the solution and are customiz

able to each merchant’s acceptable risk level.

With MonerePay on your side, you get a lot more than just the ability to accept card payments securely. You get a Merchant Service Provider dedicated to protecting and advancing the success of your business. From our innovative payment processing model, to our proprietary Business Intelligence Tools, our solution was created with the merchant's success 

in mind. 

If you expect more from your Merchant Service Provider, call us. MonerePay gives you more.