
Point-to-Point Encryption (P2PE) Guide

Everything you need to know about point-to-point encryption, including why only P2PE solutions can be PCI validated


What is point-to-point encryption (P2PE)?

Point-to-point encryption (P2PE) is a technology standard for converting sensitive data — in this case electronic financial transactions — to an unintelligible form to protect it. Encrypted data cannot be read or tampered with by anyone who doesn’t have the right decryption key to revert the data back to its original form. In a P2P transaction, the data is fully encrypted from the time a customer enters their information to the point where it is received by the payment processor. 

While the concept of encryption has been around for centuries, P2P encryption is a specific form of hardware encryption that occurs via a secured, fit-for-use payments device. These devices are considered “hardened,” which means they’re resilient against threat actors and difficult to break into. P2PE was developed by the Payment Card Industry Security Standards Council (PCI SSC), a consortium of major companies and payments industry stakeholders involved in developing standards and supporting services for the global electronic payments network.

How does point-to-point encryption work?

When a cardholder makes a purchase at a point of sale (POS), they’ll swipe the magnetic stripe or dip the chip through a point of interaction (POI) device, which is usually a card-reading PIN pad made by a major manufacturer such as VeriFone, PAX or Equinox.

The POI device is considered a tamper-resistant security module (TRSM) as it incorporates physical protections to prevent any compromise of its software or hardware. The device’s P2P encryption software immediately encrypts confidential payment card data, such as the account number and track data. This payment encryption ensures that the data is not exposed even if it is intercepted or if the network or POS system is breached.

The encrypted data is then sent to the payments gateway or processor for decryption within an HSM (hardware security module), an environment also called a safe harbor. Once the data is decrypted back to the original card information, it is sent to the issuing bank for authorization and can even be re-encrypted to another format. The bank either approves or rejects the transaction, depending upon the cardholder’s payment account status.

The merchant then receives a notification if the payment is accepted or rejected. This notification may also include a unique number reference — called a token — that the merchant can store. These payment tokens are generated specifically for the merchant and are used to represent that original transaction. The merchant can use the token to refer back to the transaction or even refund the customer without needing the customer’s card information.

For a more technical look at how the P2PE technology works, as well as a debunking of some myths around P2PE, see Episode 1 of our web series Busted: Dispelling Today’s Top Payment Myths.

What are validated P2PE solutions?

A validated P2PE solution is one that has received PCI validation: a confirmation that all the devices, applications and processes used to encrypt and decrypt payment data are secure.

Essentially, the solution provider ensures that:

  • All data is securely encrypted immediately upon swipe or dip in the POI until it arrives at a safe harbor for decryption. 
  • Any hardware involved in the offering is hardened and securely managed.
  • Any cryptographic keys used in the process are securely generated, transmitted and stored.

While a non-validated P2PE solution can use the same technology as a validated one, it may not offer the same assurance of security.

For a P2PE solution to receive PCI validation, it, the provider and all associated parties must be assessed and audited by a P2PE Qualified Security Assessor (QSA), before final approval by the Security Standards Council. P2PE-QSA companies are independent third-party companies that have met the PCI Security Standards Council’s requirements for education and experience and have passed the requisite exam.

As for validation requirements, the P2PE solutions must:

  • Have secure encryption of payment data occur within the POI/payment terminal’s TRSM. The solution must use technology that conforms to the PCI Council’s standards for key distribution, including Secure Reading and Exchange of Data (SRED) compliance, the use of secure encryption methodologies and secure handling of all cryptographic key operations.
  • Have secure management of all encryption and decryption devices, as well as the decryption environment and all decrypted account data. They must have a set of controls and processes to ensure P2PE integrity — including inspections, chain of custody management and audits.

Additionally, any time a P2PE instruction manual needs to be updated, whether because a device is added or a process changes, the update must go through a designated change process. Visit the PCI Security Standards Council’s site to read the full list of PCI-validated products and solutions.

Point-to-point encryption vs. end-to-end encryption

End-to-end encryption (E2EE) is a form of asymmetric encryption where the system creates two separate cryptographic keys, a public key and a private key, for each user. Users can share their public keys with others, but their private keys are kept secret.

A sender uses the recipient’s public key to encrypt the data and sends it to that recipient. When the recipient receives the encrypted information, they use the matching private key to decrypt the message. As with P2PE, the information is encrypted while in transit and cannot be understood by unauthorized users.

While E2EE solutions provide similar functionality to P2PE solutions such as encrypting within the POI terminal and decrypting outside the merchant environment, they have not been validated by the PCI SSC. Only PCI-validated P2PE solutions have been assessed by a P2PE-QSA to determine if the entire encryption process is secure and the solution can be accepted as a PCI-validated P2PE solution.

Challenges with P2PE

Though it is highly secure, there are points of vulnerability in the process. Because card information is unencrypted between two endpoints — the payments gateway and the issuing bank — there is an opportunity for data to be intercepted or accessed at the processing bank. Tokenization can protect against this by ensuring that when sensitive information is decrypted the account information and other personally identifiable information related to the consumer is replaced with a token. At that point, data such as the card number can only be accessed through a secure token vault by the system that generated it.
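The token flow described above (a merchant-specific token that stands in for the card number, with the real number reachable only through the vault that issued it) as an added example. This is constructed illustration code, not ACI’s code or any vendor’s API: an in-memory dictionary plays the role of the secure token vault, tokens are random strings with no relation to the card number, and the merchant identifiers and card number are constructed sample values.

```python
"""Token vault illustrating how a payment token stands in for the PAN.

Constructed example, not ACI's code: an in-memory dictionary plays the
role of the secure token vault, and tokens are random strings with no
mathematical relation to the card number. Merchant identifiers and the
card number below are constructed sample values.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, the standard sanity check on a PAN."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The only place the PAN is stored; everything outside it sees tokens."""

    def __init__(self):
        self._entries = {}  # token -> (merchant_id, pan)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_urlsafe(18)  # random, not derived from the PAN
        self._entries[token] = (merchant_id, pan)
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Tokens are issued per merchant: another merchant's token resolves to nothing."""
        entry = self._entries.get(token)
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        return entry[1]


def authorize_and_store(vault: TokenVault, pan: str, merchant_id: str) -> dict:
    """What the merchant keeps after authorization: token and masked PAN only."""
    token = vault.tokenize(pan, merchant_id)
    return {"token": token, "display": mask_pan(pan), "merchant": merchant_id}


def refund_by_token(vault: TokenVault, record: dict) -> str:
    """Refund later without the customer re-presenting the card: the vault,
    not the merchant system, resolves the token. Returns the masked PAN
    for the receipt so the clear PAN never comes back to the merchant."""
    pan = vault.detokenize(record["token"], record["merchant"])
    return mask_pan(pan)


if __name__ == "__main__":
    vault = TokenVault()
    rec = authorize_and_store(vault, "4111111111111111", "merchant-A")  # test card number
    print(rec)                       # token and masked PAN only
    print(refund_by_token(vault, rec))
```

The merchant record never contains the card number, so a breach of the merchant database yields only tokens that no other party’s vault will resolve; a second merchant presenting the same token is refused.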


P2PE also can’t protect against physical threats — such as data skimmers and shimmers — that can be used to capture magstripe or chip data at POI terminals. This is why the inspection of physical devices and the environment is part of PCI validation to ensure proper controls and security.

There are also some operational burdens for merchants that use P2PE:

  • Businesses must complete the SAQ P2PE annually to achieve PCI compliance
  • The P2PE Instruction Manual (PIM) must be closely followed and adequately implemented to meet PCI compliance
  • Merchants must complete a fully documented record of all activities that secure payment terminals inside their store
  • Purchasers need to perform several audits per year to ensure compliance with the PIM

However, these requirements are minor inconveniences compared to the advantages provided by P2PE solutions. 

Advantages of P2PE

Significantly reduced risk of fraud.

Data encryption within a PCI-approved POI device ensures that sensitive information never enters a merchant’s system, network or even the device itself in clear text. The data is fully encrypted until it arrives at the designated safe harbor, so it remains secure throughout the transaction process.

Less burdensome than other transaction processes.

Because card data is kept separate from the POS and merchant network, P2PE has a reduced PCI scope and fewer controls that need to be managed and documented. With fewer costly PCI audits and penetration tests, PCI compliance saves merchants time and money through simplified assessment and maintenance requirements.

Protection for merchants.

Again, because the sensitive data never reaches any of a merchant’s systems, they will not be held accountable for data loss or resulting fines in the event of fraud, provided the cardholder data environment is PCI compliant.

Resistance to brute force hacks.

P2PE uses key rotation, so the same encryption key isn’t reused for multiple transactions, making P2PE solutions resistant to brute force hacks and similar cyber attacks.

Reduced PCI compliance scope.

Merchants that handle payment cards and don’t have a validated P2PE solution in place will have to answer up to 328 questions in the Self-Assessment Questionnaire D (SAQ D) every year. Businesses that use a P2PE solution are eligible to fill out the much shorter SAQ P2PE, which has just 33 questions, 90% fewer than SAQ D.

Additional savings.

Having a validated P2PE solution can reduce cybersecurity insurance premiums and other risk costs, as the merchant demonstrates that they have proper security controls in place.

P2PE FAQs

Does having a P2PE card payment terminal mean that a merchant has a P2PE solution?

Not necessarily. Terminals are just one component of a P2PE solution. To be valid as a P2PE solution, a provider must strictly adhere to all processes, including shipping, handling and deploying.

Does a merchant have to validate PCI DSS compliance if they are using an approved P2PE Solution?

Merchants using a validated P2PE solution may still be required to validate PCI DSS. It’s recommended they contact their acquirer or payment brands to determine their PCI DSS validation requirements.

What is P2PE encryption based on?

Point-to-point encryption is typically based on the public key Rivest-Shamir-Adleman (RSA) encryption algorithm, which uses two different but linked keys. It may use one of two key management schemes:

TDES DUKPT
Triple Data Encryption Standard derived unique key per transaction, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.

AES DUKPT
Advanced Encryption Standard derived unique key per transaction, which offers greater processing speed than TDES.

What does a merchant have to do to maintain a P2PE Solution?

The merchant’s P2PE solution provider should have informational material in the form of a P2PE Instruction Manual (PIM), which will detail the merchant’s responsibilities for using POI devices, including steps for proper storage, repairs and regular PCI reporting. To maintain a validated P2PE solution, a merchant must fulfill all the controls set out in the PIM.

How does P2PE avoid the loss of cardholder data during a data breach?

By encrypting cardholder data immediately at the point of payment through to where it is decrypted at the solution provider’s secure environment, no clear text data ever enters a business network. If there is a data breach, the encrypted data has no value if stolen.

What can I do if my solution provider tells me my deployment is not a valid P2PE solution?

Determine why your solution is not valid. It’s possible that your solution provider did not follow the strict P2PE requirements for deployment or has not provided the PIM. Talk to your provider about your options to reset or rebirth your terminals and implement the PIM requirements to validate your P2PE Solution.

Can I save P2PE data in my database and decrypt it for subsequent transactions?

No, as you would have to retain all the additional metadata, such as the specific session keys, needed to decrypt the data. More problematic, the repeated use of session keys is an indicator of fraud, which could shut down the related terminal.
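The two FAQ answers above (a derived unique key per transaction, and why stored ciphertext cannot simply be decrypted again later) together with the terminal-to-safe-harbor flow described earlier, as an added example. This is constructed illustration code, not ACI’s code and not the ANSI X9.24 DUKPT algorithm: HMAC-SHA256 stands in for the key-derivation function and an HMAC-based keystream stands in for TDES or AES so the example runs on the Python standard library alone. The base derivation key, device identifier and card number are constructed sample values, and the class and function names are the example’s own.

```python
"""Per-transaction key derivation in the spirit of DUKPT.

Constructed example, not ACI's code and not the ANSI X9.24 DUKPT algorithm:
HMAC-SHA256 stands in for the key-derivation function and an HMAC-based
keystream stands in for TDES/AES so that the example runs with only the
Python standard library. The terminal and the safe harbor share a base
derivation key (BDK); a real POI device holds only derived keys inside its
TRSM and never the BDK itself.
"""
import hashlib
import hmac

# Constructed 16-byte BDK for the example; a real BDK is generated inside an HSM.
BDK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def derive_session_key(bdk: bytes, ksn: bytes) -> bytes:
    """Derive the one-transaction key from the BDK and the key serial number
    (KSN). The KSN is device identifier + transaction counter, so every
    transaction gets a different key and the safe harbor can re-derive it
    from the KSN alone. Without the KSN the ciphertext is undecryptable."""
    return hmac.new(bdk, b"session-key|" + ksn, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with an HMAC-generated keystream.
    Symmetric, so the same call encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Terminal:
    """POI side: advances its counter, derives a fresh key, encrypts."""

    def __init__(self, bdk: bytes, device_id: bytes):
        self.bdk = bdk
        self.device_id = device_id
        self.counter = 0

    def encrypt_transaction(self, pan: str) -> dict:
        self.counter += 1
        ksn = self.device_id + self.counter.to_bytes(4, "big")
        key = derive_session_key(self.bdk, ksn)
        # Only the KSN and ciphertext leave the device; the key is discarded.
        return {"ksn": ksn, "ciphertext": keystream_xor(key, pan.encode())}


class SafeHarbor:
    """Decryption side (HSM): re-derives the key and enforces counter order."""

    def __init__(self, bdk: bytes):
        self.bdk = bdk
        self.last_counter = {}  # device_id -> highest counter seen

    def decrypt_transaction(self, msg: dict) -> str:
        ksn = msg["ksn"]
        device_id, counter = ksn[:-4], int.from_bytes(ksn[-4:], "big")
        # A counter that does not advance means a session key is being
        # reused (a replay, or stored ciphertext being resubmitted), which
        # the FAQ above treats as a fraud indicator.
        if counter <= self.last_counter.get(device_id, 0):
            raise ValueError(f"session key reuse for device {device_id!r}")
        self.last_counter[device_id] = counter
        key = derive_session_key(self.bdk, ksn)
        return keystream_xor(key, msg["ciphertext"]).decode()


def demo() -> bool:
    """Two transactions on one terminal: different ciphertexts, both decrypt,
    and a resubmission of the first is rejected. Returns True when all hold."""
    pos = Terminal(BDK, b"DEV00001")  # constructed device identifier
    hsm = SafeHarbor(BDK)
    pan = "4111111111111111"          # well-known test card number
    first, second = pos.encrypt_transaction(pan), pos.encrypt_transaction(pan)
    unique = first["ciphertext"] != second["ciphertext"]
    ok = hsm.decrypt_transaction(first) == pan and hsm.decrypt_transaction(second) == pan
    try:
        hsm.decrypt_transaction(first)
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return unique and ok and replay_blocked


if __name__ == "__main__":
    print("demo passed" if demo() else "demo failed")
```

Real DUKPT differs in the details (a 21-bit counter, a tree of future keys so the device can erase each key after use, TDES or AES as the cipher), but the properties shown are the ones the page relies on: one key per transaction, the key recoverable only by the party holding the BDK, and counter reuse visible to the decryptor.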

Does ACI provide P2PE solutions?

ACI’s proven, scalable and secure P2PE solution is available across most devices ACI supports, including VeriFone, Ingenico and PAX devices. ACI P2PE can either be provided in our cloud environment or for you to host on your own premises.

ACI also offers PCI-certified validated point-to-point encryption (VP2PE) to give merchants additional PCI-compliance relief. VP2PE ensures that PCI-mandated P2PE protocols are correctly observed to maintain the integrity of the merchant’s P2PE process.

Contact us today to learn more about ACI Worldwide’s point-to-point encryption solutions.