Deciphering payment security lingo: What is P2PE?
When it comes to payment processing security, merchants should be familiar with a few key terms. One of these is P2PE, or point-to-point encryption. Understanding the role P2PE plays in processing a payment transaction can help merchants take the necessary steps to protect themselves and their customers from a costly data breach.
Although P2PE isn't the only tool that helps protect sensitive payment data from theft, many experts rank it highly. When polled about security strategies, financial executives rated P2PE as the measure likely to have the greatest impact on data security and fraud reduction, ranking it above tokenization and EMV. It takes more than one strategy to optimize security, but implementing the right solutions is a good first step. Let’s take a closer look.
What is P2PE?
Through a combination of secure devices, applications, and processes, businesses can encrypt card data at the point of interaction and keep it encrypted all the way to the P2PE solution provider’s secure decryption environment. The merchant never holds the decryption key, so card data intercepted anywhere between those two points is only ciphertext and has no value to a thief.
Whenever a card is swiped or dipped, a series of digital exchanges follows: the issuing bank determines whether the cardholder has sufficient funds to complete the transaction and sends a message back to the merchant to approve the purchase. Every hop in that chain is a place where card data could be exposed. P2PE protects card data in flight through the merchant's systems, so that a compromise of those systems does not yield usable cardholder data.
A P2PE solution comprises several components, including hardware, software, and processes. Here are a few specific terms to be aware of:
- P2PE Solution Provider: A third-party payment processor, payment gateway provider, or acquirer that creates a solution that will protect customer data and reduce the merchant's risk.
- P2PE Solution: The solution itself contains encryption and decryption environments, configuration and design, Point of Interaction devices, and any other necessary components.
- Point of interaction (POI): This term refers to the technology merchants use to take the customer's credit card information, such as a magnetic stripe or chip-and-PIN reader. Relevant applications on the POI must also be compliant with P2PE requirements.
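To make the flow above concrete, here is an added simulation (not code from the page or from any P2PE vendor) of the three roles just defined: a POI that encrypts card data the moment it is read, merchant systems that only ever forward ciphertext, and a provider-side decryption environment that alone holds the key material. The key scheme is a simplification of per-transaction key derivation as used by real solutions (ANSI X9.24 DUKPT in PCI-approved hardware); the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library. The base derivation key, device serial and card number are constructed sample values.

```python
"""Toy P2PE transaction flow: encrypt at the POI, forward ciphertext through
merchant systems, decrypt only in the provider's decryption environment.
Constructed example; key derivation and cipher are stand-ins for the
HSM-backed DUKPT/TDES/AES schemes that assessed P2PE solutions use."""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def derive_device_key(bdk: bytes, serial: str) -> bytes:
    """Provider injects each POI with a key derived from its base derivation key (BDK)."""
    return hmac.new(bdk, b"device:" + serial.encode(), hashlib.sha256).digest()


def derive_txn_key(device_key: bytes, counter: int) -> bytes:
    """One key per transaction: exposure of a single key exposes a single transaction."""
    return hmac.new(device_key, b"txn:" + struct.pack(">Q", counter), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
    return out[:length]


def _subkeys(txn_key: bytes):
    return (hmac.new(txn_key, b"enc", hashlib.sha256).digest(),
            hmac.new(txn_key, b"mac", hashlib.sha256).digest())


def encrypt(txn_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(txn_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(txn_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(txn_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # modification in flight is detected
        raise ValueError("P2PE integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PointOfInteraction:
    """Card reader: the only merchant-side component that ever sees the clear PAN."""
    def __init__(self, serial: str, device_key: bytes):
        self.serial, self.device_key, self.counter = serial, device_key, 0

    def read_card(self, pan: str, expiry: str) -> dict:
        self.counter += 1
        txn_key = derive_txn_key(self.device_key, self.counter)
        track = json.dumps({"pan": pan, "expiry": expiry}).encode()
        return {"serial": self.serial, "counter": self.counter,
                "last4": pan[-4:],  # a truncated PAN may travel in the clear
                "ciphertext": encrypt(txn_key, track).hex()}


class DecryptionEnvironment:
    """Provider side: holds the BDK, re-derives the transaction key, rejects replays."""
    def __init__(self, bdk: bytes):
        self.bdk, self.seen = bdk, {}

    def process(self, msg: dict) -> dict:
        if msg["counter"] <= self.seen.get(msg["serial"], 0):
            raise ValueError("replayed or out-of-order transaction counter")
        self.seen[msg["serial"]] = msg["counter"]
        txn_key = derive_txn_key(derive_device_key(self.bdk, msg["serial"]), msg["counter"])
        return json.loads(decrypt(txn_key, bytes.fromhex(msg["ciphertext"])))


def setup_demo():
    """Constructed BDK and device serial; a real BDK lives only inside the provider's HSM."""
    bdk = hashlib.sha256(b"constructed demo BDK, never reuse").digest()
    return PointOfInteraction("POI-0001", derive_device_key(bdk, "POI-0001")), DecryptionEnvironment(bdk)


def run_transaction(pan="4111111111111111", expiry="12/29"):
    """Returns what the merchant network carried and what the provider recovered."""
    poi, provider = setup_demo()
    msg = poi.read_card(pan, expiry)  # merchant POS/network forwards msg unchanged
    return msg, provider.process(msg)


def merchant_can_see_pan(msg: dict, pan: str) -> bool:
    """What a breach of the merchant's systems would yield is this message alone."""
    return pan in json.dumps(msg)


def tamper_is_detected() -> bool:
    poi, provider = setup_demo()
    msg = poi.read_card("4111111111111111", "12/29")
    raw = bytearray(bytes.fromhex(msg["ciphertext"]))
    raw[NONCE_LEN] ^= 0x01  # flip one ciphertext bit between POI and provider
    msg["ciphertext"] = raw.hex()
    try:
        provider.process(msg)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    seen_by_merchant, recovered = run_transaction()
    print("merchant systems carry:", seen_by_merchant)
    print("decryption environment recovers:", recovered)
```

The point the simulation makes is the one behind the reduced PCI DSS scope: the merchant's POS, network and servers handle a message in which the PAN appears only as ciphertext under a key they never possess, so a compromise of those systems yields nothing a thief can use, and any modification of the message in flight fails the integrity check at the provider.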
Compliance with PCI standards
Any organization or merchant that accepts, transmits or stores any cardholder data must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply leaves a merchant vulnerable to a data breach and the ensuing negative fallout including fines, fees, and reputational damage. The PCI DSS includes requirements for security policies, procedures, management, software design, network architecture, and other protective measures.
Merchants using a PCI P2PE solution have the advantage of simplified compliance efforts, because they are subject to fewer PCI DSS requirements (3). However, a PCI P2PE solution is just one piece of PCI compliance. Merchants also have to meet other requirements. The most recent mandates are outlined in the PCI DSS 3.0, and include the key themes of education and awareness, increased flexibility, and security as a shared responsibility.
As data breaches continue to make news, alarming consumers and merchants alike, it is even more critical for businesses to stay informed about security terms like P2PE, and in compliance with PCI standards. Maintaining payment security is an ongoing process that is never finished, but keeping security top-of-mind benefits customers and merchants in the long run.