The Definitive Guide to P2PE
Whether you’re a veteran or a newcomer to the payments industry, you know that there is a great deal of misinformation out there. One topic that has grown increasingly convoluted is the debate between P2PE (point-to-point encryption) and E2EE (end-to-end encryption). Why is it important to know the difference? The encryption solution that an educational institution, healthcare system, or merchant chooses can determine its level of PCI scope, its IT infrastructure requirements, and much, much more. Follow the Arrow Payments team as we put this issue to rest (hopefully once and for all).
All the difference in the world
In technical terms, E2EE is a generic term that describes any solution that encrypts communications from one endpoint to another endpoint. This makes P2PE a subcategory of E2EE. Both are methods of encrypting payment card data at the moment a transaction is made at a POS (point-of-sale) terminal, also called the POI (point of interaction).
In a P2PE solution, the “packet” of transaction data is encrypted at the POI and then transported to an off-site solution provider. There, the data is decrypted using a specific cryptographic key, and the decrypted, plain data is then sent through an encrypted tunnel to the acquirer. In an E2EE solution, on the other hand, the transaction data is encrypted at the POI and sent directly to the acquirer.
Who’s got the keys?
At first glance, the E2EE solution may seem more secure. The difference, however, is that a PCI-validated P2PE solution, together with all of its applications and components (payment terminals and technologies), has been rigorously inspected and verified by an independent assessor. Besides providing assurance that the secure DUKPT (derived unique key per transaction) methodology is implemented, the validation confirms the integrity of the provider’s cryptographic key management, encryption, decryption, and incident response protocols. Ultimately, an E2EE solution cannot provide independent assurance that its key management operations are secure.
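To make the key-management picture above concrete, here is an added walkthrough (our own illustration, not code from any P2PE solution or from the PCI standard) of the three parties in a P2PE flow: the decryption environment that holds a base derivation key (BDK), a terminal that is injected with a device-unique key and derives a fresh key for every transaction, and a merchant network that only ever forwards ciphertext plus the key serial number (KSN). HMAC-SHA256 stands in for the DUKPT block-cipher derivation and a toy XOR keystream stands in for the real cipher; the key, device id and PAN are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values for the walkthrough; not real keys or device ids.
BDK = bytes.fromhex("0123456789abcdef0123456789abcdef")  # held only in the decryption environment
DEVICE_ID = b"POI-0001"                                   # terminal identifier, the fixed part of the KSN


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step. HMAC-SHA256 stands in for the X9.24 block-cipher derivation."""
    return hmac.new(key, label, hashlib.sha256).digest()


def inject_terminal(bdk: bytes, device_id: bytes) -> bytes:
    """Key injection: the POI receives a device-unique initial key, never the BDK itself."""
    return kdf(bdk, b"initial-key:" + device_id)


def txn_key(initial_key: bytes, counter: int) -> bytes:
    """Per-transaction key: a fresh key for every value of the transaction counter."""
    return kdf(initial_key, b"txn:" + counter.to_bytes(4, "big"))


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy encryption: XOR with an HMAC-derived keystream (illustration only, not a production cipher)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(kdf(key, b"keystream:" + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(b ^ s for b, s in zip(data, stream))


def poi_encrypt(initial_key: bytes, counter: int, pan: bytes) -> dict:
    """Point of interaction: encrypt the card data. The KSN (device id + counter) travels in the clear."""
    k = txn_key(initial_key, counter)
    ct = xor_stream(k, pan)
    return {"ksn": (DEVICE_ID, counter), "ciphertext": ct, "tag": kdf(k, b"mac:" + ct)[:16]}


def provider_decrypt(bdk: bytes, packet: dict) -> bytes:
    """Decryption environment: re-derives the transaction key from the BDK and the KSN alone."""
    device_id, counter = packet["ksn"]
    k = txn_key(inject_terminal(bdk, device_id), counter)
    if not hmac.compare_digest(packet["tag"], kdf(k, b"mac:" + packet["ciphertext"])[:16]):
        raise ValueError("integrity check failed: packet altered in transit")
    return xor_stream(k, packet["ciphertext"])


if __name__ == "__main__":
    ik = inject_terminal(BDK, DEVICE_ID)              # done once, in a secure key-injection facility
    packet = poi_encrypt(ik, 7, b"4111111111111111")  # constructed test PAN, encrypted at the POI
    # The merchant network only ever forwards 'packet': a KSN and opaque ciphertext, no keys.
    print(provider_decrypt(BDK, packet))              # the solution provider recovers the PAN
```

Everything the merchant network handles is in `packet`, which is why a validated P2PE deployment can treat that network as out of scope; the provider needs nothing but the BDK and the KSN to decrypt.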
The scope needs soap
With validated P2PE, the merchant, university, or healthcare system never has access to the encryption or decryption keys. From a scope reduction perspective, this means that the payment network can be considered “out of scope”, which is great news. When implemented properly, this gives businesses a significant advantage in reducing PCI DSS validation efforts while maintaining security, because validated P2PE solutions undergo ongoing assessment and improvement under a robust PCI Council program.
Life in the fast lane
So how do P2PE solutions reduce PCI DSS validation efforts? Merchants that implement a PCI-validated P2PE solution may be eligible to use the self-assessment questionnaire SAQ P2PE to demonstrate compliance with the requirements applicable to their P2PE environment. Although it does not remove the need for all controls, it reduces the ones that need to be validated, streamlining the compliance process. (To be exact, the PCI SAQ can be shrunk down from 12 sections to 4, and the controls can be reduced from as many as 329 questions to just 35.)
Think of it like a fast lane at an amusement park.
The bottom line
Finding a validated P2PE solution that meets the needs of your university, healthcare system, or business can be difficult. We can help. With a proven track record of revamping payment processing at complex organizations, we know how hard it can be. Let us make it easy.