Point-To-Point Encryption and PCI Compliance Explained

Point-to-point encryption makes data in transit unreadable for potential hackers, protecting you and your customers from data breaches.


The evolution of card payments has done wonders for the world of commerce. But as the industry has grown, so has the prevalence of data breaches and fraudulent activity. In 2018, the hotel group Marriott International announced that attackers had stolen data from approximately 500 million of its customers. But thanks to encryption, no money was stolen.

Data breaches feed the fire of fraud – especially when that data contains card details or other personal information. When you don’t take the proper precautions, not only do you risk your customers’ data and bank accounts being breached, but you also risk fines and other business penalties – not to mention your public image.

Thankfully, the Payment Card Industry Security Standards Council (PCI SSC) has established point-to-point encryption (P2PE). P2PE is an encryption standard that stipulates that cardholder information is encrypted immediately at the point of sale (POS), that is, the moment a card is tapped or swiped on your POS terminal, and isn’t decrypted until the payment is processed by your payment processor.

“Point-to-point” encompasses the journey that data takes between the terminal and the acquirer, and “encryption” is the process of converting that data into an unintelligible form.

So, in the milliseconds after any payment is made, sensitive information travels between the POS terminal and the acquirer. P2PE encrypts that sensitive information and protects cardholder data, both in transit and at rest.


Read on for our experts’ answers to some of the frequently asked questions that we hear from our merchant customers about P2PE.

What are the PCI council’s P2PE requirements?

  • Encryption of card information at the POS payment terminal
  • Secure management of all encryption and decryption devices
  • P2PE applications at the POS
  • Use of encryption methodologies and cryptographic key operations

To meet these standards, you need a P2PE solution. And not just any P2PE solution, but one that is PCI-approved. PCI-validated P2PE solutions include not just P2PE itself but also ‘validated hardware, software, and solution provider environment and processes. Validation is done by a PCI-qualified assessor’. Check out more about PCI SSC and P2PE solutions here.

How does P2PE work?

P2PE encrypts card information at the POS, which means as soon as a card has been tapped or swiped. An algorithm turns the information into unreadable ciphertext, which is then transferred to the payment service provider (PSP), where it is decrypted using a secure key.

Because decryption happens only at the PSP, you, as a merchant, never have to see your customers’ personal financial information. And, as mentioned above, P2PE solutions run on both hardware and software.

The hardware of a POS device used to capture card information, such as a contactless reader, chip-and-PIN reader or magnetic stripe reader, must be compliant with P2PE standards as defined by the PCI SSC. Software solutions contain encryption, application, decryption and key management environments, configuration and other components.
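To make the flow above concrete, here is a small model of the three parties in Go. It is an added illustration, not code from emerchantpay or from any PCI-listed P2PE solution: the terminal encrypts the cardholder data the instant it is captured, the merchant environment only forwards an opaque record it has no key for, and the PSP decrypts inside its own environment. A single randomly generated symmetric key shared by the terminal and the PSP stands in for the key-management scheme a real solution uses, the key identifier `terminal-0001` and the test PAN are constructed sample values, and AES-GCM is used so that any tampering with the record in transit is detected rather than silently decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedCardData is the opaque record the POS terminal hands to the
// merchant's systems. Nothing in it reveals the PAN; only the PSP, which
// holds the matching key, can recover the cardholder data.
type EncryptedCardData struct {
	KeyID      string // hypothetical label telling the PSP which key to use
	Nonce      []byte // fresh random nonce for each transaction
	Ciphertext []byte // AES-GCM ciphertext with the authentication tag appended
}

// newGCM wraps a 256-bit key in AES-GCM (authenticated encryption).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// terminalEncrypt models the "encrypt at the moment of tap or swipe" step.
// The cardholder data exists in plaintext only inside this function.
func terminalEncrypt(key []byte, keyID, cardholderData string) (EncryptedCardData, error) {
	aead, err := newGCM(key)
	if err != nil {
		return EncryptedCardData{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCardData{}, err
	}
	// The key identifier is bound as additional authenticated data, so it
	// cannot be swapped for another identifier without failing authentication.
	ct := aead.Seal(nil, nonce, []byte(cardholderData), []byte(keyID))
	return EncryptedCardData{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// merchantForward is all the merchant environment does: pass the opaque
// record on to the PSP. It holds no key and cannot read the record.
func merchantForward(msg EncryptedCardData) EncryptedCardData { return msg }

// merchantCanReadPAN reports whether the plaintext PAN appears anywhere in
// what the merchant handles; with encryption in place it never does.
func merchantCanReadPAN(msg EncryptedCardData, pan string) bool {
	return bytes.Contains(msg.Ciphertext, []byte(pan))
}

// pspDecrypt models decryption inside the PSP's secure environment. Any
// change to the ciphertext, nonce or key identifier is rejected.
func pspDecrypt(keys map[string][]byte, msg EncryptedCardData) (string, error) {
	key, ok := keys[msg.KeyID]
	if !ok {
		return "", errors.New("unknown key id")
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, msg.Nonce, msg.Ciphertext, []byte(msg.KeyID))
	if err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	// Constructed sample: a 256-bit key injected into the terminal and held by
	// the PSP, and a widely published test PAN (not a real card).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	keys := map[string][]byte{"terminal-0001": key}
	card := "4111111111111111|12/29"

	msg, err := terminalEncrypt(key, "terminal-0001", card)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant can read PAN: %v\n", merchantCanReadPAN(msg, "4111111111111111"))

	pt, err := pspDecrypt(keys, merchantForward(msg))
	fmt.Printf("PSP recovered cardholder data: %v (err=%v)\n", pt == card, err)

	// A single flipped bit in transit is detected, not decrypted into garbage.
	msg.Ciphertext[0] ^= 0x01
	_, err = pspDecrypt(keys, msg)
	fmt.Printf("tampered record rejected: %v\n", err != nil)
}
```

The point the merchant should take from the model is the shape of `merchantForward`: the only thing the merchant's systems ever hold is a record they cannot open, which is exactly what lets a P2PE solution take those systems out of scope for much of PCI DSS.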

What are the benefits of a P2PE solution?

PCI Data Security Standards (DSS) and PCI compliance are mandatory for any business or entity that accepts, transmits or stores cardholder data. Therefore, the main benefit of P2PE is that it helps reduce the scope of your PCI compliance – which includes security policies, procedures, management, software design, network architecture and other elaborate protective measures – and drastically simplifies the entire compliance process. This saves your business time and money.

Here’s a list of the benefits of implementing a PCI SSC listed P2PE solution:

  • Reduce the risk of payment card data loss;
  • Remove any personal liability by rendering all cardholder data invisible to you (it can only be decrypted in your solution provider’s environment);
  • Minimise the scope of your PCI DSS compliance;
  • Simplify PCI DSS compliance overall – save time and money.

As a merchant, am I responsible for P2PE?

No, merchants are not liable for P2PE compliance. That responsibility lies with your PSP who provides your P2PE solution. In the unlikely event of a data breach, the provider will be held accountable for all potential penalties like fines and card replacement costs.

How to implement a P2PE solution

When looking for a PSP to work with, make sure they can provide the tools and software necessary to monitor transactions in real time and ensure that encryption is implemented correctly and in full compliance with the PCI DSS.

emerchantpay is a leading global payment service provider for online, in-app and in-store payments. Our global payments solution is available through a simple integration, offering a wealth of features, including global acquiring, alternative payment methods, fraud and risk management and performance optimisation. We enable businesses everywhere to create a seamless and engaging payments experience for consumers anywhere with P2PE compliance.

If you’re looking for a PSP to help optimise your payment mix, with one of our payments experts.

