What is P2PE (Point-to-Point Encryption)?

There are several credit card networks, such as Visa, MasterCard, and American Express. These networks are universal, and have partnered with multiple banks around the world to create credit cards, debit cards, ATM cards, and even branded loyalty cards for businesses.

For your business to accept payments by credit card, either in person or online, certain security requirements must be met. Most of these security measures are defined and enforced by PCI (Payment Card Industry) standards. While PCI is not a legal authority and its standards are not laws, many networks (like Visa) won’t do business with you unless you comply with PCI.

The PCI has many components, including PCI DSS (Data Security Standard), QIR (Qualified Integrator & Reseller), PTS (PIN Transaction Security), PED (PIN Entry Device), SRED (Secure Reading & Exchange of Data), and P2PE (Point-to-Point Encryption). Every business has its own compliance requirements, and you don’t necessarily need all of them.

Understanding P2PE

This term refers to a comprehensive system of encryption and decryption that protects card data from the customer, through the merchant processor, across both banks, and back to the merchant. PCI maintains a comprehensive list of point-to-point encryption solution providers that it has sanctioned, approved, and verified. Some products offer good encryption but have not been validated by PCI, so they are described as E2E (end-to-end) encryption instead.

Businesses don’t seek or achieve P2PE on their own. Instead, this qualification is sought by merchant processors. As a business, your task is to sign up with a merchant processor that already has validated P2PE. Both P2PE and E2E focus on safe credit card transactions by ensuring instant verification of customer card data.

This immediate processing speed prevents fraud because it gives hackers no window to intercept card data and redirect it for malicious use. It also reassures customers, which leads to repeat purchases and reduces the chances of abandoned carts, double billing, or fees from cancelled transactions.

Comprehensive security solutions

P2PE isn’t a one-step process. It’s a complete system that involves hardware, software, encryption, decryption, gateways, devices, and even the human component. For merchant processing software to be listed by PCI as a P2PE solution, it must be thoroughly assessed, tested, and vetted. And although you often hear of P2PE certification, there is no certificate document. Rather, it’s a proven validation that gets payment processors onto the official PCI Council list.

Similarly, PCI itself doesn’t validate payment solutions for P2PE. This is done by third-party assessors called P2PE-QSAs (Qualified Security Assessors). The assessors themselves are tested and qualified by the PCI, and they in turn review merchant processors and submit them to PCI if they qualify.

P2PE encrypts card data from the moment a customer swipes their card or types their details into a website. This means that even if someone intercepts the data and tries to steal it, they see only ciphertext they cannot decipher. Decryption can only take place in the payment gateway processor’s decryption environment, never in the merchant’s own systems. To ensure customers’ safety, get a merchant processor with P2PE.
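The flow just described can be shown in code. The following Go program is an added illustration, not code from Charge.com or from any PCI-listed P2PE solution provider. It models three parties: a point-of-interaction (POI) terminal that encrypts the card number the instant it is read, a merchant system that only forwards the record, and the solution provider's decryption environment that alone holds the key. It assumes a single AES-256-GCM key shared by the terminal and the decryption environment; real P2PE solutions keep keys inside PTS-approved hardware with per-transaction key management, and the type and function names (POIDevice, DecryptionEnvironment, MerchantCanSeePAN, RunFlow) are invented for this example. The test card number is a constructed, non-live value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// POIDevice stands in for a PTS-approved terminal. A static key is an
// assumption made for brevity; real devices derive keys per transaction
// inside tamper-responsive hardware.
type POIDevice struct{ key []byte }

// DecryptionEnvironment is the solution provider's side holding the matching key.
type DecryptionEnvironment struct{ key []byte }

// EncryptedTransaction is everything the merchant ever sees: opaque ciphertext,
// a nonce, and the cleartext amount the merchant legitimately needs.
type EncryptedTransaction struct {
	Nonce      []byte
	Ciphertext []byte
	Amount     string
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Capture encrypts the PAN at the moment of the swipe. The amount is bound as
// associated data so it cannot be altered in transit without detection.
func (d POIDevice) Capture(pan, amount string) (EncryptedTransaction, error) {
	aead, err := newAEAD(d.key)
	if err != nil {
		return EncryptedTransaction{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTransaction{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(amount))
	return EncryptedTransaction{Nonce: nonce, Ciphertext: ct, Amount: amount}, nil
}

// MerchantCanSeePAN is the check a merchant would want: does the cleartext
// card number appear in any field that passes through the merchant's systems?
func MerchantCanSeePAN(tx EncryptedTransaction, pan string) bool {
	p := []byte(pan)
	return bytes.Contains(tx.Ciphertext, p) ||
		bytes.Contains(tx.Nonce, p) ||
		bytes.Contains([]byte(tx.Amount), p)
}

// Decrypt recovers the PAN only inside the decryption environment; any change
// to the nonce, ciphertext or amount makes GCM reject the record outright.
func (e DecryptionEnvironment) Decrypt(tx EncryptedTransaction) (string, error) {
	aead, err := newAEAD(e.key)
	if err != nil {
		return "", err
	}
	pan, err := aead.Open(nil, tx.Nonce, tx.Ciphertext, []byte(tx.Amount))
	if err != nil {
		return "", errors.New("record rejected: tampered or wrong key")
	}
	return string(pan), nil
}

// FlowResult summarises one transaction from swipe to decryption.
type FlowResult struct {
	Recovered       string // PAN as recovered inside the decryption environment
	MerchantSeesPAN bool   // whether cleartext PAN was visible to the merchant
	TamperRejected  bool   // whether an altered record was refused
}

// RunFlow drives one transaction end to end with a fresh demo key that only the
// POI device and the decryption environment hold (constructed for this example).
func RunFlow(pan, amount string) (FlowResult, error) {
	var res FlowResult
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return res, err
	}
	poi := POIDevice{key: key}
	provider := DecryptionEnvironment{key: key}

	tx, err := poi.Capture(pan, amount)
	if err != nil {
		return res, err
	}
	res.MerchantSeesPAN = MerchantCanSeePAN(tx, pan) // merchant only forwards tx
	if res.Recovered, err = provider.Decrypt(tx); err != nil {
		return res, err
	}

	// A record altered in transit (here the amount) fails authentication.
	tampered := tx
	tampered.Amount = "999.00"
	_, tErr := provider.Decrypt(tampered)
	res.TamperRejected = tErr != nil
	return res, nil
}

func main() {
	res, err := RunFlow("4111111111111111", "19.99") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant saw PAN: %v; provider recovered PAN ending %s; tampered copy rejected: %v\n",
		res.MerchantSeesPAN, res.Recovered[len(res.Recovered)-4:], res.TamperRejected)
}
```

The point of the example is the division of keys, not the cipher: the merchant system never holds a key, so even a full compromise of it yields only ciphertext, and binding the amount as associated data means a record altered between terminal and gateway is refused rather than silently decrypted.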

For more information on point-to-point encryption solutions, or to sign up for a merchant account, please call (888) 924-2743 or go to Charge.com.
