Point-to-point encryption (P2PE) is a standard established by the Payment Card Industry (PCI) Security Standards Council that must be adhered to by merchant account service providers. P2PE instantly encrypts sensitive credit card data and information into indecipherable code as it is swiped to prevent fraud. It is a security solution designed to maximize card payment security.
The PCI standard defines the requirements as a solution that must comprise a complete set of hardware, software, gateway, decryption, device handling, and so on, that all combine to encrypt cardholder information. Only full solutions will be validated by the PCI standards, and individual components will not be validated one by one. Further, P2PE solutions will only be validated by the PCI, but not certified, because no P2PE certification exists.
The PCI Security Standards Council does not validate solutions. Point-to-point encryption qualified security assessors are independent third-party companies that assess solutions against the standards. These assessors have met the PCI Security Standards Council requirements of education and experience and have passed the prescribed exams.
Under the PCI Security Standards Council rules, the P2PE solution provider is the third party (processor, acquirer, or payment gateway) that carries overall responsibility for the design, implementation, management, and maintenance of a P2PE solution for its merchant customers.
What are the Benefits of Point-to-Point Encryption?
The technical and regulatory aspects can be mind-boggling, but the benefits are very real! Point-to-point encryption significantly limits the risk of credit card payment fraud because of the instant encryption of sensitive data into an indecipherable code. This applies whether the card is “swiped” (magnetic stripe cards) or “dipped” (microchip-enabled cards).
The payment process with point-to-point encryption is faster than other transaction processes, simplifying customer-merchant transactions. Merchants with validated P2PE solutions save time and money because they face fewer PCI requirements. Companies that use a P2PE validated solution provider have only to complete four sections of the PCI Self-Assessment Questionnaire, as opposed to twelve sections for companies that don’t use a P2PE validated solution provider. The controls are reduced from three hundred and twenty-nine to thirty-five. Also, in the event of fraud, the P2PE solution provider is held responsible for data loss and not the merchant.
How Does it Help You?
If you’re still not convinced of the benefits of point-to-point encryption, a true P2PE solution is determined by three prime factors:
- The solution utilizes a hardware-to-hardware encryption and decryption process together with a POI device that has Secure Reading and Exchange of Data (SRED) listed as a function
- The solution has been validated to the PCI P2PE standard, which includes specific POI device requirements including strict shipping controls, tamper-evident packaging and installation
- The solution includes merchant education in the form of a P2PE instruction manual that guides the merchant on POI device usage, storage, repair and regular PCI reporting
If you are serious about the integrity of your business and the security of your customers’ sensitive card information, your business must ensure that your merchant service provider utilizes a P2PE validated solution.