The Definitive Guide to P2PE

Whether you’re a veteran or a newcomer to the payments industry, you know that there is misinformation out there. One topic that has grown increasingly convoluted is the debate of P2PE (point-to-point encryption) and E2EE (end-to-end encryption). Why is it important to know the difference? The encryption solutions that educational institutions, healthcare systems, and merchants choose can determine the level of PCI scope, IT infrastructure requirements, and much, much more. Follow the Arrow Payments team as we put this issue to rest (hopefully once and for all).

All the differences in the world

In technical terms, E2EE is a generic term that describes any solution that encrypts communications from one endpoint to another endpoint. This makes P2PE a subcategory of E2EE. Both are methods of encryption that process payment card data at a POS (point-of-sale) device or POI (point of interaction).

For a P2PE solution, the “packet” of transaction data is encrypted at the POI and then transported to an off-site solution provider. Data gets decrypted using a specific cryptographic key, and then the unencrypted, plain data is sent through an encrypted tunnel to the acquirer. On the other hand, an E2EE solution encrypts the transaction data at the POI and sends it directly to the acquirer.

Who’s got the keys?

At first glance, the E2EE solution may seem more secure. However, the difference is that a PCI-validated P2PE solution gets rigorously inspected and verified by an independent assessor. Besides assuring that the DUKPT methodology is implemented, the integrity of a provider’s cryptographic key-management, encryption, decryption, and incident response protocols is ensured. Ultimately, an E2EE solution cannot provide independent assurance that key management operations are secure.
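
To make the trust boundaries from the two sections above concrete, here is an added Python model of the P2PE packet flow; it is not code from Arrow Payments or from any P2PE solution provider. The solution provider is the only party holding the base derivation key (BDK), the POI device is injected with a device key derived from it, and each transaction is encrypted under a fresh per-transaction key, so the merchant only ever handles ciphertext. The key derivation and the cipher are HMAC-SHA256 stand-ins for the ANSI X9.24 DUKPT derivation and the TDES/AES cipher real terminals use (the real scheme also discards used keys for forward security, which this simplification does not attempt), and every key, KSN and PAN value is constructed sample data.

```python
"""Simplified model of a P2PE transaction: encrypt at the POI, decrypt at the
solution provider, merchant network sees ciphertext only.

Key derivation and encryption are HMAC-SHA256 based stand-ins for the
ANSI X9.24 DUKPT derivation and the TDES/AES cipher used by real devices;
this illustrates who holds which key, it is not an implementation of DUKPT.
"""
import hashlib
import hmac
import os

# Constructed sample values; not real keys, KSNs or cardholder data.
SAMPLE_BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")
SAMPLE_DEVICE_ID = bytes.fromhex("ffff9876543210")  # KSN prefix identifying the device
SAMPLE_PAN = "4111111111111111"                    # well-known test PAN, not a real card

TAG_LEN = 16
HEADER_LEN = 7 + 3 + 12  # device id + counter + nonce


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation (stand-in for the X9.24 one-way key derivation)."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(part)
    return mac.digest()


def initial_device_key(bdk: bytes, device_id: bytes) -> bytes:
    """Key injection: the device key (IPEK) is derived from the BDK once, inside
    the provider's key injection facility. The BDK itself never leaves there."""
    return kdf(bdk, b"IPEK", device_id)


def transaction_key(ipek: bytes, counter: int) -> bytes:
    """One key per transaction, derived from the device key and the counter."""
    return kdf(ipek, b"TXN", counter.to_bytes(3, "big"))


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher style encryption: XOR the data with an HMAC-derived keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += kdf(key, b"KS", nonce, block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """Authentication tag so tampering or a wrong key is detected before use."""
    return kdf(key, b"TAG", header, ciphertext)[:TAG_LEN]


class POIDevice:
    """Terminal: holds its device key and a counter, never the BDK."""

    def __init__(self, device_id: bytes, ipek: bytes):
        self.device_id = device_id
        self.ipek = ipek
        self.counter = 1

    def encrypt(self, pan: str) -> bytes:
        """Packet leaving the POI: KSN (device id + counter), nonce, ciphertext, tag."""
        key = transaction_key(self.ipek, self.counter)
        header = self.device_id + self.counter.to_bytes(3, "big") + os.urandom(12)
        ciphertext = _xor_keystream(key, header, pan.encode())
        self.counter += 1
        return header + ciphertext + _tag(key, header, ciphertext)


class SolutionProvider:
    """Decryption environment: the only party holding the BDK."""

    def __init__(self, bdk: bytes):
        self.bdk = bdk

    def decrypt(self, packet: bytes) -> str:
        header, body = packet[:HEADER_LEN], packet[HEADER_LEN:]
        device_id, counter = header[:7], int.from_bytes(header[7:10], "big")
        ciphertext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        # Re-derive the transaction key from the KSN; no key material travels in the packet.
        key = transaction_key(initial_device_key(self.bdk, device_id), counter)
        if not hmac.compare_digest(tag, _tag(key, header, ciphertext)):
            raise ValueError("authentication failed: wrong BDK or tampered packet")
        return _xor_keystream(key, header, ciphertext).decode()


def run_transaction(bdk: bytes = SAMPLE_BDK, pan: str = SAMPLE_PAN) -> tuple:
    """Full flow: injection, encryption at the POI, decryption at the provider.
    Returns (packet as seen by the merchant, PAN recovered by the provider)."""
    device = POIDevice(SAMPLE_DEVICE_ID, initial_device_key(bdk, SAMPLE_DEVICE_ID))
    packet = device.encrypt(pan)  # this is all the merchant network ever carries
    recovered = SolutionProvider(bdk).decrypt(packet)
    return packet, recovered


if __name__ == "__main__":
    packet, recovered = run_transaction()
    print("packet hex:", packet.hex())
    print("recovered at provider:", recovered)
```

The packet carries the KSN in the clear so the provider can re-derive the right key from the BDK; the merchant, holding neither BDK nor device key, cannot, and a provider with the wrong BDK fails the tag check rather than producing garbage. That is the property behind treating the merchant's payment network as out of scope.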

The scope needs soap

With validated P2PE, the merchant, university, or healthcare system does not access encryption or decryption keys. From a scope reduction perspective, this means that the payment network can be considered “out of scope,” which is great news. It allows businesses to gain a significant advantage in reducing PCI DSS validation efforts and maintaining security, as validated P2PE solutions undergo ongoing assessments and improvements according to a robust PCI council program.

Life in the fast lane

So how do P2PE solutions reduce PCI DSS validation efforts? Merchants that implement a PCI P2PE solution may be eligible to use a self-assessment questionnaire (SAQ) P2PE as a reference to prove they are compliant with applicable requirements for their P2PE environment. Although it does not remove the need for all controls, it reduces the ones that need to be validated, streamlining the compliance process. (The PCI SAQ can be shrunk from 12 sections to 4 and reduced from as much as 329 questions to just 35).

Think of it as a fast lane at an amusement park.

The bottom line

Finding a validated P2PE solution that meets the needs of your university, healthcare system, or business can be hard, but we can help. Let us make it easy.

Reach out to us at [email protected], and let’s team up to reduce your PCI scope and provide cost benefits that your organization can enjoy for years to come.