Comparison of terminology of point-to-point versus end-to-end encryption
A point-to-point connection directly links system one (the point of payment card acceptance) to system two (the point of payment processing). Therefore, without the involvement of any other systems, not only do payment transactions take less time but there is greater security and confidentiality. A true P2PE solution is determined by three main factors:
- The solution uses a hardware-to-hardware encryption and decryption process along with a POI device that has SRED (Secure Reading and Exchange of Data) listed as a function.
- The solution has been validated to the PCI P2Pe Standard which includes specific POI device requirements such as strict controls regarding shipping, receiving, tamper-evident packaging, and installation.
- A solution includes merchant education in the form of a P2PE Instruction Manual, which guides the merchant on POI device use, storage, return for repairs, and regular PCI reporting.
Many providers offer end-to-end encryption, which is not part of a PCI-validated P2Pe solution. An end-to-end connection may indirectly link system one (the point of payment card acceptance) to system two (the point of payment processing) but with multiple systems in between. This increases hacker opportunities and they may use software encryption, or may not meet the chain-of-custody requirements of P2Pe. Although not typical, an E2Ee solution could allow for decryption of the card data by the Merchant since there is no standard to meet. If payment card data exists somewhere within the Merchant environment in an unencrypted form, it is risky for both cardholders and Merchants as the unencrypted data can be easily read and stolen.
Additional Info on P2PE
Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. Payment solutions that offer similar encryption but do not meet the P2Pe standard are referred to as end-to-end encryption (E2Ee) solutions. The objective of P2Pe and E2Ee is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data and information into indecipherable code at the time the card is swiped to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.
As a payment card is swiped through a card reading device, referred to as a point of interaction (POI) device, at the Merchant location or point of sale, the device immediately encrypts the card information. A device that is part of a PCI-validated P2Pe solution uses an algorithmic calculation to encrypt confidential payment card data. From the POI, the encrypted, indecipherable codes are sent to the payment gateway or processor for decryption. The keys for encryption and decryption are never available to the merchant, making card data entirely invisible to the retailer. Once the encrypted codes are within the secure data zone of the payment processor, the codes are decrypted to the original card numbers and then passed to the issuing bank for authorization. The bank either approves or rejects the transaction, depending upon the card holder's payment account status. The Merchant is then notified if the payment is accepted or rejected to complete the process along with a token that the Merchant can store. This token is a unique number reference to the original transaction that the merchant can use should they ever be needed to perform research or refund the customer without ever knowing the customer's card information (tokenization).
The P2PE solution provider is a third-party entity (i.e., a Processor, Acquirer, or Payment Gateway) that has overall responsibility for the design and implementation of a specific P2PE solution, and manages P2PE solutions for its Merchant customers. The solution provider has overall responsibility for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on behalf of the solution provider (for example, certification authorities and key-injection facilities).