Point to Point Encryption
Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. Payment solutions which offer similar encryption but do not meet the P2PE standard are referred to as end-to-end encryption (E2EE) solutions. The objective of P2PE and E2EE is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data into indecipherable ciphertext at the time the card is swiped, to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.
The Standard
The P2PE Standard defines the requirements that a "solution" must meet in order to be accepted as a PCI validated P2PE solution. A "solution" is a complete set of hardware, software, gateway, decryption, device handling and so on. Only "solutions" can be validated; individual pieces of hardware such as card readers cannot be validated. It is also a common mistake to refer to P2PE validated solutions as "certified"; there is no such certification.
The determination of whether or not a solution meets the P2PE standard is the responsibility of a P2PE Qualified Security Assessor (P2PE-QSA). P2PE-QSA companies are independent third-party companies who employ assessors that have met the PCI Security Standards Council's requirements for education and experience, and have passed the requisite exam. The PCI Security Standards Council does not validate solutions.
How it works
As a payment card is swiped through a card reading device, referred to as a point of interaction (POI) device, at the merchant location or point of sale, the device immediately encrypts the card information. A device that is part of a PCI validated P2PE solution uses a cryptographic algorithm to encrypt the confidential payment card data. From the POI, the encrypted, indecipherable data is sent to the payment gateway or processor for decryption.[1] The keys for encryption and decryption are never available to the merchant, making card data entirely invisible to the retailer. Once the encrypted data is within the secure data zone of the payment processor, it is decrypted to the original card numbers and then passed to the issuing bank for authorization. The bank either approves or rejects the transaction, depending upon the cardholder's payment account status. The merchant is then notified whether the payment is accepted or rejected, which completes the process, along with a token which the merchant can store. This token is a unique reference number to the original transaction that the merchant can use should they ever need to research or refund the transaction, without ever knowing the customer's card information (tokenization).
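The flow above reduced to its three parties, as an added example that is not taken from the page or from any P2PE solution provider: the POI seals the card number, the merchant only forwards opaque ciphertext it holds no key for, and the processor decrypts in its own zone and returns a per-transaction token. It assumes a single AES-256-GCM key shared by the POI and the processor, a constructed card number, and an in-memory token vault at the processor; real validated solutions use key-management schemes governed by the P2PE requirements, which this simplification does not model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Constructed key material: in a validated solution the AES key is injected into
// the POI hardware and held in the processor's decryption environment; the
// merchant never has it. The token vault likewise exists only at the processor.
var (
	p2peKey = mustRandom(32)
	vault   = map[string]string{} // per-transaction token -> PAN
	gcm     = func() cipher.AEAD {
		block, _ := aes.NewCipher(p2peKey) // 32-byte key: cannot fail
		g, _ := cipher.NewGCM(block)
		return g
	}()
)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// poiEncrypt runs inside the card reader: the PAN is sealed at the moment of
// swipe and leaves the device only as nonce || AES-GCM ciphertext.
func poiEncrypt(pan string) []byte {
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, []byte(pan), nil)
}

// processorDecrypt runs in the processor's secure zone: it recovers the PAN,
// files it in the vault and hands the merchant only a per-transaction token.
// A blob altered anywhere on the merchant's network fails GCM authentication.
func processorDecrypt(blob []byte) (string, error) {
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	pan, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	token := hex.EncodeToString(mustRandom(16))
	vault[token] = string(pan)
	return token, nil
}
```

A later refund needs only the token: the processor resolves it in `vault`, and the merchant's systems never hold the PAN in any form.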
The Solution Provider
According to the PCI Security Standards Council:
The P2PE solution provider is a third-party entity (for example, a processor, acquirer, or payment gateway) that has overall responsibility for the design and implementation of a specific P2PE solution, and manages P2PE solutions for its merchant customers. The solution provider has overall responsibility for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on behalf of the solution provider (for example, certification authorities and key-injection facilities).[2]
Benefits of point-to-point encryption
Customer benefits
P2PE significantly reduces the risk of payment card fraud by instantaneously encrypting confidential cardholder data at the moment a payment card is swiped at the card reading device (payment terminal) or POI.
Merchant benefits
P2PE significantly eases merchant responsibilities:
- With a P2PE validated solution, merchants save significant time and money, as their obligations under the Payment Card Industry Data Security Standard (PCI DSS) may be greatly reduced.[3] For organizations who use a P2PE validated solution provider, the PCI Self Assessment Questionnaire is reduced from 12 sections to 4 sections and the controls are reduced from 329 questions to just 35.[4]
- In the event of fraud, the P2PE Solution Provider, not the merchant, is held accountable for data loss and resulting fines that may be assessed by the card brands (American Express, Visa, MasterCard, Discover, and JCB). The PCI Security Standards Council does not assess penalties on Solution Providers or Merchants.
- The payment process with P2PE is quicker than other transaction processes, creating simpler and faster customer-merchant transactions.[5]
Point-to-point encryption versus end-to-end encryption
Point-to-point
A point-to-point connection directly links system 1 (the point of payment card acceptance) to system 2 (the point of payment processing). Because no other systems are involved, payment transactions not only take less time but also offer greater security and confidentiality. A true P2PE solution is identified by three main factors:
- The solution uses a hardware-to-hardware encryption and decryption process along with a POI device that has SRED (Secure Reading and Exchange of Data) listed as a function.
- The solution has been validated to the PCI P2PE Standard, which includes specific POI device requirements such as strict controls regarding shipping, receiving, tamper-evident packaging and installation.
- A solution includes merchant education in the form of a P2PE Instruction Manual, which guides the merchant on POI device use, storage, return for repairs and regular PCI reporting.
End-to-end
Many providers offer end-to-end encryption, which is not part of a PCI validated P2PE solution. An end-to-end connection may link system 1 (the point of payment card acceptance) to system 2 (the point of payment processing) only indirectly, with multiple systems in between, which increases the opportunity for attack; it may use software encryption; or it may not meet the chain-of-custody requirements of P2PE. Although not typical, an E2EE solution could allow for decryption of the card data by the merchant, since there is no standard to meet. If payment card data exists somewhere within the merchant environment in an unencrypted form, it is risky for both cardholders and merchants, as the unencrypted data can be easily read and stolen.
PCI point-to-point encryption requirements
The requirements include:
- Secure encryption of payment card data at the point of interaction (POI),
- P2PE validated application(s) at the point of interaction,
- Secure management of encryption and decryption devices,
- Management of the decryption environment and all decrypted account data,
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.[6]
Validated point-to-point encryption solutions
The following payment companies provide security through point-to-point encryption:[7]
- Bluefin Payment Systems[8]
- paymentcall[9]
- Cubic Transportation Systems
- Element Payment Services
- European Payment Services[10]
- FIS Payment Solutions
- FreedomPay
- Ingenico
- IPS - International Payment Services
- Worldpay
- The Logic Group[11]
- Mercury Payment Systems
- VeriFone
- ACI Worldwide[12]
- Payment Express[13]
- CardConnect[14]
Qualified Security Assessors of point-to-point encryption
- Amentor
- Coalfire Systems
- CompliancePoint
- Control Case, Control Gap
- Europoint Networking
- Foregenix
- FortConsult
- K3DES
- NCC Group
- Nettitude
- Payment Software Company (PSC)
- SecurityMetrics
- Sikich
- SISA
- SRC Security Research & Consulting
- Sysnet Global Solutions
- Trustwave Holdings
- TÜV SÜD Management Service
- UL Transaction Security
- usd AG[15]
- Verizon/CyberTrust[16]
References
- ↑ "Point-to-Point Encryption (P2PE) | Payment Technology". Creditcall. Retrieved 2014-08-25.
- ↑ "P2Pe FAQs" (PDF). August 2012.
- ↑ "Frequently Asked Questions". PCI Compliance Guide. Retrieved 2014-08-25.
- ↑ "Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance". Retrieved 2015-04-19.
- ↑ "Tokenization | Element Payment Services". Elementps.com. Retrieved 2014-08-25.
- ↑ "PCI SAQ P2PE-HW | Point-to-Point Encryption | Hardware Terminals | PCI Compliance Policies". Pcipolicyportal.com. Retrieved 2014-08-25.
- ↑ "Validated Point-to-Point Encryption (P2PE) Solutions". PCI Security Standards Council, LLC. Retrieved 2015-04-19.
- ↑ "Bluefin Releases White Paper Review on PayConex P2PE Conducted by Coalfire Systems - Bluefin Payment Systems : Bluefin Payment Systems". Bluefin.com. Retrieved 2014-08-25.
- ↑ "Creditcall obtains PCI P2PE certification for ChipDNA".
- ↑ "EPS Total Care First Fully-Validated PCI P2PE Solution - WINDSOR, England, Oct. 30, 2013 /PR Newswire UK/". england: Prnewswire.co.uk. 2013-10-30. Retrieved 2014-08-25.
- ↑ "The Logic Group Achieves World's First Accreditation for PCI P2PE". The-logic-group.com. 2013-05-23. Retrieved 2014-08-25.
- ↑
- ↑
- ↑
- ↑ "P2PE Assessor Companies". Pcisecuritystandards.org. Retrieved 2016-06-24.
- ↑ "P2PE Assessor Companies". Pcisecuritystandards.org. Retrieved 2014-08-25.