P2PE Solutions: 2 Big Ways They Can Benefit Both Merchants and Providers
If you ask any Olympic athlete, they’ll tell you that their selection to the Games is an achievement in itself: being chosen demonstrates a caliber of athleticism a tier above ordinary.
But of course, they know that to medal in their event would be the actual pinnacle. It would take more blood, sweat, and tears to achieve that, but being on the podium is a different level–the kind that earns them even more respect from those of us at home rooting them on.
The difference between point-to-point encryption (P2PE) and other ways of encrypting card data is similar. Encrypting your transactions is like competing at the Olympic Games, but a PCI-listed P2PE solution is the gold medal: it raises the bar for you who earn it, and for the merchants who use it.
Whether you’re a merchant who’s considering using a P2PE solution, or a provider wondering whether to validate your product as P2PE, you stand to benefit big the same way Olympic gold medalists do.
In this article, we’re going to explain why that is. A lot of it has to do with compliance: we are qualified assessors for both PCI DSS and the P2PE standard, which affect merchants and providers respectively.
We know they aren’t easy to go through–either of them–but we’re going to detail some light at the end of the tunnel for you. Whether you’re a merchant or a provider, you’ll learn what an advantage it can be to switch to P2PE.
What are the Benefits to Using a P2PE Solution for a Merchant?
Let’s start with merchants. Credit and debit cards make payment effortless for your customers. Keeping the account data behind those cards safe is not so effortless for you.
If you accept these kinds of transactions all day, every day (say, at a grocery store), protecting that data is a priority. It’s why PCI DSS, and the Self-Assessment Questionnaires (SAQs) used to validate against it, exist: to document the security measures you take to protect the sensitive data constantly passing through your devices.
Why should one of these security measures be P2PE?
1. It Offers the Highest Form of Data Protection.
- P2PE is a standard designed to maximize the security of card-present transactions.
- If you use a P2PE solution, account data is encrypted inside the point-of-interaction (POI) device the moment the card is read, and it stays encrypted until it reaches the solution provider’s decryption environment.
- What’s more, as the merchant, you never handle clear-text card numbers. The encryption keys live only in the PCI-approved POI devices that capture the card data and in the provider’s decryption environment, so everything in between (your POS software, your store network, your back office) only ever sees ciphertext until the provider decrypts it for authorization.
But that’s an obvious reason to use P2PE. Here’s a less obvious, but no less beneficial, one:
2. It Will Simplify Your PCI Compliance Process.
- If you are one of those grocery chains with thousands of devices in use around the country or the globe, the annual PCI DSS assessment process is arduous, because it covers every point-of-sale (POS) device and the networks they sit on.
- However, if you instead use POI devices (think terminals) that are part of a PCI-listed P2PE solution, the PCI DSS assessment gets easier. Instead of assessing your environment against the full standard’s several hundred requirements, an eligible merchant completes SAQ P2PE, a vastly reduced set of controls.
- Why is that? To be listed, the solution has already been assessed against the P2PE requirements covering the flow of account data from the POI device through to the decryption environment. Because that encryption renders the account data unusable to anyone without the keys, most PCI DSS requirements do not apply to merchant systems that only ever handle ciphertext; those controls are effectively removed from scope, which saves you time, money, and stress. One caveat a practitioner should keep in mind: the reduction holds only as long as you have no other channel handling clear-text account data and do not store it electronically. A call-center process or e-commerce site that takes card numbers outside the solution, or a database holding clear-text PANs, pulls those systems right back into scope.
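To make the two points above concrete (the merchant never sees clear-text account data, and the systems that only carry ciphertext are what drop out of PCI DSS scope), here is a small simulation of a P2PE data flow. It is an added example written for this article, not code from any P2PE solution or from the PCI standards. The payload layout, the function names, and the use of a static AES-GCM key per device are assumptions made for illustration; a validated solution manages its keys under the standard’s key-management requirements, and the sample card number is a well-known test PAN, not real cardholder data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Payload is the record the POI device hands to the merchant's POS.
// Hypothetical layout for this example; the P2PE standard prescribes no wire format.
type Payload struct {
	DeviceID   string // which POI encrypted it, so the decryption environment picks the right key
	MaskedPAN  string // first six / last four digits, which PCI DSS permits in the clear
	Nonce      []byte // AES-GCM nonce, unique per encryption
	Ciphertext []byte // AES-GCM over "PAN|expiry", authentication tag appended
}

// MaskPAN keeps the first six and last four digits and stars the rest.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// POIEncrypt runs inside the terminal: the only place on the merchant's premises
// where clear-text account data and the encryption key are together.
func POIEncrypt(deviceKey []byte, deviceID, pan, expiry string) (Payload, error) {
	gcm, err := newGCM(deviceKey)
	if err != nil {
		return Payload{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Payload{}, err
	}
	masked := MaskPAN(pan)
	// Bind the clear-text header to the ciphertext so a tampered DeviceID
	// or masked PAN is rejected by the decryption environment.
	aad := []byte(deviceID + "|" + masked)
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry), aad)
	return Payload{DeviceID: deviceID, MaskedPAN: masked, Nonce: nonce, Ciphertext: ct}, nil
}

// MerchantRecord is what the merchant's POS, logs and back office see.
// It never contains the full PAN or the key, which is why those systems
// fall out of most PCI DSS requirements.
func MerchantRecord(p Payload) string {
	return fmt.Sprintf("device=%s pan=%s blob=%s", p.DeviceID, p.MaskedPAN, hex.EncodeToString(p.Ciphertext))
}

// DecryptionEnvironment stands in for the solution provider's HSM-backed decryption
// environment. Generating a static AES key here is an example simplification; a real
// solution injects keys under the P2PE standard's key-management requirements.
type DecryptionEnvironment struct {
	keys map[string][]byte
}

func NewDecryptionEnvironment() *DecryptionEnvironment {
	return &DecryptionEnvironment{keys: map[string][]byte{}}
}

// ProvisionDevice creates a key for a POI and returns the copy that would be injected into it.
func (d *DecryptionEnvironment) ProvisionDevice(deviceID string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	d.keys[deviceID] = key
	return append([]byte(nil), key...), nil
}

// Decrypt recovers PAN and expiry, or fails if the device is unknown or the
// payload (including its clear-text header) was altered in transit.
func (d *DecryptionEnvironment) Decrypt(p Payload) (pan, expiry string, err error) {
	key, ok := d.keys[p.DeviceID]
	if !ok {
		return "", "", errors.New("unknown POI device")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", "", err
	}
	aad := []byte(p.DeviceID + "|" + p.MaskedPAN)
	pt, err := gcm.Open(nil, p.Nonce, p.Ciphertext, aad)
	if err != nil {
		return "", "", errors.New("authentication failed: payload altered or wrong key")
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed plaintext")
	}
	return parts[0], parts[1], nil
}
```

Provision a device with `env.ProvisionDevice("POI-0001")`, call `POIEncrypt` with the returned key, and print `MerchantRecord` to see exactly what the merchant’s systems store: a device ID, a masked PAN and an opaque blob. Only `env.Decrypt` gets the card number back, and changing so much as the masked PAN in the header makes it fail, which is the property that lets an assessor treat the merchant’s intermediate systems as out of scope.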
What are the Benefits to Getting Your Solution P2PE Validated?
That’s plenty of reason for merchants everywhere to upgrade to a P2PE solution.
But to do that, they need those options, which means they need solution providers to actually go through with that P2PE validation process. Those merchants may be the fans at home waiting for you to deliver, but you providers are the ones that will have to give blood, sweat, and tears to achieve the gold medal that is P2PE validation.
Yes, it’s work to upgrade your product to the kind of security those requirements mandate. We understand how you might want to avoid that labor load, but here are some reasons why you actually should go through with validating your solution as P2PE.
1. You’ll Be Selling the Best of the Best and Set Yourself Apart.
A validated P2PE solution supports only POI devices that secure card data at the point of capture. That differentiator can ease the concerns of your merchant customers at a time when data breaches and card-data exposure are all too common. Those kinds of leaks can bring ruin upon a merchant, so they’ll look to you as the provider of the most secure means for their transactions, one that takes much of the security burden off them.
2. You’re Set Up for Extra Recurring Revenue.
- When your solution is assessed for validation, the final P2PE Report on Validation is assembled from several component-level reports, each completed from the same template an individual component would use. Those component reports are then aggregated to make up your validated solution.
- This might sound confusing, but it also means those same components (for example, a key injection facility or a decryption management service) can be evaluated on their own, without the final aggregation into a solution.
- That brings additional obligations around monitoring, communications and incident response, but going through those component assessments allows them to be listed as validated P2PE components.
- That means you could sell those pieces to other P2PE solution providers who need them. So not only would you be able to sell your solution as a whole, but also the validated parts that make it up. You’d expand your market beyond merchants and bring in extra revenue.
- The validation of components spreads out the assessment.
- Because a company providing a validated P2PE component can use that component in its own P2PE solution, the pieces can be assessed independently and at different times. The key injection facility (KIF) could be assessed in 2022, the decryption management component provider (DMCP) in 2023, and the solution as a whole in 2024. That final assessment would then need to cover only the functions not already performed by the KIF and DMCP, since large sections would already be addressed.
- Costs associated with a P2PE Solution Provider validation can be divided among the components, making the up-front expenditures more manageable.
Deciding to Switch to a P2PE Solution
Anyone would tell you that taking home a gold medal beats just being at the Olympics. In the same way, the security standards of P2PE solutions represent a huge opportunity for you, whether you’re a merchant or a provider.
For the former, you’ll be able to rest easier knowing you’ve got the pinnacle of payment security protecting your customers while looking forward to a simpler PCI DSS assessment when that time comes.
For providers, you know now that the grind of the validation process will be worth it twofold: you’ll be able to market a product that is widely considered better fortified against data-compromise and fraud risk, and the structure of the assessment process will open avenues to new revenue streams.
All that must sound pretty good, and so if you’d like to speak more about how P2PE can affect your compliance, reach out to us. We have staff that are well-versed in the particulars of both PCI DSS and P2PE validation, and we will set up a conversation to address any concerns you may have so you feel more comfortable about any changes to your process.
In the meantime, read our articles on P2PE to learn more about the particulars of this security solution and its assessment:
About the Authors:
Adam Perella is a Manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Adam now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.
Joe O'Donnell is a Manager with Schellman mainly dedicated to the PCI and PCI specialty service lines. Prior to joining Schellman in 2015, Joe worked in industry within an Enterprise Risk Management consulting practice. He managed IT reviews in support of the financial audit but helped with various engagements including, but not limited to, SOC reports, penetration testing and vulnerability scanning, SOX, HIPAA, and bank audits.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.