What is Point-to-Point Encryption and Why Does Assessment Matter?
The pyramids of Giza may be a wonder of the world, but when you look more closely at them, they’re just a bunch of blocks that have been shaped into both something great and something lasting.
As complicated as it was for the ancient Egyptians to build those, it might be just as complicated to understand payment card security.
Luckily, we won’t explain the entire PCI industry pyramid to you in this article–just the very important building block that is point-to-point encryption (P2PE).
If you’re a point-of-sale vendor, a service provider, or a merchant, you may have already heard of P2PE, but we want to help you feel as comfortable as possible with the concept, no matter where you are in its orbit. At Schellman, we’ve done over 150 payment card security reviews of varying types in just the last year so we understand how complex the processes can be that involve this kind of sensitive data.
So let us do the hard work of explaining what could be a very beneficial tool for your organization–let us help shape your pyramid of understanding. In this article, you will learn what P2PE is, how it protects data, who holds the keys to its kingdom, and what compliance obligations you’ll have if you do decide to pursue this route.
With these fundamentals, you’ll have the full pyramid picture on P2PE. That way, you’ll understand if it could fit within your own payment security structure–or, if you’re trying to break into actually providing it as a service, what exactly is involved.
Let’s get started.
How Does P2PE Work?
So what is P2PE? It’s a specific type of encryption that’s different from end-to-end encryption, and we actually made a quick video (with props!) that details the process.
For those of you that would prefer to keep reading, here's what makes P2PE different:
- P2PE encrypts payment card data from the point of capture–those moments when someone swipes or inserts their card to be read by a payment terminal. That data will remain encrypted until it reaches what’s called the decryption environment.
- Back up, what’s encryption exactly? It’s the process of scrambling data into something unintelligible, and it relies on keys to convert that data back into something useful. Hence why it’s so useful against malicious hackers–encrypted data is worthless to those who would seek to steal that data because they don’t have the keys.
- So then who has the keys for P2PE encryption? Those physical payment terminals we mentioned, and the organization who manages the decryption environment–they’re the only ones. In a lot of ways, this is the core of P2PE, because no one else–not even the merchants–have the keys. Less access = less chance of a mishap.
- Once the cardholder data arrives at the decryption environment, it does what its name says it does and the clear-text (i.e., readable by humans) data is finally sent through an encryption tunnel to the acquirer for authorization.
All in all, P2PE can serve as a great solution that will absolutely lower the risk of your payment card data loss if you’re a merchant. That’s because the card data, which is encrypted immediately by the hardware at that initial point of capture, can’t be decrypted by you in your environment.
As we said before, that can only happen within that official decryption environment, and those will be managed by a completely separate organization:
- Those vendors that design, implement, maintain, and manage a P2PE solution are called P2PE Solution Providers.
- P2PE also includes what are called Component Providers, aka an organization that provides a subset of services that serve as part of a P2PE Solution.
(Component Providers versus Solution Providers is the equivalent of a piece of the pie or all of it.)
Either of those might sound like you. And it might be obvious, but if you’re providing this kind of security solution–or even just a piece of the pie–you will need to be assessed for its validity.
So how does that work?
What is a P2PE Assessment?
While the actual point-to-point encryption provides the protection, for this kind of security to actually become “a P2PE Solution,” it must be assessed by a qualified P2PE assessor and reviewed by the PCI SSC.
So, if you provide or wish to provide this kind of solution, you must have it independently assessed against the PCI Point-to-Point Encryption Solution Requirements and Testing Procedures. (Let’s just call it the P2PE standard going forward.)
This is what makes this kind of encryption arguably the highest level of security a merchant can have for their card data. It’s not enough just to encrypt–the entire process must be scrutinized from start to finish by a third party who will validate it as secure.
It’s also why the assessment matters so much. Without it, your solution does remain a viable encryption tool–meaning it’s still marketable to merchants for their use. But passing it through this assessment and its comprehensive security checks to earn that P2PE status will elevate it to a tier above the rest that is recognized by payments brands and banks
Now, what happens during said assessment?
- A PCI-qualified P2PE assessor will review not just the actual point-to-point encryption involved, but they’ll also look at hardware, software, your environment, and your relevant processes to ensure everything meets the requirements of the standard for protection.
- When they’ve completed that review, they will compile each of the P2PE Reports on Validation that will be reviewed by the PCI SSC. Once the assessment results pass their muster, the solution will be listed on their website.
- This process applies to both Solution Providers AND Component Providers. Everything has to check out to be approved, no matter if you manage it all or if you just handle a little part.
Next Steps For Your P2PE Assessment
P2PE can be a very valuable tool for those trying to facilitate card transactions, but that value is rooted in the third party assessment that is required.
For merchants, there’s actually more to gain through use of an approved P2PE than just top-of-the-line encryption for your card payments. Still need to know more? Read our P2PE FAQ where we address the wider compliance benefits for merchants.
Of course, merchants don’t have to go through the aforementioned P2PE assessment like solution and component providers. If that’s you–or you would like it to be you in the future–read these articles to help you become better acquainted with this particular brand of payment card compliance:
- What is the P2PE Assessment Process?
- P2PE Assessments: How to Build 3 Key Encryption Hierarchies and Streamline Your Process
- How to Prepare for P2PE Validation
They’ll help you set internal expectations and get ready to elevate your solution or component through the assessment. If you’d prefer to speak with someone directly about the details of your solution and what P2PE Validation will look like for you, we would love to set up a call in order to help you put any concerns you have to rest.
About Sully Perella
Sully Perella is a Senior Manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.