09 Jan 20

Why Should Merchants Invest in P2PE?

Cardholder data is a tempting target for hackers, and with at least 19 major consumer companies reporting data breaches since January 2019, many merchants are looking to bolster their payment security strategies. One of the ways they can achieve this is by implementing point-to-point encryption (P2PE).

What is P2PE and Why Do Merchants Need It?

P2PE helps protect against fraud and data theft by preventing hackers or other third parties from reading and exploiting sensitive payment data. Encryption does this by encoding data (making it unintelligible) so that only authorized parties with the decryption key can decode it.

With P2PE on payment terminals, cardholder data is encrypted immediately at the point of interaction and stays encrypted until it reaches the payment gateway. As the only party with the decryption key, the payment gateway is able to decrypt the data and authorize the transaction.

How Does P2PE Impact PCI Compliance?

All systems that transmit, process, and/or store cardholder data must be Payment Card Industry Data Security Standard (PCI DSS) compliant. P2PE helps to greatly reduce the scope of this compliance effort by eliminating merchants' ability to decrypt cardholder data flowing through their networks, as they don't have access to the secure key needed for decryption. As a result, the cost and time associated with security compliance for payment systems are reduced.

How Does P2PE Differ Between Integrated vs. Semi-integrated Payment Systems?

The main difference between integrated and semi-integrated payment systems, when looking through the lens of P2PE, is the communication path.

  • INTEGRATED. In the traditional, fully integrated environment, card data travels through all of the elements within the payment system – the terminal, electronic cash register (ECR) and the merchant back office – before it reaches the transaction gateway for authorization. P2PE has huge value in integrated systems, because cardholder data left unencrypted is exposed at more access points. With P2PE, the risk of exposing cardholder data at any of these points within the merchant environment is eliminated. This also helps to reduce the number of elements within the merchant environment that need to be reviewed for compliance, thus reducing the time and costs usually associated with certification.
  • SEMI-INTEGRATED. With a semi-integrated payment system, payment terminals are connected with the POS software, maintaining separation between payment information transmission and other systems (such as ECR, back-office systems, etc.). With this separation built into the payment system by design, many merchants have switched to a semi-integrated payment environment as it keeps sensitive card data out of the POS environment and the back office, thus reducing points of access for hackers. But there’s still value for P2PE as it protects data during transmission to the gateway and eliminates the need for PA-DSS certification of the payment application on the terminal.

Invest in Validated-P2PE Solutions

Investing in good payment security technology is one of the major pillars for success for your business. By opting for validated-P2PE solutions, you not only safeguard your customers’ data, but you also protect your brand. By implementing strong technology in a balanced security approach, you can lessen the burden on other elements (people and process).

If you’re interested in learning more about P2PE for your payment systems, drop us a line!

Steven Bowles is the Regional Security Officer & Director of Security Solutions at Ingenico Group, North America
 
