
The A to Z on P2PE: Why should merchants use PCI point-to-point encryption (P2PE)?

October 12, 2020

Why is it so important to invest in Point-to-Point Encryption (P2PE) for account data protection? We recently sat down with Brant Peterson, Head of Global Data Security Products at Worldpay, Andrew Barratt, Managing Principal – Solutions & Investigations at Coalfire, and Ruston Miles, founder of Bluefin, to find out. All three are leading experts in P2PE, so they are well placed to comment on the benefits of this security standard. Along the way, we explored the features merchants should look for if they want to minimize risk and maximize customer confidence.

What is P2PE?

Brant: P2PE is a data protection service that organizations use to ensure that at no time do they, or any entity in the payment processing chain, have access to cleartext data. It requires retail merchants to protect sensitive data by encrypting it through certified payment acceptance devices, and keeping it encrypted until it arrives at the P2PE solution provider’s certified decryption environment. Because the data is immediately encrypted, criminals are unable to use it should they gain access to the merchant’s POS or middle systems.

P2PE is far more than just an encryption technology with strong key management. P2PE-listed solution providers are fully accountable for the total deployment, including security management policies and incident response procedures. They are also responsible for defining clear, secure payment terminal handling instructions for retailers, and strong alignment with any third-party partners they use to offer their solution. The last point is crucial: This ensures that each partner meets its security obligations in different stages of the P2PE process.
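The data flow Brant describes, as an added illustration that is not code from Worldpay, Coalfire, Bluefin or any listed P2PE solution: the terminal (POI device) is the only merchant-side component holding a key, the merchant's POS and middleware only forward ciphertext, and decryption happens in the provider's environment. The scheme is an assumption for the example only (a per-device AES-256 key with AES-GCM, the device ID bound as associated data); it does not model the key management a listed solution must implement, and the device ID, key and PAN are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what leaves the payment terminal and travels through the
// merchant's POS and middleware to the solution provider. Only DeviceID
// and Nonce are in the clear; the account data is ciphertext.
type Envelope struct {
	DeviceID   string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: encrypted PAN plus authentication tag
}

// POIEncrypt runs inside the terminal, the only place outside the provider's
// decryption environment that holds a key. Assumed scheme for this example:
// one AES-256 key per device, AES-GCM, device ID as associated data.
func POIEncrypt(deviceKey []byte, deviceID, pan string) (Envelope, error) {
	block, err := aes.NewCipher(deviceKey)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// Binding DeviceID as associated data means the ciphertext is rejected
	// if it is replayed under a different device's identity.
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(deviceID))
	return Envelope{DeviceID: deviceID, Nonce: nonce, Ciphertext: ct}, nil
}

// MerchantForward models the merchant's POS and middleware: they hold no
// key, so the most they can do is inspect the envelope and pass it on.
func MerchantForward(env Envelope) Envelope {
	return env
}

// LeaksPAN reports whether the PAN appears in clear in the bytes that
// transit the merchant's systems, i.e. what malware on the POS could read.
func LeaksPAN(env Envelope, pan string) bool {
	transit := append([]byte(env.DeviceID+string(env.Nonce)), env.Ciphertext...)
	return bytes.Contains(transit, []byte(pan))
}

// ProviderDecrypt runs in the solution provider's decryption environment,
// which holds the key for every enrolled device. Tampering with the
// ciphertext, nonce or device ID makes GCM authentication fail.
func ProviderDecrypt(deviceKeys map[string][]byte, env Envelope) (string, error) {
	key, ok := deviceKeys[env.DeviceID]
	if !ok {
		return "", errors.New("unknown device: " + env.DeviceID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
	if err != nil {
		return "", errors.New("decryption failed: " + err.Error())
	}
	return string(pt), nil
}

func main() {
	// Constructed sample: one enrolled terminal, a fixed test key and a test PAN.
	key := bytes.Repeat([]byte{0x11}, 32)
	keys := map[string][]byte{"TERM-0001": key}
	pan := "4111111111111111"

	env, _ := POIEncrypt(key, "TERM-0001", pan)
	env = MerchantForward(env)
	fmt.Println("merchant systems can see PAN:", LeaksPAN(env, pan))
	got, err := ProviderDecrypt(keys, env)
	fmt.Println("provider recovered:", got, err)
}
```

The point to take from running it is the one Brant makes: a compromised POS that captures the whole envelope gets nothing usable, and the envelope cannot be altered or re-attributed to another device without the provider's decryption failing.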

What are some of the main benefits of P2PE?

Andrew: P2PE was established by the Payment Card Industry (PCI) Security Standards Council back in 2013, and it’s been protecting businesses and customers ever since. Dominic White, head of Merchant, Sales and Acquiring services at Visa, says that: “Working in partnership, multiple layers of security, including point-to-point encryption, can help take merchants out of harm's way while mitigating fraud throughout the payment system."

What should merchants be aware of when searching for payment security solutions for their retail environment?

Ruston: Not all encryption programs are created equal. Non-P2PE solutions (commonly referred to as End-to-End, or E2E, Encryption solutions) often appear to meet the same criteria as listed ones. The key difference is that the P2PE-certified solutions are tried, tested and validated on a regular basis.

The only way to ensure that a merchant, their P2PE service provider and their third-party partners are proactively protecting data to an adequate degree is through a P2PE-listed solution. In fact, while encryption capabilities have led to a reduction in retail POS attacks over the last few years, a number of organizations that have adopted non-listed encryption services were still compromised.

These incidents usually occur when there has been an issue with the deployment and no third party has checked the encryption capability of the merchant. Without P2PE compliance to consider, the systems remain unchecked, and criminals find the vulnerabilities before the merchants or their solution provider realize a problem exists.

Clearly, all of this is important to any merchant who wants to avoid a data breach, but P2PE is also vital for maintaining consumer confidence. As data becomes more valuable, more businesses are moving towards P2PE-listed solutions. If you don’t, you could be left with a less secure shopping experience than many of your competitors.

How do merchants know which P2PE solution is right for their business?

Brant: Every business’s assessment of risk is different. Our customers have often weighed the PCI DSS compliance benefits against the flexibility that non-listed P2PE solutions offer. While P2PE-listed solutions have been historically restrictive for organizations to adopt, that’s not necessarily the case today.

Dozens of service providers are now listed on PCI’s list of certified P2PE solutions, meaning organizations can easily choose the solutions that meet their needs. The key is to identify a P2PE solution provider that offers a clear set of tools and capabilities to help customers adopt P2PE, so the process is less disruptive to the merchant’s existing business operations and overall compliance expenditure.

This is especially important if the organization uses a variety of different payment acceptance devices or deployment processes, but still requires a consistent experience within their daily compliance operations.

Have there been any innovations in P2PE compliance in recent years?

Ruston: P2PE used to focus on a monolithic, “one solution only” approach, until Bluefin realized that collaboration was the way forward. As specialists in security gateways, processors and independent software vendors, we realized that we could add the most value to a solution by focusing on our area of expertise and working with outstanding partners to deliver a secure end-to-end solution.

Together, an ecosystem of partners can simplify the solution, provide seamless customer experiences and limit the merchant’s compliance burden. In fact, effective P2PE-compliant solutions can reduce the number of self-assessment payment questions by 90%, from 329 down to just 33, saving businesses even more time and money.