Why point-to-point encryption is essential for payment security

November 20, 2020

While 2020 is on track to have the lowest number of data breaches since 2015 due to the COVID-19 pandemic, industry experts don’t expect the lull to last. As businesses continue to implement digital payment technologies and cyberthieves continue to evolve tactics, data breaches will remain a persistent threat.

Breaches aren’t only inconvenient; they’re costly. Customer personally identifiable information (PII) is the costliest, at $150 per stolen record. Average overall costs of a data breach vary by country, with the U.S. leading the way at $8.64 million, and the global average at $3.86 million.

The sooner a data breach is identified and contained, the lower the costs. Containing a breach in less than 200 days rather than more than 200 days saves an average of $1.12 million. Still, the average time to identify and contain a breach has remained fairly consistent, at around 280 days.

The fallout of a data breach can be devastating to any type of organization. In addition to the disruption of daily operations, lost sales, recovery of assets, fines and compensation, businesses that experience an attack also incur nonmonetary costs like brand erosion and reputational damage.

Why was P2PE created?

Implementing an effective data security solution involves navigating myriad regulatory and compliance requirements. The complexity and time involved in these efforts can be challenging – and overwhelming.

In recent years, point-to-point encryption (P2PE) has emerged as a security technology solution that solves these pain points. P2PE protects cardholder data in transit by encrypting it from the point of payment through to the solution provider’s secure environment, where it is then decrypted. Because P2PE removes clear-text cardholder data from the business’s network, whatever an attacker manages to steal from that network is encrypted and has no value.
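The data flow just described, as an added example that is not code from the original post or from any P2PE solution provider: a simulated PIN entry device (PED) encrypts the card number before it leaves the device, the merchant's point-of-sale system can only forward the opaque envelope, and only the provider's decryption endpoint, holding the base key, can recover it. The per-transaction key derivation via HMAC is a constructed stand-in for a real scheme such as DUKPT, and all names and values are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the PED hands to the merchant's POS: all of it may cross the merchant network.
type Envelope struct {
	DeviceID          string
	Counter           uint32
	Nonce, Ciphertext []byte // the PAN exists only inside Ciphertext
}

// header is authenticated but not encrypted, so an envelope cannot be re-attributed to another device.
func header(deviceID string, counter uint32) []byte { return []byte(fmt.Sprintf("%s:%d", deviceID, counter)) }

// txnCipher derives a per-transaction AES-256-GCM key from a base key held only by the PED and the
// decryption endpoint. The HMAC derivation is a constructed stand-in, not a real scheme such as DUKPT.
func txnCipher(baseKey []byte, deviceID string, counter uint32) cipher.AEAD {
	mac := hmac.New(sha256.New, baseKey); mac.Write(header(deviceID, counter))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: NewCipher cannot fail here
	gcm, _ := cipher.NewGCM(block)          // AES block size is always GCM-compatible
	return gcm
}

// pedEncrypt runs inside the PIN entry device: the PAN is encrypted before it leaves the PED.
func pedEncrypt(baseKey []byte, deviceID string, counter uint32, pan string) Envelope {
	gcm := txnCipher(baseKey, deviceID, counter)
	nonce := make([]byte, gcm.NonceSize()); rand.Read(nonce) // fresh nonce per transaction
	return Envelope{deviceID, counter, nonce, gcm.Seal(nil, nonce, []byte(pan), header(deviceID, counter))}
}

// merchantSeesClearText is the merchant-side check: does any part of the envelope carry the PAN in the clear?
func merchantSeesClearText(env Envelope, pan string) bool {
	p := []byte(pan)
	return bytes.Contains([]byte(env.DeviceID), p) || bytes.Contains(env.Nonce, p) || bytes.Contains(env.Ciphertext, p)
}

// providerDecrypt runs at the decryption endpoint, the only place outside the PED that holds the base
// key. Anything altered in transit fails GCM authentication and yields an empty string plus an error.
func providerDecrypt(baseKey []byte, env Envelope) (string, error) {
	pt, err := txnCipher(baseKey, env.DeviceID, env.Counter).Open(nil, env.Nonce, env.Ciphertext, header(env.DeviceID, env.Counter))
	return string(pt), err
}
```

Running the merchant-side check over every envelope the POS forwards is the kind of evidence an assessor looks for when deciding whether that system is in scope.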

Three key benefits of P2PE

With P2PE, clear-text cardholder data never enters the point-of-sale environment, offering businesses the following benefits:

  • Better security with greater reassurance
    With P2PE, customer account data is devalued even if stolen, so businesses are less likely to be the victim of a profitable attack.
  • Simplified PCI DSS compliance process
    PCI-listed P2PE solutions can help reduce the scope of a PCI DSS audit, saving time and money without sacrificing data security.
  • Peace of mind through a managed service
    Some P2PE solutions include features like PED device tracking and monitoring, for which businesses must provide evidence as part of their PCI DSS assessment.

Dispelling the P2PE myths

Some misconceptions exist around P2PE, particularly related to PCI compliance. Following are the most common myths:

Myth: P2PE is mandated.
Truth: P2PE is not compulsory but is highly recommended by payment schemes including Visa, Mastercard, American Express, Diners, Discover and JCB.

Myth: P2PE automatically reduces PCI scope.
Truth: Scope reduction is not a given, but when managed correctly, P2PE should help to reduce the effort of compliance.

Myth: Businesses that implement P2PE don’t need to engage a QSA.
Truth: It’s still necessary to engage a QSA and revalidate compliance on an annual basis, but the scope of the assessment may be reduced.

Myth: P2PE covers in-store and online channels.
Truth: P2PE only applies to in-store environments; businesses with e-commerce channels must follow the compliance requirements for those channels.

What to look for in a P2PE solution

There are a number of key considerations when choosing a P2PE solution and provider. Here are some things to look for:

  • The solution should meet the latest standard, PCI-P2PE version 2.
    This helps avoid the disruption and added investment that businesses with PCI-P2PE version 1 will encounter.
  • The provider should offer access to the newest PIN entry devices (PEDs).
    Your solution provider should support a variety of PEDs – PCI PTS Version 3 or later – without significant development work.
  • The solution should include electronic inventory management and monitoring.
    Tracking and monitoring PEDs remotely gives businesses seamless updates and the real-time inventory information that compliance requires.
  • The provider should offer scale and reliability.
    Your provider should deliver reliable solutions with the scale to support current and future business needs.

Safeguard your business with P2PE

With the ability to protect cardholder data from the point of entry through the secure decryption endpoint, P2PE is an essential element in protecting your business and your customers. Worldpay from FIS provides the P2PE solutions that are critical to your overall payment security efforts. Reach out to us to learn more about how we can help your business.