PCI Validated P2PE in Card-Not-Present Environments
Point-to-Point Encryption (P2PE) is a critical technology for protecting payment card data from being breached. P2PE-style encryption has been around for many years, but only solutions assessed against the PCI P2PE standard and listed by the PCI Security Standards Council as validated P2PE solutions have been tested to that rigorous standard; these are the solutions a merchant should rely on to reduce risk and PCI DSS scope.
When implemented properly, these solutions make payment card transactions more secure by ensuring that cardholder data never exists in cleartext on the merchant's POS systems or in transit: it is encrypted inside the point-of-interaction (POI) device and stays encrypted until it reaches the solution provider's decryption environment.
- P2PE 2.0 is a standard developed by the PCI Security Standards Council (PCI SSC), the body founded by the major card brands.
- P2PE is designed to work hand-in-hand with the Payment Card Industry Data Security Standard (PCI DSS).
P2PE encrypts cardholder data at the point of interaction (POI), at the moment the card is swiped, dipped or tapped, using encryption keys that are injected into and protected by the POI device. Once encrypted, the account data is not decrypted until it arrives at the secure decryption endpoint, typically operated by the acquirer, processor or gateway. Because the data is unreadable everywhere between the POI and that decryption environment, it is of little value to an attacker who steals it in a breach. By encrypting cardholder data at the POI, merchants significantly reduce both the likelihood and the impact of a data breach.
In a typical card data breach, an attacker gains access to a store network or corporate headquarters and targets wherever cards are stored or processed, using tools such as memory-scraping malware or disk scanners that search for cardholder data. In a P2PE environment, no unencrypted cardholder data exists outside the POI device, so the only data an attacker can find on merchant systems is truncated, encrypted or tokenized. In each of those cases there is little the criminal can do with it.
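To make the attacker scenario concrete, the following added example (not code from the original page or from any P2PE solution provider) simulates the memory-scraping step in Python. It searches a constructed POS memory image for Luhn-valid runs of 13 to 19 digits, which is how RAM-scraping malware locates PANs among timestamps, amounts and order numbers, and then runs the same search over a constructed image of a P2PE-protected POS whose host holds only a key serial number (KSN), ciphertext, a truncated PAN and a token. The memory contents, KSN, ciphertext and token values are all made up for the example; the card numbers are the public test PANs, not real accounts.

```python
"""
Simulated POS memory scraper, run against two constructed memory images:
one from a POS that handles cleartext card data, one from a P2PE POS where
only encrypted, truncated and tokenized data ever reaches the host.
"""
import re

# Candidate PAN: a run of 13-19 digits not adjacent to other digits.
# (The lookarounds stop a longer digit field from yielding several "PANs".)
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; memory scrapers use it to discard digit runs
    that merely look like PANs (order numbers, timestamps, counters)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> list:
    """What a RAM scraper finds: every Luhn-valid 13-19 digit run in the image."""
    text = memory.decode("latin-1")     # 1:1 byte-to-char mapping, never fails
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_valid(m.group(1))]


def cleartext_pos_memory() -> bytes:
    """Constructed image of a POS without P2PE: track data sits in cleartext
    between the card reader and the payment application."""
    return (
        b"POSAPP v4.2 TXN=2024-03-17T09:30:12 AMT=000001999 "
        b"ORDER_ID=1234567890123456 "                     # 16 digits, fails Luhn
        b"TRACK1=%B4111111111111111^DOE/JOHN^2512101? "   # cleartext PAN (test card)
        b"TRACK2=;5555555555554444=2512101? "             # second test card, cleartext
    )


def p2pe_pos_memory() -> bytes:
    """Constructed image of the same POS behind a P2PE POI: the host only ever
    sees the key serial number, the ciphertext, a truncated PAN and a token.
    KSN, ciphertext and token values are made up for the example."""
    return (
        b"POSAPP v4.2 TXN=2024-03-17T09:30:12 AMT=000001999 "
        b"ORDER_ID=1234567890123456 "
        b"KSN=FFFF9876543210E00001 "                      # identifies the POI key
        b"ENC=9c2e7b01a4f38d6e5b0c19ad2f7e4c83b1d0a6f5c47e2b9013d8a5e6f74b2c1d "
        b"PAN_TRUNC=411111******1111 "                     # first 6 / last 4 only
        b"TOKEN=tok_7f3c1b9e2a4d "
    )


if __name__ == "__main__":
    print("cleartext POS :", scrape_pans(cleartext_pos_memory()))
    print("P2PE POS      :", scrape_pans(p2pe_pos_memory()))
```

The cleartext image yields both test PANs while the Luhn-invalid order number is correctly ignored; the P2PE image yields nothing, because the KSN, ciphertext, truncated PAN and token contain no Luhn-valid 13 to 19 digit run for the scraper to harvest. Real scrapers also match track-data delimiters and check the BIN range, but the Luhn filter is the core step that this example shows.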
As such, P2PE is one of the best methods a merchant can use to protect their customers and themselves and to prevent a card data breach. In return, merchants using a PCI-listed P2PE solution receive a sizable reduction in both the size of their cardholder data environment (CDE) and the number of PCI DSS requirements that apply to them.
To learn more about P2PE in detail, download our whitepaper, “Synopsis: Impact of PCI P2PE on PCI DSS Compliance & Scope Reduction”.