Through Point-to-Point Encryption (P2PE), data is encrypted upon entry by a certified card terminal and continues to be encrypted until the data reaches a secure point of decryption outside of the merchant environment. This secure point of decryption is a validated PCI P2PE solution provider. Benefits of P2PE include making sensitive and protected data unreadable by unauthorized parties. This data is devalued because it is unusable in its encrypted form. Another benefit is that P2PE significantly simplifies PCI compliance. The P2PE Self-Assessment Questionnaire (SAQ) includes only 26 PCI requirements compared to more than 100 questions for the standard PCI SAQ.
Despite the benefits of P2PE, awareness of this powerful solution is not widespread among merchants. Many merchants rely on PCI compliance as the bulletproof approach to protecting data. The PCI DSS can certainly reduce data theft by increasing controls around cardholder data, but the PCI DSS alone is not enough to fully protect data. Although the standard requires data transmitted over a public network to be encrypted, there is no encryption requirement for data sent over a private network. This means that data leaving a merchant’s point-of-sale and traveling across their private networks and systems is susceptible to being captured.
Some merchants still consider PCI compliance as a one-time certification. In fact, PCI compliance is a continual effort, and compliance can be lost soon after achieving it. Yet other merchants believe that EMV technology is the ironclad antidote to data theft. In reality, EMV protects data at the POS terminal only and does not protect data leaving the point-of-sale to the processor.
Although P2PE may not be widely implemented today, merchants are becoming increasingly aware of the benefits of this solution. Digital Transactions’ January 2018 issue includes an article describing the advantages of P2PE. The PCI Council has published numerous articles and blogposts explaining the benefits of P2PE, with the intention of educating the public about this valuable strategy to simplify PCI compliance. In addition, knowledgeable QSAs have shared with their clients a way to reduce the scope (and cost) of PCI compliance by pursuing P2PE.
For merchants that have already implemented a P2PE solution, the benefits have been significant. The PCI Council has published case studies describing how merchants using a P2PE solution have simplified their PCI compliance. One case study describes The Hillman Group which operates thousands of self-service kiosks that accept card payments. Maintaining 230 security requirements for each kiosk would have been costly, so P2PE was used to reduce the security requirements to only 26. Another case study describes Northwestern University’s challenge in increasing the transactional data security across every payment location on campus. A P2PE solution significantly reduced Northwestern’s resources in completing SAQs.
Through educational resources and real-world successes of P2PE implementation, the awareness of P2PE is on the rise. Consequently, the demand for P2PE solutions should increase as more merchants become aware of the benefits of implementing P2PE within their environment. With rising adoption of P2PE, merchants can further protect sensitive data within their scope of responsibility as well as contribute to the overall security of our global payment ecosystem.