PCI-Validated Point-to-Point Encryption (P2PE) FAQs
Our answers to frequently asked questions.
Point-to-Point Encryption (P2PE) is an encryption standard established by the Payment Card Industry (PCI) Security Standards Council. It requires that payment card data be encrypted immediately upon entry at the merchant’s point-of-sale terminal and that it cannot be decrypted until it has been securely transported to and processed by the payment processor.
A PCI-validated P2PE solution is a combination of secure devices, applications, and processes that encrypt credit card data immediately upon swipe or dip in the payment terminal (also called the Point of Interaction, or POI). The data remains encrypted until it reaches the Solution Provider’s secure decryption environment.
In order for a P2PE solution to receive validation from PCI, the solution, the Solution Provider, and associated players in the overall P2PE solution must undergo assessment and audit by a P2PE Qualified Security Assessor (QSA), before being brought before the Council for approval.
Note: “Only Council-listed P2PE solutions are recognized as having met the rigorous controls defined in the PCI P2PE Standard for the protection of payment card data, as well as meeting the requirements necessary for merchants to reduce the scope of their cardholder data environment (CDE) through use of a P2PE solution.”
According to the PCI Security Standards Council (PCI SSC), the PCI P2PE standard is defined as: “Building upon the solid data and environmental security foundation established and promulgated by the PCI SSC for the payments industry via the PCI DSS, PA-DSS, and PTS, the P2PE Standard is a comprehensive set of requirements focused on providing the requisite security requirements necessary to support the deployment of secure P2PE solutions.”
A PCI-validated P2PE solution is required to have all of the following:
- Secure encryption of payment card data at the POI (i.e., the payment terminal)
- P2PE-validated application(s) at the POI
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection and administration
As a PCI-validated P2PE Solution Provider, Bluefin is responsible for the design and implementation of our P2PE solution, and for management of the solution for our partners and their merchants. We are also responsible for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on our behalf (for example, hardware manufacturers, certification authorities, and key injection facilities).
Non-Validated (Unlisted) Encryption Solutions
Encryption solutions that have not been validated by the PCI SSC, but still provide functions such as encrypting within the POI terminal and decrypting outside the merchant environment, are generally called unlisted P2PE solutions or End-to-End Encryption (E2EE) solutions.
PCI-Validated (PCI-Listed) P2PE Solutions
PCI-validated P2PE solutions have been assessed by a P2PE QSA as having met the PCI P2PE standard and are therefore listed on the PCI website under Approved P2PE Solutions. In addition to meeting the P2PE standard, the decryption component of the solution must operate within a secure environment that is annually assessed to the full PCI DSS standard.
- PCI-validated P2PE protects data in transit. The role of P2PE is to immediately and fully encrypt all cardholder data within the payment terminal so it does not enter the POS as clear-text card data. By using strong encryption, device management practices, and key management, P2PE is effective at addressing the risk of card data compromise for card data in transit out of the merchant network as it is transmitted to the gateway or acquirer for decryption and processing.
- Tokenization enables merchants and enterprises to safely “store” cardholder data at rest for use in future transactions. Tokenization is the technology where secure card data storage is centralized and a different value is used to represent the original cardholder data. When ready to be re-used, the token must generally be passed to the tokenization provider, where the original cardholder data is retrieved, decrypted, and utilized.
- EMV authenticates the credit or debit card at the point of sale by reading a chip embedded on the card and validating the cardholder with their signature. EMV makes it extremely difficult (though not impossible) to “white-label” or duplicate a physical credit card that could then be used by thieves to purchase items at the POS.
There are many benefits for merchants who use a PCI-validated P2PE solution. These include reducing your risk in protecting customers’ payment data, as well as various incentive programs for merchants using a PCI-validated P2PE solution.
PCI-Authorized Scope Reduction
Merchants who use a validated solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized self-assessment questionnaire SAQ P2PE that is known and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions).
Card Brand Programs
- Visa Technology Innovation Program (TIP)
Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply through their acquirer for the Visa TIP program, which allows approved merchants the ability to discontinue their annual assessment process to re-validate PCI DSS compliance.
- Visa Secure Acceptance Program
This program incentivizes acquirers by providing safe harbor for fees in the event of a compromise for Level 3 and 4 card-present merchants who use a PCI-validated P2PE solution.
Solution for Challenging Compliance Issues
- Mobile Acceptance
By encrypting all card data within a validated card reader before it passes through the mobile device, the consumer mobile device is rendered out of scope for PCI DSS compliance (so long as it is not used for any other payment function), ensuring compliant card acceptance via a consumer mobile device.
Because systems and networks between the encryption point and the decryption environment are no longer in scope due to the P2PE encryption, this unique advantage can address complex network responsibility challenges for some merchants.