P2PE solutions are now being used by more companies and payment service providers to secure cardholder data and offer peace of mind to both businesses and consumers.
P2PE, or point-to-point encryption, is a security standard developed by the Payment Card Industry (PCI) to ensure that payment card data is encrypted from the start to the finish of a transaction. Many companies provide data encryption services, but not all of them are created equal.
Encryption helps secure sensitive data. Technology that encrypts card data at the point of payment card acceptance and keeps it encrypted until the point where the payment transaction is processed is known as point-to-point encryption (P2PE).
P2PE technology can help merchants reduce the scope of their cardholder data environments and PCI DSS requirements. In this way, merchants can save time, effort, and costs in their annual PCI audits and better protect cardholder data (CHD) for all relevant parties.
As the applications of point-to-point encryption technologies increased, the PCI Security Standards Council (PCI SSC) developed guidelines for creating, testing, and deploying solutions that provide strong support for PCI DSS compliance.
The P2PE solution provider is a third-party organization responsible for designing and implementing a specific P2PE solution. The solution provider also manages P2PE solutions or has corresponding duties for their customers.
A PCI validated P2PE solution must ensure that all P2PE requirements are met, including those performed by third-party organizations that carry out P2PE functions on behalf of the solution provider, such as certification authorities (CAs) and key injection facilities (KIFs).
In addition to a P2PE solution provider, new hardware solution requirements and testing procedures can affect point-of-interaction (POI) manufacturers, application developers, third parties, vendors, and integrators.
The P2PE specifications give solution providers a means to validate their solutions, and give merchants that use a PCI validated P2PE solution for payment card acceptance and processing a means to reduce the scope of their PCI DSS assessments.
What is Point-to-Point Encryption (P2PE)?
Point-to-Point Encryption (P2PE) is an encryption standard created by the Payment Card Industry (PCI) Security Standards Council. It requires payment card data to be encrypted immediately when the card is read at the merchant’s point of sale terminal. The data cannot be decrypted until it has been transported securely to the payment processor and is processed there.
P2PE has been an official program of the PCI Standards Council since 2011. While the use of PCI validated P2PE solutions is not mandatory, compliance with PCI Council standards reduces the P2PE Self-Assessment Questionnaire to only 26 requirements.
P2PE protects the communication channel between the payment device and the processing network, something tokenization does not do, in card-present environments including traditional and mobile points of sale. P2PE encrypts sensitive payment card data during transmission.
Payment data is encrypted at the point of capture and remains encrypted until it reaches a secure decryption environment. P2PE adds an additional security layer to the payment process and protects consumers’ payment information from various attacks, including malware infections on the POS terminal or system.
Attackers persistently look for and exploit weaknesses in merchant payment systems. Without a PCI validated P2PE solution, the way your customers present their card information also becomes a concern for you.
Customers can use a magnetic stripe reader, an NFC or contactless reader, or an EMV (chip) reader to make a purchase. Magnetic stripe information can be copied, but the EMV chip generates a one-time transaction code for each payment, making it extremely difficult for hackers to create a duplicate card.
P2PE encrypts the CHD from the moment a card is dipped, swiped, tapped, or keyed into a payment terminal. This means that clear-text card data never actually enters the point of sale system.
P2PE can protect payment data in the event of a breach. It also lowers the data’s value, so the data cannot be used even if it is stolen. Thus, your organization not only reduces the risk of a breach but also limits its reputational and financial risk.
What are P2PE Ecosystem and Domains?
PCI validated P2PE Solution Providers must implement various protections to provide the level of security required by the PCI Point-to-Point Encryption (P2PE) standard. The P2PE Solution Provider works directly with the merchant to coordinate the ordering, key injection, and dispatch of terminal devices, and it organizes the decryption process.
The first version, 1.1, of the PCI P2PE standard contained more than 900 requirements that had to be met by the P2PE Solution Provider. Some solution providers went through this process, but the program did not receive much uptake.
In 2015, version 2.0 of the PCI P2PE standard was released, and in this new standard PCI SSC allowed independent evaluation of P2PE component providers. This version was quickly adopted because a P2PE solution provider can now assemble its solution from services offered by other companies, such as a key injection facility (KIF), certification/registration authority (CA/RA), encryption management service (EMS), or decryption management service (DMS).
With the release of PCI P2PE version 3.0 in 2019, four new types of component providers were added to the standard: POI Distribution Component Provider (PDCP), POI Management Component Provider (PMCP), Key Management Component Provider (KMCP), and Key Loading Component Provider (KLCP).
P2PE Solution Providers can build their solutions by choosing from a published list of validated component providers, based on the devices and software supported. The ability to select from various component suppliers allows the solution provider to concentrate on its core services, which are usually point-of-sale software, a gateway service, or a merchant acquiring service that includes the terminal.
Each of these component entities fulfills a specific role within the five domains of the PCI P2PE v3.0 standard, and each performs a subset of P2PE control requirements.
What is the PCI Validated P2PE Solution?
The first version of security specifications was released by the Payment Card Industry Security Standards Council (PCI SSC) in 2004. Merchants accepting credit and debit cards must enforce these controls to protect against security threats to their customers’ payment card information.
PCI controls apply to all businesses that process, transmit or store cardholder data. They detail the requirements that vendors must follow to protect cardholder data and comply with the PCI Data Security Standard (PCI DSS).
PCI DSS allows vendors to enforce data encryption procedures to secure cardholder data during the transaction process, in addition to technological, operational, and physical controls. The PCI SSC developed the first point-to-point encryption standard, known as P2PE, in 2012 to address the need for guidance on how vendors can implement encryption solutions.
PCI SSC updated the standard in 2015 and published the criteria for a cryptographic solution provider or business to be considered PCI validated.
A PCI validated P2PE solution is a combination of secure devices, applications, and processes that instantly encrypt credit card data as soon as the card is read at the payment terminal, also called the Point of Interaction or POI. The payment data remains encrypted until it reaches the Solution Provider’s secure decryption environment.
Before the Solution Provider submits its P2PE solution and the relevant actors in it to the Council for approval, a P2PE Qualified Security Assessor (QSA) must assess and audit the solution.
The P2PE solution prevents clear-text cardholder data from residing on a vendor’s or organization’s system or network that could be accessed in the event of a data breach.
Only P2PE solutions listed by the PCI Council are considered to follow the PCI P2PE Standard’s strict controls for the security of payment card data and to satisfy merchants’ requirements to minimize the complexity of their cardholder data environments.
What is the P2PE Solution that is Not PCI Validated?
Unvalidated encryption solutions encrypt payment card data captured at the point of interaction (POI) and decrypt it outside the vendor’s network. Such solutions are commonly known as end-to-end encryption (E2EE) solutions.
Since end-to-end encryption (E2EE) solutions may not satisfy all PCI SSC protection requirements, companies that use them need to invest in additional products or services to ensure that sensitive cardholder data is protected from hackers’ malware.
What is the Purpose of the PCI P2PE Standard?
Recognizing the encryption solutions already in use and the increasing need for guidance on their correct implementation, PCI SSC set out to provide a framework for encryption solutions that takes into account the impact of transaction encryption within its standards.
The PCI SSC determined which risks must be fully addressed for card data to be considered protected, so that the related PCI DSS controls could reasonably be relaxed:
- Encryption must be strong enough that the data cannot be recovered by brute-force decryption.
- Acceptable key management practices must be used to protect the decryption keys from compromise.
- At the encryption point, the required controls must be in place to protect the secret encryption keys.
- The decryption environment must be secure and free from exploitable vulnerabilities.
The first edition of the PCI P2PE standard, the P2PE software guide, and the special P2PE self-assessment questionnaire (SAQ) for merchants were released by the PCI SSC in 2012. The current PCI P2PE Standard is version 3.0, which was released in 2019.
What is the PCI Point-to-Point Encryption (P2PE) Standard?
The PCI P2PE standard is built on the solid data and perimeter security foundation established and announced by PCI SSC for the payment industry through the PCI DSS, PA-DSS, and PTS standards. It’s a detailed collection of specifications to provide the required protections to enable the implementation of Secure P2PE Solutions.
What should a PCI validated P2PE solution include?
A PCI validated P2PE solution is required to have all of the following:
- At the payment terminal (POI), payment card data must be safely encrypted.
- P2PE approved applications must be used at the payment terminal (POI).
- Encryption and decryption devices must be managed securely.
- Decryption media and all decrypted account data must be managed securely.
- Encryption methodologies and cryptographic key operations, such as key generation, distribution, upload, and management, should be done securely.
A PCI validated P2PE Solution Provider is responsible for designing, implementing, and managing its P2PE solution. The PCI-certified P2PE Solution Provider is responsible for ensuring that all P2PE requirements are met, including those performed by third-party organizations.
What is the difference between PCI Validated and unvalidated P2PE solutions?
Since each solution is unique, it is difficult to generalize and assume that all solutions not validated by PCI lack basic security controls. Assuming that all validated solutions meet the PCI P2PE program’s standards, the only certain thing about unvalidated solutions is that they have not yet been shown to meet the same requirements.
For some solutions, this may be just a matter of completing the evaluation process. Others may lack essential security controls that prevent them from being validated, such as performing key management functions without a certified HSM or using PTS devices that do not have SRED-certified TRSMs.
Encryption solutions that are not validated by the PCI SSC but still provide functions such as encryption inside the POI terminal and decryption outside the vendor environment are often referred to as unlisted P2PE solutions or End-to-End Encryption (E2EE) solutions.
The problem with unlisted solutions is that there is no way for a merchant to know whether the provider has fully addressed the controls defined by the PCI SSC to protect account data.
Generally, most unlisted solution providers use very secure processes. However, because qualified evaluators do not evaluate unlisted solutions under the standardized PCI P2PE framework, merchants using these solutions may need to implement additional security measures to address threats associated with the absence of these controls.
Additionally, unlisted solutions are not eligible for the reduced SAQ P2PE, so merchants using these solutions must use PCI SAQ D or, if applicable, the PCI ROC template.
What are PCI Approved (PCI Listed) P2PE Solutions?
PCI validated P2PE solutions have been evaluated by a P2PE QSA against the PCI P2PE standard and are therefore listed under Approved P2PE Solutions on the PCI website. In addition to meeting the P2PE standard, the solution’s decryption portion must operate in a secure environment that is assessed annually against the entire PCI DSS standard.
Other requirements for PCI validated P2PE solutions include:
- Evaluation of key management applications and password strength
- Use of certified key injection facilities (KIFs)
- The use and configuration of PTS approved POI devices, with encryption performed inside a tamper-resistant security module (TRSM) certified for SRED (secure reading and exchange of data)
- Positive device identification before decryption
- Key management and decryption on hardware security modules (HSMs) validated to PCI HSM or FIPS 140-2 Level 3
You can find the list of PCI validated P2PE solutions on the PCI SSC website.
How do PCI validated P2PE, EMV, and tokenization work together?
- PCI validated P2PE solutions protect data in transit. P2PE’s role is to instantly and fully encrypt all cardholder data in the payment terminal, so clear-text card data never enters the POS. P2PE effectively addresses the risk of card data being compromised while in transit through the merchant network: the data is transmitted to the gateway or acquirer for decryption and processing, protected by strong encryption, device management applications, and key management.
- Tokenization enables businesses to securely “store” cardholder data for future transactions. Tokenization is a technology that centralizes protected card data and replaces the original cardholder data with a different value. When the token is to be reused, it is sent back to the token provider, where the actual cardholder data is retrieved, decrypted, and used.
- EMV verifies a credit or debit card at the point of sale by reading the chip on the card and verifying the cardholder with a signature. EMV makes it extremely difficult, but not impossible, to “white label” or duplicate a physical credit card that thieves could use to purchase items at the POS.
In the case of a data breach, how does P2PE help avoid the loss of cardholder data?
P2PE prevents the loss of cardholder data by preventing clear-text cardholder data from residing on the organization’s system or network in the event of a data breach.
A PCI validated P2PE solution aims to encrypt cardholder data immediately using the checked POI device, preventing hackers from obtaining clear-text cardholder data.
Memory-scraping malware parses plain-text data that is held temporarily in the memory of POS systems. When the card is swiped or dipped in the terminal, the malware collects the magnetic stripe or chip data while it is still in plain text in the system’s memory. P2PE closes this window because the data is encrypted in the terminal before it ever reaches the POS.
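The data flow described in the P2PE/tokenization comparison above and the memory-scraping scenario in this section can be modelled in a few dozen lines. The following Python is an added example, not code from the article or from any PCI-listed solution: it walks one card-present transaction from the POI device through the merchant POS to the solution provider’s decryption environment, then hands the merchant a token instead of the PAN. The cipher is a stand-in (HMAC-SHA256 used as a CTR-style keystream with an encrypt-then-MAC tag) so the script runs on the standard library; real validated solutions use TDES/AES keys under DUKPT inside an SRED-certified TRSM. The terminal key, the merchant ID, and the track-2-style payload are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed terminal key. In a validated solution this key is injected into the
# POI device at a key injection facility (KIF); the merchant POS never holds it.
TERMINAL_KEY = secrets.token_bytes(32)

# Constructed sample PAN (a well-known test number, not a real account).
SAMPLE_PAN = "4111111111111111"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256 (stand-in for TDES/AES DUKPT)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def poi_encrypt(key: bytes, track_data: bytes) -> dict:
    """Runs inside the POI device's TRSM: the only place clear-text CHD exists."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(track_data))
    ciphertext = bytes(a ^ b for a, b in zip(track_data, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def pos_forward(message: dict) -> dict:
    """Merchant POS and network: routes the message but holds no key and no PAN."""
    return {**message, "merchant_id": "MERCHANT-0001"}  # constructed routing field


def decryption_environment(key: bytes, message: dict) -> bytes:
    """Solution provider's secure decryption environment (HSM-backed in practice)."""
    nonce = bytes.fromhex(message["nonce"])
    ciphertext = bytes.fromhex(message["ciphertext"])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(message["tag"])):
        raise ValueError("integrity check failed: message altered in transit")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


class TokenVault:
    """Tokenization: stores the PAN centrally and hands back a stand-in value."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random, so it reveals nothing about the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def run_transaction(pan: str = SAMPLE_PAN) -> dict:
    """Walks one card-present transaction through POI -> POS -> decryption -> token."""
    track_data = f"{pan}=2912101".encode()  # constructed track-2-style payload
    pos_message = pos_forward(poi_encrypt(TERMINAL_KEY, track_data))
    recovered = decryption_environment(TERMINAL_KEY, pos_message).decode()
    vault = TokenVault()
    token = vault.tokenize(recovered.split("=")[0])
    return {
        "pos_message": pos_message,
        # What memory-scraping malware on the POS could find: the PAN is absent.
        "pan_visible_to_pos": pan in repr(pos_message),
        "recovered_pan": recovered.split("=")[0],
        "token": token,
        "token_resolves_to_pan": vault.detokenize(token) == pan,
    }


def tamper_is_detected(pan: str = SAMPLE_PAN) -> bool:
    """Flip one ciphertext byte in transit; the decryption environment must refuse it."""
    message = poi_encrypt(TERMINAL_KEY, pan.encode())
    ct = bytearray(bytes.fromhex(message["ciphertext"]))
    ct[0] ^= 0x01
    message["ciphertext"] = ct.hex()
    try:
        decryption_environment(TERMINAL_KEY, message)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = run_transaction()
    print("PAN visible to POS:", result["pan_visible_to_pos"])
    print("token handed to merchant:", result["token"])
    print("tamper detected:", tamper_is_detected())
```

The point to take from `run_transaction` is which party holds what: only `poi_encrypt` and `decryption_environment` ever see the key or the PAN, so a scraper running on the POS finds nothing but ciphertext, and the value the merchant keeps for repeat business is a token that only the vault can resolve.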
How Does the PCI P2PE Standard Apply to PCI DSS?
The PCI DSS security framework has provided a list of controls needed to resolve security threats that could compromise cardholder data in a vendor environment since its initial release in 2004.
Each security check, whether through physical security, technical controls, or corporate policies and procedures, is associated with one or more identified threats that could compromise the security of credit card data.
Throughout the PCI DSS, different encryption forms are required in connection with other technical, physical, and procedural controls in the cardholder data environment (CDE).
Why Do Businesses Use P2PE?
The P2P in P2PE stands for point-to-point: sensitive account data is protected from the moment the payment card is presented at the payment terminal until it reaches the recipient. The E stands for encryption, which means that a breach attempted at any point along the way does not expose the customer or their data.
Businesses must complete a questionnaire known as the Self-Assessment Questionnaire (SAQ) to reach PCI compliance. The PCI SAQ is a checklist that confirms your organization is taking appropriate security measures to keep card data safe and compliant.
The SAQ can pose problems for businesses that do not implement P2PE. The ease of completing it is one of the main advantages for companies implementing a certified P2PE solution.
For merchants who are not using a certified P2PE solution, the SAQ can contain 12 requirements and 329 questions. Here are some examples of questions you will encounter while completing the PCI SAQ:
- Are router configuration files protected from unauthorized access and synchronized?
- Is the list of hardware and software components and their usage descriptions maintained for all system components in the scope of PCI DSS?
- Is there a written access control policy in place that specifies access restrictions based on obligations, recorded permissions, and a declaration that they need access?
There are 326 more questions similar to the above in SAQ D, and you have to answer these questions every 12 months. However, if you are a business using a certified P2PE solution, you only need to answer 35 SAQ questions. This means you’ll be better protected against card fraud than before and spend far less time meeting your PCI compliance requirements.
PCI SSC must validate certified P2PE solution providers to ensure standards are met. PCI SSC is an independent, third-party organization that certifies that your payment service provider’s solution is secure.
What are the advantages of a PCI-validated P2PE solution for merchants?
There are many benefits for merchants using a PCI validated P2PE solution. Beyond reducing the risk involved in protecting customer payment data, they include various incentive programs for merchants using a PCI validated P2PE solution.
In addition to protecting their customers’ payment data, merchants gain several other tangible benefits by using a P2PE solution that has gone through the validation process. Protecting your customers’ payment card data from security threats is one of your business’s most critical responsibilities, and implementing a PCI validated P2PE solution is the best way to protect their card data.
While unverified E2EE solutions are available, you have no way of knowing to what extent the solution provider ensures their products will adequately protect against security breaches and other vulnerabilities in your network.
Here are some of the advantages of implementing a PCI-certified P2PE solution in your company:
- PCI Scope Reduction: Merchants who use a PCI validated P2PE solution in their environment and keep this channel separate from card data from other channels, such as e-commerce, are entitled to use the SAQ P2PE self-assessment questionnaire. Under PCI DSS v3.2.1, the use of a P2PE solution means a significant reduction in controls, drastically reducing the number of questions for merchants who switch from PCI SAQ D (329 questions) to PCI SAQ P2PE (33 questions). Another aspect of scope reduction is the impact of PCI P2PE on the definition of the CDE. By preventing merchant systems from accessing cardholder data once it has been correctly encrypted, P2PE significantly decreases the number of networks and devices covered by the PCI DSS assessment.
- Visa Technology Innovation Program (TIP): Merchants who accept at least 75% of their transactions through a PCI validated P2PE service can apply to the Visa TIP program, which allows them to skip the annual review process to re-validate PCI DSS compliance. While available to merchants of all sizes, this program is especially valuable for high-volume or geographically dispersed merchants who might otherwise go through a more tedious and costly evaluation process.
- Visa Secure Acceptance Program: This program provides a safe harbor from charges in the event of a compromise for Level 3 and 4 card merchants using a PCI validated P2PE solution. There is no application process, but a merchant should still strive for full PCI DSS compliance and have documentation showing that 100% of transactions have been accepted through a listed solution.
- Mobile Acceptance: Mobile point of sale (mPOS) apps downloadable to consumer mobile devices such as Android, iOS, and Windows Mobile are not eligible for PA-DSS, making it difficult for merchants to assess these apps’ suitability. PCI P2PE is ideally suited to solving this problem. By encrypting all card data within a validated card reader before it passes through the mobile device, the consumer mobile device is excluded from PCI DSS scope, unless it is used for any other payment functionality, and PCI compliant card acceptance becomes possible.
- Foreign Networks: Systems and networks between the encryption point and the decryption environment are no longer within PCI DSS scope due to P2PE encryption, which can alleviate complex network responsibility challenges for vendors.
- Enhanced Security: Data encryption on a PCI-certified POI device prevents clear-text payment card information from being found on the device itself or in your business system or network. Thus, data remains safe from hackers as it moves through the transaction process.
- Save Time and Money: Because properly encrypted cardholder data cannot be accessed, fewer systems and networks are considered under PCI DSS, resulting in less costly PCI audits and penetration tests.
Are There Any Disadvantages to Using a PCI Validated P2PE Solution?
Along with all the data security advantages P2PE brings, businesses should also be aware of the operational burden. While the number of requirements for SAQ has decreased, there has been an increase in requirements for ensuring that payment terminals are physically secure inside the store.
Physical security of payment terminals is done through the P2PE Instruction Manual, also known as PIM. The P2PE Instruction Manual is provided to businesses by solution providers and must be closely followed and adequately implemented to meet PCI compliance.
PIM guides companies on how to secure payment terminals in their stores and includes several activities, including:
- A regular inventory check should be done to detect devices that have been removed or need replacement.
- Security cameras should be installed at angles that give a clear view of the terminals, so store personnel can be alerted in case of tampering.
- Monthly site checks and visual inspections should be made by store staff to identify any device tampering.
- Terminals must arrive at the store in sealed, tamper-proof boxes, with the serial number sent separately by e-mail.
The merchant must keep a fully documented record of all these activities. Purchasers then need to perform several audits per year to ensure compliance with the PIM. Ultimately it is up to you and your business to weigh the benefits of P2PE against the time and resources required to follow the PIM.