If you’re responsible for PCI DSS compliance at your company, the idea of being able to reduce the lengthy and complicated self-assessment process, as well as your costs and accountability for data breaches, no doubt sounds too good to be true.
Fortunately, such a possibility does exist and it comes in the shape of Point-to-Point Encryption or P2PE. If you’d like to find out more about P2PE (whether it’s right for your contact centre and how it might be able to descope and reduce the cost of your PCI DSS assessments), here’s our handy guide…
What is P2PE?
Point-to-Point Encryption is a standard set of requirements created by the PCI Security Standards Council to ensure maximum security for payment card data. It involves the secure and undecipherable encryption of data from the moment a card is swiped or payment details taken, to the moment the relevant banking service receives those details.
The standard is intended to be met by a P2PE solution, a comprehensive service providing devices, secure software and everything else that is needed to meet P2PE requirements. Solutions are delivered by specialist P2PE providers – third parties responsible for designing, supplying and maintaining a validated P2PE service.
How Does P2PE Work?
P2PE works by encrypting card information from the moment it is taken (at what is known as the point of interaction or POI), using an algorithm that turns the data into unreadable ciphertext. That ciphertext is then transferred directly to the processor, where it is decrypted automatically using a secure key before being passed on to the relevant bank.
Since the decryption is carried out electronically, the merchant or processor does not have to decrypt data manually, nor does the merchant need access to the secure key; therefore, the merchant never has access to its customers’ card data. The P2PE solution will even supply a token to the merchant with each transaction, helping them to identify and refund or rectify a payment at a later date without ever revealing the card information.
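To make the trust boundary concrete, here is an added illustration (not code from any P2PE provider or from the PCI SSC): a small Python model in which only the processor and the device it provisions hold the key, the merchant stores nothing but ciphertext and a token, and a Luhn-based scan of the merchant’s record confirms that no primary account number (PAN) is present. The cipher is a constructed HMAC keystream stand-in, since the page names no algorithm; the test card number is the well-known 4111 1111 1111 1111.

```python
import hashlib
import hmac
import re
import secrets

# Cardholder-data discovery check a merchant can run over its own stores:
# a 13-19 digit run that passes Luhn is treated as a possible PAN.
PAN_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed stand-in for the solution's real cipher: HMAC-SHA256
    # counter-mode keystream XORed over the data (symmetric, so it decrypts too).
    stream = b""
    for ctr in range(-(-len(data) // 32)):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class POI:
    """Point of interaction: the only merchant-side component holding a key."""
    def __init__(self, key: bytes):
        self._key = key
    def capture(self, pan: str):
        nonce = secrets.token_bytes(12)
        return nonce, _keystream_xor(self._key, nonce, pan.encode())

class Processor:
    """Holds the decryption key and the token vault; the merchant sees neither."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._vault = {}
    def provision_poi(self) -> POI:        # key is injected into the device, not the merchant
        return POI(self._key)
    def authorise(self, nonce: bytes, ciphertext: bytes) -> str:
        pan = _keystream_xor(self._key, nonce, ciphertext).decode()
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan           # PAN stays in the processor's environment
        return token
    def refund(self, token: str) -> bool:  # merchant refunds by token, never by PAN
        return token in self._vault

def run_transaction(pan: str):
    proc = Processor()
    poi = proc.provision_poi()
    nonce, ct = poi.capture(pan)           # merchant systems only ever relay this
    token = proc.authorise(nonce, ct)
    record = f"order=1001 amount=19.99 nonce={nonce.hex()} ct={ct.hex()} token={token}"
    return record, find_pans(record), proc.refund(token)
```

The same find_pans scan run over a record that did contain the cleartext number would flag it, which is the check that supports the reduced-scope claim rather than just asserting it.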
Isn’t That Just End-to-End Encryption?
While many E2E and P2PE solutions are similar, P2PE only refers to encryption solutions that specifically meet the PCI Security Standards Council’s requirements. Many E2E solutions don’t meet the standard because they include other systems between the POI and the point of processing, elevating the risk of fraud or hacking.
P2PE transfers data directly from the point of interaction to the point of processing, with no other systems in between – hence the name Point-to-Point – making it a much more secure (and much quicker) process.
P2PE is also an assessable, validatable standard, whereas E2E has no standards or requirements protecting data once it has been taken.
How Can P2PE Help Descope & Reduce PCI DSS Assessment Costs?
The best thing about a P2PE solution from a contact centre’s perspective is that all accountability for PCI DSS compliance is automatically the solution provider’s responsibility. It’s down to the solution provider to ensure all the requirements of the standard are met and that they are providing a complete and secure system.
If fraud or a data breach does occur, the P2PE solution provider will be held accountable for any ensuing fines or penalties, rather than the merchant.
This passed-on accountability also makes PCI DSS assessments much easier for a merchant using a P2PE solution. For example, on the PCI DSS compliance self-assessment questionnaire (SAQ), an organisation responsible for their own encryption has to go through 12 sections and 329 questions, whereas those using a P2PE solution provider only have to cover four sections and 35 questions.
Reducing this lengthy assessment process not only saves time but also money.
Where Can I Find PCI-Validated P2PE Solution Providers?
When it comes to choosing a P2PE solution provider, there are some big names that you will have already heard of. MasterCard, WorldPay and Verifone are all well-known examples of PCI-validated P2PE solution providers, but for a more comprehensive selection you can also check out the PCI Security Standards Council’s directory of Point-to-Point Encryption Solutions.
If you’d like to find out more about P2PE, or PCI compliance in general, we’d encourage you to speak to one of our expert advisers today.
This guide is the seventh chapter of our eBook ‘Starting Your PCI Compliance Journey’.