Today, more than ever, consumers want a fast, frictionless, and secure payment experience. At the same time, businesses need to protect customer data. But ever-changing compliance requirements and payment technology have increased the operational and technical complexity for businesses.
Point-to-point encryption (P2PE) protects cardholder data, makes it easier for organizations to ensure payment data is secure, and helps them meet the requirements of PCI compliance by enabling them to comply with the latest security standards, reducing the risk of fraud.
P2PE protects sensitive cardholder data when a consumer makes a transaction by instantly encrypting the sensitive card and customer data. This process keeps that data encrypted as it travels between the payment terminal and the payment service provider, where the data is then decrypted using a secure key.
P2PE ensures that customers’ sensitive payment information isn't exposed even if there's a data breach. This sensitive data includes consumers' account information, including their names, account numbers, and expiration dates, as well as sensitive authentication details, including full magnetic strip data and validation codes/values (the three- or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2). P2PE also helps businesses reduce the complexity of their PCI compliance.
The PCI Security Standards Council (PCI SSC) released the first version of the P2PE standard in 2011 to offer businesses an easier way to meet all the requirements of the PCI Data Security Standard (PCI DSS). The PCI SSC is an association of major organizations created to secure payments, payment data, and processes and drive the widespread use of electronic payments. In 2019, the PCI SSC released PCI P2PE Version 3.0 to simplify "the process for component and solution providers to validate their P2PE products for cardholder data protection efforts."
P2PE encrypts payment card data when a business accepts a payment card. This information is then transferred to the payment processor. At this point, the payment processor decrypts the information using a secure key and approves or declines the transaction. Since the decryption happens electronically, the business never comes into contact with its customers’ financial data.
Similarly, threat actors aren't able to capture and exploit the transaction data because it is completely encrypted throughout the process. Even if a cybercriminal intercepted a specific transaction, they wouldn’t be able to decipher the data because it's encrypted. Only authorized parties that have the secure key can decrypt the information.
A PCI P2PE solution can significantly help reduce the PCI DSS validation effort of a business' cardholder data environment. But the business must still ensure that it also meets PCI DSS requirements.
Using a P2PE provider that meets the requirements of PCI P2PE means that PCI compliance will mainly fall to a company's P2PE provider, rather than the business. The reason: using a P2PE provider means the company won't have to handle or store sensitive information within its internal systems.
However, the company is also responsible for ensuring that its payment terminals are free of risk and that all shoppers' payment card data gathered from anywhere other than a payment terminal—for example, via a call with a customer service representative—is adequately protected. To keep customer cardholder data secure, it's essential that businesses maintain secure systems for any data that's outside of the P2PE flow—still, a much less onerous undertaking than they would otherwise face without implementing P2PE.
Conversely, if companies select P2PE providers that are not properly certified or whose systems are not validated by the PCI SSC, then they are responsible for ensuring compliance with the PCI DSS. Consequently, it's important for companies that want to reduce their scope for PCI compliance to seek out certified P2PE providers.
The PCI P2PE standard requirements are:
When comparing P2PE vs. E2EE, it's important to note both are standards for encrypting cardholder data, and companies can use either system to ensure their customers’ cardholder data remains secure. But they differ in that an independent assessor has thoroughly inspected and verified PCI-validated P2PE solutions as well as their applications and components, e.g., payment terminals and technologies.
Since P2PE solutions can be fully certified by the PCI DSS standard, the scope of regulations that businesses need to comply with is reduced. E2EE, however, is not certified, which means those solutions don't have to meet any specific standards. Nevertheless, both these solutions can be equally secure.
In addition, P2PE encrypts data from the point-of-sale terminals to the payment processors and doesn't need to use third parties during the process. Therefore, all of a company's data goes directly from one point to the other, and no other companies can access it. When information reaches the payment processor, the processor uses a secure key to decrypt the data and sends it to the issuing bank to be approved. Businesses have no control over this data, and they can't access the secure key to decrypt it. The responsibility for handling the data and ensuring that it is secure falls to the third-party payment processor.
Although E2EE encrypts the payment process from end to end, E2EE doesn't have to meet any standards, so companies can unlock this data during the process. And, unlike with P2PE, third parties aren't responsible for securing the data; instead, merchants must ensure the data is secure.
The key benefits of using P2PE for merchants are:
The short answer is yes, Checkout.com is a P2PE-validated solution provider. Checkout Technology Ltd, a company within the Checkout.com group, is certified per the PCI DSS as a Level 1 service provider, which is the highest standard set by the payment card industry to ensure that credit card data is processed, stored, and transmitted in a secure environment. Checkout.com uses payment tokenization, 3D secure authentication, and PCI-validated point-to-point encryption to secure the acceptance of payments.