
    PCI Validated P2PE Solutions for Merchants


    What is P2PE?

    P2PE stands for point-to-point encryption: a payment security architecture in which card data is encrypted inside the payment terminal at the moment it is captured and can only be decrypted by a single party, the P2PE solution provider, which takes sole responsibility for carrying it into the broader payments ecosystem. In such a setup the card is read by the point-of-interaction (POI) device in the store, which encrypts the account data before it leaves the device; the merchant passes that ciphertext along into the payment ecosystem, where only the solution provider's decryption environment can recover it for presentation to the issuing bank; and the transaction completes, successfully or not, without the merchant ever having handled the card data in plain text.

    What does PCI Validated mean?

    The PCI Security Standards Council publishes a P2PE standard that covers the encryption devices, the key management, the decryption environment and the operating procedures of a solution. A solution that has been assessed against that standard by a P2PE assessor and placed on the Council's list of validated P2PE solutions is what is meant by PCI Validated. Solutions with a similar architecture that have not been through that assessment are usually marketed as end-to-end encryption, or E2EE. The practical difference is that with validated P2PE the encryption in the terminal, the handling of keys and the decryption environment have all been independently verified, so only the solution provider can hold the decryption keys; with E2EE the vendor asserts this but nothing has been verified, and in some designs the encryption is applied further along the chain, including on merchant systems, so the merchant's own environment still touches clear-text card data.

    Why does PCI Validated P2PE matter?

    For customers, PCI Validated P2PE brings an important additional level of security, as only the payment provider is ever granted access to the consumer's card details. At no stage does anyone else need to handle the card data: the card is swiped, dipped or tapped at the payment terminal and the account data is encrypted inside the device in a way that only the payment provider can decrypt.

    For brick-and-mortar merchants, there are four big benefits to PCI Validated P2PE:

    • Reduced PCI DSS compliance cost: because the merchant never has access to clear-text card data, most of its systems fall out of scope and it can typically report using the much shorter SAQ P2PE rather than a full assessment
    • The validation covers not only the payment provider but also the terminals in use, which must be PTS-approved POI devices, reducing the risk of customer data leakage
    • The merchant's exposure in a breach is much reduced: responsibility for the encryption, key management and decryption environment sits with the solution provider, although the merchant keeps the duties set out in the solution's P2PE Instruction Manual (PIM), such as keeping a device inventory and checking terminals for tampering
    • A simpler network design: because only ciphertext crosses the merchant's network between the POI device and the provider, the store network and the systems on it can be treated as untrusted transport rather than as cardholder-data systems

    Are there any downsides to PCI Validated P2PE?

    So far we have focused on the positive, but there is one big challenge to PCI Validated P2PE: the keys inside the terminals are injected and managed by the solution provider, and the terminals are bound to that provider's decryption environment, so the merchant is effectively tied to that one provider. When the service is working well, and the fee structure is working for both parties, this is not a huge issue; but when the merchant starts to wonder whether they could do better with a range of partners, or even a different one, the challenge of moving (which in practice means re-keying or replacing every terminal) can be near-insurmountable.

    This follows from the fact that, in this environment, the merchant neither controls nor stores any customer card details. The merchant can certainly retain the token the provider issues to smooth future transactions; but that token only resolves to a card inside that provider's vault, so if the merchant moves to a different provider the token becomes meaningless and the merchant has to ask the consumer to present their card again.

    In addition, PCI Validated P2PE is, to all intents and purposes, a purely brick-and-mortar solution, as it relies upon a point-of-interaction (POI) device that can safely hold the encryption keys and encrypt the card data before transmitting it to the payment provider. Housing an encryption key in a consumer-resident application to create a distributed PCI Validated P2PE is theoretically possible, but there are no live examples at the time of writing, and since the standard requires encryption inside a PTS-approved hardware device, a software-only implementation in a consumer app would not qualify under the standard as it stands.

    Can P2PE be emulated in e-commerce?

    While there is no immediate evidence that one could create a truly PCI Validated P2PE solution without shipping approved POI devices to customers, it is certainly possible to create a payments system that exhibits its best elements. Merchants can:

    • Have credit card data collected on their web pages through forms that transmit the details directly to a third-party token vault such as Basis Theory, so the card number never reaches the merchant's servers;
    • Receive an opaque token from the token vault in place of the card number;
    • Allow the token vault to provide secure storage of the card data; and
    • Request the token vault to present the card details to the payment processor when a sale is closed

    An advantage of this arrangement is that the vault where card data is held is not owned or operated by a payment processor, so it is perfectly viable for the merchant to have agreements with a range of processors, as makes sense for their business, while the stored cards and tokens stay usable across all of them. While not as secure as a PCI Validated P2PE solution, it provides a very near approximation in an environment that, by definition, cannot rely upon approved POI devices. One caveat for scoping: how the form is built matters. A payment form delivered entirely by the third party (iframe or redirect) typically lets the merchant report under SAQ A, whereas merchant-authored JavaScript that posts the card data directly to the vault from the merchant's page falls under SAQ A-EP, which carries more requirements.
