PCI Validated P2PE Solutions for Merchants
Despite our increasingly online world, many payments are still made with the card physically present: in fact, four out of every five retail purchases occur in a brick-and-mortar environment.
Those card-present transactions may feel safer than purchases made through e-commerce sites, because the consumer holds onto their card at all times. The reality, however, is that all the data on the card is collected and transmitted in essentially the same way it would be if the consumer had simply typed their card details into a web form.
To combat the risk of data leakage, the PCI Security Standards Council created the Point-to-Point Encryption™ (P2PE) standard.
What is P2PE?
P2PE is a payment security process in which all card data is encrypted at the point of collection, then stored and controlled by a single payment provider, without ever being present in the merchant’s systems.
In a P2PE environment, sensitive data, including credit card numbers, is encrypted at the point of origin and can only be decrypted by the service provider, which takes sole responsibility for its transmission into the broader payments ecosystem. In such a setup, a consumer’s credit card number is encrypted by the P2PE-compliant swipe machine in a store; that encrypted information is immediately dispatched to the P2PE payment provider, which is the only entity that can decrypt it for presentation to the issuing bank. The transaction then completes, successfully or unsuccessfully, with only the PCI-validated P2PE provider, and never the merchant, ever having had access to the actual credit card data in plain text.
What does PCI Validated mean?
The PCI Security Standards Council established a series of requirements that allow a P2PE solution to be presented as appropriate for a PCI-DSS environment. Solutions that come close, but do not achieve full PCI validation, are known as end-to-end encryption (E2EE) options.
The difference between P2PE and E2EE is that P2PE environments generally use proprietary hardware so that only the gateway holds the encryption/decryption keys. In contrast, in E2EE, any participant in the chain may initiate the encryption process, including the merchant.
Why does PCI Validated P2PE matter?
For customers, PCI-validated P2PE brings a new and important level of security, as only the P2PE-compliant payment provider is ever granted access to the consumer’s credit card details. At no stage does anyone else need to see or handle the physical card—it is simply swiped, dipped, or tapped onto the physical payment terminal, and the details are instantly encrypted in a way that only the payment provider can decrypt.
For brick-and-mortar merchants, there are four big benefits to PCI Validated P2PE:
- Reduced PCI-DSS compliance costs: as they never have access to the customer card data, their systems do not come into PCI-DSS scope.
- The PCI validation means that not only the payment provider, but also the terminals in use have been fully certified as secure, reducing the risk of customer data leakage.
- When using a PCI Validated P2PE solution, the merchant is not held liable for any security breaches or losses suffered by the customer or other partners: liability is held by the system provider.
- The payment process is faster, as it uses proprietary encryption and can thus transmit a smaller payload across a more tightly defined network.
Are there any downsides to PCI Validated P2PE?
So far, we have focused on the positives. Still, there is one big challenge with PCI Validated P2PE: the proprietary technology in the terminal and in the encryption means that the merchant is effectively tied to that one provider.
When the service is working well and the fee structure works for both parties, this is not an issue. But when the merchant starts to wonder whether they could do better with a range of partners, or with a different one, the challenge of moving can be near-insurmountable.
This is because, in this environment, the merchant using a P2PE system does not control or own the storage of any customer details. As a result, they can never offer, for instance, subscription payment arrangements without staying with the same payment provider.
In addition, PCI-validated P2PE is, to all intents and purposes, a purely brick-and-mortar solution, as it relies upon a point-of-interaction (POI) device that can safely house the encryption keys and encrypted data before transmitting them to the payment provider. Housing an encryption key in a consumer-resident application to create a distributed PCI-validated P2PE is theoretically possible, but there are no live examples at the time of writing.
Can P2PE be emulated in e-commerce?
While there is no immediate evidence that one could create a truly PCI-validated P2PE solution without shipping proprietary POI machines to customers, creating a payment system that exhibits the best elements is possible. Merchants can:
- Have credit card data collected on their web pages through forms that transmit the details to a third-party token vault such as Basis Theory.
- Receive a similarly secure token from the token vault.
- Allow the token vault to provide secure storage.
- Request the token vault to present the credit card information to close sales.
An advantage to this situation is that the vault where credit card data is held is not owned or operated by a payment processor, making it perfectly viable for the merchant to have agreements with a range of providers, as makes sense for their business.
While this approach does not rely on physical security the way a PCI-validated P2PE solution does, it provides a very near approximation in an environment that, by definition, cannot rely upon proprietary POI devices.