DATA SECURITY & COMPLIANCE | 10 MIN READ

What is P2PE? 

How Point-To-Point Encryption Solves PCI-Compliance Concerns

Written by Michael Wise

What is Point-To-Point Encryption?

P2PE stands for point-to-point encryption, which uses specially-approved devices to capture and encrypt cardholder data before that data ever enters a merchant’s computer network. P2PE devices, which look just like a normal POS machine a consumer would swipe or insert when making a retail purchase, have an extra layer of security.

Each device is individually injected with an encryption key unique to the merchant. This carefully-controlled process takes place off-site at an approved Hardware Security Module (HSM). Once completed, these PCI-certified devices are then securely shipped to the merchant.

What’s the benefit of using a P2PE device?

P2PE devices are increasingly being used in the contact center and healthcare billing office environments—where a high volume of Card Not Present (CNP) transactions take place. Without the card or cardholder present, CNP transactions require merchants to manually enter card data into virtual terminal software installed on their computer.

Once card data is keyed into a merchant’s computer, the company’s whole network becomes “in scope” for PCI auditing and compliance standards. As PCI compliance guidelines and requirements become more complex and costly, P2PE devices offer a quick and relatively inexpensive solution.

P2PE solves PCI compliance issues because cardholder data is keyed directly into the device, where it’s encryped before ever hitting the merchant’s computer, network, or servers.

 

“Our solution prevents clear-text cardholder data from ever being present in our clients’ network. That means their customer’s credit card data isn’t accessible in the event of a data breach. This also removes our clients computers and servers out of scope for PCI compliance.
Jeff Mains
CEO, Intelligent Contacts

Our PCI-Certified P2PE devices undergo the most extensive security measures?

All PCI-validated P2PE solution providers must abide by strict controls to protect encryption keys. Device key injection is done directly at a certified Key Injection Facility (KIF) and decryption only occurs in the Hardware Security Module.

Once the unique encryption key has been injected, our certified devicesare designed to detect tampering. If malicious activity is detected, the device is automatically deactivated, preventing a breach.

PCI-validated P2PE includes a built-in “chain of custody” process for managing PCI P2PE certified devices. Our solution includes access to a online P2PE Manager where you can track and report on all POI devices for PCI attestation and compliance.

 

“While there are other providers offering solutions as “end-to-end encryption solutions,” most are non-validated P2PE products. Only P2PE solutions listed on the PCI-SS website have been audited and approved by the Payment Card Industry Council.”
Jeff Mains
CEO, Intelligent Contacts

How our P2PE solutions reduce PCI compliance requirements

Merchants that implement our PCI-validated P2PE solution throughout their work environment reduce their PCI compliance requirements by up to 90%. Businesses like medical billing offices and contact centers have discovered making this simple change to how they input credit card data has saved them between $40,000-$60,000 a year. Or, the equivalent of one full-time IT professional dedicated to maintaining network security.

Our PCI-approved P2PE devices are fully-integrated with our merchant gateway and virtual terminal. All transactions can be managed and reconciled in one place, or sent to your system of record (collection software, EHR, CRM) through our Rest API or sFTP.

Looking to solve yearly PCI compliance headaches with one call! We can help!

Resources

More Articles Related Consumer Payments

homepage_menu