DATA SECURITY & COMPLIANCE | 10 MIN READ

What is P2PE? 

How Point-To-Point Encryption Solves PCI-Compliance Concerns

Written by Michael Wise

What is Point-To-Point Encryption?

P2PE stands for point-to-point encryption, which uses specially-approved devices to capture and encrypt cardholder data before that data ever enters a merchant’s computer network. P2PE devices, which look just like a normal POS machine a consumer would swipe or insert when making a retail purchase, have an extra layer of security.

Each device is individually injected with an encryption key unique to the merchant. This carefully-controlled process takes place off-site at an approved Hardware Security Module (HSM). Once completed, these PCI-certified devices are then securely shipped to the merchant.

What’s the benefit of using a P2PE device?

P2PE devices are increasingly being used in the contact center and healthcare billing office environments—where a high volume of Card Not Present (CNP) transactions take place. Without the card or cardholder present, CNP transactions require merchants to manually enter card data into virtual terminal software installed on their computer.

Once card data is keyed into a merchant’s computer, the company’s whole network becomes “in scope” for PCI auditing and compliance standards. As PCI compliance guidelines and requirements become more complex and costly, P2PE devices offer a quick and relatively inexpensive solution.

P2PE solves PCI compliance issues because cardholder data is keyed directly into the device, where it’s encryped before ever hitting the merchant’s computer, network, or servers.