Our answers to frequently asked questions.
Point-to-Point Encryption (P2PE) is an encryption standard established by the Payment Card Industry (PCI) Security Standards Council. It requires that payment card data be encrypted immediately upon use with the merchant’s point-of-sale terminal and cannot be decrypted until securely transported to and processed by the payment processor.
A PCI-validated P2PE solution is a combination of secure devices, applications, and processes that encrypt credit card data immediately upon swipe or dip in the payment terminal (also called the Point of Interaction, or POI). The data remains encrypted until it reaches the Solution Provider’s secure decryption environment.
In order for a P2PE solution to receive validation from PCI, the solution, the Solution Provider, and associated players in the overall P2PE solution must undergo assessment and audit by a P2PE Qualified Security Assessor (QSA), before being brought before the Council for approval.
Note: “Only Council-listed P2PE solutions are recognized as having met the rigorous controls defined in the PCI P2PE Standard for the protection of payment card data, as well as meeting the requirements necessary for merchants to reduce the scope of their cardholder data environment (CDE) through use of a P2PE solution.”
According to the PCI Security Standards Council (PCI SSC), the PCI P2PE standard is defined as: “Building upon the solid data and environmental security foundation established and promulgated by the PCI SSC for the payments industry via the PCI DSS, PA-DSS, and PTS, the P2PE Standard is a comprehensive set of requirements focused on providing the requisite security requirements necessary to support the deployment of secure P2PE solutions.”
A PCI-validated P2PE solution is required to have all of the following:
As a PCI-validated P2PE Solution Provider, Bluefin is responsible for the design and implementation of our P2PE solution, and for management of the solution for our partners and their merchants. We are also responsible for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on our behalf (for example, hardware manufacturers, certification authorities, and key injection facilities).
Non-Validated (Unlisted) Encryption Solutions
Encryption solutions that have not been validated by the PCI SSC, but still provide functions such as encrypting within the POI terminal and decrypting outside the merchant environment, are generally called unlisted P2PE solutions or End to End Encryption (E2EE) solutions.
PCI-Validated (PCI-Listed) P2PE Solutions
PCI-validated P2PE solutions have been assessed by a P2PE QSA as having met the PCI P2PE standard and are therefore listed on the PCI website under Approved P2PE Solutions. In addition to meeting the P2PE standard, the decryption component of the solution must operate within a secure environment that is annually assessed to the full PCI DSS standard.
There are many benefits for merchants who use a PCI-validated P2PE solution. These include reducing your risk when protecting customers’ payment data, as well as eligibility for various incentive programs available to merchants using a PCI-validated P2PE solution.
Merchants who use a validated solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the shorter self-assessment questionnaire, SAQ P2PE, which is recognized and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions).
Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply through their acquirer for the Visa TIP program, which allows approved merchants the ability to discontinue their annual assessment process to re-validate PCI DSS compliance.
This program incentivizes acquirers by providing safe harbor for fees in the event of a compromise for Level 3 and 4 card-present merchants who use a PCI-validated P2PE solution.
By encrypting all card data within a validated card reader before it passes through the mobile device, the consumer mobile device is rendered out of scope for PCI DSS compliance (so long as it is not used for any other payment function), ensuring compliant card acceptance via a consumer mobile device.
Because systems and networks between the encryption point and the decryption environment are no longer in scope due to the P2PE encryption, this unique advantage can address complex network responsibility challenges for some merchants.