What does p2pe mean?

Saturday, January 03, 2015

Credit card information needs to be carefully encrypted in order to keep both consumers and businesses safe. There are many security measures out there to prevent credit card data theft, but point-to-point encryption (P2PE) is often cited as the best practice for doing so.

Here, we’ll walk you through what P2PE entails, how it works, and why it is crucial to use to ensure your business’s security and your customers’ security.

What is P2PE?

Transactions are increasingly conducted electronically, and a number of measures and protections exist to keep them secure that both the business owner and the consumer can take advantage of.

These security measures are meant to keep attackers away from sensitive information. For P2PE, that means a customer's card number and related account data are encrypted inside the payment terminal the moment the card is read, so they never exist in cleartext at the terminal, on the merchant's systems, or on the network between the point of sale and the decryption environment.

Industry standard for encryption

Simply put, P2PE is an industry standard for protecting card data. It is published by the Payment Card Industry Security Standards Council (the PCI Council or PCI SSC) and is treated as a best practice because the data is encrypted at the moment the card is read by the merchant's point-of-sale (POS) device, before it reaches any merchant system. "Encryption" here means transforming the cleartext card data into ciphertext that cannot be read without the corresponding key, so anyone who intercepts it learns nothing useful.

However, not all P2PE solutions are PCI-validated. A validated solution is one that has been assessed by a qualified P2PE assessor against the PCI SSC's P2PE standard and accepted by the council for its list of validated solutions. That standard is separate from the Payment Card Industry Data Security Standard (PCI DSS), the baseline set of security requirements designed to reduce the risk of theft and fraud involving customers' credit and debit card data; using a validated P2PE solution is what allows a merchant to reduce the portion of PCI DSS that applies to it.

In fact, all businesses that accept credit and debit cards must be able to demonstrate to their acquiring bank or processor that they comply with PCI DSS.

To qualify for PCI validation, a P2PE solution must satisfy requirements in each of the areas the standard covers, which map to the following features:

  • P2PE applications running on the payment terminal
  • Cardholder data encrypted at the POS
  • Secure management of encryption and decryption devices
  • Secure management of the decryption environment and of the decryption process
  • Defined encryption methods and secure cryptographic key operations

A vendor becomes a PCI-validated P2PE solution provider only after its solution has been assessed in all of these areas and listed by the PCI SSC. The easiest way to check a provider's claim is to look for the solution on the PCI SSC's public list of validated P2PE solutions; if it is not listed, ask the provider for its validation details and its P2PE Instruction Manual (PIM) rather than taking "P2PE" on a marketing page at face value.

How does P2PE Work?

Electronic payment volume keeps growing, and so does the demand for payment security. Protections have come a long way, but a method like P2PE still has to be maintained and periodically reassessed (devices, keys and the decryption environment alike) to stay ahead of new attacks.

Secure encryption

P2PE encrypts the account data inside the POS terminal using a cryptographic algorithm and a key held only in the terminal's secure hardware. The resulting ciphertext is sent to the payment processor's decryption environment, which holds the matching key in a hardware security module, decrypts the data, and passes it on for authorization to determine whether the payment is approved or declined.

The decryption keys are never available to the merchant: nothing at the POS, on the merchant's network, or anywhere between the terminal and the decryption environment can turn the ciphertext back into card data.

A further benefit is that the merchant's own systems never handle cleartext card data, which is what keeps most of the merchant's environment out of PCI DSS scope.

Authorized keys for decryption

Under P2PE, the data is encrypted from the instant the customer's card is read by the terminal's card reader, so it is not exposed to third parties anywhere downstream. An attacker who captures the data after that point, for instance by tapping the merchant's network or compromising the POS software, obtains only ciphertext that is indecipherable without the key, and therefore useless.

Once the decryption environment has used its key to recover the data, the transaction is approved or declined and the purchase is completed.
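The flow described above (encrypt in the terminal, forward ciphertext through the merchant, decrypt only in the provider's environment) can be made concrete with a small model. This is an added illustration, not code from Heartland or from any PCI-listed solution. Its assumptions are mine, not the article's: a per-transaction key derived from a base derivation key (BDK) and a key serial number (KSN), in the spirit of the DUKPT scheme real terminals use; an HMAC-SHA256 keystream plus an HMAC tag standing in for the AES/TDES a real device would use, so that it runs with the Python standard library alone; and a masked PAN left in the clear for receipts, which is common practice but not something the article specifies.

```python
"""Toy model of a P2PE transaction path (illustration, not a real solution)."""
import hashlib
import hmac
import json
import os
from typing import Dict

_TXN_KEY_LABEL = b"p2pe-toy-txn-key"


def derive_txn_key(bdk: bytes, ksn: bytes) -> bytes:
    """One-way derivation: learning one transaction key never reveals the BDK."""
    return hmac.new(bdk, _TXN_KEY_LABEL + ksn, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (toy stand-in for AES)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PoiDevice:
    """Point-of-interaction device: holds key material, never emits a cleartext PAN."""

    def __init__(self, device_id: bytes, bdk: bytes) -> None:
        self.device_id = device_id
        self._bdk = bdk  # injected into the device's secure hardware, never exported
        self._counter = 0

    def capture(self, pan: str, expiry: str, amount_cents: int, merchant_id: str) -> Dict[str, object]:
        self._counter += 1
        ksn = self.device_id + self._counter.to_bytes(4, "big")  # unique per transaction
        key = derive_txn_key(self._bdk, ksn)
        nonce = os.urandom(12)
        account_data = json.dumps({"pan": pan, "expiry": expiry}).encode()
        ciphertext = _xor(account_data, _keystream(key, nonce, len(account_data)))
        # Fields the merchant legitimately needs stay readable but are authenticated
        # by the tag, so they cannot be altered between terminal and decryption point.
        clear = {"merchant_id": merchant_id, "amount_cents": amount_cents,
                 "masked_pan": "*" * (len(pan) - 4) + pan[-4:]}
        aad = json.dumps(clear, sort_keys=True).encode()
        tag = hmac.new(key, ksn + nonce + aad + ciphertext, hashlib.sha256).digest()
        return {**clear, "ksn": ksn.hex(), "nonce": nonce.hex(),
                "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def merchant_forward(message: Dict[str, object]) -> Dict[str, object]:
    """The merchant's POS and network: can read amount and masked PAN, nothing more."""
    return dict(message)  # a real POS would log, batch and route the message unchanged


def cleartext_pan_exposed(message: Dict[str, object], pan: str) -> bool:
    """What a tap on the merchant network yields: search the wire form for the PAN."""
    return pan in json.dumps(message)


class DecryptionEnvironment:
    """The solution provider's HSM-backed zone: the only holder of the BDK."""

    def __init__(self, bdk: bytes) -> None:
        self._bdk = bdk

    def decrypt(self, message: Dict[str, object]) -> Dict[str, str]:
        ksn = bytes.fromhex(message["ksn"])
        nonce = bytes.fromhex(message["nonce"])
        ciphertext = bytes.fromhex(message["ciphertext"])
        clear = {k: message[k] for k in ("merchant_id", "amount_cents", "masked_pan")}
        aad = json.dumps(clear, sort_keys=True).encode()
        key = derive_txn_key(self._bdk, ksn)
        expected = hmac.new(key, ksn + nonce + aad + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(message["tag"])):
            raise ValueError("integrity check failed: message altered or wrong key")
        return json.loads(_xor(ciphertext, _keystream(key, nonce, len(ciphertext))))


def luhn_ok(pan: str) -> bool:
    """Basic PAN sanity check before the data is forwarded for authorization."""
    digits = [int(c) for c in pan][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0


def run_transaction(pan: str, expiry: str, amount_cents: int) -> Dict[str, object]:
    """Walk one transaction through all three parties and report what each could see."""
    bdk = hashlib.sha256(b"constructed demo BDK, never a real key").digest()  # constructed
    poi = PoiDevice(b"TERM0001", bdk)
    msg = merchant_forward(poi.capture(pan, expiry, amount_cents, "MERCHANT-42"))
    account = DecryptionEnvironment(bdk).decrypt(msg)
    return {"merchant_saw_pan": cleartext_pan_exposed(msg, pan),
            "masked_pan": msg["masked_pan"],
            "approved": luhn_ok(account["pan"])}


if __name__ == "__main__":
    # Constructed test card number (a well-known Luhn-valid sample, not a real account).
    print(json.dumps(run_transaction("4111111111111111", "12/27", 1999), indent=2))
```

The point to take from the model is the key placement, not the toy cipher: the BDK lives in the terminal's secure hardware and in the provider's HSM and nowhere else, so the merchant's copy of the message is useless to an attacker, and any change to the amount or ciphertext in transit is caught by the tag before decryption.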

Differences between P2PE and E2EE

E2EE stands for end-to-end encryption. From the name alone you might assume it does the same thing as P2PE, and the two are similar: both encrypt cardholder data on its way from the card reader to the party that decrypts it. The difference is that P2PE is a specific standard defined and validated by the PCI SSC, while E2EE is a general term that, in payments, usually describes an encryption solution that has not been validated against that standard. Either can keep your customers' card data confidential if it is implemented well, and you can choose based on your business's needs, but you should know what sets them apart. Let's look at the main differences.

Additional security risk

For starters, with E2EE the path between the POS (or point of interaction, POI) and the payment processor may pass through separate systems, so there are more systems that must be trusted and more places where a breach could expose data. A P2PE solution is assessed against the PCI P2PE standard, and the merchant must follow the solution's P2PE Instruction Manual (PIM), which prescribes regular checks such as keeping an inventory of devices and inspecting them for tampering. E2EE solutions are not held to that standard: the service provider you hire handles the data and is in charge of all encryption and decryption keys, so you must satisfy yourself that it is capable of managing those keys well.

Not PCI-validated

E2EE is not a PCI-validated option. There is no PCI standard that an E2EE solution has been assessed against, so using one does not by itself reduce the PCI DSS requirements that apply to you. This matters because with a PCI-validated P2PE solution you are both better protected against data breaches and better positioned if one does occur: your environment holds no cleartext card data and no decryption keys, and you can validate using the much shorter self-assessment questionnaire reserved for merchants using a validated P2PE solution (SAQ P2PE). With an E2EE solution, you may remain responsible for a far larger share of PCI DSS, and for the consequences of any compromise of card data on your systems.

Next steps

The terminology around P2PE and PCI compliance can seem overwhelming at first, so here is how it applies to your business when you choose a payment processing method in the "real world".

When a small business owner looks for a payment processing service, the first thing to look for is a merchant account provider that is PCI DSS compliant and whose P2PE solution appears on the PCI SSC's list of validated solutions. The alternative is a less secure payment processing setup that can end up costing you fees, chargebacks and more for breaches that were preventable.

Ready to work with a payment processor who can help your small business?

Heartland is here to help.

Heartland helps nearly 1,000,000 entrepreneurs make and move money, manage employees and engage customers with human-centered technology solutions that allow them to rise above the daily grind and lead their businesses into a brighter future. Learn more at heartland.us.