Whether it is online, over the phone, or in a store, everyone wants to be sure that their card information is secure. Point-to-point encryption (P2PE) is the industry standard to ensure the best possible level of security when making a credit card transaction.
What is P2PE?
P2PE was established by the Payment Card Industry Security Standards Council (PCI SSC) to ensure a standardized method of payment security for credit or debit cards. Every time a card is swiped the system automatically converts the card information into an indecipherable code designed to prevent fraud. It gives maximum security in a world where card fraud is rife.
The P2PE Standard states that a card processing solution must meet certain requirements. These requirements must be met in order to validate any payment solution as safe and secure. Validation is done by an independent company which employs P2PE Qualified Security Assessors (P2PE-QSA) who meet the PCI SSC requirements and have passed the relevant exams.
Who provides this security?
The security for P2PE solutions is provided by a third-party company via a payment gateway. They are wholly responsible for the complete solution and manage the gateway for the merchant customers. They must also ensure that the P2PE standard is met, including by any services that third-party entities provide on their behalf. The requirements for a point-to-point encryption solution are as follows:
- Secure encryption of card data at POI
- P2PE validated application at POI
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage
- Validated point-to-point encryption solutions
Benefits of P2PE solutions
For a customer using their card, it means that the payment is always secure once the card is swiped on the system at the merchant terminal. The data is encrypted instantly when the card is swiped through the card reader.
For the merchants processing the payment through their respective terminals, it means saving time and money, as the requirements under the PCI Data Security Standard (PCI DSS) have already been met within the system. When using a P2PE provider, the Self Assessment Questionnaire required by the PCI DSS is shorter, reduced to only 35 questions.
Also, with a P2PE validated system in place, the merchant is no longer responsible in the event of a fraudulent transaction. It is the provider who is held accountable for any loss of data or action by the major credit card providers. And with the whole payment taking just a few minutes, it speeds up transaction times and makes the payment more efficient for both merchant and customer.
How does it all work?
Whenever a card is swiped through a card reader at the point of interaction (POI), the data for the transaction is immediately encrypted with an indecipherable code. The POI device then transmits the encrypted data to the payment gateway to be decrypted. The decryption keys are only held by the provider, and never released to the merchant or retailer, so the whole transaction is secure.
Once decrypted within the secure area of the gateway system, the provider sends the card numbers and other information to the issuing bank for authorization. The bank then either rejects or approves the transaction and the response is transmitted back to the merchant via the same payment gateway.
The merchant will receive a unique reference number for the transaction, known as a “token”. This token is stored by the merchant and can be used, if required, to process a refund for the customer without ever knowing any of the card data. This is known as “tokenization”.
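The flow described above (encrypt at the POI, decrypt only at the gateway, hand the merchant a token) can be sketched as follows. This is an added example, not code from the article or from any P2PE provider: the names `poi_encrypt` and `Gateway`, the token format and the test card number are hypothetical, and an HMAC-SHA256 keystream stands in for the encryption a real POI device performs in hardware.

```python
import hashlib, hmac, secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 counter keystream), used only so the
    # example runs on the standard library; not a real POI's hardware cipher.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def poi_encrypt(key: bytes, pan: str) -> bytes:
    """Card reader (POI): the card number is encrypted at the moment of the swipe."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, pan.encode())
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

class Gateway:
    """Provider side: the only place the decryption key and clear card numbers exist."""
    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # token -> card number, never leaves the gateway

    def process(self, blob: bytes) -> str:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        good = hmac.new(_subkey(self._key, b"mac"), nonce + ct, hashlib.sha256).digest()
        if len(blob) < 48 or not hmac.compare_digest(tag, good):
            raise ValueError("rejected: ciphertext failed integrity check")
        pan = _xor_stream(_subkey(self._key, b"enc"), nonce, ct).decode()
        # Authorization with the issuing bank would happen here.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def refund(self, token: str) -> str:
        _ = self._vault[token]  # KeyError for a token the gateway never issued
        return "refund accepted for " + token

def demo():
    key = secrets.token_bytes(32)  # constructed key for the demo
    gateway = Gateway(key)
    blob = poi_encrypt(key, "4111111111111111")  # constructed test card number
    # All the merchant ever holds: ciphertext in transit and the token.
    merchant = {"blob": blob, "token": gateway.process(blob)}
    return gateway, merchant
```

The merchant record contains no key and no card number, so a compromise of the merchant's systems exposes only ciphertext and tokens.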
With all of this in place, it is very reassuring to know that credit card transactions processed at a POI terminal are secure, and if there is any issue, the cardholder does not lose out.