A guide to secure data transmission with P2PE

So, what does P2PE mean? P2PE is a fraud-protection protocol that protects sensitive cardholder data when a consumer makes a transaction. All sensitive card information and customer data is immediately encrypted and stays so as it travels between the payment terminal, the payment service provider and the payment processor. This means that it isn’t vulnerable to interception by a third party.

The sensitive data that are encrypted by P2PE include:

• Customer’s account information
  • Name
  • Account number
  • Expiration data

• Sensitive authentication details
  • Full magnetic strip data
  • Validation codes such as CVC

Throughout every stage of the payment process – from the payment at the POS to the business’ payment processing provider or acquirer to the customer’s card issuer – the data is never made fully readable to any person or institution. This means it can’t be intercepted and remains secure throughout the entire process.

P2PE uses a process called tokenisation, whereby the real card number is switched for a unique placeholder code. If a hacker were to intercept the payment data, it would simply appear as a random collection of letters and numbers. The unique advantage of this is that the actual card data is never transmitted or stored by the merchant.

P2PE is fully certified by the PCI Security Standards Council (PCI SSC). The first version was released in 2011, with the most recent update in 2019. When merchants use a payment platform with P2PE security or they opt for a P2PE solution, this will be P2PE validated – it makes the process of PCI DSS compliance for merchants of all sizes simple and straightforward.

There are a range of benefits of P2PE, including:

• P2PE is super secure as the cardholder data is never stored at any stage of the transaction.
• It makes PCI compliance much simpler as it is a standardised protocol – when a business completes a PCI self-assessment questionnaire, it’s a much more straightforward process with P2PE.
• If a company undergoes a PCI compliance audit, P2PE makes the process much faster and more efficient.

If a business accepts card payments online, in person or over the phone, P2PE is key. It is especially important in industries where the tightest security standards need to be followed, such as healthcare and education.

If a business accepts a high volume of card payments from customers across multiple channels, P2PE makes it a simple process to handle this customer data.

P2PE may sound like end-to-end encryption (E2EE), but they are slightly different. E2EE is a broader term that is used to refer to data being encrypted and securely transported from one point to another. P2PE is a subset of E2EE.

There are key differences, however. P2PE solutions are fully certified by PCI DSS standards. E2EE solutions don’t have to meet any specific security standards. P2PE also encrypts the data from POS terminals right to the payment processor and doesn’t need to use any third parties along the way. No businesses in the payment chain can get access to the data. With E2EE, as it doesn’t have to meet any payment security standards, the data can be unlocked during the process. The responsibility of keeping everything secure with E2EE falls on the merchant, whilst with P2PE it is the responsibility of the P2PE solution provider.

At Aevi, our goal is to make our products secure and safe for everyone to use. These days, PCI certifications are a common standard in the payment environment, and we are no exception. We maintain and enhance the following certifications in our environment: PCI DSS, PCI PIN, and PCI P2PE. Discover more about our platform and what it can mean for your business.