Skip to main content

P2PE – silver bullet or snake oil?

(Image credit: Image Credit: Sergey Nivens / Shutterstock)

Fraud is an ever-present problem for merchants, especially with the increasing number of payment providers, start-up challenger banks, and online shopping sites providing different levels of fraud protection. With consumers starting to go back to shops now that the most stringent lockdown rules have been lifted, it is important for retailers to be at the top of their game when it comes to protecting their consumers purchases.

To ensure the best customer and business experience, merchants are faced with a raft of stringent legislation and regulations to follow. For example, encryption has become a legal requirement. The world of payments is constantly changing to keep up with new legislative requirements. These changes offer a more simplified way for retailers to encrypt payments data while meeting their PCI compliance obligations. One solution that helps organizations with compliance and experience is point-to-point encryption, or P2PE.

What is P2PE?

Point-to-point encryption (P2PE) is a system that encrypts account data along the payments value chain – from the moment the merchant accepts the payment card to when it is decrypted and sent to the issuing bank. The P2PE standard was developed by the Payment Card Industry’s Security Standard Council (PCI SSC) and is designed to reduce the risk of access to payment card data. Without being able to access the card data, online and digital payments fraud becomes significantly harder.

Larger organizations will typically employ the services of a Qualified Security Assessor, or QSA, to help assess the security of the data that runs through their network. More often than not, QSA’s will advise retailers selecting in-store payment systems that a P2PE solution is the best way to deliver the level of encryption required.

A silver bullet?

P2PE is an effective solution to deliver encryption across the journey that cardholder data takes and gives consumers peace of mind that their information is safe. P2PE reduces a merchant’s risk profile and in some circumstances across a traditional payments value chain, can reduce the scope of a merchant’s PCI Data Security Standard (DSS) assessment.

By using a P2PE validated solution, merchants are not required to fill out the Self Assessment Questionnaire (SAQ) D. This is the most demanding form of self-certification with over 12 requirements, and 329 questions for merchants to answer. Instead, users with a P2PE solution only need to complete three requirements and answer 35 questions from the alternative SAQ P2PE document.

Snake oil?

As with any solution, P2PE isn’t going to be right for some merchants and can carry a number of unseen headaches. In the unfortunate event of a data breach, the weakest point in the chain is looked at first. Sadly, this is often the merchant’s adherence to the procedures laid out in the P2PE Instruction Manual (PIM). In order for retailers to realize a compliance benefit from P2PE, they must closely follow the PIM. While adherence to the PIM brings increased external validation, there is also the trade-off of increased operational effort in addition to the yearly assessment, all validated by the retailer’s QSA.

By adopting a P2PE solution, merchants are required to follow the PIM and put measures in place for store staff to record that terminals received haven't been tampered with. PIM measures include checking serial numbers, cameras being in place aiming at the terminals in store, monthly site checks and more.

Alternatively, users can opt for an end-to-end encryption solution, or (E2EE). E2EE solutions offer the same encrypted payments pathway as P2PE but also can come with fewer regulatory requirements under PCI. Depending on their acquirer, E2EE users may only need to complete two requirements and 22 questions in the SAQ B-IP form, offering merchants greater flexibility and freedom when it comes to implementing security practices.

P2PE or E2EE?

The ultimate decision as to adopt P2PE or E2EE rests with the merchant as both options are suitable depending on their circumstances. Understandably, some merchants are more risk-averse than others, so prefer the extra measures put in place for their store staff that are provided through a P2PE solution. Some merchants prefer a more flexible system with fewer requirements – in that case they might be more suited to an E2EE solution.

If the complete payments value chain is managed by a single provider, then E2EE is just as effective in protecting against data breaches as P2PE. For an E2EE solution, if the gateway, processor and acquirer roles are all managed by a single provider, it forms an unbroken chain and the chance for hackers to gain access is much more difficult. However there are businesses that are required to only use a P2PE encryption solution, both for the added security around terminal handling but also for their own stakeholder requirements. In this case, where a P2PE solution is mandatory, by choosing a solution with a payments provider that manages the whole payments chain, encrypted customer data is that much more secure all the way through its journey.

Retailers should look for simplicity, especially when there are a number of regulations and restrictions businesses have to follow. Ensuring the best business experience, while maintaining high standards of customer experience through data security is essential to customer loyalty and repeat business, as well as brand reputation. By opting for P2PE there is the trade-off between the added value of external validation of the solution and the increased operational effort in both time and money spent. Any E2EE solution however should come directly from a payment provider securing the whole value chain to ensure maximum protection.

Colin Neil, SVP Business Development, Adyen UK