P2PE – Silver Bullet or Snake Oil?

Colin Neil

SVP Business Development at Adyen UK

14.08.2020 05:30 pm

Fraud is an ever-present problem for merchants, especially with the increasing number of payment providers, start-up challenger banks, and online shopping sites providing different levels of fraud protection. To ensure the best customer and business experience, merchants are faced with a raft of stringent legislation and regulations to follow. One solution that helps organisations with compliance and experience is point-to-point encryption, or P2PE.

What is P2PE?

Point-to-point encryption (P2PE) is a system that encrypts account data along the payments value chain – from the moment the merchant accepts the payment card to when it is decrypted and sent to the issuing bank. The P2PE standard was developed by the Payment Card Industry’s Security Standard Council (PCI SSC) and is designed to reduce the risk of access to payment card data. Without being able to access the card data, online and digital payments fraud becomes significantly harder.

Larger organisations will typically employ the services of a Qualified Security Assessor, or QSA, to help assess the security of the data that runs through their network. More often than not, QSAs will advise retailers selecting in-store payment systems that a P2PE solution is the best way to deliver the level of encryption required.

A silver bullet?

P2PE is an effective solution for delivering encryption across the journey that cardholder data takes, and it gives consumers peace of mind that their information is safe. P2PE reduces a merchant’s risk profile and, in some circumstances across a traditional payments value chain, can reduce the scope of a merchant’s PCI Data Security Standard (DSS) assessment.

By using a P2PE validated solution, merchants are not required to fill out the Self-Assessment Questionnaire (SAQ) D. This is the most demanding form of self-certification with over 12 requirements, and 329 questions for merchants to answer. Instead, users with a P2PE solution only need to complete three requirements and answer 35 questions from the alternative SAQ P2PE document.

Snake oil?

As with any solution, P2PE isn’t going to be right for some merchants and can carry a number of unseen headaches. In the unfortunate event of a data breach, the weakest point in the chain is looked at first. Sadly, this is often the merchant’s adherence to the procedures laid out in the P2PE Instruction Manual (PIM). In order for retailers to realise a compliance benefit from P2PE, they must closely follow the PIM. While adherence to the PIM brings increased external validation, there is also the trade-off of increased operational effort in addition to the yearly assessment, all validated by the retailer’s QSA.

By adopting a P2PE solution, merchants are required to follow the PIM and put measures in place for store staff to record that the terminals they receive haven't been tampered with. PIM measures include checking serial numbers, cameras aimed at the terminals in store, monthly site checks and more.

Alternatively, users can opt for an end-to-end encryption (E2EE) solution. E2EE solutions offer the same encrypted payments pathway as P2PE but can also come with fewer regulatory requirements under PCI. Depending on their acquirer, E2EE users may only need to complete two requirements and 22 questions in the SAQ B-IP form, offering merchants greater flexibility and freedom when it comes to implementing security practices.

P2PE or E2EE?

The ultimate decision as to whether to adopt P2PE or E2EE rests with the merchant, as both options are suitable depending on their circumstances. Understandably, some merchants are more risk-averse than others, so they prefer the extra measures for their store staff that come with a P2PE solution. Some merchants prefer a more flexible system with fewer requirements – in that case they might be better suited to an E2EE solution.

If the complete payments value chain is managed by a single provider, then E2EE is just as effective in protecting against data breaches as P2PE. For an E2EE solution, if the gateway, processor and acquirer roles are all managed by a single provider, it forms an unbroken chain and gaining access becomes much more difficult for attackers. However, there are businesses that are required to use only a P2PE encryption solution, both for the added security around terminal handling and for their own stakeholder requirements. In this case, where a P2PE solution is mandatory, choosing a solution from a payments provider that manages the whole payments chain makes encrypted customer data that much more secure all the way through its journey.

Retailers should look for simplicity, especially when there are a number of regulations and restrictions businesses have to follow. Ensuring the best business experience, while maintaining high standards of customer experience through data security, is essential. By opting for P2PE there’s a trade-off between the added value of external validation of the solution and the increased operational effort in both time and money spent. Any E2EE solution, however, should come directly from a payment provider securing the whole value chain to ensure maximum protection.
