Click here
Click here
Retail Technology, Retail technology News
Click here

Still early days for P2PE: What retailers need to know

Wednesday October 31 2012

Recently a group of card payment industry practitioners gathered to discuss card security issues. A significant proportion of the debate focused on point-to-point encryption (P2PE). Payments expert Iain High explains the salient points.  

Recently a group of card payment industry practitioners gathered to discuss card security issues. A significant proportion of the debate focused on point-to-point encryption (P2PE). Payments expert Iain High explains the salient points.


Iain High, managing director of payment service provider (PSP) Anderson Zaks reports from a recent Vendorcom Special Interest Group meeting to discuss the subject of Payment Card Industry (PCI) compliance and the security of card data.


According to PCI guidelines, P2PE is designed to provide a comprehensive set of security requirements for payment solution providers to validate their hardware-based systems, and may help reduce the PCI Data Security Standards (DSS) scope of retailers/merchants using such systems.


It ensures that card information is passed securely from the point of payment (i.e. where you insert or give card details) to the acquirer (bank) and that the retailer/merchant does not hold card information. Even though they are not holding this data, the retailer/merchant will still have to provide evidence that they adhere to PCI standard. But High said P2PE may significantly reduce the scope of their cardholder data environment and annual PCI DSS assessments.


“While it has been around for a couple of years, P2PE is still in the early stages of market adoption, and different solutions that address various requirements are still evolving,” said High. “Larger tier 1 and 2 retailers/merchants with IT departments are already evaluating the benefits of P2PE, some smaller retailers/merchants may not be aware of the benefits.”


He said the salient points highlighted during the group meeting discussions were:

• P2PE is not compulsory

• There are different forms of P2PE

• The future direction of P2PE is not necessarily set

• Retailers/merchants should look to future proof any purchases made now.


P2PE is not compulsory


The banks are not insisting on P2PE, which means that retailers/merchants are free to choose any solution that meets their card processing requirements so long as it is PCI DSS compliant.


Different forms of P2PE


Different sectors of the card payment industry have different approaches to P2PE. Terminal manufacturers are building encryption into their PIN pads, whereas software solution providers’ approach is to encrypt or mask card data within the merchant’s systems and pass limited details back thus equally reducing the scope of PCI for the retailer/merchant. There is also an increasing groundswell for a third or middle path that combines elements of both approaches.


A difference in approach


The following diagrams illustrate the two approaches. The first diagram shows the encryption process between the retailers/merchants point-of-sale (PoS) application and the payment provider’s system. The PSP in turn interfaces with the PIN pad and host gateway, encrypting the card data.



A typical PSP or software-based approach


Anderson_Zaks_A typical PSP or software-based P2PE approach









This approach is currently approved under PCI DSS compliance validation.


The second diagram has all the encryption activity within the payment terminal but still sends limited transaction data back to the merchants PoS systems.


A typical terminal vendor’s approach


Anderson_Zaks_A typical terminal vendor’s P2PE approach










The perceived benefit of this option to the retailer/merchant is that they will significantly reduce their effort in attaining and maintaining PCI DSS compliance. However this is really only pertinent for level 1 merchants, who process over 6 million card transactions per annum**.


High said there are benefits to both approaches. “By having P2PE in the PIN pad everything is self-contained within the terminal, retailers/merchants are provided with a simple turnkey solution,” he explained. “By adopting software based approach retailers/merchants can mix and match their payment hardware and still use the same payment processing solution, so maintaining flexibility.”


Which direction will P2PE develop?


“Both of the approaches have pros and cons, however, neither have yet gained dominance within the market,” he continued. “As the first generation PIN pads reach end-of-life, retailers/merchants are faced with the fact that they must replace their systems – there is simply no ‘do nothing’ option.”


High concluded that this is why members of Vendorcom are suggesting that discussions continue across the industry with input from all stakeholders including acquirers, solutions suppliers, other interested industry associations and standards bodies such as the Payments Council, EPC [European Payments Council] and PCI SSC [Security Standards Council], PSPs, QSAs [qualified security assessor] and merchants/retailers.


“The ultimate aim is that developments in P2PE should deliver a strong, flexible, future proof and market empathetic solution,” he said.


**Currently a Level 1 merchant (and Level 2 for MasterCard) must perform an onsite PCI assessment using a certified QSA. This typically involves the completion of all 12 sections (280+ questions) of the PCI DSS SAQ D form. A certified PCI P2PE solution will reduce this effort to just four sections.