Card fraudsters want card data, as quickly and as easy as possible so they can monetise it. They use malicious software to harvest data from point-of-sale (POS) applications.
Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. P2PE encrypts the data from the very first moment it enters your systems which means, if that is the only way card data enters your environment, you will never see sensitive cardholder data in the clear. This helps reduce your risk in the event of a breach, the associated costs (e.g. lost revenue, reputation, trust), plus your PCI scope.
Adopting P2PE is the most secure way merchants can process card transactions. The majority of card fraud involve malware that harvests the card data from the memory of the Point of Sale (POS) application. By encrypting the card data on the PIN Entry Device (PED) and only having the means to decrypt it at the service provider (such as PXP) it makes it impossible for POS memory scraping attacks to succeed.
Behind the scenes, each PIN entry device has a secure encryption key within it. We manage these keys from our secure datacenter and deploy them via remote key injection.
What are the different ways to implement P2PE?
We operate P2PE as a managed service for our customers either as an application or as a full solution. Both have been tested by trained P2PE assessors accredited by the Payment Card Industry Security Standards Council (PCI SSC) against the standard. These options are:
- P2PE Application: a software service centered around the device and connection out to PXP Financial.
- P2PE Solution: an end-to-end service and includes business processes for securing your terminal estate. For example, provisions around terminal deployment, security (physical and logical), maintenance and storage.
For more information on these options, including the pros and cons of each, we have created this guide: Point to point encryption (P2PE): Application or Solution?