Keep Customer Data Safe With P2PE

Credit card fraud was the most common type of identity theft last year and more than doubled from 2017 to 2019. So how can you keep your customers’ data safe with Point-to-Point Encryption (P2PE)?

P2PE is an emerging technology that is becoming increasingly essential for many companies, specifically merchants. It protects credit card data traveling through a merchant’s local network and across a payment gateway before reaching the payment processing system. Deployment of a P2PE-approved solution can virtually eliminate the current risk of compromised credit card data in many different environments.

When P2PE is implemented properly, it makes payment card transactions more secure by preventing the theft of unencrypted credit card data on a retail point of sale device, or while the data is in transit – such as online or in a card-not-present situation.

With P2PE, account data (account number, expiration date or the magnetic data on the card) is encrypted, making it unreadable until it reaches the secure decryption environment. This makes any intercepted data less valuable to an attacker. By encrypting cardholder data at the point of sale or point of entry, merchants can significantly reduce their risk of a data breach.

How does P2PE work?

After a credit or debit card number is entered through a PCI-certified card-reading device at the merchant location or point of sale, the device immediately encrypts the card information. The device uses an encryption algorithm to encrypt the confidential card data inside a tamper-resistant module, known as the point of interaction (POI).

From the POI, the encrypted data is sent to the payment gateway for decryption. The keys for encryption and decryption are never available to the merchant, making card data entirely invisible to the retailer. Once the encrypted data is within the secure data zone of the payment processor, it is decrypted to the original card numbers and then passed to the bank for reading and authorization. The bank either approves or rejects the transaction, depending upon the cardholder’s credit account. The merchant is then notified whether the payment was accepted or rejected, which completes the process. The full sequence from encryption through decryption adds negligible time to the authorization process.
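The flow described above, as an added Node.js sketch that is not part of the original article or any P2PE vendor's code. AES-256-GCM, the single per-device key, and the names `poiEncrypt`, `merchantRelay`, `gatewayDecrypt` and `POI-0001` are assumptions for illustration; the card number is a constructed test value.

```javascript
// Added illustration: the cipher choice and all names are assumptions, not a real P2PE scheme.
const crypto = require('node:crypto');

// Constructed key, injected into the POI and held by the gateway; the merchant never receives it.
const DEVICE_KEY = crypto.randomBytes(32);

// POI (tamper-resistant reader): encrypts account data the moment it is read.
function poiEncrypt(key, deviceId, pan, expiry) {
  const iv = crypto.randomBytes(12); // fresh nonce for every transaction
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(deviceId)); // bind the ciphertext to the sending device
  const ct = Buffer.concat([cipher.update(JSON.stringify({ pan, expiry }), 'utf8'), cipher.final()]);
  return { deviceId, iv: iv.toString('hex'), ct: ct.toString('hex'), tag: cipher.getAuthTag().toString('hex') };
}

// Merchant POS / local network: relays the opaque message; no key is in scope here.
function merchantRelay(message, amountCents) {
  return JSON.stringify({ amountCents, p2pe: message });
}

// Gateway (secure decryption environment): looks up the device key and decrypts.
function gatewayDecrypt(keyStore, wire) {
  const { p2pe } = JSON.parse(wire);
  const key = keyStore.get(p2pe.deviceId);
  if (!key) return { ok: false, reason: 'unknown device' };
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(p2pe.iv, 'hex'));
    d.setAAD(Buffer.from(p2pe.deviceId));
    d.setAuthTag(Buffer.from(p2pe.tag, 'hex'));
    const pt = Buffer.concat([d.update(Buffer.from(p2pe.ct, 'hex')), d.final()]);
    return { ok: true, account: JSON.parse(pt.toString('utf8')) };
  } catch {
    return { ok: false, reason: 'authentication failed' }; // altered in transit or wrong key
  }
}

// Constructed sample transaction using a well-known test card number.
const keyStore = new Map([['POI-0001', DEVICE_KEY]]);
const wire = merchantRelay(poiEncrypt(DEVICE_KEY, 'POI-0001', '4111111111111111', '12/30'), 1999);
const tampered = JSON.parse(wire);
tampered.p2pe.ct = (tampered.p2pe.ct[0] === '0' ? '1' : '0') + tampered.p2pe.ct.slice(1);
console.log('cleartext PAN in merchant data:', wire.includes('4111111111111111'));
console.log('gateway result:', gatewayDecrypt(keyStore, wire));
console.log('tampered result:', gatewayDecrypt(keyStore, JSON.stringify(tampered)));
```

The merchant-side string contains only hex ciphertext, and a message modified on the merchant network is rejected at the gateway instead of being decrypted.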

Deployment of a P2PE-approved solution can virtually eliminate the current risk of compromised credit card data in an environment. While it may impose some additional costs on businesses for record keeping and inventory management, these can be offset by the clear and dramatic improvement in transaction security that the solution provides, including a reduced scope of PCI DSS compliance requirements.