Point to point encryption (P2PE): Application or Solution?

Written by Lisa Middleton | July 12, 2019 at 12:30 PM

PXP Financial offers P2PE as a managed service for customers. You can either implement our certified P2PE application or our full P2PE solution. Both have been tested by trained P2PE assessors retained by the Payment Card Industry Security Standards Council (PCI SSC) against the standard.

Why P2PE?

Adopting P2PE is the most secure way a merchant can process card transactions. The majority of card breaches involve malware that harvests card data from the memory of the Point of Sale (POS) application. Because the card data is encrypted on the PIN Entry Device (PED) and can only be decrypted at the service provider (such as PXP), POS memory-scraping attacks cannot succeed: the POS never holds clear card data.
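As an added illustration of the point above (example code, not PXP's), the simulation below runs the P2PE flow end to end: the PED encrypts the PAN, the POS application only forwards the opaque blob, and the service provider verifies and decrypts it. A DLP-style scan of the POS buffers for Luhn-valid digit runs, the same pattern a memory scraper hunts for, then finds nothing. The key, the test PAN and the toy HMAC-based cipher are constructed stand-ins for the hardware-backed TDES/AES encryption a certified PED performs.

```python
"""Simulated P2PE flow: the PED encrypts, the POS only forwards the blob,
the service provider decrypts. Everything here (key, PAN, toy cipher) is
constructed for illustration and is not PXP's implementation."""
import hashlib, hmac, os, re

TEST_PAN = "4111111111111111"  # constructed, Luhn-valid test PAN
PED_KEY = hashlib.sha256(b"constructed P2PE key").digest()  # placeholder key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256; stands in for the TDES/AES
    # encryption a real PED performs. Illustration only, not for production.
    out = b""
    for ctr in range(-(-n // 32)):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def ped_encrypt(pan: str, key: bytes) -> bytes:
    """Inside the PED: card data is encrypted before it leaves the device."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC: nonce || ciphertext || tag

def provider_decrypt(blob: bytes, key: bytes) -> str:
    """At the service provider: verify the tag, then recover the PAN."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered or corrupted P2PE blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used by DLP scanners (and scrapers)."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def scan_for_pans(memory: bytes) -> list:
    """DLP-style check: 13-19 digit runs that pass Luhn in a memory image."""
    text = memory.decode("latin-1")
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]

def pos_transaction(pan: str = TEST_PAN, key: bytes = PED_KEY) -> tuple:
    """Returns the POS memory image (blob only) and the provider's decrypted view."""
    blob = ped_encrypt(pan, key)          # PED -> POS: ciphertext only
    pos_memory = b"POS v1.0 txn " + blob  # the POS never holds the clear PAN
    return pos_memory, provider_decrypt(blob, key)
```

For contrast, running `scan_for_pans` over a buffer from a POS that handles the PAN in the clear (e.g. `b"card=4111111111111111;"`) returns the PAN immediately.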

The options are...

Application only

Pros

  • The application only approach gives the merchant assurance that the application is encrypting the transaction on the PED using suitably strong encryption methods.
  • The transaction is only decrypted once it reaches PXP’s internal processing systems.
  • Providing there is no other interaction with the card or the PED, there will be no clear card data anywhere on the merchant's systems.

Cons

  • It provides no assurance that the PED has not been tampered with prior to installation.
  • It provides no means of minimising the length of time that a tampered PED remains in operation.
  • It provides no assurance that the card information is not captured elsewhere in the merchant's system.

Key considerations

  • Swapping PED devices will require some work.

Full solution

Pros

  • In addition to the benefits of the application, the solution gives the merchant added assurance that the PED devices have not been tampered with prior to being installed in their environment.
  • It also gives the merchant assurance that the PED device is installed in a secure manner.
  • The engineer installing the PED is trained to recognise tampering and knows what to do if a PED has been tampered with prior to installation.
  • Providing the merchant follows the Service Provider's recommendations, they will significantly reduce the likelihood of the PED being compromised.

Cons

  • Operational overhead is significantly higher due to the additional controls that the merchant has to put in place.
  • The merchant will have to familiarise themselves with the P2PE standard in order to be able to implement it correctly.
  • It will cost more for a trained third party to install the PED securely.

Key considerations

  • The merchant will probably have to review their entire environment, including things such as lighting etc.
  • Scope reduction is only possible if the P2PE solution is implemented correctly, and even then it will probably not reduce security operations by much.
  • If correctly implemented and adhered to, it is probably the best assurance a merchant can have that they will not lose customer card holder data, even if they suffer a security breach.

P2PE is not currently mandatory, but if you choose to implement P2PE, it must be done in accordance with the standards defined by the Payment Card Industry Security Standards Council (PCI SSC). P2PE currently only applies to the card-present environment. There is no one-size-fits-all approach to data security. We believe that each customer is different.

So call us for a free 30 minute consultation about your particular needs.

PXP Financial

The End-to-end payment platform

PXP Financial provides a single unified payments platform to accept payments online, on mobile and at the point of sale. Powered by in-house global acquiring, 200+ alternative payment methods & financial services, PXP processes over EUR 16 billion annually through our unified gateway.

Whatever your business needs today or tomorrow, PXP Financial's innovative payment platform will support your business growth with all the payment services you will ever need from one source, wherever your business takes you.