Payment Security Fundamentals - FAQ

Find out the answers to the most frequently asked questions about payment security

Why is payment security so important?

Whenever you process a card payment, you and your customer are sharing sensitive, financial information, which needs to be protected.

With the increasing number of card transactions comes a growing number of opportunities for card fraud, so it is imperative that your customers' data is protected at every stage of their transaction.

As a business owner it is your responsibility to provide your customers with a secure payment experience. Failure to do so could not only result in a loss of custom, but you could also face hefty fines.

Let's get started with the fundamental information you need to know about payment security.

What is PCI-DSS?

PCI-DSS is a worldwide set of security requirements, maintained by the PCI Security Standards Council, that businesses must meet when they process card payments or store sensitive cardholder information, with the aim of reducing card fraud.

Who is PCI-DSS for?

If you take card payments, you have to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). The card brands mandate it, through your acquirer agreement, for every business that takes card payments, whether that is in person, over the phone or online.

Does PCI-DSS apply to me?

PCI DSS applies to anyone involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically; it also covers manual processing and storage. You will belong to one of four merchant levels:

  • Level One Any merchant processing over 6 million Visa or MasterCard transactions per year. Or who has suffered an attack that resulted in an account data compromise. Or any merchant the card brands decide should be treated as Level 1. Level 1 merchants validate compliance with an annual on-site assessment by a Qualified Security Assessor (QSA) or a qualified internal auditor, with the resulting Report on Compliance signed by a company officer.

  • Level Two Any merchant processing one to six million Visa or MasterCard transactions per year.

  • Level Three Any merchant processing 20,000 to one million Visa or MasterCard e-commerce transactions per year.

  • Level Four Any merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year. Or all other merchants processing up to one million Visa or MasterCard transactions a year.

To find out more about PCI-DSS compliance, including the requirements, take a look at our list of PCI-DSS Frequently Asked Questions.

What is Point To Point Encryption (P2PE)?

Card fraudsters want card data as quickly and as easily as possible so they can monetise it. They use malicious software to harvest data from point-of-sale (POS) applications.

Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. P2PE encrypts card data at the moment the terminal reads it, before it reaches any of your systems, which means that, if that is the only way card data enters your environment, you will never see sensitive cardholder data in the clear. This reduces your risk in the event of a breach, the associated costs (e.g. lost revenue, reputation, trust), and the size of your PCI DSS scope.

Why P2PE?

Adopting P2PE is one of the most effective ways merchants can protect card transactions. Much POS-based card fraud relies on malware that harvests card data from the memory of the Point of Sale (POS) application. By encrypting the card data on the PIN Entry Device (PED), with the only means to decrypt it held at the service provider (such as PXP), memory-scraping malware on the POS can capture nothing but ciphertext it cannot use.

Behind the scenes, each PIN entry device has a secure encryption key within it. We manage these keys from our secure datacentre and deploy them via remote key injection.
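The following Go program is an added example, not PXP's code or part of the original page, to make the paragraphs above concrete. It models a provider that generates a device key and "injects" it into a PED, a PED that encrypts the PAN before handing anything to the POS application, and a memory scraper that searches the POS process buffer for card-number-shaped digit runs. Assumptions: a single AES-256-GCM key per device stands in for the real key-management scheme, which the page does not describe; the transaction buffer layout and the `4111111111111111` test number are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ScrapeMemory mimics POS memory-scraping malware: it walks a process buffer
// and returns every run of 13-19 ASCII digits, the shape of a card number.
func ScrapeMemory(mem []byte) []string {
	var found []string
	start := -1
	for i := 0; i <= len(mem); i++ {
		if i < len(mem) && mem[i] >= '0' && mem[i] <= '9' {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 {
			if n := i - start; n >= 13 && n <= 19 {
				found = append(found, string(mem[start:i]))
			}
			start = -1
		}
	}
	return found
}

// Provider is the P2PE service provider: it generates the key and is the
// only party that can decrypt. PED is the PIN entry device, which receives
// the key by remote key injection and encrypts before data leaves it.
type Provider struct{ aead cipher.AEAD }
type PED struct{ aead cipher.AEAD }

// NewProvider makes a fresh AES-256-GCM key. One static key per device is a
// simplification (assumption); the page does not describe the key scheme.
func NewProvider() (*Provider, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Provider{aead: aead}, nil
}

// InjectKey provisions a PED with the provider's key.
func (p *Provider) InjectKey() *PED { return &PED{aead: p.aead} }

// Capture encrypts the PAN inside the PED and returns nonce||ciphertext||tag.
func (d *PED) Capture(pan string) ([]byte, error) {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return d.aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Decrypt runs at the provider. A tampered blob fails the GCM tag check.
func (p *Provider) Decrypt(blob []byte) (string, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("blob too short")
	}
	pt, err := p.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// POSMemory is the POS application's transaction buffer as it sits in
// process memory (constructed layout); card is either the clear PAN or the
// PED's ciphertext.
func POSMemory(card []byte) []byte {
	mem := []byte("TXN=00042;AMOUNT=1999;CARD=")
	mem = append(mem, card...)
	return append(mem, ";STATUS=AUTH"...)
}

func main() {
	const pan = "4111111111111111" // constructed test number, not a real card
	prov, err := NewProvider()
	if err != nil {
		panic(err)
	}
	blob, _ := prov.InjectKey().Capture(pan)
	fmt.Println("clear POS, scraper finds:", ScrapeMemory(POSMemory([]byte(pan))))
	fmt.Println("P2PE POS, scraper finds:", ScrapeMemory(POSMemory(blob)))
	fmt.Println(prov.Decrypt(blob))
}
```

Run with `go run .`: the scraper pulls the PAN straight out of the clear POS buffer, finds nothing in the P2PE buffer, and only the provider recovers the PAN. The AEAD tag also means a blob altered in transit through the merchant network is rejected at the provider rather than decrypted to garbage.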

What are the different ways to implement P2PE?

We operate P2PE as a managed service for our customers either as an application or as a full solution. Both have been tested by trained P2PE assessors accredited by the Payment Card Industry Security Standards Council (PCI SSC) against the standard. These options are:

  • P2PE Application: a software service centred around the device and connection out to PXP Financial.
  • P2PE Solution: an end-to-end service and includes business processes for securing your terminal estate. For example, provisions around terminal deployment, security (physical and logical), maintenance and storage.

For more information on these options, including the pros and cons of each, we have created this guide: Point to point encryption (P2PE): Application or Solution?

What is Tokenisation?

Tokenisation replaces sensitive cardholder information with a unique digital identifier called a token. The token allows payments to be processed without exposing actual account details that could potentially be compromised.

The creation of tokens does not significantly impact transaction processing time, meaning there is virtually no impact on the speed of service during busy shopping times. It can also be applied retrospectively to stored card details. This simplifies compliance with data security requirements, and also delivers operational, cost and marketing efficiencies.

What are the benefits of Tokenisation?

There are a number of key benefits of implementing tokenisation which include:

  • Reduce PCI Scope.
  • Reduce risk from cyber threats: a token stolen from your systems cannot be used as a card number outside the tokenisation service.
  • Offer a user-friendly payment experience.
  • Store card data to perform certain tasks, such as matching refunds with sales, reserving accommodation, or releasing pre-booked tickets for collection.

What are the key features of Tokenisation?

  • Format preserving tokenisation means you can use legacy business systems that store card numbers (either 16 or 19 digits) without modification.
  • Cross-channel tokenisation works for every type of transaction (face-to-face, remote, sales, refunds, pre authorisations etc.), which protects your omni-channel strategy.
  • Tokenisation across sub-brands or franchises in a business group helps deliver operational and cost efficiencies.
  • Individual transactions or batches of stored card details can be tokenised and protected retrospectively without completing a transaction.
  • Compatibility with any front-end business application interfacing to the PXP Financial API makes our tokenisation easy to implement.
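The Go program below is an added example, not PXP's tokenisation service or code from the original page. It shows the properties the two lists above describe: format-preserving tokens (same length and all digits, with the last four kept so receipts and refund matching still work), the same token for the same card across channels, a vault that is the only place a token resolves back to a PAN, and retrospective tokenisation of a batch of stored card numbers without a transaction. Assumptions: the in-memory vault, the choice to mint tokens that fail the Luhn check, and the sample order file with the `4111111111111111` and `5555555555554444` test numbers are all constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// Luhn reports whether s is 13-19 digits passing the card check digit.
func Luhn(s string) bool {
	if len(s) < 13 || len(s) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Vault is the tokenisation service, the only place a token maps back to a
// PAN. In-memory here (assumption); a real vault lives with the provider.
type Vault struct{ byToken, byPAN map[string]string }

func NewVault() *Vault { return &Vault{map[string]string{}, map[string]string{}} }

// randomDigits draws n unbiased decimal digits from crypto/rand.
func randomDigits(n int) (string, error) {
	out, b := make([]byte, 0, n), make([]byte, 1)
	for len(out) < n {
		if _, err := rand.Read(b); err != nil {
			return "", err
		}
		if b[0] < 250 { // drop 250-255 so b[0]%10 is uniform
			out = append(out, '0'+b[0]%10)
		}
	}
	return string(out), nil
}

// Tokenise returns a format-preserving token: same length as the PAN, all
// digits, last four kept, the rest random and unrelated to the PAN. One PAN
// always maps to one token, so a sale in store and its refund online resolve
// to the same identifier. Tokens are minted to fail Luhn (design choice) so
// they are never mistaken for a real card number.
func (v *Vault) Tokenise(pan string) (string, error) {
	if !Luhn(pan) {
		return "", errors.New("not a card number")
	}
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil
	}
	for {
		mid, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := mid + pan[len(pan)-4:]
		if _, taken := v.byToken[tok]; taken || Luhn(tok) {
			continue
		}
		v.byToken[tok], v.byPAN[pan] = pan, tok
		return tok, nil
	}
}

// Detokenise runs only inside the provider (e.g. to build the authorisation
// message); merchant systems work with the token alone.
func (v *Vault) Detokenise(tok string) (string, bool) {
	pan, ok := v.byToken[tok]
	return pan, ok
}

// TokeniseBatch protects stored card details retrospectively, with no
// transaction: tokens align with the input, "" where an entry was rejected.
func (v *Vault) TokeniseBatch(stored []string) (tokens []string, rejected int) {
	tokens = make([]string, len(stored))
	for i, s := range stored {
		if tok, err := v.Tokenise(s); err == nil {
			tokens[i] = tok
		} else {
			rejected++
		}
	}
	return tokens, rejected
}

func main() {
	v := NewVault()
	// Constructed legacy order file with raw PANs (test numbers, not real cards).
	tokens, rejected := v.TokeniseBatch([]string{"4111111111111111", "5555555555554444", "n/a"})
	fmt.Println(tokens, "rejected:", rejected)
	refund, _ := v.Tokenise("4111111111111111") // same card presented for a refund
	fmt.Println("refund matches sale:", refund == tokens[0])
}
```

The token is random rather than derived from the PAN, so a copy of the merchant's database gives an attacker nothing to reverse; the only way back is the vault. If a legacy system validates stored numbers with a Luhn check, flip the `Luhn(tok)` condition so tokens are minted to pass it instead.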

What are the best ways to keep customers' data safe?

Accepting card payment is a necessary part of running a retail business. But storing, processing and transmitting card data comes with risks. We have compiled a list of payment security awareness tips and tricks that should be common knowledge.

  1. Use a hosted solution - outsourcing payment security to a trusted partner not only saves you time in keeping up with industry standards but it saves you the expense of training your own team.
  2. Deploy point to point encryption (P2PE) - P2PE removes clear-text cardholder data from your systems, so far less of your environment handles data that needs protecting.
  3. Utilise tokenisation - Tokenisation replaces sensitive card data with a token, which can be used across various front and back-end systems instead of the real card data.
  4. Consider PCI compliance - The goal of PCI DSS is to secure cardholder data. We advise adopting a layered set of measures, including preventive, detective, response and recovery controls, to build operational resilience.

Download our Payment Security Guide