Point-to-point encryption: Difference between revisions
Edit summary by Spfanstiel (talk | contribs): →2014 Target Breach: deleted paragraph, this paragraph has nothing to do with the definition of P2P encryption; additionally it strongly violates Wikipedia's neutrality and no-bias rules
Revision as of 20:14, 19 April 2015
Maximizing the security of credit card information in an increasingly complex regulatory environment is a critical challenge for merchants today. Point-to-point encryption (P2PE), which differs from end-to-end encryption, is a payment security solution that converts confidential credit card data into indecipherable ciphertext the instant the card is swiped, to prevent hacking and fraud.
How It Works
After a credit card is swiped through a P2PE PCI-certified card-reading device at the merchant location or point of sale, the device immediately encrypts the card information. The PCI-certified device uses an encryption algorithm to encrypt the confidential credit card data inside a tamper-resistant module, known as the point of interaction (POI). From the POI, the encrypted, indecipherable data is sent to the payment gateway or processor for decryption.[1] The keys for encryption and decryption are never available to the merchant, making card data entirely invisible to the retailer. Once the encrypted data is within the secure data zone of the payment processor, it is decrypted to the original card numbers and then passed to the bank for reading and authorization. The bank either approves or rejects the transaction, depending on the cardholder's credit account. The merchant is then notified whether the payment was accepted or rejected, which completes the process. This process, from encryption at the point of interaction to decryption at the P2PE solution provider's location, takes less than one second.
Benefits of Point-to-Point Encryption
Customer Benefits
P2PE significantly reduces the risk of credit card fraud by instantaneously encrypting confidential cardholder data at the moment a credit card is swiped.
Merchant Benefits
P2PE significantly facilitates merchant responsibilities:
- With a P2PE security solution, merchants save significant time and money because their Payment Card Industry Data Security Standard (PCI DSS) requirements may be greatly reduced.[2] For organizations that use a PCI-listed P2PE solution provider, the PCI Self-Assessment Questionnaire is reduced from 12 sections to 4 sections, and the controls are reduced from 329 questions to just 35.[3]
- In the event of fraud, P2PE, not the merchant, is held accountable for data loss and fines.
- The payment process with P2PE is quicker than other transaction processes, creating simpler and faster customer-merchant transactions.[4]
Point-to-Point Encryption Vs. End-to-End Encryption
Point-to-Point
A point-to-point connection directly links system 1 (the point of payment card acceptance) to system 3 (the point of payment processing). Because no other systems are involved, payment transactions not only take less time but also gain security and confidentiality. A true P2PE solution is identified by three main criteria:
- The solution uses a hardware-to-hardware encryption and decryption process along with a POI device that has SRED (Secure Reading and Exchange of Data) listed as a function.
- The solution has been certified to have a POI device that follows strict controls regarding shipping, receiving, tamper-evident packaging and installation.
- The solution includes merchant education in the form of a P2PE Instruction Manual, which guides the merchant on POI device use, storage, return for repairs and regular PCI reporting.
End-to-End
Many providers offer end-to-end encryption, which is not PCI-certified P2PE encryption. An end-to-end connection links system 1 (the point of payment card acceptance) to system 3 (the point of payment processing) only indirectly, with multiple systems in between, and each of these increases the opportunity for an attacker. At the same time, it allows credit card data to exist somewhere within the merchant environment in unencrypted form, which is risky for both cardholders and merchants, as the unencrypted data can be easily read and stolen.
PCI Point-to-Point Encryption Requirements
The requirements include:
- Secure encryption of payment card data at the point of interaction (POI),
- P2PE validated application(s) at the point of interaction,
- Secure management of encryption and decryption devices,
- Management of the decryption environment and all decrypted account data,
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.[5]
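The "How It Works" walkthrough above and the requirement list just given (encryption at the POI, a separate decryption environment, and key generation, injection and usage that never touch the merchant) can be made concrete in code. The following Go program is an added, hypothetical model written for this article; it is not code from any PCI-listed P2PE solution, and the type names (SolutionProvider, POIDevice, EncryptedTrack), the use of AES-GCM, the binding of a merchant ID as associated data, and the constructed test card number 4111111111111111 are all assumptions of the example. It also includes a defender-side Luhn scan, ContainsPAN, that a merchant can run over logs or stored records to confirm that no clear-text PAN is present in its environment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
)

// samplePAN is a constructed, non-live test card number used only for illustration.
const samplePAN = "4111111111111111"

// SolutionProvider is a hypothetical model of the provider's secure decryption zone.
type SolutionProvider struct{ aead cipher.AEAD }

// NewSolutionProvider generates a fresh 256-bit AES key inside the provider (key generation).
func NewSolutionProvider() (*SolutionProvider, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SolutionProvider{aead: aead}, nil
}

// POIDevice models the tamper-resistant point of interaction. The keyed cipher is
// unexported, so the merchant POS that drives the device cannot read the key.
type POIDevice struct{ aead cipher.AEAD }

// InjectKey models key loading into a POI before it ships to the merchant (key injection).
func (p *SolutionProvider) InjectKey() *POIDevice { return &POIDevice{aead: p.aead} }

// EncryptedTrack is the only form in which account data leaves the device.
// Nonce and Blob are base64; Blob carries the ciphertext plus the GCM authentication tag.
type EncryptedTrack struct{ Nonce, Blob string }

// Swipe encrypts the PAN inside the device with AES-GCM, binding the merchant ID
// as associated data so a record cannot be replayed under another merchant.
func (d *POIDevice) Swipe(pan, merchantID string) (EncryptedTrack, error) {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTrack{}, err
	}
	ct := d.aead.Seal(nil, nonce, []byte(pan), []byte(merchantID))
	enc := base64.StdEncoding.EncodeToString
	return EncryptedTrack{Nonce: enc(nonce), Blob: enc(ct)}, nil
}

// Decrypt runs only inside the provider's secure zone; the merchant never calls it.
func (p *SolutionProvider) Decrypt(t EncryptedTrack, merchantID string) (string, error) {
	nonce, err1 := base64.StdEncoding.DecodeString(t.Nonce)
	ct, err2 := base64.StdEncoding.DecodeString(t.Blob)
	if err1 != nil || err2 != nil || len(nonce) != p.aead.NonceSize() {
		return "", fmt.Errorf("malformed record")
	}
	pan, err := p.aead.Open(nil, nonce, ct, []byte(merchantID))
	if err != nil {
		return "", fmt.Errorf("record rejected: %w", err)
	}
	return string(pan), nil
}

var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// ContainsPAN is a defender-side check for the merchant environment: does this
// string (a log line, a serialized record) hold a Luhn-valid 13-19 digit run?
func ContainsPAN(s string) bool {
	for _, run := range digitRun.FindAllString(s, -1) {
		if luhnValid(run) {
			return true
		}
	}
	return false
}

// luhnValid applies the Luhn check digit algorithm, doubling every second digit from the right.
func luhnValid(digits string) bool {
	sum := 0
	for i := range digits {
		d := int(digits[len(digits)-1-i] - '0')
		if i%2 == 1 {
			d = d*2/10 + d*2%10 // double and fold two-digit results (e.g. 16 -> 7)
		}
		sum += d
	}
	return sum%10 == 0
}

func main() {
	provider, _ := NewSolutionProvider()
	track, _ := provider.InjectKey().Swipe(samplePAN, "merchant-42")
	pan, err := provider.Decrypt(track, "merchant-42")
	fmt.Println("merchant sees PAN:", ContainsPAN(fmt.Sprintf("%+v", track)), "| provider recovered:", pan, err)
}
```

The point of the model is the trust boundary: the merchant code only ever holds an EncryptedTrack and a POIDevice whose key it cannot read, and a record that is altered in transit or presented under a different merchant ID is rejected by the provider because the GCM tag no longer verifies. Real P2PE deployments use per-device keys managed under the provider's key-management scheme rather than the single key modelled here.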
Validated Point-to-Point Encryption Solutions
The following payment companies provide security through point-to-point encryption: Bluefin Payment Systems[6], European Payment Services LTD[7], The Logic Group[8].
Qualified Security Assessors of Point-to-Point Encryption
- Amentor AB
- Coalfire Systems, Inc.
- CompliancePoint, Inc.
- Control Case, Control Gap
- Europoint Networking
- Foregenix
- FortConsult A-S
- K3DES, LLC
- NCC Services Ltd
- Nettitude Ltd.
- Payment Software Company (PSC)
- SecurityMetrics, Inc.
- Sikich LLP
- SISA
- SRC Security Research & Consulting GmbH
- Sysnet Global Solutions
- Trustwave Holdings, Inc.
- TUV SUD Management Service GmbH
- UL Transaction Security PTY Ltd.
- Verizon/CyberTrust[9]
References
- ^ "Point-to-Point Encryption (P2PE) | Payment Technology". Creditcall. Retrieved 2014-08-25.
- ^ "Frequently Asked Questions". PCI Compliance Guide. Retrieved 2014-08-25.
- ^ "Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance". Retrieved 2015-04-19.
- ^ "Tokenization | Element Payment Services". Elementps.com. Retrieved 2014-08-25.
- ^ "PCI SAQ P2PE-HW | Point-to-Point Encryption | Hardware Terminals | PCI Compliance Policies". Pcipolicyportal.com. Retrieved 2014-08-25.
- ^ "Bluefin Releases White Paper Review on PayConex P2PE Conducted by Coalfire Systems - Bluefin Payment Systems : Bluefin Payment Systems". Bluefin.com. Retrieved 2014-08-25.
- ^ "EPS Total Care First Fully-Validated PCI P2PE Solution - WINDSOR, England, Oct. 30, 2013 /PR Newswire UK/". Prnewswire.co.uk. 2013-10-30. Retrieved 2014-08-25.
- ^ "The Logic Group Achieves World's First Accreditation for PCI P2PE". The-logic-group.com. 2013-05-23. Retrieved 2014-08-25.
- ^ "P2PE Assessor Companies". Pcisecuritystandards.org. Retrieved 2014-08-25.