How point-to-point encryption secures data
May 18, 2018
Read time: 4 min
Whenever money travels from one point to another, theft inevitably follows. Throughout history, it’s been common for pirates and brigands to stake out well-traveled commerce lanes to intercept valuable traffic.
Digital commerce thievery
In today’s world, this kind of physical heist is rare, and when it does occur, the novelty makes it highly newsworthy. But that doesn’t mean it has disappeared. Increasingly, this kind of “highway robbery” is migrating to digital commerce, where bits of data can be intercepted without the need for ships, cannons, or bandits in black hats.
The more things change
Historically, merchants, bankers and others took steps to guard their valuables against theft in the form of caravans, armed escorts, safes, and strongboxes.
In the digital age, while the tools differ, the same paradigm still applies. Instead of strongboxes and military escorts, encryption is used to secure valuable data in transit.
The PCI Security Standards Council (PCI SSC), a standards body established by the card brands, calls this point-to-point encryption, or P2PE. P2PE is a terminal-based encryption standard in which payment data is encrypted inside the point-of-sale (POS) payment terminal itself. This encryption safeguards card data from modern-day hackers and brigands as it moves through your network and on to a decryption and processing gateway.
On the List
In order to meet the PCI SSC standard, a P2PE solution must meet three high-level requirements:
- Card data must be encrypted using strong cryptography
- Encryption must be performed in a PCI P2PE-approved hardware device
- Decryption must not be possible within the merchant environment
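As an added illustration (not Cybersource's code or any P2PE product's), the three requirements above modelled in Go: a terminal that encrypts card data with AES-256-GCM, a merchant environment that only relays the ciphertext and holds no key, and a gateway that decrypts. The key ID, the test PAN and the in-memory key store are constructed for the example; a validated solution also protects the key itself inside approved hardware, which this model leaves out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedRecord is all that leaves the terminal: ciphertext plus an opaque key ID. No key travels with it.
type EncryptedRecord struct {
	KeyID             string
	Nonce, Ciphertext []byte
}

// TerminalEncrypt models requirements 1 and 2: AES-256-GCM applied inside the terminal before
// card data reaches the merchant network. The key ID is bound as associated data (AAD).
func TerminalEncrypt(key []byte, keyID string, cardData []byte) (EncryptedRecord, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return EncryptedRecord{}, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, cardData, []byte(keyID))
	return EncryptedRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// GatewayDecrypt is the only code path holding keys; it runs outside the merchant environment
// (requirement 3). An unknown key ID or any in-transit modification is rejected here.
func GatewayDecrypt(keys map[string][]byte, rec EncryptedRecord) ([]byte, error) {
	block, err := aes.NewCipher(keys[rec.KeyID]) // unknown ID gives a nil key, which AES rejects
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

func main() {
	key := make([]byte, 32) // constructed demo key; an approved device keeps it in hardware
	rand.Read(key)
	rec, _ := TerminalEncrypt(key, "term-01", []byte("4111111111111111")) // constructed test PAN
	pan, err := GatewayDecrypt(map[string][]byte{"term-01": key}, rec)
	fmt.Printf("merchant sees %x; gateway recovers %s (err=%v)\n", rec.Ciphertext, pan, err)
}
```

Everything the merchant network handles is ciphertext and a key identifier, which is what takes those systems out of the cardholder-data path.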
Solutions that have been validated by the PCI SSC as meeting its P2PE standards are referred to as “listed” solutions. Solutions that have not been validated, but provide similar functionality, are commonly referred to as “unlisted” solutions.
Unlisted solutions carry a degree of uncertainty, since you may have no way to know whether the solution provider has fully addressed the controls that make up the PCI P2PE standard. They can also mean considerably more effort on your end: you may need to perform a thorough compliance assessment and implement additional security measures yourself.
With a listed solution, you have the confidence of meeting the criteria of the PCI P2PE standard. Furthermore, you can substantially reduce your PCI compliance requirements, saving you a great deal of time and effort.
Cybersource point-to-point encryption
In order to bring you the security and compliance benefits of Point-to-point encryption, we are now offering our own PCI-validated P2PE solution. Cybersource P2PE helps protect payment data across all segments of your network, and prevents unencrypted transaction data from touching your systems.
To learn more about securing your data with Point-to-point encryption and our own P2PE solution, check out our ebook, Securing Payment Card Data in Flight.