More and more consumer spending is moving online, whether from a desktop or a smartphone. In 2021, eCommerce sales in the United States reached roughly $870 billion, and that segment is projected to pass $1 trillion in 2022. Businesses and merchants have to adapt to these changing spending patterns quickly.
An online presence that lets customers reach you directly is not enough on its own. Security has become a significant concern, and it is often the area merchants understand least and invest in least, partly because the technologies used to take payments are themselves poorly understood. As merchants get to grips with the need for a virtual terminal and a payment gateway that can accept payments from various e-wallets, they also need to stay abreast of the security risks that come with those technologies.
This article explains point-to-point encryption (P2PE), what distinguishes validated P2PE from non-validated P2PE, and why the distinction matters to merchants from a security perspective.
What is Point-to-point Encryption?
P2PE is a standard published by the Payment Card Industry Security Standards Council (PCI SSC) that specifies how cardholder data must be protected from the moment a card is read until the data reaches a secure decryption environment. Its requirements go well beyond the encryption itself: they cover physical control of the payment devices, technical controls on how point-of-interaction terminals and the payment gateway are accessed and managed, the solution provider's internal policies and procedures, and the cryptographic key management that makes the encryption meaningful.
From the moment cardholder data is captured until it reaches the decryption environment where it is decrypted and sent for processing, it exists only as ciphertext that is useless to anyone who intercepts it along the way. The standard sets specific requirements on the strength of the encryption, on the protection of the encryption keys (which stay with the POI device and the decryption environment rather than with the merchant's systems), and on the trust placed in the decryption process. P2PE has gone through several iterations, with version 4.0 in draft at the time of writing, so that the standard keeps pace with newly discovered vulnerabilities and with the security measures available.
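To make the "encrypted at capture, decrypted only in a trusted environment" model concrete, here is an added Go example (not PCI SSC material and not any vendor's code) that simulates the three parties: a POI device that encrypts card data under a per-transaction key the instant it is read, a merchant environment that only ever handles ciphertext, and a decryption environment that holds the base keys. The HMAC-based key derivation, the device identifier, the fixed base key and the test PAN are all assumptions made for the example; real P2PE solutions use DUKPT (ANSI X9.24) and hardware key injection, which this does not reproduce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// EncryptedPayment is all the merchant's POS, network and back office ever see:
// device identity, a transaction counter and AEAD output. No key material.
type EncryptedPayment struct {
	DeviceID   string
	Counter    uint32
	Ciphertext []byte // AES-GCM output: encrypted PAN and expiry plus 16-byte tag
}

// POIDevice models a terminal whose base key was injected before deployment and,
// in a real device, never leaves its tamper-responsive secure element.
type POIDevice struct {
	ID      string
	BaseKey []byte
	counter uint32
}

// DecryptionEnvironment is the provider's HSM-backed zone, the only place besides
// the devices where base keys exist. It records the last counter seen per device.
type DecryptionEnvironment struct {
	BaseKeys    map[string][]byte
	LastCounter map[string]uint32
}

// txnKey derives a unique AES-256 key per transaction. This HMAC KDF is an assumed
// stand-in for DUKPT (ANSI X9.24), which real P2PE solutions use; unlike DUKPT it
// does not stop a compromised device from recovering its own past keys.
func txnKey(baseKey []byte, deviceID string, counter uint32) []byte {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte("p2pe-txn-key/" + deviceID + "/"))
	binary.Write(mac, binary.BigEndian, counter)
	return mac.Sum(nil)
}

// aeadFor returns the per-transaction GCM instance and the associated data that
// binds the ciphertext to this device and counter, so neither can be swapped.
func aeadFor(baseKey []byte, deviceID string, counter uint32) (cipher.AEAD, []byte, error) {
	block, err := aes.NewCipher(txnKey(baseKey, deviceID, counter))
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	ad := make([]byte, 4)
	binary.BigEndian.PutUint32(ad, counter)
	return gcm, append([]byte(deviceID), ad...), err
}

// Each derived key encrypts exactly one message, so a fixed nonce is safe here;
// the same nonce under a reused key would be catastrophic for GCM.
var fixedNonce = make([]byte, 12)

// Capture encrypts card data the instant it is read; only ciphertext leaves the device.
func (d *POIDevice) Capture(pan, expiry string) (EncryptedPayment, error) {
	d.counter++
	gcm, ad, err := aeadFor(d.BaseKey, d.ID, d.counter)
	if err != nil {
		return EncryptedPayment{}, err
	}
	ct := gcm.Seal(nil, fixedNonce, []byte(pan+"|"+expiry), ad)
	return EncryptedPayment{DeviceID: d.ID, Counter: d.counter, Ciphertext: ct}, nil
}

// MerchantCanReadPAN is the merchant's own check: does the PAN appear anywhere in
// what crosses the merchant environment? Under P2PE it must not.
func MerchantCanReadPAN(p EncryptedPayment, pan string) bool {
	return bytes.Contains(p.Ciphertext, []byte(pan))
}

// Decrypt re-derives the transaction key and opens the payload, rejecting unknown
// devices, replayed or stale counters, and any modification made in transit.
func (e *DecryptionEnvironment) Decrypt(p EncryptedPayment) (string, error) {
	baseKey, ok := e.BaseKeys[p.DeviceID]
	if !ok {
		return "", fmt.Errorf("unknown device %q", p.DeviceID)
	}
	if p.Counter <= e.LastCounter[p.DeviceID] {
		return "", fmt.Errorf("replayed or stale counter %d", p.Counter)
	}
	gcm, ad, err := aeadFor(baseKey, p.DeviceID, p.Counter)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, fixedNonce, p.Ciphertext, ad)
	if err != nil {
		return "", fmt.Errorf("authentication failed: %w", err)
	}
	e.LastCounter[p.DeviceID] = p.Counter
	return string(pt), nil
}

func main() {
	// Constructed 32-byte key for the example; real keys are injected from an HSM.
	dev := &POIDevice{ID: "TERM-0001", BaseKey: bytes.Repeat([]byte{0x42}, 32)}
	env := &DecryptionEnvironment{BaseKeys: map[string][]byte{dev.ID: dev.BaseKey}, LastCounter: map[string]uint32{}}
	const pan = "4111111111111111" // constructed test PAN, not a real card
	p, _ := dev.Capture(pan, "1227")
	fmt.Println("PAN visible to merchant systems:", MerchantCanReadPAN(p, pan))
	fmt.Println(env.Decrypt(p)) // recovered by the decryption environment
	fmt.Println(env.Decrypt(p)) // same payload again: rejected as a replay
	p, _ = dev.Capture(pan, "1227")
	p.Ciphertext[0] ^= 0x01 // one bit flipped in transit: authentication fails
	fmt.Println(env.Decrypt(p))
}
```

Running it shows the merchant check returning false, the decryption environment recovering the PAN, and a replayed or bit-flipped payload being rejected. The point for a merchant is the first of those: the systems that forward the payment cannot decrypt it, so a compromise of the POS or the store network yields ciphertext that is useless without the provider's keys, which is exactly why the controls around those keys and the decryption environment carry so much weight in the standard.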
What is Validated P2PE?
The PCI Data Security Standard (PCI DSS), first published in 2004 and maintained by the PCI SSC since the council was formed in 2006, is the set of requirements every merchant must meet in order to accept card payments. It defines a range of security controls and includes specific guidance on encrypting cardholder data. It applies to any merchant who processes, transmits, or stores credit or debit card data, and its purpose is to protect that data against the threats it is exposed to at each of those stages.
In 2012 that guidance was extended with a separately defined standard for point-to-point encryption, simply called P2PE. In 2015 the standard evolved into a set of criteria that vendors offering P2PE solutions must meet in order to be listed as PCI Validated. A validated P2PE solution is one that has been tested against the current version of those criteria by a P2PE Qualified Security Assessor (P2PE QSA) and accepted onto the PCI SSC's list of validated P2PE solutions; a merchant using such a solution inherits the assurance of that assessment without having to perform it.
What is Non-Validated P2PE?
Solutions that have not been through that assessment are called non-validated P2PE. Many of them use strong encryption and sound processes, but no independent assessor has confirmed that. Such products, which encrypt card data at the point of interaction (POI), the technical term for the device where the card is read, are usually marketed as end-to-end encryption (E2EE) rather than P2PE.
Because an E2EE solution does not meet the full set of controls required for PCI SSC validation, a merchant using one may need to implement additional safeguards to cover whatever controls are missing. The predicament with non-validated P2PE is that the merchant seldom knows which controls are lacking and therefore cannot tell which additional safeguards to put in place.
Why does it all matter?
From the outside it is hard to tell a validated P2PE solution from a non-validated one. The difference may be only that no P2PE QSA has ever assessed the solution, or it may be something more fundamental, such as devices being deployed in an environment that does not meet the standard's physical and technical controls. Without the assessment there is no way to know which. The practical check is whether the solution, and the specific device and application versions in use, appear on the PCI SSC's public list of validated P2PE solutions, and whether the merchant is following the solution's P2PE Instruction Manual (PIM), since eligibility for the reduced assessment scope depends on doing so.
Nonetheless, it is easy to discern the benefits of validated P2PE. Other than the peace of mind of protecting your customers’ private data, there are particular benefits available to merchants for using validated P2PE solutions. They include:
Reduction in PCI compliance workload – businesses that store, process, or transmit cardholder data must comply with PCI DSS, as mandated by the card networks and maintained by the PCI SSC. Smaller merchants demonstrate compliance through a Self-Assessment Questionnaire (SAQ). A merchant that uses a validated P2PE solution, follows its PIM, and does not store cardholder data electronically can complete SAQ P2PE, which has 33 questions; a merchant using a non-validated solution gets no such reduction and generally falls back to SAQ D, which has 329 questions.
Visa TIP (Technology Innovation Program) – if at least 75% of a merchant's transactions are processed through a validated P2PE solution, the merchant may be eligible for Visa's TIP. TIP waives the annual PCI DSS validation (the assessment, not the obligation to remain compliant) and is granted through the merchant's acquiring bank.
As businesses pursue the opportunities of eCommerce and mobile commerce while consumer spending shifts to those channels, they must also learn how to protect their customers from the security threats that come with them. For cardholder data captured at a physical point of interaction, such as a countertop terminal or a mobile card reader, P2PE is the de facto standard; card data typed into a browser is protected by different mechanisms, such as a hosted payment page operated by the gateway, and P2PE does not cover it. Many solutions are touted as secure for doing business online. What matters is to understand what P2PE is, the difference between validated and non-validated P2PE, and which fits the merchant's needs.