Over the past few years, massive data breaches have frequently dominated the national headlines. Nearly every industry has been adversely impacted by malicious hackers. If your personal information was stolen from your doctor’s office, favorite retailer, or credit reporting agency, would you continue to trust them with your payment card data?
This increasing threat led the PCI Security Standards Council to define a higher level of payment security: validated Point-to-Point Encryption (P2PE). The requirements of the P2PE Standard are designed not only to keep payment data secure in transit, but also to thwart tampering with point-of-sale (POS) payment devices. The standard requires special packaging and a clear, trackable chain of custody for every payment device shipped from manufacturer to merchant.
How Does the PCI P2PE Standard Relate to PCI DSS?
If payment security were cars, PCI DSS would be the basic sedan and P2PE would be the armored tank. The PCI DSS framework is a list of technical, physical, and process controls that are required to address security threats that could compromise cardholder data within the merchant environment. Throughout PCI DSS, different forms of encryption are required.
However, the PCI Council recognized the need for additional guidance on the proper implementation of transaction encryption, and PCI P2PE was born. The Council also recognized that solution providers and merchants adhering to PCI P2PE would reduce the PCI DSS compliance scope of the merchant environment.
How Does Validated P2PE Work?
A PCI-validated P2PE solution has two parts: 1) security of the payment device hardware and 2) encryption of payment data starting at the Point-of-Interaction (POI).
- Security of Payment Device Hardware: Validated P2PE solutions impose strict requirements that drastically reduce the risk of tampering, including special packaging and tracking of each device through a secure chain of custody throughout shipment: from the terminal key injection facility, to terminal provisioning by the solution provider, to the delivery and receiving point at the end-user organization. In addition, the P2PE Self-Assessment Questionnaire (SAQ) requires organizations to maintain a device management solution for inventory control and to track the location of all their payment devices.
- Payment Data Encryption: When the credit card is swiped, dipped (EMV), or tapped (NFC) at the POI, the card data is immediately encrypted, rendering it undecipherable to thieves and hackers throughout the rest of the payment process.
What a PCI P2PE Validated Solution Means for Healthcare Organizations
For any organization that accepts credit cards at the point of sale (or, for healthcare organizations, at the point of care), a validated P2PE solution is a way to go “above and beyond” and meet the highest standard for securing cardholder financial data.
Not only does this reduce the threat of a data breach, it can also significantly lessen the scope, complexity, and administration costs of PCI compliance.
How to Find a PCI P2PE Validated Solution Provider
Fewer than 50 companies worldwide have been validated as PCI-listed P2PE Solution Providers. The complete list is published on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions.
If you would like to learn more about AxiaMed’s Payment Fusion PCI P2PE Validated Solution, click here.
Dan Berger is the Director of Sales at AxiaMed.
(AxiaMed is a division of Axia Technologies, LLC.)