Before we dive in:
This is a complex topic. While this post will provide an overview and, hopefully, give an indication as to what might benefit your organization in your next PCI audit, it is not intended to be a thorough guide, nor should you use it as the sole basis for your decision regarding P2P or E2E.
Now that we’ve got that out of the way, let’s define P2P and E2E. These terms stand for “point-to-point” (P2P) and “end-to-end” (E2E) encryption, and they’re used to keep credit card data safe.
What is P2P Encryption?
As it relates to the PCI DSS, P2P refers to tools (card swipe devices, PIN pads, or any other device used to accept credit cards) that encrypt card data the instant it is swiped or entered into the device. The data is then transmitted in encrypted form all the way to a third party, who decrypts it and sends it on to the bank.
In short—in P2P encryption, data is encrypted from the moment it enters the system until it reaches its intended destination. The PCI Council has set up a validation program for P2P systems in order to clearly identify to merchants exactly which P2P solutions are configured in accordance with PCI standards.
Why Should You Use P2P Encryption?
Beyond the altruistic (and practical) benefit of keeping cardholder data safe, using P2P encryption across all your systems that process and transmit cardholder data enables you to drastically reduce the scope of your PCI audit. This means not only a shorter, less painful audit, but also a less costly one, as your QSA will be able to spend less time assessing your environment.
What is E2E Encryption?
Well—it’s a lot like P2P. In fact, theoretically, the two technologies function in the same manner. But, there’s one key difference. E2E systems are not validated by the PCI Council. They’re offered by banks or other third parties as a way to securely transmit card data.
So Why Would Anyone Choose E2E Over P2P?
The offerings for P2P are limited, and many merchants need a more flexible solution. Getting a technology validated by the PCI Council is not a simple task: it requires assessment by a special Point-to-Point Encryption (P2PE) QSA, and, as you might guess if you’re familiar with the PCI DSS, the requirements are stringent. Banks and other service providers took notice of this and introduced E2E as a viable alternative to the limited P2P options. Because a merchant’s compliance obligations and liability are controlled by its bank/processor, a bank offering an E2E solution can accept the ‘risk’ of not using a PCI Council validated solution and still offer its customers the same scope reduction.
What’s Better? P2P or E2E?
We always recommend that our clients choose a P2P option, if at all possible. Here’s why: the PCI Council is in charge of running the PCI DSS program. While it’s not likely they’ll outright prohibit E2E solutions as a means of reducing scope anytime soon, this is a risk you accept when using an E2E solution, and you should always have it in writing from your merchant bank that they accept the non-listed E2E solution for scope reduction.
Beyond that, while E2E generally offers the same scope-reduction benefits as P2P, it’s not guaranteed. Your QSA must perform additional tests to fully verify an E2E setup is actually reducing your audit scope.
While the two technologies are similar, P2P provides an element of security and certainty that E2E is unable to match at this point. And, that’s why we recommend it to our clients.
If you decide to go with an E2E solution (i.e., one not listed on the PCI Council’s website), it’s important to perform appropriate due diligence on the vendor. Make sure you ask these questions:
1. Is your solution listed as a validated P2PE solution by the PCI Council?
2. If not, why?
3. How can we be assured this solution is set up and operating correctly?
4. Will our merchant bank/processor honor the same scope reduction as for a validated P2P solution?