Point-to-Point Encryption (P2PE)

What Is Point-to-Point Encryption (P2PE)?

Point-to-point encryption (P2PE) is a technology standard created to secure electronic financial transactions. By following these guidelines, developers of software and hardware involved in the electronic payments network can ensure that their designs are mutually compatible and resilient against potential attacks by hackers.

How Point-to-Point Encryption (P2PE) Works

The P2PE standards were developed by the PCI Security Standards Council, a consortium of major companies involved in the electronic payments network. The core purpose of this organization is to facilitate the increasingly widespread use of electronic payments, which have grown to several trillion dollars annually in recent years.

One of the main factors required to sustain this growth is the existence of robust security safeguards to protect against hackers. After all, as consumers and merchants increasingly conduct transactions online, these electronic payments become an increasingly tempting target for hackers. Payments processors and other stakeholders must therefore continuously maintain and improve their systems to stay one step ahead of would-be thieves. 

Under the P2PE standards, transaction data is fully encrypted from the time the customer enters their data through to the point where that information is transmitted to the payment processor. Once received, the payment processor decrypts the data and either approves or declines the transaction.

Because the transaction data is fully encrypted throughout the process, it is not vulnerable to capture and misuse by unauthorized third parties. Even if a hacker were to intercept a particular transaction, the information obtained would be indecipherable since it would still be in its encrypted form. In order to decrypt the information, the user must possess the encryption keys, which are only made available to authorized parties.

Real-World Example of Point-to-Point Encryption (P2PE)

Individual companies are free to develop new products and services that interact with the electronic payments ecosystem. However, in order for those companies to achieve P2PE compliance, they must demonstrate that their new offering maintains or exceeds the P2PE standards. In practice, this means they must ensure that all transaction information is fully encrypted, that any hardware involved in the offering is securely managed, and that any cryptographic keys used in the process are securely generated, transmitted, and stored.

To help those involved in the financial transaction industry stay abreast of changes to these standards, the PCI Security Standards Council maintains regular events and communications. Historically, this governing body was founded by major payment brands, including American Express (AXP), Discover Financial Services (DFS), MasterCard (MA), and Visa (V). However, enforcement of compliance with the P2PE standards is the responsibility of the individual companies that offer products and services using these standards, rather than being the responsibility of the governing council itself.