Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

P2PE– It’s still early days

What merchants and retailers need to know
Recently a group of card payment industry practitioners gathered at a Vendorcom Special Interest Group meeting (SIG) to discuss the subject of PCI and the security of card data. The meeting was hosted by Anderson Zaksat their offices in Bracknell.A significant proportion of the debate focused on Point-to-Point Encryption (P2PE).Adina Ahmed, Operations Director at Anderson Zaks explains here the salient points.Adina Ahmed
The P2PE program is optional and provides a comprehensive set of security requirements for payment solution providers to validate their hardware based solutions, and may help reduce the PCI DSS scope of merchants using such solutions.*
This is to ensure that card information is passed securely from the point of payment (i.e. where you insert or give card details) to the acquirer (bank) and that the merchant does not hold card information.  Even though they are not holding this data, the merchant will still have to provide evidence that they adhere to PCI standard, however,P2PE may significantly reduce the scope of their cardholder data environment and annual PCI DSS assessments.
While it has been around for a couple of years P2PE is still in the early stages of market adoption, and different solutions that address various requirements are still evolving.  In many cases, whilst larger tier 1 and 2 merchants/retailers with IT departments are already evaluating the benefits of P2PE, some smaller merchants may not even be aware of this potentially advantageous approach.  The consensus of the meeting was that the future direction of P2PE should not be seen as cast in stone as the implications are only now becoming fully apparent as more companies – both solutions suppliers and retailers/merchants – assess the options available to them.in this context, a more open debate with merchants and retailers about the direction that the technology may take is to be welcomed and encouraged.
The salient points highlighted during discussions were:
• P2PE is not compulsory
• There are different forms of P2PE
• The future direction of P2PE is not necessarily set
• Merchants and Retailers should look to future proof any purchases made now
P2PE is not compulsory
There are potential misconceptions circulating currently, and the fact that P2PE is compulsory is one of them.  The banks are not insisting on P2PE which means that merchants/retailers are free to choose any solution that meets their card processing requirements so long as it is PCI DSS compliant.  However, for any solution they do select, merchants would be wise to ensure that it is future-proofed.  By this we mean that the component parts of their system could incorporate a P2PE solution in the future.  
Different forms of P2PE
One of the current debates is where exactly is the ‘point’ within the merchant/ retailer systems from which the data needs to be encrypted.   As is to be expected different sectors of the card payment industry have different approaches to the situation.  Terminal manufacturers are building encryption into their PINpads, whereas software solution providers claim that their approach is to encrypt or mask card data within the merchant’s systems and pass limited details back thus equally reducing the scope of PCI for the merchant.  These probably represent the two polar extremes of opinion, and there is an increasing ground swell for a third or middle path that combines elements of both approaches.  
The following diagrams illustrate the two approaches. The first diagram shows encryption taking place between the merchants ‘POS’ application and the payment providers system. The PSP in turn interfaces with the PINPad and host gateway fully encrypting the card data.
This approach is currently approved under PCI DSS compliance validation.
The second diagram has all the encryption activity within the payment terminal but still sending limited transaction data back to the merchants POS systems.
The perceived benefit of this option to the merchants/ retailers is that they will significantly reduce their effort in attaining and maintaining PCI DSS compliance. However this is really only pertinent for level 1 merchants doing over 6 million card transactions per annum**.
There are benefits to both approaches.  By having P2PE in the PINpad everything is self-contained within the terminal merchants/ retailers are providing with a simple turnkey solution. By adopting software based approach merchants/ retailers can mix and match their payment hardware and still use the same payment processing solution, so maintaining flexibility.
Which direction will P2PE develop?
Both of the approaches outlined above have their pros and cons, however, neither has gained dominance within the market, and this is why the future for P2PE isn’t yet decided.   However, as the first generation PINpads reach end of life and need to be replaced, merchants and retailers are faced with the fact that they must replace their systems – there is simply no ‘do nothing’ option. This is why members of Vendorcom are suggesting that discussions continue across the industry with input from all stakeholders including acquirers, solutions suppliers, other interested industry associations and standards bodies such as the Payments Council, EPC and PCI SSC, PSPs, QSAs and merchants/ retailers. The ultimate aim is that developments in P2PE should deliver a strong, flexible, future proof and market empathetic solution.
In the meanwhile we wait to see a QSA certified PCI P2PE solution in deployment.