
Do PCI SSC-approved point-to-point encryption products reduce scope?

Expert Mike Chapple details the potential benefits for organizations that choose PCI SSC-approved point-to-point encryption products.

I saw the news that the PCI SSC approved a point-to-point encryption product for the first time, but I'm wondering what that means from a practical perspective? How would a company that selects the PCI-approved product benefit, specifically in terms of reducing scope?


Point-to-point encryption (P2PE) products present credit card merchants with a unique opportunity to reduce the scope of their PCI DSS compliance efforts by effectively removing sensitive information from their environments. These products are used for point-of-sale (PoS) applications where a customer's credit card is swiped through a credit card reader.

In a traditional PoS system, the reader scans the information stored on the card's magnetic stripe, processes it and then bundles up the credit card and transaction information in an encrypted authorization request, which is sent off to the solution provider, who decrypts the request and processes the transaction. Under this model, the PoS system must view the unencrypted credit card information and, therefore, is clearly in scope for PCI DSS compliance.

With P2PE, the card reader encrypts the credit card information before it enters the PoS. The PoS simply takes the encrypted card information, combines it with the transaction information, and then sends it off to the solution provider for processing. The PoS device never sees unencrypted card information and, indeed, the merchant does not even have the ability to decrypt the card information. Under this model, the PoS system may be removed from the scope of PCI DSS compliance, reducing the merchant's burden.

To reduce their compliance scope, merchants must meet the following requirements, as outlined in the PCI Security Standards Council's P2PE standard:


  • Use a validated P2PE product.
  • Never store, process or transmit unencrypted account information.
  • Implement PCI DSS-compliant physical security measures, service provider management and policies/procedures.
  • Isolate the P2PE system from any other card processing systems that do not use P2PE (if applicable).
  • Remove any legacy cardholder information or systems from the environment.
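
One way a merchant might check that the PoS never sees unencrypted card data, as an added example that is not part of the original article or any PCI SSC tooling: scan what the PoS receives for digit runs that pass the Luhn check. The message layouts and field names below are constructed for illustration, and 4111111111111111 is a widely used test number, not a real card.

```python
from __future__ import annotations
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_plaintext_pans(text: str) -> list[str]:
    """Return masked PANs (first 6, last 4) that appear in clear in `text`."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Runs of one repeated digit (e.g. all zeros) pass Luhn; skip them.
        if len(set(digits)) > 1 and luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def pos_scope_evidence(messages: dict[str, str]) -> dict[str, list[str]]:
    """Map each message name to the clear PANs found in it (empty = none)."""
    return {name: find_plaintext_pans(body) for name, body in messages.items()}

# Constructed reader-to-PoS messages for the two models the article compares.
SAMPLES = {
    # Traditional model: the PoS receives raw track 1 data from the reader.
    "traditional_reader_to_pos": "%B4111111111111111^DOE/JOHN^25121010000?",
    # P2PE model: the reader encrypts first (hypothetical field names).
    "p2pe_reader_to_pos": "enc_track=9f3ab1c07de4452a8b6c0d1e2f3a4b5c amount=12.50",
}

if __name__ == "__main__":
    for name, pans in pos_scope_evidence(SAMPLES).items():
        print(name, "->", pans or "no plaintext PAN found")
```

A clean result only shows that the sampled messages carried no recognisable card numbers; it does not replace use of a validated P2PE product or the other requirements in the list above.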

I expect that we will see many similar announcements to follow, as the PoS industry is now on notice. With the release of the first P2PE-validated product, customers will probably demand similar certification from the products provided by their vendors to achieve a reduction in compliance scope.

This was last published in March 2014


Join the conversation



Burden? If the attitude of the merchant is that security/compliance is a burden then they already are missing the point. I wrote about P2PE shortly after the council's announcement about the first approved product being listed:
Of course it is a burden to merchants. Can you imagine having a great idea to set up a store, renting a store and buying some equipment only to find out that you need to complete a bunch of work to make the POS safe? That seems like a burden to me. To illustrate, if you bought a car you wouldn't expect to have to source your own brakes, safety belts and windows screens / shield. The car manufacturer is responsible for ensuring it is safe before it is sold to consumers.
Good point, pwhittaker. It's both a burden and a business reality. Just like the burden we each have to protect our homes from criminal thugs and the like. It's a cost of doing business in today's world.