P2PE: What is point-to-point encryption?
If you’re a child of the nineties or earlier, you’ll remember your local corner shop, general store or newspaper stand being cash or check only, with paper receipts (only when requested), and special ink pens to test if the bills you were handing over were forgeries.
The world has changed a bit since those halcyon days of the handwritten signature being the height of risk protection, and today risk management tools are constantly evolving to keep up with new types of fraud and data attacks.
Encryption is now a legal requirement. And since P2PE was developed back in 2012, the world of in-person payments has evolved even further, and so too has the way traditional payment value chains operate.
These changes offer a more simplified way for retailers to encrypt payments data while meeting their PCI compliance obligations. So let’s get into the details of our E2EE, P2PE, and the differences between the two.
End-to-end encryption is the process of encrypting payments data for the entirety of the payment process and is Adyen’s default way of protecting in-store payments. With our E2EE, cardholder data never leaves the Adyen environment, meaning that from when the card is inserted or tapped at the point-of-sale terminal, cardholder data is encrypted by Adyen and only ever touched by Adyen. This is because we manage the entire payments value chain. It allows us to better protect your data, and give you a greater level of assurance that cardholder data cannot be accessed.
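The data flow described above, as an added illustration rather than Adyen's own code or protocol: the cardholder number is encrypted inside the terminal under a key that only the decryption environment holds, every hop in between can read the routing fields (terminal id, amount) but not the PAN, and any alteration of the message in transit is detected before decryption. The cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 so the script runs with the Python standard library alone; a real terminal uses certified hardware and standard ciphers. The master key, terminal id and PAN are constructed sample values, and the assumption is that per-terminal keys were provisioned out of band before the terminal shipped.

```python
"""Illustrative end-to-end encryption flow for a card-present payment.

Toy construction (HMAC-based keystream + HMAC tag) built only from the
standard library. It is NOT a production cipher and not Adyen's
implementation; it shows the structure: encrypt at the terminal, forward
opaque ciphertext, verify and decrypt only where the key lives.
"""
import hashlib
import hmac
import json
import os
from typing import Tuple


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific sub-key from a master key (HMAC used as a KDF)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _terminal_keys(master: bytes, terminal_id: str) -> Tuple[bytes, bytes]:
    """Each terminal gets its own encryption and MAC keys, so one compromised
    terminal does not expose traffic from the others."""
    per_terminal = _derive(master, b"terminal:" + terminal_id.encode())
    return _derive(per_terminal, b"enc"), _derive(per_terminal, b"mac")


def _aad(terminal_id: str, amount_cents: int) -> bytes:
    """Routing fields stay readable in transit but are bound to the tag, so an
    intermediary cannot change them without the decryption environment noticing."""
    return json.dumps({"terminal_id": terminal_id, "amount_cents": amount_cents},
                      sort_keys=True).encode()


def terminal_encrypt(master: bytes, terminal_id: str, pan: str, amount_cents: int) -> dict:
    """Runs inside the terminal: the PAN is encrypted before it leaves the device."""
    enc_key, mac_key = _terminal_keys(master, terminal_id)
    nonce = os.urandom(16)
    plaintext = pan.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + _aad(terminal_id, amount_cents) + ciphertext,
                   hashlib.sha256).digest()
    return {
        "terminal_id": terminal_id,
        "amount_cents": amount_cents,
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def intermediary_route(message: dict) -> dict:
    """Runs at any hop between terminal and decryption environment (store network,
    a separate gateway). It holds no key, so the PAN is opaque to it; it can only
    use the authenticated routing fields and forward the message unchanged."""
    return {"route_to": "acquirer",
            "terminal_id": message["terminal_id"],
            "amount_cents": message["amount_cents"]}


def decryption_environment_decrypt(master: bytes, message: dict) -> str:
    """Runs only where the key lives: verify the tag first, then recover the PAN.
    Raises ValueError if the message was altered or encrypted under another key."""
    enc_key, mac_key = _terminal_keys(master, message["terminal_id"])
    nonce = bytes.fromhex(message["nonce"])
    ciphertext = bytes.fromhex(message["ciphertext"])
    expected = hmac.new(mac_key,
                        nonce + _aad(message["terminal_id"], message["amount_cents"]) + ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(message["tag"])):
        raise ValueError("tag mismatch: message altered in transit or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode()


if __name__ == "__main__":
    master = os.urandom(32)  # assumption: injected into the terminal before it ships
    msg = terminal_encrypt(master, "T-001", "4111111111111111", 1999)  # constructed test PAN
    print("intermediary sees only:", intermediary_route(msg))
    print("decryption environment recovers:", decryption_environment_decrypt(master, msg))
```

The two checks worth running against this flow are the ones the paragraph implies: the serialized message never contains the PAN, and changing the amount (or the ciphertext) after the terminal has signed the message makes verification fail before any decryption happens.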
P2PE is a type of encryption that was developed by the Payment Card Industry Security Standards Council (PCI SSC). It offers protection for terminals and card-present transactions against device tampering and data breaches.
We offer both types of encryption.
There are three key ways that our E2EE and P2PE differ:
Using our E2EE means we’re your sole payments partner. We’re your gateway, processor, and acquirer rolled into one. With P2PE, encryption is often carried out between different providers.
Every merchant needs to prove to their acquirer that they process online and in-store payments securely. Since we act as an acquirer for our merchants, they’re required to report on their PCI compliance to us with something called an SAQ.
To meet PCI compliance, businesses must complete a Self-Assessment Questionnaire, also known as an SAQ.
Using our E2EE means you only have to complete the SAQ B-IP, which is relatively straightforward. And as your acquirer, we only ask you to complete two of its requirements, a total of 22 simple questions.
Example questions include:
With P2PE, businesses need to complete a different SAQ. It has three requirements and 35 questions.
Example questions include:
P2PE requires the following checks from a document called the P2PE Instruction Manual (PIM), provided to merchants by their solution provider, to assist them in remaining PCI compliant:
Adyen’s handling of terminals is similarly secure, regardless of whether or not the merchant chooses to use P2PE. With E2EE we don’t require any of the above. The only item you’ll see is the tamper-proof, sealed boxes we send our terminals in.
With P2PE, staff must record these actions precisely per the PIM. After that, the acquirer is required by the PCI SSC to audit these records yearly. This is where businesses sometimes miss the mark when seeking PCI compliance.
It comes down to the level of security you need as well as how you and your business manage your resources.
We believe in high-quality data security, without all the extra work. This is why we built an E2EE payment solution in a way that ensures the best possible data security.
More agile, decentralized businesses may find our E2EE more efficient. Examples of these could be enterprises who don’t need to centralize operational control, such as franchises, or scale-ups with smaller teams and aggressive roadmaps.
Larger, more heavily resourced businesses with an aversion to risk prefer the P2PE solution as it gives them an added layer of control around the physical handling of terminals.
They’re likely willing to pay per POS terminal for the added security it provides. They will also spend more time and human resources to maintain the PIM.
We build to benefit all of our merchants (not just one). So if there is a solution out there that’s secure, validated, and people trust, we want to make sure we can offer it to you. By using P2PE with us you still benefit from working with a single partner.
With that being said, we firmly believe in the virtues of our end-to-end solution.