According to Gemalto’s Breach Level Index website, since 2013 more than 14.7 billion records have been lost or stolen, and only 4% of breaches involved systems where encryption was utilized. Said another way, that equates to 73 records per SECOND over that span. Now, it’s safe to say that most merchants want to secure their customers’ sensitive payment data, and all merchants want to avoid being the subject of the next breaking news story on customer data breaches. With a sea of payment security acronyms floating around (E2EE, P2PE, PCI-P2PE), though, how do you make the right call for your business? In this article, we’ll give you plain-language descriptions of the encryption options available today along with some of their benefits and limitations.
What is Encryption?
According to the Payment Card Industry Security Standards Council website glossary, encryption is defined as, “(The) Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.” In the payments industry there are two common encryption approaches, Session Encryption and Data Encryption.
Session Encryption protects the delivery method between the POI and the endpoint. Also referred to as “encrypting the pipe,” this approach applies the encryption to the communication path, creating an armored pathway to deliver the sensitive data. This approach is most commonly used in ecommerce, where it is impractical to encrypt payment data on a consumer’s device. Secure websites (those with https:// and/or the closed padlock symbol) often utilize SSL (Secure Sockets Layer) encryption, or its successor TLS in modern deployments, to armor this pathway.
Data Encryption, as its name implies, involves encrypting the information itself (card number, track data, card security code) as it is passed from the POI to the endpoint. This approach is most often deployed in one of the following ways.
End-to-End Encryption (E2EE)
With end-to-end encryption, the primary account number (PAN) and Sensitive Authentication Data (SAD) are encrypted at the Point of Interaction (POI) with the payment instrument. The PAN/SAD information stays encrypted with a single processor-owned key from the POI to the merchant acquirer or back-end processor. This encryption can be hardware- or software-based. In this scenario, the encryption process (and any related tokenization) is owned and controlled by the merchant acquirer or back-end processor. While often cited as the most secure of the encryption methods, E2EE is the most restrictive and can limit a merchant's ability to utilize customer data.
Point-to-Point Encryption (P2PE)
With Point-to-Point Encryption, the PAN and SAD are encrypted at the POI with the payment instrument just as with E2EE; however, this process utilizes a single merchant-owned key from the POI to the first processing host/gateway, which is outside of the merchant’s payment infrastructure. The PAN/SAD can be re-encrypted with a unique processor key prior to forwarding to the next processing host/gateway. As with E2EE, this encryption can be hardware- or software-based. Unlike E2EE, ownership and control of the encryption process is shared between the merchant and the processing host/gateway. This encryption method provides greater utilization of customer data and more flexibility, but generally does not reduce PCI scope to the degree of the following method.
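As an added illustration (not code from this article or from any P2PE solution provider), this Go program models the P2PE chain described above: the POI seals the PAN under a merchant-owned key, a key-less hop on the merchant network cannot open it, and the gateway translates the blob to the processor key before forwarding; E2EE is the same pipeline with one processor-owned key and no translation step. AES-256-GCM, the label-derived demo keys and the party and function names are assumptions of the example, not the article's.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Party struct{ gcm cipher.AEAD } // one AES-256-GCM key holder: POI/merchant key, processor key, or key-less hop
// NewParty derives a key from a label only to keep this demo deterministic; real POIs and HSMs use injected random keys.
func NewParty(label string) Party {
	sum := sha256.Sum256([]byte("constructed-demo-key:" + label))
	block, _ := aes.NewCipher(sum[:]) // 32-byte key selects AES-256; cannot fail
	gcm, _ := cipher.NewGCM(block)     // AES block size always suits GCM; cannot fail
	return Party{gcm: gcm}
}
// Seal encrypts PAN/SAD bytes at the POI; the random nonce is prepended to the output.
func (p Party) Seal(plain []byte) []byte {
	nonce := make([]byte, p.gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error on current Go and always fills the slice
	return p.gcm.Seal(nonce, nonce, plain, nil)
}
// Open authenticates then decrypts; a wrong key fails rather than yielding garbage.
func (p Party) Open(ct []byte) ([]byte, error) {
	if n := p.gcm.NonceSize(); len(ct) >= n {
		return p.gcm.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext shorter than nonce")
}
// Translate is the gateway step from the P2PE description: decrypt under the merchant key, re-encrypt under the processor key.
func Translate(from, to Party, ct []byte) ([]byte, error) {
	plain, err := from.Open(ct)
	if err != nil {
		return nil, err
	}
	return to.Seal(plain), nil
}
// P2PEFlow runs POI -> merchant network -> gateway -> processor and reports the PAN the processor recovers plus whether a key-less hop could read it.
func P2PEFlow(pan string) (recovered string, hopReads bool, err error) {
	merchant, processor, hop := NewParty("merchant-poi"), NewParty("processor"), NewParty("pos-network")
	ct := merchant.Seal([]byte(pan))               // encrypted inside the POI
	_, hopErr := hop.Open(ct)                      // store network holds no key: GCM authentication fails
	ct2, err := Translate(merchant, processor, ct) // gateway swaps to the processor key
	if err != nil {
		return "", false, err
	}
	plain, err := processor.Open(ct2)
	return string(plain), hopErr == nil, err
}
```

The plaintext PAN exists only inside the POI and inside the gateway's Translate step, which is why P2PE deployments place that step in an HSM and why PCI-validated solutions audit it.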
PCI Validated Point-to-Point Encryption (PCI-P2PE)
PCI-validated P2PE is similar to standard P2PE but has the following distinctions. The encryption must be hardware-based, using an approved PTS device and software that restricts access to PAN/SAD information. Control processes within the five PCI-defined “domains” must be validated annually by a Qualified Security Assessor (QSA). A solution provider must administer the full program to ensure compliance of all “components” with the PCI-P2PE v2.0 standards. Adherence to these guidelines provides PCI Self-Assessment Questionnaire (SAQ) relief for Level 2 and Level 4 merchants and may reduce audit complexity for Level 1 merchants.
Although all three approaches above can securely protect cardholder data, PCI-Validated Point-to-Point Encryption provides the greatest flexibility and access while at the same time helping to reduce the burden of a merchant's annual PCI assessment. Its many benefits include processor-agnostic encryption keys, certified device security, a built-in “chain of custody,” strict key management controls, and encryption translation services that allow a single encryption key at the POI to be used for all payment types. In addition, it can be implemented by a service provider within a merchant's payment environment without the need to change processors and without regard for the processor’s capabilities.
Hopefully, this high-level overview of encryption, its methodology and the approaches to deployment gives you a fundamental understanding of its benefits and limitations. With the uniqueness of each merchant’s payment infrastructure, understanding how encryption can be deployed and utilized in your environment will warrant some rather in-depth discussions. To that end, look for a partner who is willing to commit the time necessary to understand the unique needs, characteristics, and challenges of your environment to help you more fully understand what’s possible to secure your sensitive customer data.