P2PE
Point to Point Encryption, or P2PE as it is commonly referred to, is the process by which sensitive information is encrypted within a trusted device at the Point of Interaction (POI). The data can only be decrypted once it reaches its intended recipient, which in this case is typically NMI.
There are two fundamental parts in the P2PE chain: the Encryption Environment and the Decryption Environment. One encrypts the data and the other decrypts it so that it can be processed.
The Encryption Environment is in the PIN Entry Device (PED).
The Decryption Environment is within the Payment Gateway.
If a device is P2PE enabled it will have had a cryptographic P2PE key (also called a Data key) 'injected'. It is possible for a device to have a P2PE key injected while encryption is disabled in the PED settings; this should not be the case by default, because a device in that state sends card data in the clear even though it holds a key. If you have any concerns that your device has encryption disabled even though a key has been injected, please contact your device distributor.
When using whitelisting with your solution, all devices should be shipped with encryption enabled. Whitelisting will be disabled if the device does not have on-device encryption enabled. For more information on whitelisting, please see the relevant whitelisting article.
PCI P2PE
P2PE can form part of a PCI P2PE solution. A PCI P2PE solution adds additional security controls and reporting around the POI device. It must be assessed against the PCI P2PE standard and listed by the PCI Security Standards Council (PCI SSC), and a merchant using a listed solution can reduce the scope of its PCI DSS assessment.
A PCI P2PE solution must comprise the following:
- Secure encryption of payment card data at the POI.
- PCI P2PE validated application or applications at the point of interaction.
- Secure management of encryption and decryption device(s).
- Management of the decryption environment and all decrypted account data.
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.
E2EE
E2EE, or End to End Encryption, encrypts the card data at PIN entry, and the data remains encrypted when it is sent to the acquirer. NMI does not act as the decryption environment but passes the encrypted data through, and the acquirer acts as the decryption environment itself.
Technically a P2PE device could also be considered an E2EE device, as sensitive data is indeed encrypted 'end to end', but it is the entity that decrypts the data which determines whether a device is referred to as P2PE or E2EE. A P2PE solution decrypts at the payment gateway; an E2EE solution decrypts only once the data reaches the acquirer.
The most noticeable differences between E2EE and P2PE are therefore that, with E2EE, the data remains encrypted for longer in the processing chain, and it is the decryption environment (the acquirer) that generates and takes responsibility for the encryption keys.
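The following script models the two chains described above, P2PE (decrypted at the gateway) and E2EE (forwarded by the gateway, decrypted at the acquirer), together with the "key injected but encryption disabled" case from the P2PE section. It is an added example, not NMI code or any device vendor's code. The cipher is an encrypt-then-MAC stand-in built from the Python standard library so that the script runs offline; real PEDs use TDES/AES DUKPT keys under PCI key-management rules, which this does not model. The device IDs, keys and the test PAN 4111111111111111 are constructed for the example.

```python
"""Who can decrypt what in a P2PE chain versus an E2EE chain (constructed example)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a placeholder for the PED's real cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # A party holding the wrong key (e.g. a gateway handed E2EE data) fails here.
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_clear_pan(data):
    # Ingress check for the misconfiguration: key injected, encryption switched off.
    return data.isdigit() and 13 <= len(data) <= 19 and luhn_ok(data.decode())


class Ped:
    """PIN Entry Device: the encryption environment."""
    def __init__(self, device_id, data_key, encryption_enabled=True):
        self.device_id, self.data_key, self.encryption_enabled = device_id, data_key, encryption_enabled

    def read_card(self, pan):
        if not self.encryption_enabled:
            return pan.encode()  # PAN leaves the device in the clear
        return encrypt(self.data_key, pan.encode())


class Gateway:
    """Decryption environment for P2PE devices; pass-through for E2EE devices."""
    def __init__(self, p2pe_keys):
        self.p2pe_keys = p2pe_keys  # device_id -> data key the device was injected with

    def receive(self, device_id, data):
        if looks_like_clear_pan(data):
            return ("rejected", "cleartext PAN from " + device_id)
        key = self.p2pe_keys.get(device_id)
        if key is None:  # E2EE device: the gateway holds no key, so it forwards as-is
            return ("forwarded", data)
        return ("decrypted", decrypt(key, data).decode())


class Acquirer:
    """Decryption environment for E2EE devices; it generated and owns these keys."""
    def __init__(self, e2ee_keys):
        self.e2ee_keys = e2ee_keys

    def receive(self, device_id, data):
        return decrypt(self.e2ee_keys[device_id], data).decode()


def run_scenarios():
    pan = "4111111111111111"  # standard test number, not a real card
    k_p2pe, k_e2ee = os.urandom(32), os.urandom(32)  # made-up keys
    gateway = Gateway({"PED-P2PE-01": k_p2pe})
    acquirer = Acquirer({"PED-E2EE-01": k_e2ee})
    results = {}
    # P2PE: encrypted in the PED, decrypted at the gateway.
    ped = Ped("PED-P2PE-01", k_p2pe)
    results["p2pe"] = gateway.receive(ped.device_id, ped.read_card(pan))
    # E2EE: the gateway forwards; only the acquirer can decrypt.
    ped = Ped("PED-E2EE-01", k_e2ee)
    status, blob = gateway.receive(ped.device_id, ped.read_card(pan))
    results["e2ee_gateway"] = status
    results["e2ee_acquirer"] = acquirer.receive(ped.device_id, blob)
    try:
        decrypt(k_p2pe, blob)  # the gateway's P2PE key does not open E2EE data
        results["e2ee_gateway_can_decrypt"] = True
    except ValueError:
        results["e2ee_gateway_can_decrypt"] = False
    # Misconfiguration: key injected but encryption disabled in the PED settings.
    ped = Ped("PED-P2PE-01", k_p2pe, encryption_enabled=False)
    results["encryption_off"] = gateway.receive(ped.device_id, ped.read_card(pan))[0]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The point the script makes is that the label P2PE or E2EE says nothing about the cipher and everything about who holds the key: the same PED code path produces the encrypted blob in both cases, and the gateway either decrypts it or forwards it depending on whether it was given that device's key. The cleartext-PAN check at the gateway ingress is one practical guard against a device that has had a key injected but is running with encryption disabled.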