Credit Payment Security – PCI P2PE and EMV E2EE Explained
In today’s digital world, payment processing security is increasingly important for arts and cultural organizations to prevent hacks and protect sensitive patron data. In this blog post, we’ll examine the security standards PCI P2PE and EMV E2EE.
What is PCI P2PE?
PCI Point-to-Point Encryption (PCI P2PE) is a standard established by the PCI Security Standards Council, whose mission is to enhance global payment account data security. A PCI P2PE solution encrypts credit card data at the moment it is captured by the payment terminal, turning it into indecipherable ciphertext for secure transfer to the payment processor. The merchant receives only a notice indicating whether the transaction is approved or declined. The merchant never sees or holds any of the credit card data, and if the data is intercepted on its way to the payment processor it is already encrypted, which substantially increases the security of card transactions.
In addition to the added security, merchants who use a PCI-validated P2PE solution may qualify for the Self-Assessment Questionnaire (SAQ) P2PE, which significantly reduces the number of questions and the merchant's PCI scope. In some cases, when specific circumstances are met, merchants may also be able to discontinue their annual assessment process for re-evaluating PCI compliance and gain safe-harbor protection in case of a breach.
What is EMV E2EE?
The acronym EMV stands for Europay, Mastercard and Visa, the three companies that originally developed the security standard. It now refers to all of the security specifications administered by EMVCo, a consortium of the major card brands (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) as well as financial institutions. EMVCo's charter is to facilitate worldwide interoperability and acceptance of secure payment transactions. Its best-known specifications cover credit cards with embedded chips and contactless technologies, including mobile payments such as Apple Pay. EMV-certified devices are those designed and manufactured to meet EMVCo's specifications; they are most commonly chip card readers or contactless readers. With these certified devices, cards are not swiped at the POS but are inserted into the reader (a process called chip dipping) or held close to the terminal's scanner (known as tapping).
E2EE refers to end-to-end encryption. The device generates a one-time identifier and encrypts the card data at the point of sale, and that encrypted data is sent directly to the payment processor, so the sensitive data is never exposed at the POS. Because the one-time identifier is unique to each transaction and can only be used once, the risk of fraudulent charges is dramatically reduced. Many countries also use a chip-and-PIN system, which adds the further layer of security of requiring a PIN to use the card.
Beyond the added security, using EMV-certified devices shifts the liability for fraudulent chargebacks from the merchant to the card issuer.
What is the difference between PCI P2PE and EMV E2EE?
Both PCI P2PE and EMV E2EE are security standards established and regulated by a council or consortium to make card payments more secure. While the EMV standards secure and encrypt card-present payments to reduce fraud, PCI P2PE focuses on securing card data in flight to deter fraud. Both require strong encryption of card data, secure hardware devices to perform that encryption, and that the data cannot be decrypted anywhere within the merchant's environment. The main difference is that PCI P2PE devices have been PCI-validated, which can reduce the scope of a merchant's PCI questionnaire.
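As an added illustration (not code from the original post, nor from any PCI-validated P2PE product or EMV kernel), this Python sketch models the flow both sections describe: the terminal encrypts the PAN under a key that only the terminal and the processor hold, attaches a one-time per-transaction identifier, and the merchant's systems only ever relay the ciphertext and receive an approve/decline answer. The HMAC-based keystream, the Luhn check as the processor's card validation, and the sample card number are constructed simplifications standing in for the AES/DUKPT cipher and issuer authorization used in real deployments.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for the AES/DUKPT cipher in a real terminal."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def luhn_ok(pan):
    """Luhn check-digit validation of a PAN (stands in for issuer authorization here)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def terminal_capture(key, pan, amount_cents):
    """Encrypt the PAN inside the terminal; only this message reaches the merchant's systems."""
    nonce = secrets.token_bytes(16)  # one-time, per-transaction identifier
    ct = _xor(pan.encode(), _keystream(key, nonce, len(pan)))
    tag = hmac.new(key, nonce + amount_cents.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "amount_cents": amount_cents, "ct": ct, "tag": tag}

class Processor:
    """Holds the key shared with the terminal; the merchant never does."""
    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()

    def authorize(self, msg):
        body = msg["nonce"] + msg["amount_cents"].to_bytes(8, "big") + msg["ct"]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "declined: tampered"  # amount or ciphertext altered in flight
        if msg["nonce"] in self.seen_nonces:
            return "declined: replay"  # the one-time identifier was already used
        self.seen_nonces.add(msg["nonce"])
        pan = _xor(msg["ct"], _keystream(self.key, msg["nonce"], len(msg["ct"]))).decode()
        return "approved" if luhn_ok(pan) else "declined: invalid card"
```

The merchant-side message contains no PAN, so a compromise of the merchant's network yields only ciphertext, and the processor rejects both altered messages and any attempt to resubmit a used one-time identifier.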