P2PE Revisited

David Froud is on a roll. Tenable’s Jeffrey Man wrote a post regarding point-to-point encryption (P2PE) and it apparently got the juices flowing.

I have discussed P2PE (known to almost everyone else as end-to-end encryption or E2EE) a number of times (see my Post Series References page). Also see my post on What Happens Once Merchants Get Rid Of Cardholder Data to understand how the risks will shift and why the terminal becomes a large attack point. This is why we need to get to some sort of single-use code for a payment, which is easily handled with today’s smartphones.

Read the posts and decide.  I think you will find that they both make compelling cases for why P2PE certification is a non-starter and is really not needed.


2 Responses to “P2PE Revisited”

  1. TB
    November 2, 2013 at 9:54 AM

    I would argue that if the acquirer approves a P2PE solution (even though it’s not the Council approved one) then P2PE can simplify compliance dramatically. Especially when the merchant has other apps running on the store network that talk to the Internet. You make good points but I see it as an option that serves its purpose well.

    • November 3, 2013 at 5:29 AM

      That is pretty much where we are at today. There are a lot of P2PE solutions already implemented by merchants and their processors. Most of those are in the convenience store sector between their gas pumps and their processor.

      The problem is that the processor controls what P2PE solutions are supported. That can be problematic for some merchants as it can require using only one processor and/or the wholesale replacement of terminals or other equipment. It can also obviously reduce the flexibility of a merchant to move from one processor to another because the new processor most likely will not support the P2PE solution used by the merchant. That is due to the fact that the P2PE vendors are signing exclusive agreements with processors limiting who uses what solution.
