
P2PE

Overview

PCI P2PE (point-to-point encryption) is a security standard that requires payment card data to be encrypted immediately when it is read (swiped, dipped or tapped) at the point of interaction and then transferred in encrypted form directly to the payment processor, where it is decrypted and processed. Point-to-point encryption (P2PE) renders the data unreadable outside the decryption environment, so it has no value to criminals even if it is stolen in a breach.

A point-to-point encryption solution includes validated hardware, software, and solution provider environment and processes. It may also include validated services from a component provider. All PCI-approved solutions, applications, and components are listed on the Council’s website. Validation is done by a PCI-qualified P2PE assessor.

SC2labs is accredited by PCI SSC as both a PCI QSA (P2PE) and a PA-QSA (P2PE).

Glossary

P2PE Solution:

Consists of point-to-point encryption and decryption environments, their configuration and design, and any P2PE components used with these environments. Within the P2PE solution, account data is always entered directly into a PCI-approved POI device with secure reading and exchange of data (SRED) enabled. This approach minimizes exposure of clear-text account data, and protects against point-of-sale exploits such as “memory scraping” malware.

P2PE Application:

Software or other files with access to clear-text account data, intended to be loaded onto a PCI-approved point of interaction (POI) device and used as part of a P2PE solution.

P2PE Component:

A subset of P2PE services including encryption management, decryption management, and key injection, which are provided by a P2PE component provider and included in the P2PE component listing on the PCI website.

P2PE Solution Provider:

An entity, usually a third party such as a processor, acquirer (merchant bank), or payment gateway, that designs, implements, and manages the P2PE solution. The solution provider may outsource certain responsibilities, but it always retains overall responsibility for the P2PE solution. With P2PE v2, merchants may also choose to act as their own solution provider by implementing a merchant-managed solution (MMS).

Requirements

PCI point-to-point encryption requirements (domains):

Domain 1 – Encryption Device and Application Management (secure encryption of payment card data at the point of interaction (POI)),

Domain 2 – Application Security (P2PE-validated application(s) at the point of interaction),

Domain 3 – P2PE Solution Management (secure management of encryption and decryption devices),

Domain 4 – Merchant-managed Solutions (separation between the merchant encryption and decryption environments),

Domain 5 – Decryption Environment (management of the decryption environment and all decrypted account data),

Domain 6 – P2PE Cryptographic Key Operations and Device Management (use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage).

Validation:

The SC2labs P2PE QSA auditor conducts the formal assessment against all P2PE domains and controls, including review of the point of interaction (POI) devices, device management, the encryption and decryption environments, third-party applications, inventory management, key management, PCI DSS compliance, cardholder data flows, and solution documentation.

PCI P2PE Reporting Requirements:

P2PE Solution RoV – Report of Validation

P2PE Application RoV – Report of Validation

P2PE Components RoV – Report of Validation

P2PE Solution AoC – Attestation of Validation

P2PE Application AoC – Attestation of Validation

P2PE Components AoC – Attestation of Validation

The P2PE Report on Validation is prepared and submitted to the PCI Security Standards Council for review and, upon approval, the solution is listed on the Council's website as a validated solution.

Links:

https://www.pcisecuritystandards.org/document_library

https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions