Frequently Asked Question
What is the Point-to-Point Encryption (P2PE) Standard?
The PCI Point-to-Point Encryption (P2PE) Standard contains detailed security requirements and testing procedures for application vendors and providers of P2PE solutions to ensure that their solutions can meet the necessary requirements for the protection of payment card data.
As of April 2013, the Council has released two P2PE Standards to accommodate solutions using hardware-based encryption and either hardware-based or hybrid-based decryption. A high-level summary of the two Standards is provided below:
| P2PE Standard (Solution type) | P2PE Solution Characteristics | Description of Encryption mechanism | Description of Decryption mechanism |
| Hardware / Hardware | Encryption, Decryption, and Key Management within Secure Cryptographic Devices | Hardware: encryption of account data within a PCI-approved POI using SRED | Hardware: all decryption and key management within SCDs (HSMs) |
| Hardware / Hybrid | Encryption & Key Management within Secure Cryptographic Devices, and Decryption of Account Data in Software | Hardware: encryption of account data within a PCI-approved POI using SRED | Hybrid: decryption of account data in software with key management in SCDs (HSMs) |
Subsequent releases of the P2PE program are planned and will address requirements for hybrid-based encryption, as well as scenarios where merchants manage their own P2PE solutions.
May 2013
Article Number: 1161