Frequently Asked Question

What is the Point-to-Point Encryption (P2PE) Standard?

The PCI Point-to-Point Encryption (P2PE) Standard contains detailed security requirements and testing procedures for application vendors and providers of P2PE solutions, to ensure that their solutions meet the requirements for protecting payment card (account) data from the point of interaction (POI) at the merchant to the solution provider's decryption environment.

As of April 2013, the Council has released two P2PE Standards to accommodate solutions using hardware-based encryption and either hardware-based or hybrid (software) decryption. A high-level summary of the two Standards is provided below:

P2PE Standard (solution type): Hardware / Hardware
  Solution characteristics: Encryption, decryption, and key management within secure cryptographic devices (SCDs)
  Encryption mechanism: Hardware; encryption of account data within a PCI-approved POI device using SRED (Secure Reading and Exchange of Data)
  Decryption mechanism: Hardware; all decryption and key management within SCDs (HSMs)

P2PE Standard (solution type): Hardware / Hybrid
  Solution characteristics: Encryption and key management within secure cryptographic devices, and decryption of account data in software
  Encryption mechanism: Hardware; encryption of account data within a PCI-approved POI device using SRED
  Decryption mechanism: Hybrid; decryption of account data in software, with key management in SCDs (HSMs)

Note: The term Hardware/* is used to indicate P2PE solutions that use a PCI-approved hardware-based encryption mechanism (a PCI-approved POI device using SRED). Hardware/* covers both the Hardware/Hardware and the Hardware/Hybrid types of P2PE solution.

Subsequent releases of the P2PE program are planned and will address requirements for hybrid-based (software) encryption, as well as scenarios where merchants manage their own P2PE solutions.
Last updated: May 2013
Originally published: October 2012
Article Number: 1161