Frequently Asked Question
What is the Point-to-Point Encryption (P2PE) Standard?
The PCI Point-to-Point Encryption (P2PE) Standard contains detailed security requirements and testing procedures for application vendors and providers of P2PE solutions to ensure that their solutions can meet the necessary requirements for the protection of payment card data.
As of April 2013, the Council has released two P2PE Standards to accommodate solutions using hardware-based encryption and either hardware-based or hybrid-based decryption. A high-level summary of the two Standards is provided below:
P2PE Standard (Solution type) | P2PE Solution Characteristics | Description of Encryption mechanism | Description of Decryption mechanism |
Hardware / Hardware | Encryption, Decryption, and Key Management within Secure Cryptographic Devices | Hardware: encryption of account data within a PCI-approved POI using SRED | Hardware: all decryption and key management within SCDs (HSMs) |
Hardware / Hybrid | Encryption & Key Management within Secure Cryptographic Devices, and Decryption of Account Data in Software | Hardware: encryption of account data within a PCI-approved POI using SRED | Hybrid: decryption of account data in software with key management in SCDs (HSMs) |
Subsequent releases of the P2PE program are planned and will address requirements for hybrid-based encryption, as well as scenarios where merchants manage their own P2PE solutions.
May 2013
Article Number: 1161
Related
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
What evidence is a TPSP expected to provide to customers to demonstrate PCI DSS compliance?
-
Does PCI SSC consider guidance from other standards organizations when making updates to PCI standards?
-
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Can a compensating control be used for requirements with a periodic or defined frequency, where an entity did not perform the activity within the required timeframe?
Most Recently Updated
-
Where can I find the current version of PCI DSS?
-
Why are there multiple PCI DSS Self-assessment Questionnaires (SAQs)?
-
What is a PCI DSS Self-Assessment Questionnaire?
-
Are Mobile Payments on COTS (MPoC) solutions, Software-based PIN Entry on COTS (SPoC)™ solutions, or Contactless Payments on COTS (CPoC™) solutions eligible for a P2PE Solution approval?
-
How can an entity meet PCI DSS requirements for PAN masking and truncation if it has migrated to 8-digit BINs?