Earlier this month, the Payment Card Industry Council (“PCI”) unveiled the first set of point-to-point encryption (“P2PE”) standards, designed for providers of P2PE hardware-based encryption and decryption solutions. P2PE providers develop point-of-sale hardware for merchants, such as payment card readers and electronic cash registers, that encrypts payment card data from the moment the card is swiped at the point of sale until the data is transmitted to the merchant’s payment card processor. P2PE hardware appeals to merchants because it minimizes the extent to which they must store and transmit unencrypted cardholder data. The PCI P2PE standards set out requirements intended to standardize and strengthen P2PE hardware solutions.
For merchants, the P2PE standards have the potential to reduce the scope of compliance and self-assessment under PCI-DSS, which governs merchants’ data security practices for cardholder information from credit cards and similar payment mechanisms. Merchants that use a PCI-validated P2PE hardware solution will carry a lighter compliance burden with respect to the PCI requirements that pertain to the encryption of sensitive cardholder information. Merchants will remain responsible for complying with the PCI requirements governing the education of employees who handle account data, security policies, third-party relationships, and the physical security of media. PCI intends to release a list of PCI-validated P2PE hardware solutions in the spring of 2012.