Point-to-Point Encryption: Today's Challenge

Protecting data at the point of capture—literally the first opportunity you have to protect it—can have the greatest impact in terms of reducing the scope of security concern—and compliance. Although the best advice is always, ‘if you don’t need data, either get rid of it or don’t touch it in the first place’, that approach is not always practical; the next best thing is to encrypt data as soon as possible and keep it encrypted by default, end-to-end. This principle can be applied to many different types of data, but the concept of reducing PCI DSS scope by encrypting payment cardholder and account data provides a very pertinent example of its value—so much so that the PCI Security Standards Council gave it a name—Point-to-Point Encryption (P2PE)—and issued specific guidance in late 2011 to define its use. With this approach, account data is encrypted directly at the point of capture (at an ATM machine, retail store, restaurant, or web site) and is protected as it flows through the merchant’s IT systems and passes down the payment chain. The data is unprotected (decrypted) only when it is needed by specific business processes that have no choice but to access original account data—otherwise the data exists only in a protected state.

Learn More

P2PE is a really special case of application-level encryption, where encryption is applied selectively within a business application—in this case a retail point-of-sale (POS) terminal. If the P2PE process is implemented correctly, with account data being encrypted within an approved, secure cryptographic device (SCD) such as a POS terminal, and not decrypted at all within the merchant environment, there is potential for the merchant to be taken almost completely out of scope for PCI DSS. Strict controls for protection of and access to decryption keys must be in place; in fact, the current guidance requires the use of hardware security modules (HSMs) with an appropriate security rating to protect access to those keys. Acquirers and other players in the payments chain have already begun to market value-added services that exploit P2PE to reduce compliance costs for their merchants. From a PCI DSS perspective, any system that has the capacity to decrypt account data comes into scope immediately, so the ability to insulate merchants by protecting keys within HSMs can have significant benefits for all concerned.

Hide Section

Risks Associated with Point to Point Encryption (P2Pe)

  • Organizations that do not protect account data will fail to comply with PCI DSS mandates, risking fines and damage to the business.
  • Attackers can steal customer account data from many places within a typical organization since it can enter intentionally or unintentionally through numerous channels (web sites, call centers and helpdesks, email systems, etc.) and it can rapidly and widely propagate throughout the organization, driving up costs of countermeasures and compliance reporting.
  • Encryption can reduce the risks but organizations must take steps to manage keys appropriately. Keys that exist in purely software-based systems are vulnerable to attack and often fall short of compliance obligations.
  • While PCI DSS has not mandated the use of P2PE, organizations that do not take advantage of this approach to reduce their PCI DSS scope can incur unnecessary compliance costs.

Point-to-Point Encryption: Thales e-Security Solutions

Products and services from Thales e-Security can not only help you implement measures to become PCI DSS compliant as effectively and efficiently as possible, but they can also play an essential role in a P2PE strategy to reduce the scope and therefore the cost of compliance. nShield and payShield HSMs are independently certified to the FIPS 140-2 level 3 standard that is mandated by the P2PE  guidelines. nShield and payShield HSMs create a trusted environment in which key material can be safely generated, stored, and managed, and where decryption operations can be performed securely. The use of HSMs in this way is directly analogous to the way HSMs are used to protect user PINs as they pass through the payments network. In both cases HSMs overcome the inherent weaknesses of purely software-based systems that could expose cryptographic keys and processes to memory scanning attacks, runtime monitoring, or malicious privileged users.

Whether you choose to encrypt and decrypt account data using your own in-house developed software or using third-party commercial applications, nShield and payShield HSMs are easy to deploy and can support innovative technologies such as Format Preserving Encryption (FPE) to minimize impact on existing business processes, These devices are already certified to integrate directly with products from our industry partners and leading POS manufacturers, assuring you of fast deployments and seamless integration with your existing systems.


  • Deploy PCI DSS compliant Point-to-Point Encryption (P2PE) to protect account data and reduce compliance costs.
  • Accelerate implementation projects; nShield and payShield HSMs are pre-qualified to integrate with products from leading encryption vendors.
  • Take advantage of a choice of performance levels and form factors—deploy exactly what you need and only what you need, and upgrade easily as your needs change.
  • Take advantage of leading edge FPE to minimize the impact on existing systems that are now exposed to encrypted rather than plain text account data.