Ingenico payment services Wikipedia
Securing card data from point A to point B
Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. Payment solutions which offer similar encryption but do not meet the P2Pe standard are referred to as end-to-end encryption (E2Ee) solutions. The objective of P2Pe and E2Ee is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data and information into indecipherable code at the time the card is swiped to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.
The Standard[edit]
The P2Pe Standard defines the requirements that a "solution" must meet in order to be accepted as a PCI validated P2Pe solution. A "solution" is a complete set of hardware, software, gateway, decryption, device handling, etc. Only "solutions" can be validated; individual pieces of hardware such as card readers cannot be validated. It is also a common mistake to refer to P2Pe validated solutions as "certified"; there is no such certification.
The determination of whether or not a solution meets the P2Pe standard is the responsibility of a P2Pe Qualified Security Assessor (P2Pe-QSA). P2Pe-QSA companies are independent third party companies who employ assessors that have met the PCI Security Standards Council's requirements for education and experience, and have passed the requisite exam. The PCI Security Standards Council does not validate solutions.
How it works[edit]
As a payment card is swiped through a card reading device, referred to as a point of interaction (POI) device, at the merchant location or point of sale, the device immediately encrypts the card information. A device that is part of a PCI validated P2Pe solution uses an algorithmic calculation to encrypt the confidential payment card data. From the POI, the encrypted, indecipherable codes are sent to the payment gateway or processor for decryption. The keys for encryption and decryption are never available to the merchant, making card data entirely invisible to the retailer. Once the encrypted codes are within the secure data zone of the payment processor, the codes are decrypted to the original card numbers and then passed to the issuing bank for authorization. The bank either approves or rejects the transaction, depending upon the card holders payment account status. The merchant is then notified if the payment is accepted or rejected to complete the process along with a token which the merchant can store. This token is a unique number reference to the original transaction that the merchant can use should they ever be need to perform research or refund the customer without ever knowing the customers card information (tokenization).