Whether you’re a developer seeking an integrated payment solution or a business owner searching for a credit card processing partner, the security of cardholder data should be at the top of your checklist. When processing and storing credit card data via a terminal, the payment processing security standard can vary.
Below, we compare the two current standards for securing cardholder data: point to point encryption and cloud-based tokenization.
Point to point encryption (P2PE) encrypts data from point A, when a card is swiped or dipped in a terminal, until it reaches point B, the provider’s secure decryption environment. When data is encrypted, it is masked. A proper key is typically needed to decode it. The secure environment is managed by a P2PE solution provider, which is “ … a third-party entity (for example, a processor, acquirer, or Payment Gateway) that has overall responsibility for the design and implementation of a specific P2PE solution,” according to the PCI Security Standards Council.
Cloud-based tokenization removes card data in its entirety and replaces it with a string of characters, known as a token, that has no value if breached. The token, rather than the raw data, is passed to the cloud.
Only the tokenization system recognizes the true value of the token and answers requests to interact with the token when a transaction is processed. Credit card tokenization systems are also managed by a third-party entity such as a Payment Processor or Payment Gateway, rather than the Merchant Account Provider.
Point to point encryption gets the seal of approval with PCI validation, however, it still means there are two end points that are susceptible to exposure. Using this form of payment processing security is riskier than credit card tokenization because it’s reversible – data can be changed back to its original form. How?
With the right key or brute force decryption, raw card data can be revealed. As computers get faster, brute force attacks become increasingly effective. In 2010, a security researcher was able to crack an encryption algorithm in less than an hour. If a hacker gets in and steals your encrypted data, how much harder would it be for him to get the key while he’s at it? The strongest encryption will not protect your business if the data is stolen, and, if compromised, there is a lot of cleanup that follows.
Tokenization is safer because the data is removed at the terminal, rather than encrypted, before it is passed onto the cloud. Even if a token is hacked, it has no relation to the card data.
Although point to point encryption (P2PE) doesn’t give the business running the transactions access to the secure key, the card data is often stored on a business’s internal network. This places the business within PCI scope. Tokenized card data is stored only on the provider’s servers, removing the business’s internal network from PCI scope. Both the business and provider cannot access the raw card data.
Consider a scenario where an integrated software, such as a point of sale system, is in the mix. If integrated with a point to point encryption validated provider, the software provider is also within PCI scope. However, if leveraging a payment API with cloud-based tokenization, the software remains outside of PCI scope.
Put simply, point to point encryption limits your PCI scope whereas properly-done tokenization can eliminate it.
Our Smart Terminal uses cloud-based tokenization to secure cardholder data and is level 3 EMV certified; it has the highest level of security for all payment types. Integrating with the Smart Terminal allows your software to bypass both PCI audits and EMV-compliance testing. As a developer, eliminating your software’s scope benefits you in two ways: it saves the time required for quarterly and annual PCI audits along with certification costs.
Which payment processing security standard does your current terminal have? Were you aware of these different ways to secure cardholder data? Share below.
Editor's Note: This post was originally published in August 2017 and has been updated for comprehensiveness and accuracy.