2 Steps Merchants Should Take to Ensure Point-to-Point Encryption (P2PE) from Vendors


When looking to deploy Point-of-Interaction (POI) payment devices, Point-to-Point Encryption (P2PE) validated solutions are the gold standard.

They have been through rigorous testing by qualified assessors and, because cardholder data is encrypted at the POI device and cannot be decrypted in the merchant environment, they reduce the number of PCI DSS requirements the merchant has to meet for their assessment.

Unfortunately, some payment solution sales representatives and account managers misuse the term P2PE and lead merchants to believe their solution has this kind of validated encryption.

Many times, our QSAs start to assess a merchant’s environment and, while validating the POI payment solution, discover that it is not a PCI-listed P2PE solution at all but an End-to-End Encryption (E2EE) solution. E2EE solutions have not been validated against the PCI P2PE standard, so the scope reduction available to the merchant is inconsistent and, in some cases, nonexistent; the QSA then has to assess the affected systems in full.

Below, we show how you, as a merchant, can engage with these vendors to validate a claimed P2PE solution and save yourself hours of headache later. The goal is to gain assurance that the solution you are considering is in fact what you need, rather than simply taking the vendor’s word for it.


2 Quick Steps to Ensure Point-to-Point Encryption

  1. Request and gather the following information and documents from the vendor:
    • P2PE solution name, exactly as it appears on the PCI SSC listing
    • POI device make and model on which the P2PE solution will be deployed (the device that receives the injected encryption keys)
    • P2PE Instruction Manual (PIM)
      • Note: Every listed P2PE solution is required to have a PIM, so if the vendor is unable to provide this information, that is a good indication that they are not a true Point-to-Point Encryption solution and you should proceed with caution.
  2. After you have gathered the above information and documents from the vendor, perform the following checks on the PCI SSC website:
    • On the Home page of the website, open the “Products & Solutions Listing” dropdown in the main navigation menu and select “Point-to-Point Encryption Solutions.”
    • Search for the P2PE solution name the vendor provided and confirm that it is listed, that its validation is still current (not expired), and that the listing carries no additional warnings.
    • Select “Solution Details” for the listed solution and confirm that the POI device make and model the vendor gave you appears under the “PCI-Approved POI Devices Supported” section. A solution is only P2PE-validated on the devices in that list, so a device that is missing there should be treated as unvalidated even if the solution itself is listed.

That’s it! Taking a few minutes to verify your POI vendors in this way as part of your vendor due diligence will help avoid surprises on your next PCI assessment.

If any questions pop up during this verification, ask your QSA and get them in the loop early so that any inconsistencies can be caught while they can still be fixed or adjusted easily.

If you have any questions about PCI or whether your solution is P2PE, please don’t hesitate to contact us to speak with one of our QSAs.
