PCI-validated Point-to-Point Encryption (P2PE) FAQ

Point-to-Point Encryption (P2PE) is an encryption standard established by the Payment Card Industry (PCI) Security Standards Council. It requires that payment card data be encrypted immediately upon use with the merchant’s point-of-sale terminal and cannot be decrypted until securely transported to and processed by the payment processor. Learn more about Bluefin’s PCI-Validated P2PE solution.

A PCI-validated P2PE solution is a combination of secure devices, applications, and processes that encrypt credit card data immediately upon swipe or dip in the payment terminal (also called the Point of Interaction, or POI). The data remains encrypted until it reaches the Solution Provider’s secure decryption environment.

In order for a P2PE solution to receive validation from PCI, the solution, the Solution Provider, and associated players in the overall P2PE solution must undergo assessment and audit by a P2PE Qualified Security Assessor (QSA), before being brought before the Council for approval.

With Bluefin’s PCI-validated P2PE solution, we encrypt cardholder data at the POI in a PCI-Approved PTS device running P2PE validated software and decryption is done off-site in an approved Bluefin Hardware Security Module (HSM). Our solution prevents clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach.

Note: “Only Council-listed P2PE solutions are recognized as having met the rigorous controls defined in the PCI P2PE Standard for the protection of payment card data, as well as meeting the requirements necessary for merchants to reduce the scope of their cardholder data environment (CDE) through use of a P2PE solution.”

• Non-Validated (Unlisted) Encryption Solutions

  Encryption solutions that have not been validated by the PCI SSC, but still provide functions such as encrypting within the POI terminal and decrypting outside the merchant environment, are generally called unlisted P2PE solutions or End to End Encryption (E2EE) solutions.

• PCI-Validated (PCI-Listed) P2PE Solutions

  PCI-validated P2PE solutions have been assessed by a P2PE QSA as having met the PCI P2PE standard and are therefore listed on the PCI website under Approved P2PE Solutions. In addition to meeting the P2PE standard, the decryption component of the solution must operate within a secure environment that is annually assessed to the full PCI DSS standard.

A PCI-validated P2PE solution is required to have all of the following:

• Secure encryption of payment card data at the POI / i.e., the payment terminal
• P2PE-validated application(s) at the POI
• Secure management of encryption and decryption devices
• Management of the decryption environment and all decrypted account data
• Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection and administration

As a PCI-validated P2PE Solution Provider, Bluefin is responsible for the design and implementation of our P2PE solution, and management of the solution for our partners and their merchants. We are also responsible for ensuring that all P2PE requirements are met, including any P2PE requirements performed by third-party organizations on our behalf (for example, hardware manufacturers, certification authorities, and key injection facilities).

• PCI-validated P2PE protects data in transit. The role of P2PE is to immediately and fully encrypt all cardholder data within the payment terminal so it does not enter the POS as clear-text card data. By using strong encryption, device management practices, and key management, P2PE is effective at addressing the risk of card data compromise for card data in transit out of the merchant network as it is transmitted to the gateway or acquirer for decryption and processing.
• Tokenization enables merchants and enterprises to safely “store” cardholder data at rest for use in future transactions. Tokenization is the technology where secure card data storage is centralized and a different value is used to represent the original cardholder data. When ready to be re-used, the token must generally be passed to the tokenization provider, where the original cardholder data is retrieved, decrypted, and utilized.
• EMV authenticates the credit or debit card at the point of sale by reading a chip embedded on the card and validating the cardholder with their signature. EMV makes it extremely difficult (though not impossible) to “white-label” or duplicate a physical credit card that could then be used by thieves to purchase items at the POS.

Merchants who use a validated P2PE solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized self-assessment questionnaire SAQ P2PE that is known and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions). To put it simply, separating card data from the POS and other enterprise network systems allows merchants to reduce PCI scope and more efficiently manage controls or eliminate them completely.

In 2017, we released a white paper with P2PE QSA Coalfire Systems that detailed the ROI of a P2PE PCI solution. See our media page to view more white papers, view our case studies, and educational videos on P2PE. Read more on our blog: The ROI and TCO of a PCI-Validated P2PE Solution.

Every product provided by Bluefin includes PCI-validated P2PE. Our P2PE solutions include:

• PayConex Payment Gateway – Card present and card-not-present (CNP) payment processing for U.S. and Canadian companies
• PayConex Plus – Card present and CNP payment processing for companies outside of the U.S. and Canada
• PayConex for Salesforce – Card present and CNP payment processing for U.S. and Canadian companies utilizing Salesforce; a 100% integrated application
• QuickSwipe Mobile – iOS, Android and web-based payment processing for U.S. and Canadian companies
• Decryptx – Stand-alone, P2PE solution decoupled from payment processing; available to global processors, payment gateways and software vendors

Learn more about the devices available with each product.

Bluefin is the only P2PE solution provider that has “decoupled” P2PE from payment processing with our Decryptx product, enabling processors, payment gateways and software vendors to provide our P2PE solution through their platforms.

Any merchant or organization utilizing one of Bluefin’s partners can get the security and reduced PCI scope of our P2PE solution through their current configuration. Example partners are listed below, or you can access our full list.

• Healthcare: Epic, Flywire, Paya, HealthPay 24, Phreesia
• Higher Education: Paciolan, Nelnet Campus Commerce, TouchNet, Blackbaud, Blackboard, AudienceView, Modern Campus
• Retail: Verifone, NCR, CyberSource, Volante, Transaction Network Services, BridgePay
• Other: 3Delta Systems, Aspira, DataCap Systems, Powertranz, Kubra, Payscout, Payway, Anderson Zaks, Unberboeck Systems

Additionally, any platform provider globally can partner with Bluefin for Decryptx via a simple API. Learn more about our Decryptx partner program or contact us.

Bluefin is your partner in payment security and will be there every step of the way in P2PE implementation and activation.

Our implementation options vary by product, organization size and configuration.

• For small to medium-sized businesses utilizing Bluefin’s products, our clients work directly with our inside sales team on device ordering and setup. They are available to answer any questions that you may have and walk you through the process of using your P2PE device. They will also get you started with our P2PE Manager® portal for device check-in, activation, monitoring and P2PE attestation. Additional questions after initial setup by the sales team can be addressed by contacting our Customer Service team.
• For large enterprises, our clients work directly with a dedicated Relationship Manager. Your Relationship Manager will guide you through the implementation options, depending on your environment and partnerships, while also engaging our integration team for any necessary development. Consultation and management is free of charge.

For partner clients, Bluefin will assist in the above steps but depending on the partnership, organizations may need to contact their partner provider for integration and support. If you are unsure of whether Bluefin or your provider offer integration and support assistance, contact us.

As part of Bluefin’s P2PE program, all clients and partners have access to Bluefin’s P2PE Manager – the only 100% online portal for P2PE device chain of custody and attestation – free of charge.

The P2PE Manager simplifies management, reporting and attestation for your organization. The Manager records the complete lifecycle of each device that you deploy, from the time the device is ordered, to shipment, to receipt, to activation. You can also set up locations for the devices, assign an administrative hierarchy for user access, view transactions, and export reports for attestation.

The P2PE Manager is also offered as a tool for other P2PE solution providers or organizations seeking to simplify device management for their users. Contact us to learn more.

Yes, one of the benefits of our Decryptx partner program is that all of our partners are eligible to include their P2PE solution as a “sub-listed” solution under Bluefin’s P2PE listing. A sub-listing enables your organization to be listed under our P2PE certification with your own product name for the PCI-validated P2PE offering. Learn more about our sub-listing option or contact us directly.

Bluefin can work directly with your organization to create a custom P2PE solution. Our relationship managers will work with you one-on-one to understand your processing environment, your acceptance channels and your partnerships to craft a solution for your unique business case.

Additionally, for large retailers and other organizations, we can provide our Direct to Merchant P2PE solution, which can be accessed through a direct connection to Bluefin – making our P2PE option available with no change to a retailer or enterprise’s processing environment. This is an ideal solution for large companies interested in a direct P2PE program. Benefits include:

• Simple Implementation: Bluefin provides several configurations and options for P2PE direct, including coding directly to our Decryptx API from your data center to eliminate customer and employee endpoints, networks, and environments from PCI scope.
• Customization: Our direct P2PE solution allows your organization to easily modify your existing payment ecosystem with the largest selection of P2PE payment terminals and Key Injection Facilities (KIFs) available in the market, including Remote Key Injection (RKI).
• Premier Support: Bluefin can support and manage the requirements for all components included in a validated P2PE solution (Domains 1-6), including encryption management services, the decryption environment, chain-of-custody, RKI and KIFs.

Contact us to learn more.

Bluefin has the distinction of being the leading PCI-validated P2PE solution provider with the largest number of device and KIF offerings. Our full list of devices can be accessed on our P2PE Device page, but we provide countertop, mobile, call center and unattended devices from a variety of manufacturers, including:

• Anywhere Commerce
• AMP
• BBPOS
• Datecs
• Equinox
• ID Tech
• Ingenico
• Magtek
• Miura
• PAX
• Verifone

*Note that all devices may not be available across all partners and all Bluefin products. Contact us to learn more about devices and configurations.

Bluefin is currently partnered with 16 KIFs globally to provide our solutions. These include:

• CDE – Atlanta, GA
• Datecs – Sofia, Bulgaria
• First Data Hardware – Atlanta, GA and Mississauga, ON
• Fiserv – Brookfield, WI
• Infinite Peripherals – Irvine, CA
• Ingenico Group – Atlanta, GA and London, UK
• Lantec – Dublin, UK and Poland
• Maxwell Merchant Solutions – Belleville, ON
• PayCipher – Alpharetta, GA
• POS Portal – Sacramento, CA and Louisville, KY
• SecureRetail – Leicestershire, UK
• Spencer Technologies – Northborough, MA
• UCP – Las Vegas, NV
• Verifone – San Jose, CA