Point-to-Point Encryption

Datacap offers both DirectE2EE™ and PCI-Validated Point-to-Point Encryption. P2PE significantly reduces the risk of payment card fraud by instantaneously encrypting confidential cardholder data at the moment a payment card is ‘dipped’ or swiped at the PIN pad (payment terminal) or point of interaction (POI).

DirectE2EE™

  • Data is encrypted at the point of interaction (POI) and decrypted outside of the Point of Sale environment.
  • Utilizes Datacap’s proprietary encryption format (NETePay Hosted) or processor-specific encryption (NETePay Classic).
  • No additional charge from Datacap for DirectE2EE™.
  • Available to Datacap POS partners without integration changes.
  • Non-validated E2EE due to unique format per processing platform.

PCI-Validated P2PE

  • PCI-validated P2PE solution secures transactions by encrypting all data within a PCI-approved point of entry device, preventing clear-text cardholder data from being available.
  • Reduced PCI scope for the merchant (reducing SAQ questions by 90%).
  • Requires NETePay Hosted.
  • Available to Datacap POS partners without integration changes. 

PCI-Validated P2PE FAQ

As defined by the PCI Security Standards Council (PCI SSC), “Building upon the solid data and environmental security foundation established and promulgated by the PCI SSC for the payments industry via the PCI DSS, PA-DSS, and PTS, the P2PE Standard is a comprehensive set of requirements focused on providing the requisite security requirements necessary to support the deployment of secure P2PE solutions.” 

The PCI Point-to-Point Encryption (P2PE) Standard was introduced in 2012. Datacap partner Bluefin became the first company in North America to receive PCI validation for a P2PE solution in March 2014. Today there are nearly 50 PCI-validated P2PE solution providers worldwide.

(via Bluefin)

DirectE2EE and PCI-Validated P2PE are both secure in nature because they both encrypt credit card data at the POI and decrypt the data outside the Point of Sale environment. See the data flow diagrams below to understand the differences between DirectE2EE and PCI-Validated P2PE.

DirectE2EE:

1. Point of Sale sends XML sale request or HTTPS post to Datacap’s NETePay/GIFTePay. 

2. NETePay/GIFTePay communicate to EMV-enabled PIN Pad. 

3. Encrypted card data (using processor-proprietary encryption method) is passed from NETePay/GIFTePay directly to credit card processor. 

4. Response from the Processor is sent to NETePay/GIFTePay. 

5. Approve, Decline, or Error response returned to Point of Sale and PIN Pad from NETePay/GIFTePay.

PCI-Validated P2PE:

1. Point of Sale sends XML sale request or HTTPS post to Datacap’s NETePay/GIFTePay. 

2. NETePay/GIFTePay communicate to EMV-enabled PIN Pad (encrypted with Bluefin’s P2PE key).

3. Encrypted card data is passed from NETePay/GIFTePay directly to NETePay Hosted. 

4. NETePay Hosted takes the encrypted data and sends it to Bluefin’s Decryptx, which returns data to NETePay Hosted, which then passes the data to the appropriate Processor.

5. Response from the Processor is sent to NETePay Hosted. 

6. Approve, Decline, or Error response returned to Point of Sale and PIN Pad from NETePay/GIFTePay.

A well-documented device chain of custody process (shipping, deployment and management of devices; and the resulting reduction of PCI scope and the Cardholder Data Environment (CDE)) must be implemented to ensure that all Secure Cryptographic Devices (SCDs) are controlled from receipt through installation and use.

A PCI-validated P2PE solution must include all of the following: 

1.) Secure encryption of payment card data at the POI (i.e., the payment terminal)

2.) P2PE-validated application(s) at the POI

3.) Secure management of encryption and decryption devices

4.) Management of the decryption environment and all decrypted account data

5.) Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection and administration 

(via Bluefin and PCI)

There are numerous tangible benefits merchants receive from using a solution that has been through the validation process. 

PCI-Authorized Scope Reduction
Merchants who use a validated solution within their environment and keep this environment segmented from any card data from other channels (e.g., e-commerce) are eligible to complete the authorized self-assessment questionnaire SAQ P2PE that is known and accepted by all acquirers. Under PCI DSS v3.2, this represents a significant reduction of controls, reducing the number of questions by nearly 90% for merchants moving from the SAQ D (329 questions) to SAQ P2PE (33 questions).

Card Brand Programs
Visa Technology Innovation Program (TIP)
Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply through their acquirer for the Visa TIP program, which allows approved merchants the ability to discontinue their annual assessment process to re-validate PCI DSS compliance.

Visa Secure Acceptance Program
This program incentivizes acquirers by providing safe harbor for fees in the event of a compromise for Level 3 and 4 card-present merchants who use a PCI-validated P2PE solution.

Solution for Challenging Compliance Issues
By encrypting all card data within a validated card reader before it passes through the mobile device, the consumer mobile device is rendered out of scope for PCI DSS compliance (so long as it is not used for any other payment function), ensuring compliant card acceptance via a consumer mobile device.

Foreign Networks
Because systems and networks between the encryption point and the decryption environment are no longer in scope due to the P2PE encryption, this unique advantage can address complex network responsibility challenges for some merchants. 

(via Bluefin)

PCI-Validated P2PE Supported Devices

The devices below can be used with Datacap’s PCI-Validated P2PE solutions. PIN Pads used with PCI-Validated P2PE solutions require specific encryption keys from distribution. Contact Datacap for more information.

PAX A920Pro
PAX A77
PAX A30
PAX A35
PAX Aries8
PAX IM30
Ingenico Link/2500
Ingenico Move/5000
Ingenico iSMP4
Ingenico Lane/3000
Ingenico iPP 320
Ingenico iPP 350
ID Tech Augusta
ID Tech VP6800
Ingenico iUC 285
Ingenico Lane/5000
Ingenico Lane/7000
Ingenico Lane/8000
Ingenico iSC Touch 250
Verifone P400
