Point-to-Point Encryption ("P2PE") protects card data from the instant it is presented to the merchant. P2PE is accomplished with an encrypting card-reader device or, when card data is keyed in for mail-order or phone-order transactions, with a secure encrypting keypad. The encrypted card data can then travel through the merchant's POS system and local area network without exposing card data to compromise along the way.
Monetra supports two types of P2PE. With Main Street's CardShield® system, the card data is decrypted within a Monetra server, from which point it is securely transmitted to the merchant's transaction processor. Alternatively, for some processors, the card data can remain encrypted as it passes through the Monetra server, with decryption performed at the transaction processor's facility. This approach is called "processor-based P2PE."
With the CardShield system, the Monetra server may be located at the same site as the merchant's POS system (Figure 1), at a central site serving multiple locations of a single merchant (Figure 2), or operated by an independent organization as a third-party "gateway" service (Figure 3).
For any P2PE system, each encrypting card reader or keypad must contain an encryption key generated by the system that will be performing decryption of the card data. That key must be securely loaded, or "injected," into the device. Key injection for CardShield systems can be performed with the CardShield Key Manager utility software, or by a qualified Encryption Service Provider such as the device manufacturer. When a service provider performs the injection, a special key called the "base derivation key" (BDK) must be securely transported to the service provider from the system that will be performing decryption. Contact our sales team for additional information.
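The data flow described in the two passages above (encrypt in the reader, relay as ciphertext, decrypt only where the BDK lives) is modelled below as an added example. This is illustrative code written for this page, not CardShield's or Monetra's own implementation: the per-device key derivation labels, the device serial format, and the sample BDK and card data are all constructed, and the cipher is an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC) used as a standard-library stand-in for the authenticated encryption a real reader would use. The same `decrypt_with_bdk` call is what the Monetra server runs in the CardShield model and what the processor runs in the processor-based model; a hop that does not hold the BDK can only forward the message.

```python
"""Simplified P2PE data flow (constructed illustration, not CardShield's scheme)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

HASH = hashlib.sha256


def derive_device_keys(bdk: bytes, device_serial: bytes) -> tuple[bytes, bytes]:
    """Derive one reader's encryption and MAC keys from the BDK.

    The labels are assumptions for this example. Only a holder of the BDK can
    reproduce these keys from the serial the reader sends in the clear.
    """
    enc_key = hmac.new(bdk, b"p2pe-enc|" + device_serial, HASH).digest()
    mac_key = hmac.new(bdk, b"p2pe-mac|" + device_serial, HASH).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), HASH).digest()
        counter += 1
    return out[:length]


@dataclass(frozen=True)
class EncryptedCardData:
    """What leaves the reader: everything a POS or LAN hop can observe."""
    device_serial: bytes  # in the clear so the decryptor can re-derive the keys
    nonce: bytes
    ciphertext: bytes
    tag: bytes


class EncryptingReader:
    """Models the injected device: it holds its own keys, never the BDK."""

    def __init__(self, device_serial: bytes, enc_key: bytes, mac_key: bytes):
        self.device_serial = device_serial
        self._enc_key = enc_key
        self._mac_key = mac_key

    def swipe(self, card_data: bytes) -> EncryptedCardData:
        nonce = os.urandom(16)
        stream = _keystream(self._enc_key, nonce, len(card_data))
        ciphertext = bytes(a ^ b for a, b in zip(card_data, stream))
        tag = hmac.new(self._mac_key, self.device_serial + nonce + ciphertext, HASH).digest()
        return EncryptedCardData(self.device_serial, nonce, ciphertext, tag)


def relay(msg: EncryptedCardData) -> EncryptedCardData:
    """A POS, LAN hop, or a Monetra server in processor-based mode: forward only."""
    return msg


def decrypt_with_bdk(bdk: bytes, msg: EncryptedCardData) -> bytes:
    """Run by whichever party holds the BDK: re-derive keys, verify, decrypt."""
    enc_key, mac_key = derive_device_keys(bdk, msg.device_serial)
    expected = hmac.new(mac_key, msg.device_serial + msg.nonce + msg.ciphertext, HASH).digest()
    if not hmac.compare_digest(expected, msg.tag):
        raise ValueError("authentication failed: wrong BDK or tampered message")
    stream = _keystream(enc_key, msg.nonce, len(msg.ciphertext))
    return bytes(a ^ b for a, b in zip(msg.ciphertext, stream))


# Constructed sample values for a stand-alone run.
SAMPLE_BDK = bytes(range(32))
SAMPLE_SERIAL = b"RDR-0001"
SAMPLE_TRACK = b"4111111111111111=2512"  # well-known test PAN, not a real card


def run_flow(bdk: bytes = SAMPLE_BDK, card_data: bytes = SAMPLE_TRACK) -> bytes:
    """Reader -> POS -> LAN -> BDK holder; returns the recovered card data."""
    reader = EncryptingReader(SAMPLE_SERIAL, *derive_device_keys(bdk, SAMPLE_SERIAL))
    msg = relay(relay(reader.swipe(card_data)))  # two forwarding hops
    return decrypt_with_bdk(bdk, msg)


if __name__ == "__main__":
    print(run_flow())
```

Swapping the party that calls `decrypt_with_bdk` is the only difference between the two deployment models on this page; everything upstream of that call handles ciphertext and a device serial, nothing else.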
Regardless of the approach used, P2PE systems protect card data and isolate it from POS systems and merchants' networks, which vastly reduces the merchant's PCI compliance requirements.