As a business owner, one of the most important things you can do is protect your customers’ data. In today’s world, where credit and debit card fraud is on the rise, it’s essential to safeguard your customers’ payment card information. That’s where PCI Validated Point-to-Point Encryption (P2PE) comes in. In this blog post, we’ll discuss what P2PE is, how it works, the benefits it provides for businesses, and what Jonas Fitness did to bring this solution to its customers.
What is P2PE and How Does it Work?
P2PE is a security architecture in which payment card data is encrypted inside the card-reading point-of-interaction (POI) device at the point of sale (POS) and stays encrypted until it reaches the solution provider's decryption environment at the payment processor. The merchant's POS software, network and any systems in between handle only ciphertext and never hold the decryption keys, so an attacker who compromises them cannot recover usable card data. P2PE solutions are rigorously assessed against the PCI P2PE standard and listed by the Payment Card Industry Security Standards Council (PCI SSC). In fact, a PCI-validated Point-to-Point Encryption solution MUST include validated hardware (the POI devices), validated software, and validated solution provider environments and processes, including cryptographic key management and the decryption environment.
During a recent webinar, Geiger Lee, Compliance Officer for Coalition Security Group, explained how P2PE works: “When a customer makes a purchase using a P2PE solution, their payment card information is encrypted at the point of sale device. The encrypted data is then sent through a secure channel to the payment processor, where it is decrypted and processed. This means that even if a hacker intercepts the data during transmission, they won’t be able to read it because it is encrypted.”
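To make the description above concrete, here is an added Go simulation of the three vantage points in a P2PE flow: the POI device that encrypts, the merchant POS that only stores and forwards the resulting blob, and the solution provider's decryption environment that alone holds the key. This is example code written for this post, not code from the original article and not Jonas Fitness' or Worldpay's implementation. The key, the sample PAN and the record format are constructed for the example; real validated solutions use PCI PTS-approved devices and HSM-managed, per-transaction DUKPT keys rather than a static AES-GCM key. The block also includes the Luhn-based PAN scan that an assessor would run over merchant-side logs and databases to confirm that no cleartext card data remains, which is what the scope reduction discussed later in this post depends on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
)

// Constructed sample: a well-known test PAN, not a live card number.
const samplePAN = "4111111111111111"

// Constructed stand-in for key material that exists only in the solution
// provider's decryption environment (real solutions use HSM-managed,
// per-transaction DUKPT keys). The merchant's POS, network and logs never hold it.
var keyOnlyInDecryptionEnv = []byte("constructed-32-byte-demo-key!!!!")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// poiEncrypt runs inside the card-reading device, before any data reaches the
// merchant's POS software. It returns nonce || ciphertext || GCM tag.
func poiEncrypt(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptionEnvDecrypt runs at the solution provider, the only place the key
// exists and so the only place the PAN reappears in the clear. A blob altered
// in transit (or sent under the wrong key) fails the GCM tag check and is rejected.
func decryptionEnvDecrypt(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return "", fmt.Errorf("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// luhnValid is the check-digit test every real PAN passes.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

var panLike = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// containsPAN is the scan an assessor runs over merchant-side storage (POS
// database, transaction logs, captured traffic): any 13-19 digit run that
// passes Luhn is cardholder data and pulls that system into PCI DSS scope.
func containsPAN(record string) bool {
	for _, m := range panLike.FindAllString(record, -1) {
		if luhnValid(m) {
			return true
		}
	}
	return false
}

// merchantRecord is all the merchant's POS stores for a sale under P2PE.
func merchantRecord(blob []byte) string {
	return "sale id=1001 amount=4.50 p2pe_blob=" + base64.StdEncoding.EncodeToString(blob)
}

func main() {
	blob, err := poiEncrypt(keyOnlyInDecryptionEnv, samplePAN)
	if err != nil {
		panic(err)
	}
	pan, err := decryptionEnvDecrypt(keyOnlyInDecryptionEnv, blob)
	fmt.Println("merchant record holds a PAN:", containsPAN(merchantRecord(blob)))
	fmt.Println("same sale without P2PE holds a PAN:", containsPAN("sale id=1001 card="+samplePAN))
	fmt.Println("decryption environment recovered:", pan, err)
}
```

Running it shows the merchant-side record failing the PAN scan while the same sale logged without P2PE passes it, and the decryption environment recovering the number. The scan is deliberately the simple form an assessor's discovery tooling uses; in practice you would run it over POS databases, application logs and packet captures from the store network, and any hit is a system back in scope.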
The Benefits of P2PE for Businesses
Implementing P2PE can provide numerous benefits for businesses, including:
1. Reduced Risk of Data Breaches and Fraud
P2PE significantly reduces the risk of data breaches and fraud because the card number is encrypted inside the POI device and the decryption key never exists on the merchant's network. An attacker who compromises the POS software, the store network, or the merchant's servers captures only ciphertext they cannot use, which closes off the memory-scraping and network-sniffing routes that card-stealing malware relies on. In effect, cleartext card data is removed from the merchant's network entirely, so there is nothing for the merchant to lose in a breach.
2. Reduced PCI DSS Compliance Assessments and Scope
Businesses that implement a listed P2PE solution can shrink their PCI DSS scope and simplify their annual assessment. Because the solution provider's validation already covers the encryption devices, applications, key management and decryption environment, an eligible merchant can typically complete the short P2PE Self-Assessment Questionnaire (SAQ P2PE), with fewer than 35 questions, instead of the more than 300 questions of a full assessment, reducing annual PCI effort and expense. Two conditions a practitioner should confirm: the reduction applies only to a solution on the PCI SSC's P2PE listing, used as described in its P2PE Instruction Manual (PIM), and only if the merchant stores no cardholder data electronically outside the solution; any channel that still touches cleartext card data, such as card-on-file billing, stays in scope.
3. Improved Customer Trust and Confidence
Businesses that implement a P2PE solution demonstrate a commitment to protecting their customers' data. Choosing a P2PE solution can help build trust and confidence with customers, who are increasingly concerned about the security of their personal and financial information.
Who does P2PE Benefit Most?
In reality, P2PE can benefit any business interested in securing its own payment card data and that of its customers. With that said, P2PE solutions are most relevant to businesses with large, complex networks that handle sensitive data, such as hospital wellness centers and universities. Many compliance and security teams within such organizations now require that all card transactions on their network go through a PCI-listed P2PE solution. When evaluating new solutions for these types of businesses, it is essential to look for vendors that can provide a proper PCI-validated P2PE solution. Businesses like hospital wellness centers are often far along in the purchase process, only to find that their desired solution is rejected by their compliance and/or security team because P2PE is not offered. This need in the industry led Jonas Fitness down the path to providing a P2PE solution with its flagship product, Compete Member Management Software.
Jonas Fitness’ Path to P2PE
We began our path toward offering a P2PE solution over six years ago when a potential client in the university space was interested in using our Compete Club Management Software solution. This university and its compliance team required that ALL credit card transactions on campus must utilize a PCI P2PE solution. So we looked into this new solution and found that the PCI P2PE standard addressed the needs of small merchants that only required real-time card-present purchase transactions. Think of a convenience store, a pizza shop, or an on-campus bookstore. And that’s great! We could quickly implement P2PE solutions for purchases like water bottles, snacks, classes, etc. But in our industry, we also need to process card-not-present transactions for things like monthly recurring dues. You see, P2PE was never designed for card-on-file purchases and was instead conceived as a card-present real-time purchase solution. So we hit a wall.
Additionally, without a P2PE solution for card-not-present transactions, our customers would still need to undergo the entire scope of PCI's 300-plus question assessment. So we had two necessities that our P2PE solution had to meet. First, it had to accommodate card-not-present transactions, and second, it had to provide the reduced scope that our clients desired.
We searched through many providers claiming to offer P2PE solutions, and along the way, we found many types of P2PE solutions that went by many different names, such as End-to-End Encryption (E2EE), TrueP2PE and even solutions that used the exact P2PE name. In reality, all of these solutions are what we consider “unlisted P2PE solutions”. Many of these solutions might have done right by our clients, but we wanted a solution that couldn’t do it wrong.
So, we approached WorldPay, and they agreed to work with us to design a solution that met this goal. Unfortunately, during the development of our P2PE solution, the world came to a halt as the 2020 pandemic hit. But we felt so strongly about the need for our P2PE solution that it remained a top product development project throughout a time when other companies were halting production on strategic initiatives. Jonas Fitness is excited to share that in the fall of 2021, we released the first phase of our P2PE solution. This first phase was designed to cover card present transactions. Later, in the fall of 2022, we released phase two, which we were told couldn’t be done. Our P2PE phase two rollout covers monthly recurring transactions and card-not-present data. With our two-phase rollout of our P2PE solution, we met our goal AND the requirements set by the PCI council.
In conclusion, PCI-validated Point-to-Point Encryption (P2PE) can be confusing, but it is an essential security solution for businesses that want to protect their customers' payment card data. By encrypting the data inside the point of sale device and keeping it encrypted until it reaches the payment processor, businesses can significantly reduce the risk of data breaches and fraud, streamline compliance during PCI DSS assessments, and improve customer trust and confidence.
And, while it can be a bit confusing to understand the intricacies involved with Point-to-Point Encryption solutions, with Jonas Fitness' PCI P2PE compliance mode enabled, your business can rest easy knowing that your customers' card data is protected for both card-present and card-not-present transactions.
If you’re interested in implementing a PCI P2PE solution in your business, give us a call to schedule a free security audit and consultation.