Menu

Security and P2PE

This topic gives you an overview of data security, namely Point-to-point Encryption (P2PE) and tokenisation. It also gives some advice to merchants who feel they are are not ready for full P2PE.

P2PE (Point to Point Encryption)

The Integrated POS service is a validated Payment Card Industry Point-to-Point Encryption (PCI - P2PE) solution. It is approved and listed by the Payment Card Industry Security Standards Council (PCI SSC).

PCI P2PE is the benchmark standard for the encryption of payment card data. It covers the entire data journey that starts at the payment terminal or Point Of Interaction (POI) device. The payment card data is secure all the way to the its decryption within Worldpay’s secure environment. We use industry standard cryptographic algorithms to accomplish this task.

The PCI P2PE standard focuses on three main areas:

  • Secure management of encryption and decryption devices and to ensure chains of custody
  • Secure management of cryptographic keys and processes
  • Secure design, build and management of all the applications that run on the devices

Benefits

Because PCI meets the above standards, there are several significant benefits to you:

The network: With a PCI P2PE validated solution implemented, the network is deemed out of scope for PCI DSS. This means many of the payment card data protection issues vanish, as payment data within a PCI P2PE solution is encrypted and protected.

The PCI DSS validation process: PCI DSS validation is simple for a merchant who has implemented a PCI P2PE validated solution. Because the solution is secure, your validation steps are reduced to the following:

  • Ensure that the solution is implemented properly
  • Complete a self assessment questionnaire that focuses mainly on paper receipts and basic security procedures
  • Do a "clean up" of your legacy data. This ensures that no legacy data is left stored (intentionally or otherwise) on the older payment systems

General advice

To implement P2PE in your environment follow the instructions in the Worldpay PIM (P2PE Implementation Manual).

You can find details of Worldpay’s P2PE listing under Point to Point Encryption Solutions on thePCI SSC website

For more information on P2PE contact your Worldpay Relationship Manager (RM) or contact Worldpay Customer Support.

Tokenisation

You can use tokenization in tandem with P2PE to effectively create an integrated solution that protects data both in transit and at rest.

Worldpay’s Tokenisation service replaces the cardholder’s primary account number (PAN) with a randomly generated proxy alphanumeric number (or token) that is impossible to mathematically reverse. We use this token for long-term storage or as a transaction identifier.

Tokenization is ideal for recurring payments, such as subscriptions or payment by installment. This is because the card number is only on your network “in flight” during the initial transaction. We can use P2PE to encrypt and protect this initial transaction itself. Beyond that, you can use the token that represents the original card for subsequent payments or returns, for example, click and collect. Another idea is to use the token to track customer transactions for your marketing purposes.

IPC supports the use of tokens Sale and Refund transactions - for both Direct and Mobile SDK integration methods. For more details on the Worldpay Tokenisation service see theTokenisationtopic.

Not ready for P2PE?

At Worldpay we recognise that some merchants are not able or ready to implement the procedures and processes detailed in the P2PE Implementation Manual.

Even though you might not be ready for the full P2PE service, you should consider our Integrated POS service. This service covers the entire data journey that starts at the payment terminal or Point Of Interaction (POI) device. The payment card data is secure all the way to its decryption within Worldpay’s secure environment.

This high security prevents criminals from accessing card data at the point of sale (POS). It also prevents unauthorised interception of cardholder data-in-motion from the payment terminal to Worldpay’s secure environment.