E2EE vs P2PE (I22c)
Encrypting cardholder data flowing through an entity’s network is one of the most common ways merchants try to reduce or eliminate the burden of becoming PCI compliant. Using encryption to reduce PCI scope is also one of the things most merchants get wrong. They deploy approved PTS devices to capture credit cards, check (or assume) that the device encrypts the card data before transmitting it to their payment processor, and believe this “end-to-end encryption” (E2EE) setup is all they need to keep the applicable PCI requirements to a minimum. However, encrypted cardholder data is still cardholder data, and the systems that handle it may be in scope for PCI assessment! Well-implemented E2EE can certainly help protect cardholder data, but it cannot reduce the burden of PCI compliance nearly as much as a properly validated Point-to-Point Encryption (P2PE) solution can. In this talk, we will discuss the differences between E2EE and P2PE, the challenges of having to demonstrate and assess E2EE, and the ways P2PE makes things much simpler.