Data Security & Data Communication
Point-to-Point Encryption (P2PE) is a special case of application-level encryption in which encryption is applied selectively within a business application, in this case a retail point-of-sale (POS) terminal. If the point-to-point encryption process is implemented correctly, with account data encrypted within an approved secure cryptographic device (SCD) such as a POS terminal and never decrypted within the merchant environment, the merchant can potentially be taken almost completely out of scope for PCI DSS. Strict controls over the protection of, and access to, decryption keys must be in place; in fact, the current guidance requires hardware security modules (HSMs) with an appropriate security rating to protect access to those keys. Acquirers and other players in the payments chain have already begun to market value-added services that use P2PE to reduce compliance costs for their merchants. From a PCI DSS perspective, any system that is capable of decrypting account data comes into scope immediately, so the ability to insulate merchants by keeping keys within HSMs can bring significant benefits to all concerned.
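The scope boundary described above can be made concrete in code. The following is an added example written for this page, not Thales product code: a terminal stand-in encrypts the PAN, a merchant function handles only the resulting envelope (masked PAN plus ciphertext, no key), and a decryption-service stand-in recovers the PAN or rejects an altered envelope. The key, the test PAN and the masking format are constructed for the example; a real P2PE solution would derive keys inside the SCD under a key-management scheme such as DUKPT and perform decryption inside a certified HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Envelope is what leaves the terminal and crosses the merchant network:
// AES-GCM ciphertext, its nonce, and a masked PAN for receipts. It carries
// no key material, so nothing in the merchant environment can recover the PAN.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // includes the GCM authentication tag
	MaskedPAN  string // first six and last four digits only
}

// Terminal stands in for the secure cryptographic device (SCD) at the point
// of sale; DecryptionService stands in for the HSM at the acquirer/processor.
// These are the only two places the data-encryption key exists.
type Terminal struct{ aead cipher.AEAD }
type DecryptionService struct{ aead cipher.AEAD }

// NewP2PEPair provisions both ends with the same key. The key is a constructed
// input for this example; a real deployment injects it under a key-management
// scheme (e.g. DUKPT) and never exposes it to merchant software.
func NewP2PEPair(key []byte) (*Terminal, *DecryptionService, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	return &Terminal{aead: aead}, &DecryptionService{aead: aead}, nil
}

// maskPAN keeps the first six and last four digits, a common display format
// for receipts and screens (constructed for this example).
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// EncryptAccountData runs inside the SCD: the clear PAN exists only here.
func (t *Terminal) EncryptAccountData(pan string) (Envelope, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := t.aead.Seal(nil, nonce, []byte(pan), nil)
	return Envelope{Nonce: nonce, Ciphertext: ct, MaskedPAN: maskPAN(pan)}, nil
}

// MerchantReceiptLine is the merchant back office's entire interaction with
// the data: use the masked PAN, forward the ciphertext untouched.
func MerchantReceiptLine(env Envelope) string {
	return fmt.Sprintf("CARD %s (%d ciphertext bytes forwarded)", env.MaskedPAN, len(env.Ciphertext))
}

// Decrypt runs inside the HSM. A modified envelope fails GCM authentication
// instead of yielding a corrupted PAN.
func (d *DecryptionService) Decrypt(env Envelope) (string, error) {
	pt, err := d.aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return "", errors.New("p2pe: authentication failed (envelope altered or wrong key)")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed: a random 256-bit key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	term, hsm, err := NewP2PEPair(key)
	if err != nil {
		panic(err)
	}
	env, err := term.EncryptAccountData("4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println(MerchantReceiptLine(env))
	pan, err := hsm.Decrypt(env)
	fmt.Println("HSM recovered:", pan, err)
	env.Ciphertext[0] ^= 0x01 // simulate an altered message in transit
	_, err = hsm.Decrypt(env)
	fmt.Println("altered envelope:", err)
}
```

The point to notice is that `MerchantReceiptLine` has no path to the clear PAN: the only type it receives holds ciphertext, a nonce and a masked value. That structural absence of key material, rather than a policy statement, is what supports the scope-reduction argument, and the authenticated mode means an altered envelope is rejected at the HSM rather than decrypting to garbage.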
Point-to-Point Encryption: Today’s Challenge
Point-to-Point Encryption: Thales e-Security Solutions
Products and services from Thales e-Security can not only help you implement measures to become PCI DSS compliant effectively and efficiently, but they can also play an essential role in a P2PE strategy to reduce the scope and therefore the cost of compliance. nShield and payShield HSMs are independently certified to the FIPS 140-2 level 3 standard that is mandated by the P2PE guidelines. nShield and payShield HSMs create a trusted environment in which key material can be safely generated, stored and managed, and where decryption operations can be performed securely. The use of HSMs in this way is directly analogous to the way HSMs are used to protect user PINs as they pass through the payments network. In both cases HSMs overcome the inherent weaknesses of purely software-based systems that could expose cryptographic keys and processes to memory scanning attacks, runtime monitoring or malicious privileged users.
Whether you choose to encrypt and decrypt account data using your own in-house developed software or using third-party commercial applications, nShield and payShield HSMs are easy to deploy and can support innovative technologies such as Format Preserving Encryption (FPE) to minimize impact on existing business processes. These devices are already certified to integrate directly with products from our industry partners and leading POS manufacturers, assuring you of fast deployments and seamless integration with your existing systems.
By using Thales HSMs you can:
With more security-sensitive applications depending on the enterprise PKI to deliver identification credentials to individuals and devices, the security of underpinning private keys is essential.
Thales self-managed PKI offerings combine technical expertise in the design and implementation of organizational PKIs with the security hardware necessary to provide a robust root of trust for the system.
How Thales Helps Airlines Protect the Integrity and Authenticity of Electronic Boarding Passes
The integrity and authenticity of an electronic boarding pass are validated by checking the digital signature of the barcode it carries. A digitally signed barcode protects against forgery and enables validation at check-in.
Carriers use private signing keys to sign barcodes and issue associated public certificates from a public key infrastructure (PKI) for their validation. The degree to which carriers can trust their PKI depends on the protection afforded to the root and issuing CA private signing keys. The private signing keys underpin the security of the entire system, and properly safeguarding and managing them is essential.
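To show the signing and validation split described in the two paragraphs above, here is an added example (written for this page, not Thales or any carrier's code): a carrier stand-in signs the SHA-256 digest of a barcode payload with an ECDSA P-256 key, and a gate-side validator holding only the public key accepts the genuine pass and rejects one whose seat field was edited after signing. The payload is a constructed string in the spirit of a boarding-pass barcode; the field layout, the key and the names are assumptions for illustration, and in production the private key would be generated and kept inside an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Carrier holds the barcode signing key. In a real deployment this private
// key lives in an HSM; only the certificate (public key) is distributed.
type Carrier struct{ priv *ecdsa.PrivateKey }

// Validator is the check-in or gate system: it holds the carrier's public
// key from the certificate and never sees the private key.
type Validator struct{ pub *ecdsa.PublicKey }

// NewCarrier generates a P-256 signing key (constructed here for the demo).
func NewCarrier() (*Carrier, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Carrier{priv: priv}, nil
}

// PublicKey is what the carrier would publish in its certificate.
func (c *Carrier) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// SignBarcode signs the SHA-256 digest of the barcode payload with ECDSA;
// the ASN.1-encoded signature travels inside the barcode with the payload.
func (c *Carrier) SignBarcode(payload string) ([]byte, error) {
	digest := sha256.Sum256([]byte(payload))
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Verify recomputes the digest and checks the signature. Any change to the
// payload, or a signature made under another key, fails verification.
func (v *Validator) Verify(payload string, sig []byte) bool {
	digest := sha256.Sum256([]byte(payload))
	return ecdsa.VerifyASN1(v.pub, digest[:], sig)
}

func main() {
	carrier, err := NewCarrier()
	if err != nil {
		panic(err)
	}
	gate := &Validator{pub: carrier.PublicKey()}

	// Constructed payload; the layout only loosely mirrors a boarding-pass barcode.
	pass := "M1DOE/JANE            EABC123 LHRJFKXX 0117 123Y012A0001 100"
	sig, err := carrier.SignBarcode(pass)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine pass accepted:", gate.Verify(pass, sig))

	forged := strings.Replace(pass, "012A", "001A", 1) // seat edited after signing
	fmt.Println("altered pass accepted:", gate.Verify(forged, sig))
}
```

The validator's trust rests entirely on having the right public key; if the private key behind it were exposed, every barcode it ever signed or will sign becomes forgeable, which is why the text above ties the whole system's security to protecting the root and issuing CA private keys.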