Cybersecurity Insights

Kirsty Trainer

The payment industry is stepping up the fight against fraud with P2PE

26/09/18 13:38

P2PE (Point-to-Point Encryption) is a standard that is quickly becoming the preferred way for acquirers and merchants to secure customer cardholder data. The industry is ramping up P2PE efforts to combat fraud. The number of payment card P2PE systems that meet the new industry standard has passed 200 for the first time, highlighting the growing worldwide emphasis on security.

Figures from the Payment Card Industry Security Standards Council (PCI SSC) reveal that 202 systems worldwide have now been certified under the P2PE standard, which was introduced in 2011. Of the 202 systems, we at Foregenix have validated 47% of projects globally – more than any other Qualified Security Assessor.

While most P2PE solutions originate from North American or multinational companies, the figures suggest that other countries are developing their own solutions. Altech Card Solutions recently became the first South African payment processor to achieve validation, with Foregenix taking the company through the process, which was completed in just seven months.

According to the South African Banking Risk Information Centre, credit card fraud in the country reached US $28.6m in 2016, up by 13% on the previous year.

Paolo Basilio, our head of P2PE said: “Altech’s success in gaining approval is another landmark for the global payment industry. It shows that South African organisations are starting to produce their own world-class solutions to protect merchants and buyers against an increasingly hostile threat landscape.”

The figures show Foregenix was the leading Qualified Security Assessor in each, responsible for validating 95 of the 202 products approved.

Andrew Henwood, CEO adds: “The Foregenix team has been involved with the payment card industry standards since their inception. It is satisfying to be playing our part in championing the P2PE standard and fighting back against the rising tide of data theft and fraud. Our specialists are among the leading authorities in their field, and their expertise helps clients to minimise the time and effort required to achieve validation.”

PCI P2PE is a standard that defines the benchmark for the encryption of payment card data from the point of interaction (the Chip and PIN device or contactless reader, otherwise known as the PIN Encrypting Device) to the decryption of that data within a secure environment (generally within the payment processor or acquiring bank), using industry-standard cryptographic algorithms.

PCI P2PE is a somewhat detailed standard, requiring a considerable number of controls to be in place to ensure the resulting solution protects payment card data appropriately. Achieving compliance is not all that difficult, however, as most entities have been applying the same practices to protect cardholder PINs for many years. In simple terms, the focus is mainly on the following three areas:

  1. Managing encryption and decryption devices securely and ensuring chains of custody.
  2. Managing cryptographic keys and processes securely.
  3. Building and managing all the applications that run on the devices securely.
