Point-to-Point Encryption (P2PE) is a standard developed by the Payment Card Industry (PCI). The purpose of this standard is to protect the transmission of payment messages from payment terminals to the acquirer networks against data breaches. By default, Adyen protects such transmissions using the Adyen End-to-End Encryption (E2EE) solution.
When implementing a point-of-sale integration with Adyen, you have the option to use either E2EE or P2PE. Here we compare the two, to help you make a choice.
Adyen's E2EE solution
Compared to other acquirers, Adyen is unique because we cover the whole payments value chain. We manage the entire payment flow from payment terminal to final settlement. As a result, the way we protect payment messages is an end-to-end solution by nature. We encrypt the payment message on the payment terminal, and decrypt it on our payment platform when we send it for authorization to the issuing bank. This prevents anyone in the middle from gaining access to sensitive data in the payment messages, such as cardholder data.
The following diagrams show the exchange of payment messages in the traditional payments value chain, and in Adyen's payments value chain.
By default, the payment terminals provided by Adyen are all PTS-approved Point-of-Interaction (POI) devices using E2EE to protect the payment messages.
Adyen's P2PE solution
As an alternative to E2EE, you can opt-in to use our P2PE solution. This solution includes:
- PCI-approved P2PE payment solution.
- Encryption of the PAN (Personal Account Number) and the track data (for authenticating the cardholder and/or authorizing card transactions) in the payment message.
- Compliance with the P2PE Instruction Manual (PIM).
The separate encryption of the PAN and track data adds an extra encryption layer. Compliance with the PIM means that both Adyen and you need to implement various operational measures, to meet logistical, monitoring, and other requirements. For example, store staff will need to inspect the terminals regularly and keep an audit trail of these inspections.
Comparing Adyen P2PE and E2EE
Let's have a look at the support, compliance, security, and quality aspects of the two encryption solutions.
- P2PE: PCI-approved for the e280, e285, M400, P400 Plus, V240m, V400c Plus, V400m, and UX-series terminal models.
- E2EE: all terminal models that we provide.
- P2PE: it is claimed that using P2PE reduces the scope of your PCI DSS assessment. In the traditional payments value chain, this is true. Without P2PE you would need to complete the Self-Assessment Questionnaire D (SAQ D). This is the most demanding form of self-certification with the full set of over 200 requirements. But with P2PE, you only have to complete the SAQ P2PE, which has 33 requirements.
- E2EE: considering that Adyen has control over the whole payments value chain, P2PE does not necessarily reduce the scope of your PCI DSS assessment. Adyen's default point-of-sale integration is designed to reduce your PCI DSS scope as much as possible. You only have to complete the SAQ B-IP, which is a relatively easy questionnaire with a limited number of requirements.
Compared to Adyen's E2EE solution, using P2PE will result in an increased operational effort because with P2PE you need to comply with both the SAQ P2PE and the PIM.
- P2PE: because cardholder data such as the full PAN and the track data is encrypted separately, malicious actors will not be able to access this data.
E2EE: the same is true for Adyen's E2EE solution. This encrypts the complete payment message, including all cardholder data.
With many E2EE solutions there's an increased risk of fraud or hacking, because there are other systems between the point of interaction (POI) and the point of processing. With Adyen's E2EE solution, the cardholder data is transferred directly from the POI to the point of processing, with nothing in between.
Because we manage the whole payments value chain and encrypt the complete payment message, the default Adyen E2EE solution and the P2PE solution are equally secure.
- P2PE: an independent organization validates the security of the solution.
- E2EE: E2EE is secure, but does not have an official PCI P2PE-validated 'stamp'.
Ultimately, it's up to you to decide which option works best for you: Adyen E2EE or P2PE. Keep in mind that our default E2EE solution already is an end-to-end solution. With our P2PE solution there's a tradeoff between the added value of external validation of the solution, and increased operational effort.