What is Cryptography?
Cryptography in the data security sense is the use of mechanisms to transform data to a state that is indecipherable unless appropriate keys are used to decipher the contents. We have spoken about symmetric and asymmetric cryptography on this blog before, but today we will tackle cryptographic keys and key management from the perspective of Point-to-Point Encryption (P2PE) and End-to-End Encryption (E2EE) solutions.
General Encrypted Data
Data is often encrypted while at rest or in transit within a production environment; this may be done at the transmission layer (for example TLS or SSL) or at the data layer (for example AES-256 or 3-DES). The issue with an in-house encryption scheme is that every component needed to decrypt, including the keys, is present within the same system. If that system is compromised, an actor may leverage the cryptographic key stores or force specific insecure transmission-layer configurations to harvest data within the network. A system with a backend decryption environment of its own is susceptible to this type of attack and is therefore not considered P2PE, as all components needed to decrypt the data entered or stored are available within the system.
Point to Point Encryption
A point-to-point encryption solution works in such a way that the entity, such as a merchant, using the P2PE solution does not have access to the decryption keys or decryption environment. Typically keys are held by the service provider of the P2PE solution or the processor for decryption when a transaction is sent. In this way, the entity can benefit from a reduced PCI DSS scope, including descoping of network and system components handling the messaging and routing of the encrypted Account Data throughout the merchant environment.
Encryption keys for the P2PE solution are injected at a KIF (Key Injection Facility) or remotely injected into the POI device without the entity ever having knowledge of the key. This ignorance of the key is paramount to the solution: however corrupt or compromised the merchant’s systems may become, the original keys will not be exposed in any manner. The key itself is typically stored within the POI device; this tamper-resistant hardware holds the data-encrypting key, which may only be used when the payment application accepts cardholder data. There are also deployments of “Hybrid” decryption environments with slightly different arrangements. Appropriate policies, procedures, and processes are in place to ensure that data-encrypting keys are protected both from malicious use and from the entity leveraging the solution.
These P2PE encryption solutions may be merchant managed (MMS) where the merchant is deploying a specific solution and encryption to achieve PCI-P2PE scope reduction. This deployment may be a higher level of effort as the merchant must fulfill and prove that the solution is deployed as appropriate with the Product Implementation Guide with additional information provided by a P-ROV (P2PE Report of Validation). Additional information may be found on the MMS FAQs of the PCI Council website.
End to End Encryption
Unlike validated P2PE solutions, E2EE does not have a defined standard; architectures and implementations can vary by vendor and solution. E2EE can work similarly to P2PE, but the required P2PE controls may not be in place or validated. In addition, the endpoints where encryption takes place are undefined. E2EE mechanisms may transmit data to a processing server for encryption and likewise to a decryption server within the merchant environment for decryption. These technical variances can significantly broaden the PCI DSS scope of a merchant using an E2EE solution, as the merchant is now in control of cryptographic keys and is subject to all controls related to key management, including generation of keys, rotation, and their security. Some elements of the encryption/decryption process may exist inside the merchant environment, causing increased scope.
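The scoping difference described in the "General Encrypted Data", "Point to Point Encryption" and "End to End Encryption" sections comes down to where the data-encrypting key lives. The following Go program is an added simulation written for this article, not code from the post or from any P2PE vendor: a hypothetical KIF generates an AES-256 key and hands it only to a simulated POI device and to the provider's decryption environment; the merchant environment routes ciphertext but holds no key, so nothing present inside it can recover account data. The same environment with the key in its own key store (the in-house or E2EE-style case) can. All type and function names, and the sample card number, are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical simulation of the key-custody split between a P2PE deployment
// and an in-house or E2EE scheme. None of these types model a real KIF, POI
// or processor API.

// KeyInjectionFacility stands in for the KIF: it generates the data-encrypting
// key (DEK) and delivers it only to the POI device and to the solution
// provider's decryption environment, never to the merchant's systems.
type KeyInjectionFacility struct{}

func (KeyInjectionFacility) GenerateDEK() ([]byte, error) {
	key := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// POIDevice models the tamper-resistant terminal holding the injected DEK.
// The key is only ever used inside EncryptAccountData and is never exported.
type POIDevice struct{ dek []byte }

func InjectPOI(dek []byte) *POIDevice {
	return &POIDevice{dek: append([]byte(nil), dek...)}
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAccountData seals account data with AES-256-GCM and returns
// nonce||ciphertext||tag, which is all the merchant network ever sees.
func (d *POIDevice) EncryptAccountData(accountData string) ([]byte, error) {
	aead, err := gcm(d.dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(accountData), nil), nil
}

// DecryptAccountData is what a decryption environment (the provider's, or in
// an in-house/E2EE scheme the merchant's own) does with a routed message.
func DecryptAccountData(dek, msg []byte) (string, error) {
	aead, err := gcm(dek)
	if err != nil {
		return "", err
	}
	if len(msg) < aead.NonceSize() {
		return "", errors.New("message too short")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MerchantEnvironment holds everything the merchant's own systems contain.
// Under P2PE the KeyStore is empty; under an in-house or E2EE scheme it
// holds the DEK.
type MerchantEnvironment struct {
	KeyStore map[string][]byte
	Routed   [][]byte // encrypted account data passing through the network
}

func (m *MerchantEnvironment) Route(msg []byte) { m.Routed = append(m.Routed, msg) }

// CanDecrypt answers the scoping question from the text: is material present
// inside the merchant environment sufficient to recover account data? A full
// compromise of that environment can do no more than this function does.
func (m *MerchantEnvironment) CanDecrypt(msg []byte) bool {
	for _, k := range m.KeyStore {
		if _, err := DecryptAccountData(k, msg); err == nil {
			return true
		}
	}
	return false
}

// ScopeComparison runs both deployments on the same constructed sample and
// reports whether each merchant environment could decrypt, plus the plaintext
// recovered by the provider's decryption environment.
func ScopeComparison() (p2peMerchant, inHouseMerchant bool, providerPlaintext string, err error) {
	const sample = "4111111111111111" // constructed test PAN, not real account data

	dek, err := KeyInjectionFacility{}.GenerateDEK()
	if err != nil {
		return
	}
	msg, err := InjectPOI(dek).EncryptAccountData(sample)
	if err != nil {
		return
	}

	// P2PE: the merchant routes ciphertext only; the DEK was never given to it.
	p2pe := &MerchantEnvironment{KeyStore: map[string][]byte{}}
	p2pe.Route(msg)
	p2peMerchant = p2pe.CanDecrypt(msg)

	// In-house / E2EE-style: the same DEK lives in the merchant's key store.
	inHouse := &MerchantEnvironment{KeyStore: map[string][]byte{"dek": dek}}
	inHouse.Route(msg)
	inHouseMerchant = inHouse.CanDecrypt(msg)

	providerPlaintext, err = DecryptAccountData(dek, msg)
	return
}

func main() {
	p2pe, inHouse, pt, err := ScopeComparison()
	if err != nil {
		panic(err)
	}
	fmt.Printf("P2PE merchant environment can decrypt: %v\n", p2pe)
	fmt.Printf("In-house merchant environment can decrypt: %v\n", inHouse)
	fmt.Printf("Provider decryption environment recovers: %s\n", pt)
}
```

The only difference between the two merchant environments is the contents of `KeyStore`; the ciphertext on the network is identical. That is the property a QSA is checking when descoping network and system components under P2PE, and the property that is lost when an E2EE solution places a decryption server or key material inside the merchant environment.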
Conclusion
Validated Point-to-Point Encryption (P2PE) solutions that utilize compliant Point of Interaction (POI) devices provide the most effective way to minimize PCI DSS scope. These solutions are formally recognized and validated by the PCI Security Standards Council, ensuring compliance and reducing the associated security burdens. On the other hand, Non-standard Encryption Solution Assessments (NESA) or End-to-End Encryption (E2EE) implementations often require additional testing, validation, or acceptance of risk by the processor, as these systems are not validated against the PCI SSC P2PE standard. By choosing validated P2PE solutions, organizations can streamline compliance efforts, reduce risk, and adhere to industry standards more efficiently.
Looking for a knowledgeable and trusted partner for your cybersecurity and compliance efforts? We’re Here To Help!
We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!