Origins and the need for P2PE solutions in the retail industry
Challenges of traditional payment systems
The modern retail industry faces unprecedented challenges related to payment data security. Traditional payment systems, in which cardholder data was transmitted and processed in an unencrypted form through the store’s infrastructure, posed significant security risks. Payment card data, passing through various system components – from the POS terminal through the store’s network to the payment processor – was exposed to interception at every point along this path.
This problem is particularly important in the context of the growing number of attacks on payment systems. According to the data, the retail industry experienced 629 incidents in 2022, of which 241 were confirmed as data breaches. The main motive for these attacks was precisely to obtain customer data for financial purposes.
Cases of payment data security breaches
The history of the retail industry provides two particularly telling examples that show the consequences of the lack of appropriate P2PE-type security measures.
The attack on Target (2013) is one of the most spectacular cases of data security breaches in retail history. Between November and December 2013, hackers gained access to 40 million credit and debit card numbers and the personal data of 70 million customers. The attackers exploited weak security at the HVAC systems provider (Fazio Mechanical Services) to gain access to Target’s network. A key element of the attack was the installation of malware on POS terminals, which captured data from system memory during transaction processing.
The Home Depot security breach (2014) occurred between April and September 2014 and affected 56 million payment cards and 53 million e-mail addresses. As with Target, the attackers used compromised login credentials from an external supplier to gain access to the corporate network. They then installed specialised malware on more than 7,500 POS terminals, which collected payment card data directly from system memory.
The key issue in both cases was that payment card data was available in unencrypted form in the POS terminals’ memory. A P2PE solution could have effectively prevented these attacks, as the data would have been encrypted at the moment of card reading, making it useless to malware operating in system memory.
These cases led to significant changes in the industry’s approach to payment security and accelerated the adoption of P2PE technology as an industry standard.
What P2PE is and how it differs from traditional solutions and E2EE
Definition and operating principles of P2PE
Point-to-Point Encryption (P2PE) is an encryption standard established by the PCI Security Standards Council, which protects cardholder data from the moment it is captured at the payment terminal to the secure decryption point. Unlike traditional solutions, where data may be temporarily available in unencrypted form, P2PE ensures that card information remains unreadable throughout the transaction process.
Comparison of payment solutions
| Aspect | Traditional solution | E2EE (End-to-End Encryption) | P2PE (Point-to-Point Encryption) |
|---|---|---|---|
| Encryption point | None or late encryption | Encryption at terminal | Encryption at PCI-certified terminal |
| Validation | No external validation | Self-assessment | Independent validation by QSA (P2PE) |
| Key management | Basic | Various standards, not always disclosed | Rigorous PCI requirements described in the standard |
| PCI DSS compliance | Full scope | Potentially limited scope reduction | Significant scope reduction |
| Security | Low–medium | Medium–high | Very high |
Advantages and disadvantages of each solution
Traditional solutions:
- Advantages: Low implementation cost, ease of implementation, flexibility in choosing suppliers
- Disadvantages: High security risk, full PCI DSS compliance scope, vulnerability to memory scraping attacks, no guarantee of end-to-end encryption, increased cost of security audits
E2EE (End-to-End Encryption):
- Advantages: Encryption of data at the terminal, some risk reduction, greater flexibility than P2PE
- Disadvantages: No external validation (self-assessment), inconsistent security standards, false sense of security – no one can verify the actual level of protection, potential implementation gaps, limited compliance benefits
P2PE (Point-to-Point Encryption):
- Advantages: Highest level of security, independent validation, significant PCI DSS scope reduction
- Disadvantages: Higher cost per terminal (average 5–15 PLN per month per terminal), limited flexibility, limited multi-acquiring in the Polish market, vendor lock-in, managed and controlled change environment – all modifications must go through the certification process
The key difference is that P2PE, as a closed and fully managed solution, ensures control over every change in the system. Implementing any modifications is carried out in a managed and controlled manner, making the solution much more secure than E2EE.
In the case of E2EE, the solution provider conducts a self-assessment, which means that there is no external verification of security and, in fact, it is unknown what protective measures have been adopted. This can lead to a false sense of security, where theoretically the data is encrypted, but the actual implementation may contain security gaps that no one has verified. On the other hand, P2PE solutions undergo regular, independent audits conducted by specialised assessors (P2PE QSA), which guarantees a real level of protection.
P2PE solution components
Structure of a P2PE solution
According to PCI P2PE Program Guide v3.2, a complete P2PE ecosystem consists of three key elements:
P2PE Solution is a complete, PCI-validated set of devices, applications, and processes that encrypts cardholder data from a PCI-certified POI (Point of Interaction) terminal to a secure decryption environment. The solution may be provided by a single provider or consist of validated components from different providers.
P2PE Component is a validated service that meets specific P2PE requirements as part of a larger solution. The P2PE v3.2 standard introduced the ability to certify individual components, significantly increasing market flexibility.
P2PE Application is specialised software running on PCI-certified POI terminals that has access to unencrypted data solely for the purpose of immediate encryption.
Types of P2PE components
The PCI P2PE v3.2 standard defines several types of components, each with specific functions:
- Encryption Management Entity Component – manages encryption processes
- Decryption Management Entity Component – responsible for secure decryption
- Key Injection Facility (KIF) – facility for secure cryptographic key loading
- Certificate Authority/Registration Authority – for remote key injection processes
New opportunities for payment solution providers
- Revolution in payment application certification: The P2PE standard opens new possibilities for POS software providers and integrators. A POS application provider can now obtain certification solely for their P2PE application (P2PE Application) without having to certify the entire solution. This means that a software vendor can focus on their specialisation – the application – while the terminal and decryption processes are provided by other certified suppliers.
- Modularity and specialisation: This modularity allows the creation of specialised solutions where each provider can focus on their core competency. For example, a company specialising in POS systems can certify its P2PE application, working with a certified terminal and decryption service provider.
- Benefits for integrators: A POS integrator can use a certified P2PE application to build a complete merchant solution, greatly simplifying the compliance process and increasing the security of the systems offered.
P2PE benefits from the merchant’s perspective
P2PE solutions are designed primarily for the retail sector and offer a range of benefits:
- Significant PCI DSS scope reduction: The greatest benefit for merchants is the drastic reduction of the PCI DSS compliance scope. P2PE solutions can reduce the number of questions in self-assessment from 329 to just 33, a reduction of around 90%. This translates into significant time and cost savings associated with compliance assessment processes.
- Protection against memory scraping attacks: P2PE protects against the most common methods of attacking POS systems, which involve capturing data from system memory during transaction processing. Even if malware enters the merchant’s system, the encrypted data remains useless.
- Reduction of security costs: Companies using certified P2PE solutions can achieve measurable savings related to lower costs of securing transactions and maintaining compliance with PCI DSS.
Key considerations before choosing a P2PE solution provider
Choosing a Point-to-Point Encryption (P2PE) solution provider is a decision that directly impacts the security of cardholder data and the organisation’s compliance with PCI standards. Before signing an agreement, it is worth carefully analysing not only the functional and cost offer but also the provider’s experience in P2PE certification, the stability of its solutions, and the technical support model. Key elements to consider are outlined below:
- Verification of PCI P2PE certification: The merchant should always check whether the solution is listed on the official PCI SSC website (https://listings.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions). Only solutions listed there guarantee real compliance and security benefits.
- Evaluation of the P2PE Instruction Manual (PIM): Every certified P2PE solution must have a PIM – a document containing detailed instructions for merchants regarding the secure installation, operation, and monitoring of devices. The merchant should familiarise themselves with this document before making a decision.
- Technical support analysis: It is important to check the availability of 24/7 support, the ability to quickly replace devices, and incident response procedures. The P2PE provider should offer comprehensive technical support.
- Compatibility with existing infrastructure: The merchant must ensure that the P2PE solution will be compatible with their current POS system, business processes, and the requirements of different card types (payment, fleet, local).
Self-verification of a P2PE solution
A merchant can independently verify the validity of a P2PE solution by:
- Checking the PCI SSC listing: The official site contains all validated solutions with reference numbers
- Verifying expiry dates: Each solution has a defined validity period and requires annual revalidation
- Confirming the P2PE QSA: Checking whether the solution has been assessed by an accredited assessor
- Analysing the scope of certification: Ensuring that the certification covers all used terminals and applications
P2PE solutions in the Polish market – analysis and comparison
eService – leader of the Polish P2PE market
eService, as the first acquirer in Poland, obtained P2PE certification as early as March 2021. After re-certification in September 2024, the company can boast the largest portfolio of certified P2PE devices in Poland – 35 terminal models:
- 26 Ingenico terminal models
- 1 Verifone terminal model
- 8 PAX terminal models
Exorigo-Upos
Exorigo-Upos holds a P2PE Solution certificate for the “Eurokarta P2PE Solution” obtained in December 2023. It offers a solution compatible with 9 Ingenico terminal models.
Polskie ePłatności
Polskie ePłatności obtained “PeP P2PE Solution” certification in July 2025, completing the project in a record-short time, making it one of the fastest P2PE deployments in Poland. As an acquirer and the second-largest payment service provider in the country by the number of terminals, PeP has strengthened its market position by offering customers a solution that meets the highest PCI security standards. The system works with Ingenico terminals and supports 7 different device models, allowing wide applicability across various business environments.
Elavon also offers a P2PE solution on the Polish market. However, since this solution is not developed locally in Poland, it has not been included in this overview. We appreciate Elavon’s presence in the market and their contribution to advancing payment security solutions.
Comparison with global solutions
- Worldpay Total P2PE is one of the most recognised global solutions, holding 42% of the UK market. The company offers an omnichannel solution with a wide range of terminals and payment applications.
- Fiserv Clover represents the American approach to P2PE, focusing on integration with POS systems and broad business functionality. The solution is particularly popular among small and medium-sized enterprises.
- Ingenico as a terminal manufacturer works with many P2PE solution providers worldwide, including all Polish providers.
Technological capabilities analysis – limitations of the Polish market vs global opportunities
Comparing Polish providers with global competitors reveals certain limitations as well as opportunities for improvement in the Polish payment solutions space:
- No implementation of Remote Key Injection (RKI) – RKI has become something of a de facto standard, allowing cryptographic keys to be loaded remotely and securely without transporting devices to the solution provider’s premises. Analysis shows that no solution offered on the Polish market supports RKI.
- Limited multi-acquiring – Polish solutions usually work with a single acquirer. Apart from EuroKarta, which can handle multiple acquirers, both eService and PeP offer single-acquirer solutions, which is understandable since they are themselves acquirers.
- Limited support for fleet, gift, or membership cards compared to global solutions.
Main PCI P2PE standard requirements
Five main areas of cryptographic key management
- Secure key generation – The P2PE standard requires that all cryptographic keys be generated in certified Hardware Security Modules (HSMs) meeting FIPS 140-2 Level 3 or higher, or holding PCI HSM certification. Keys must be generated using approved cryptographic algorithms and sufficient entropy.
- Key lifecycle management – Each key must have a defined lifecycle covering generation, distribution, usage, archiving, and secure destruction. The standard requires the implementation of key rotation procedures and mechanisms for monitoring and logging all key operations.
- Implementation of dual control – Critical operations on cryptographic keys must require authorisation from at least two authorised persons. This means that no single person can have full access to cryptographic keys or perform critical operations without oversight.
- Secure storage in HSM – All keys must be stored in certified HSMs, providing protection against physical and logical compromise. The HSM must be configured in accordance with PCI requirements and be subject to regular security audits, and its Local Master Key (LMK) must provide at least 128 bits of security.
- Access control and segregation of duties (split knowledge) – The system must ensure strict access control to cryptographic keys with role and responsibility separation. Different users may have access only to specific operations – some may manage configuration, others use specific key sets, but no one may have full access to all functions.
Decryption environment requirements
- PCI DSS compliance: The decryption environment must fully meet PCI DSS requirements, meaning the implementation of all 12 PCI DSS requirements, including network protection, vulnerability management, access control, and regular monitoring.
- Monitoring and incident response: The standard requires the implementation of real-time monitoring systems and incident response procedures. All attempts to access the decryption environment must be logged and analysed.
Payment application requirements
- Protection of PAN and SAD data: P2PE applications must ensure the protection of the Primary Account Number (PAN) and Sensitive Authentication Data (SAD) in accordance with the highest cryptographic standards.
- Secure application development: The application development process must follow a secure development lifecycle, including security analysis, penetration testing, and regular code audits.
Key decisions for P2PE solution providers
Five strategic questions for P2PE providers
- Which P2PE business model to choose?
The provider must decide whether to offer a complete P2PE solution or specialise in specific components (application, terminal, decryption services). Each model has different certification requirements and business implications.
- Which cryptographic architecture will be optimal?
The choice between DUKPT (Derived Unique Key Per Transaction) and other key management methods affects the security, performance, and costs of the solution. This decision also determines the selection of technology partners and HSM processors.
- How to manage relationships with component vendors?
The P2PE standard requires close collaboration with terminal, HSM, and other component suppliers. The provider must define a partnership strategy and mechanisms to ensure compliance of all elements in the chain.
- Which geographic markets and customer segments to prioritise?
Different markets have different regulatory requirements and technological preferences. The provider must decide whether to focus on the local market or pursue international expansion, which influences the choice of certifications and product strategy.
- How to ensure business continuity and incident response?
The P2PE standard requires advanced incident response procedures and business continuity plans. The provider must develop backup, disaster recovery strategies, and communication procedures with customers during crisis situations.
P2PE certification support
If you are considering, thinking about, or exploring the PCI P2PE certification process, we warmly invite you to collaborate with Patronusec. We have extensive hands-on experience supporting organisations and merchants using P2PE solutions, helping them navigate certification successfully. Our deep understanding of both technical and compliance requirements enables us to anticipate challenges and streamline the entire journey. By choosing Patronusec, you gain a partner who combines global best practices with in-depth knowledge of the local market, ensuring your P2PE project is delivered efficiently, securely, and in full compliance.