Friday, November 26, 2010

Point-to-Point Encryption – Sound Familiar?

We have highlighted a number of technologies in this blog that help achieve PCI compliance. The latest technology that should be in your IT security team’s bag of tricks is point-to-point encryption (P2PE).
This new technology may sound strangely familiar. And it should. Does end-to-end encryption ring a bell? In early October 2010, the PCI Security Standards Council announced a new moniker for end-to-end encryption, switching the language to point-to-point encryption, in the hope that the new name, together with guidance, will clarify this technology.
The new point-to-point encryption naming concept also came with a new roadmap designed for merchants, acquirers, processors, vendors and QSAs. The new roadmap offers guidance on what businesses should look for when purchasing encryption technology to protect credit cardholder data as it is authorized and transported into a database. (However, P2PE is not designed to address card data storage. For those merchants that require storing sensitive data, tokenization is a good solution, where card data is returned in the form of tokens rather than the actual data.)
P2PE, properly implemented, should reduce a merchant’s PCI scope. Once the card is swiped, the data is encrypted, and it remains so until it reaches its destination. Decryption is not possible between the point of encryption and the final destination, because only the P2PE provider will be able to decrypt the data. This makes the P2PE technology ideal for those retailers that have no need to retain card data.
A follow-up paper on point-to-point encryption from the PCI SSC is scheduled for 2011, which will expand upon their P2PE recommendations.
