PCI-Validated P2PE Overview

Introduction

A PCI-Validated Point-to-Point Encryption (P2PE) solution offers merchants greatly reduced PCI DSS scope for in-person POS, unattended POS, MOTO POS, and other use cases where payment data is captured by a point-of-interaction (POI) device. TokenEx's PCI-Validated P2PE Solution can work with any payment gateway or processor, any PCI PTS listed payment terminal, and any PCI listed payment terminal application. TokenEx's solution is the first 100% cloud-based P2PE solution and is built to be modular. The modularity of the solution makes it easy to add new terminals, new key injection facilities (KIFs), payment processors, etc.

TokenEx PCI-Validated P2PE is part of our Universal Tokenization product suite, enabling merchants and service providers to unify payment data across in-person and digital channels. Take advantage of a truly omni-channel, processor-agnostic, and flexible format payment token. The Universal Token (representing the PAN) is returned in the response of a P2PE transaction.

📘

View the TokenEx Validated P2PE Solution Listing on the PCI SSC P2PE registry by searching for "TokenEx". You can view the Solution details here.

Building the P2PE Solution

Screenshot from PCI P2PE Program Guide

Screenshot from PCI P2PE Program Guide

TokenEx is the P2PE solution provider. The solution is a modular combination of other P2PE components such as the payment application on a terminal, the hardware (PCI PTS devices), and KIFs. TokenEx is responsible for the compliance of the overall solution and management of the various components and component providers. TokenEx designed the solution to make it as easy as possible to add new hardware, KIFs, or other components to the solution listing. Adding additional components to the solution requires a delta assessment and subsequent review by the PCI SSC.

PCI PTS Devices Supported

  • Ingenico Lane 7000
  • Ingenico Lane 8000
  • Ingenico Self 7000
  • Ingenico Self 8000
  • Ingenico Moby 5500

📘

PCI PTS approved devices can be added upon request. A delta assessment is required to update the solution listing.

Payment Applications Supported

  • Ingenico Unified Payments Platform (UPP)

📘

PCI approved payment applications can be added upon request. A delta assessment is required to update the solution listing.

Encryption, Decryption, and DUKPT

P2PE uses symmetric encryption. The same key that is used for encryption on the POI device is used for decryption in the secure decryption environment. TokenEx P2PE relies on DUKPT for key derivation. Each encryption event uses a unique derived key. To facilitate decryption, a key serial number (KSN) is provided in combination with the ciphertext to be decrypted.

🚧

TDEA was deprecated by NIST in 2023 and signifies that TDEA is no longer an approved block cipher. The recommended block cipher is AES.

Plaintext Data Format Before Encryption

The POI terminals that encrypt the data can be configured to format the plaintext data prior to encryption. Our solution architecture team can work with you and the hardware manufacturer to ensure that the devices are configured properly. Currently, TokenEx's P2PE Decrypt function supports the following formats:

  1. The ISO standard track data format (e.g. ISO/IEC 7813:2006) which specifies the data structure and data content of magnetic tracks 1 and 2. This format can be used even for other card entry modes. In cases where the entry mode is not swipe, this format is typically referred to as "mock track format". TokenEx supports Track 1, Track 2, or a combination of both tracks.

📘

Track 1 Format Example: %B4111111111111111^DOE/JOHN F^3005543768?

📘

Track 2 Format Example: ;4111111111111111=16121019761186800000?

  1. TokenEx also supports another format, which is typically used for manual entry scenarios. Although, POI devices may also use mock track data format for manual entry. The format is exp date (YYMM), PAN, and optionally a CVV. The fields are separated by a pipe.

📘

Manual Entry Format Example: 3005|4111111111111111|123

📘

Mock Track Data Format for Manual Entry Example: %M545454554545454^MANUALLY/ENTERED^12120000001234000000?

TokenEx's P2PE Decrypt function will look for standard track 1 or track 2 data first. If track data is not detected in the decrypted plaintext, the function will expect the manual entry format.

Supported Encryption Algorithms

  • AES_128
  • TDES_2KEY (Upon request)
  • TDES_3KEY (Upon request)

The ciphertext and key serial number (KSN) can be passed as input parameters to the P2PE Decrypt function within the Transparent Gateway API v2. TokenEx will decrypt the ciphertext in our secure decryption environment and then parse elements from the ciphertext as instructed by the P2PE decrypt function.

Testing

A P2PE solution can be tested by using a standard test key. Whoever provides the payment terminals or injects the keys on the terminals can inject a standard test key which is considered non-sensitive. TokenEx already has an ANSI test AES-128 key loaded in our non-production decryption environment. Other test keys can be shared with TokenEx to be loaded. Contact your TokenEx representative to setup P2PE testing.

To use the P2PE Decrypt function within the Transparent Gateway API v2, you will need to be granted the "P2PEDecrypt" permission.

Production Key Conveyance

TokenEx will generate the base derivation keys (BDKs) that will be injected on the payment terminals by the KIF(s). To deliver the production BDKs from TokenEx's decryption environment to the KIF requires an electronic key conveyance process. This key conveyance process leverages cryptography to securely transmit the BDKs using either TR31, TR34, or RSA key wrap depending on the constraints of the key receiving device (KRD). The TokenEx key custodians and security team will work with you to facilitate the production key conveyance.