
Adyen's E2EE and P2PE PCI security

Make an informed choice between Adyen's E2EE and P2PE solutions for payment terminals.

Point-to-Point Encryption (P2PE) is a standard developed by the Payment Card Industry (PCI). The purpose of this standard is to protect the transmission of payment messages from payment terminals to the acquirer networks against data breaches. By default, Adyen protects such transmissions using the Adyen End-to-End Encryption (E2EE) solution.

When implementing a point-of-sale integration with Adyen, you have the option to use either Adyen's E2EE or P2PE. Here, you can find a comparative overview of the P2PE standard and Adyen's E2EE with their technical differences, security characteristics, and implementation aspects to help you make an informed decision.

Adyen's E2EE solution

Compared to other acquirers, Adyen is unique because we cover the whole payments value chain by managing the entire payment flow from payment terminal to final settlement. Adyen's end-to-end solution protects payment messages by encrypting them at the terminal and decrypting them at the platform before sending them for authorization to the issuing bank. This prevents anyone in the middle from gaining access to sensitive data in the payment messages, such as cardholder data.

The following diagrams show the exchange of payment messages in the traditional payments value chain, and in Adyen's payments value chain.

[Diagram: Traditional payments value chain]
[Diagram: Adyen payments value chain]

By default, the payment terminals provided by Adyen are all PTS-approved Point-of-Interaction (POI) devices using E2EE to protect the payment messages.

Adyen E2EE solution - The full payment message is encrypted

Adyen's P2PE solution

As an alternative to E2EE, you can opt in to use Adyen's P2PE solution. This solution includes:

  • A PCI-approved P2PE payment solution.
  • Encryption of the Primary Account Number (PAN) and the track data (used to authenticate the cardholder and/or authorize card transactions) in the payment message.
  • Compliance with the P2PE Instruction Manual.

The separate encryption of the PAN and track data adds an extra encryption layer inside the already encrypted payment message. Compliance with the P2PE Instruction Manual means that both Adyen and you need to implement various operational measures to meet logistical, monitoring, and other requirements. For example, store staff need to inspect the terminals regularly and keep an audit trail of these inspections.

Adyen P2PE solution - Encrypted PAN and track data inside the encrypted payment message
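The difference between the two diagrams is one of key separation: with E2EE a single transport layer protects the whole message, while with P2PE the PAN and track data are sealed under a separate data key before the message is sealed for transport, so a party that only holds the transport key still cannot read them. The script below is an added illustration of that layering and is not Adyen's code; it uses a toy authenticated cipher built from HMAC-SHA256 (a keystream plus encrypt-then-MAC) so it runs with the standard library alone, and the keys, card, and terminal identifier are constructed sample values. Real terminals use PTS-approved hardware cryptography, not this construction.

```python
"""Layering difference between a single-layer (E2EE) and a two-layer
(P2PE-style) payment message. Toy cipher, constructed sample data."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive distinct keystream and MAC keys so one key is never reused.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modified blob is rejected."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


# Constructed sample data: a well-known test PAN, a made-up track 2, fixed keys.
CARD = {"pan": "4111111111111111", "track2": "4111111111111111=29121011234567890"}
TXN = {"amount": 1999, "currency": "EUR", "terminal": "TERMINAL-ID-PLACEHOLDER"}
MESSAGE_KEY = bytes.fromhex("00" * 31 + "01")  # transport key, held by the platform
PAN_KEY = bytes.fromhex("00" * 31 + "02")      # data key, held only by the decryption environment


def terminal_e2ee(card: dict, txn: dict, message_key: bytes) -> bytes:
    """E2EE: one layer; the whole payment message is encrypted in transit."""
    message = {**txn, "pan": card["pan"], "track2": card["track2"]}
    return seal(message_key, json.dumps(message).encode())


def terminal_p2pe(card: dict, txn: dict, pan_key: bytes, message_key: bytes) -> bytes:
    """P2PE-style: PAN and track data sealed first, then the whole message."""
    message = {
        **txn,
        "p2pe": True,
        "pan": seal(pan_key, card["pan"].encode()).hex(),
        "track2": seal(pan_key, card["track2"].encode()).hex(),
    }
    return seal(message_key, json.dumps(message).encode())


def transport_view(blob: bytes, message_key: bytes) -> dict:
    """What a party holding only the transport (outer) key can see."""
    return json.loads(open_sealed(message_key, blob).decode())


def p2pe_decrypt(view: dict, pan_key: bytes) -> dict:
    """Remove the inner layer; requires the separately managed PAN key."""
    return {
        **view,
        "pan": open_sealed(pan_key, bytes.fromhex(view["pan"])).decode(),
        "track2": open_sealed(pan_key, bytes.fromhex(view["track2"])).decode(),
    }


def exposes_pan(view: dict, pan: str) -> bool:
    """True if the clear PAN appears anywhere in the decrypted message."""
    return pan in json.dumps(view)


if __name__ == "__main__":
    e2ee_view = transport_view(terminal_e2ee(CARD, TXN, MESSAGE_KEY), MESSAGE_KEY)
    p2pe_view = transport_view(terminal_p2pe(CARD, TXN, PAN_KEY, MESSAGE_KEY), MESSAGE_KEY)
    print("E2EE, transport key only -> PAN visible:", exposes_pan(e2ee_view, CARD["pan"]))
    print("P2PE, transport key only -> PAN visible:", exposes_pan(p2pe_view, CARD["pan"]))
    print("P2PE, both keys          -> PAN:", p2pe_decrypt(p2pe_view, PAN_KEY)["pan"])
```

The point the script makes is about who holds which key, not about cipher strength: in the single-layer case, whoever can strip the transport layer sees the full PAN, whereas in the two-layer case the transport layer can be removed for routing and amount handling while the PAN and track data stay sealed until the holder of the data key processes them. That separation is what the P2PE Instruction Manual's key-management and inspection requirements exist to protect.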

Comparing Adyen P2PE and E2EE

Here is an overview table comparing the two encryption solutions.

Aspect | P2PE | E2EE
Supported terminals | e280, e285, M400, P400 Plus, V240m, V400c Plus, V400m, UX-series, AMS1, S1F2, S1F2L, S1U2, and S1E2L. | All Adyen-provided terminal models.
Compliance | In addition to the SAQ P2PE, you need to implement the P2PE Instruction Manual requirements. | Adyen's default point-of-sale integration is designed to reduce your PCI DSS scope as much as possible. You only have to complete the SAQ B-IP, which is a relatively easy questionnaire with a limited number of requirements.
Security | Because cardholder data such as the full PAN and the track data is encrypted separately, malicious actors cannot access this data. | Adyen's E2EE encrypts the complete payment message, including all cardholder data, which is transferred directly from the POI to the point of processing, with nothing in between.
Quality | An independent organization's "stamp" validates the security of the solution. | While E2EE is secure, it does not have the PCI P2PE-validated "stamp".

Take a look at the following sections for a detailed comparison of P2PE and E2EE solutions covering compliance, security, and quality aspects. If you need more information, contact your Adyen account manager or sales manager.

Supported terminals

  • P2PE: e280, e285, M400, P400 Plus, V240m Plus, V400c Plus, V400m, UX-series, AMS1, S1F2, S1F2L, S1U2, and S1E2L.
  • E2EE: All Adyen-provided payment terminal models.

Compliance

  • P2PE: P2PE is claimed to reduce your PCI DSS scope, requiring the 33-requirement SAQ P2PE. In addition to the SAQ P2PE, you need to implement all requirements of the P2PE Instruction Manual.
  • E2EE: Adyen's default point-of-sale integration is designed to reduce your PCI DSS scope as much as possible. You only have to complete the SAQ B-IP, which is a relatively easy questionnaire with a limited number of requirements.

Compared to Adyen's E2EE solution, using P2PE will result in an increased operational effort because with P2PE you need to comply with both the SAQ P2PE and the P2PE Instruction Manual. For an integration overview and the self-assessment questionnaires, go to our PCI DSS compliance guide.

Security

  • P2PE: Because cardholder data such as the full PAN and the track data is encrypted separately, malicious actors cannot access this data.
  • E2EE: The same is true for Adyen's E2EE solution, which encrypts the complete payment message, including all cardholder data.
    With many E2EE solutions there is an increased risk of fraud or hacking, because other systems sit between the point of interaction (POI) and the point of processing. With Adyen's E2EE solution, the cardholder data is transferred directly from the POI to the point of processing, with nothing in between.

Because Adyen manages the whole payments value chain and encrypts the complete payment message, the default Adyen E2EE solution and the P2PE solution are equally secure.

Quality

  • P2PE: An independent organization validates the security of the solution.
  • E2EE: E2EE is secure, but does not have an official PCI P2PE-validated "stamp".

Ultimately, it is up to you to decide which option works best for you: Adyen E2EE or P2PE. Keep in mind that the default E2EE solution is already an end-to-end solution. Adyen's P2PE solution offers the benefit of being PCI P2PE-validated, but the tradeoff is that it requires additional operational effort.
