
SOLUTION BRIEF

Delivering Point-to-Point Encryption with SafeNet Payment HSMs
Point-to-Point Encryption (P2PE) combines secure devices, applications, and processes to encrypt payment
data from the earliest point of interaction at a merchant, and keeps that data secure until it can be safely
decrypted by the payment service provider. SafeNet Payment HSMs from Gemalto play a critical role in
establishing the security mechanisms required to comply with P2PE.

Payment Card Industry Point-to-Point Encryption Overview
The Payment Card Industry Security Standards Council (PCI
SSC) defines, articulates, and enforces security requirements
for the payment industry. Since its origin, the organization
has developed several standards, including the PCI Data
Security Standard (DSS), in order to fulfill its main objective.
In 2011, PCI SSC released the PCI Point-to-Point Encryption
(P2PE) standard. When implemented properly, P2PE can
dramatically reduce the burden of compliance for a merchant
by removing retail locations and supporting network
infrastructure from being subject to PCI DSS compliance.

P2PE Version 2.0


Version 2.0 of P2PE was announced in 2015, reducing PCI
scope to only the terminal as opposed to the entire network.
This latest version of P2PE allows merchants to use their
own decryption environment, opening P2PE opportunities
to larger retailers. And retailers who manage their own
keys and Hardware Security Modules (HSMs) are no longer
excluded. In fact, retailers are adding encrypting terminals,
which not only reduces PCI-DSS scope but also enhances
overall security.

The Business Opportunity


The P2PE standard is a true game changer for merchants.
Achieving PCI DSS Compliance has been a huge cost and
effort for retailers, and the pressure from acquiring banks
continues to grow. This means that retailers are increasingly
susceptible to fines and loss of business if they fail to comply.
Furthermore, larger merchants may have hundreds or even
thousands of stores, which means there are thousands of
point-of-sale (POS) systems and PIN entry devices (PEDs)
that will be in scope and must be brought into compliance.
This entails running anti-virus, patching, enabling auditing
and logging, and so on for each of these devices. Ultimately,
these efforts substantially increase the complexity and cost
of the store infrastructure, and represent a huge upfront and
ongoing investment in staffing and budgets.
That being said, it is fairly obvious why P2PE is such a
compelling opportunity for merchants. By simply deploying
a P2PE-compliant PED device, and following the appropriate
instructions, merchants can effectively remove their stores
from the scope of PCI DSS compliance. In the long run,
this leads to reduced risk of fraud and improved consumer
confidence and loyalty.
And for vendors serving the merchant community, delivering
effective P2PE-compliant solutions can:
>> Open up new markets
>> Deliver strong competitive differentiation
>> Enable increased sales within existing accounts


SafeNet Payment HSM Benefits:
>> Robust Security and Auditing
>> PCI-HSM 2.0 and APCA CECS Certification
>> Comprehensive Command Set & API Support
>> Security for Host Card Emulation
>> Scalability with Secure Partitions
>> Support for 3-D Secure Payment Transactions

Why SafeNet Payment HSM for P2PE?
Given that HSMs are mandated for P2PE compliance, it is
essential for retailers to find the right one. SafeNet HSMs
are a market leader in this space with more certified
solutions than any other vendor. Following are some key
features of the SafeNet Payment HSM that should be
considered when evaluating HSM alternatives in order to
achieve PCI P2PE compliance:

Features

>> Supports General Purpose Crypto Processing

>> Keys in Hardware. Tamper-evident seals, intrusion
detection switches, and shielded connectors are designed
into SafeNet Payment HSM to minimize exposure from
direct physical attacks.
>> Secure Partitions. A single SafeNet Payment HSM can be
separated into 20 cryptographically isolated partitions,
with each partition functioning as if it were an independent
HSM. This provides a tremendous amount of scalability
and flexibility, as a single HSM can perform tasks for
multiple payment applications concurrently.
>> Web-based Configuration. The regular task of configuring
and managing cryptographic and key component settings,
often executed through a command line interface, is
simplified through the use of an easy-to-use GUI. A
well-structured menu-based navigation system, coupled with
intuitive dialog box interaction, reduces the risk of manual
input errors and speeds up the administrative process.

Conclusion
Gemalto SafeNet Payment HSMs play a critical role in
establishing the security mechanisms required to comply
with PCI P2PE. After all, if HSMs are mandated for P2PE
compliance, why not trust a market leader who offers a
certified solution with keys in hardware, secure partitions,
web-based configuration, and several other key features
and benefits?

About Gemalto's SafeNet Identity and Data Protection Solutions
Gemalto's portfolio of Identity and Data Protection solutions
offers one of the most complete portfolios of enterprise
security solutions in the world, enabling its customers to
enjoy industry-leading protection of data, digital identities,
payments, and transactions, from the edge to the core.
Gemalto's SafeNet Identity and Data Protection solutions
enable enterprises across many verticals, including major
financial institutions and governments, to take a data-centric
approach to security by utilizing innovative encryption
methods, best-in-class crypto management techniques, and
strong authentication and identity management solutions
to protect what matters, where it matters. Through these
solutions, Gemalto helps organizations achieve compliance
with stringent data privacy regulations and ensure that
sensitive corporate assets, customer information, and digital
transactions are safe from exposure and manipulation in
order to protect customer trust in an increasingly
digital world.

Contact Us: For all office locations and contact information, please visit safenet.gemalto.com
Follow Us: blog.gemalto.com/security

GEMALTO.COM

Gemalto 2016. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. SB (EN)-Oct.11.2016 - Design: ELC
