PCI Point to Point vs End to End
-
My accounting person stopped me today asking me the difference between End to End and Point to Point - at first I was like - nothing, they are basically the same, but upon further thinking.. they aren't.
End to End means literally, from one end to another end the data stays encrypted.
Point to Point means that between two points something stays encrypted. Assuming there are multiple 'points' between the ends, then the data could be unencrypted multiple times between the end points.
OK, that's all great.
Now she tosses at me that PCI is making a difference between these two things.
Here's the wiki page.
https://en.wikipedia.org/wiki/Point_to_Point_Encryption
As far as I can tell from this page, Point to Point is really just the name PCI has given to an encryption process.
Though from the page, I can't really tell how End to End is really much different, other than they don't really spell out the encryption process.
Edit - OK.. one of the big things seems to be that P2PE does tokenization as a requirement.. E2EE doesn't appear to require that.
-
Basically, unless I'm way off, Point to Point encryption means you take the credit card info and you send it over a secure channel, basically like a VPN. It keeps people from intercepting the data along the way. But the data is wide open on either end.
End to End means that the data starts encrypted and stays that way until it is received. It's way more intensive and much more secure. Basically the data never exists as plain text.
-
@scottalanmiller said in PCI Point to Point vs End to End:
Basically, unless I'm way off, Point to Point encryption means you take the credit card info and you send it over a secure channel, basically like a VPN. It keeps people from intercepting the data along the way. But the data is wide open on either end.
End to End means that the data starts encrypted and stays that way until it is received. It's way more intensive and much more secure. Basically the data never exists as plain text.
OK, but so what? As a merchant, I, so I just read, only care about the data remaining encrypted to the point where it reaches my payment gateway. Beyond that it's the processor's problem if they are hacked.
-
This also makes me ask - why is the data ever needing to be decrypted before it gets to the people who actually have to act on it?
Is it because by allowing someone to interact with the data in middle on your behalf, they can do things like, setup auto bill pays, etc? A feature that the actual backend processor like First Data or Elavon don't want to deal with?
-
@Dashrender said in PCI Point to Point vs End to End:
@scottalanmiller said in PCI Point to Point vs End to End:
Basically, unless I'm way off, Point to Point encryption means you take the credit card info and you send it over a secure channel, basically like a VPN. It keeps people from intercepting the data along the way. But the data is wide open on either end.
End to End means that the data starts encrypted and stays that way until it is received. It's way more intensive and much more secure. Basically the data never exists as plain text.
OK, but so what? As a merchant, I, so I just read, only care about the data remaining encrypted to the point where it reaches my payment gateway. Beyond that it's the processor's problem if they are hacked.
That's a question for the PCI people.
-
@Dashrender said in PCI Point to Point vs End to End:
This also makes me ask - why is the data ever needing to be decrypted before it gets to the people who actually have to act on it?
Because it starts that way. You generally take the information as plain text when you receive it.
-
@scottalanmiller said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
This also makes me ask - why is the data ever needing to be decrypted before it gets to the people who actually have to act on it?
Because it starts that way. You generally take the information as plain text when you receive it.
Huh? What does getting the data as decrypted have to do with it? Of course the data comes unencrypted as we collect it... but why does it need to be decrypted before First Data or Elavon deal with it? Why does the payment gateway want to decrypt it?
-
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
For instance if you terminate SSL at your proxy/load balancers and run unencrypted from the load balancers to your internal web servers.
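Added example, not code from any poster in this thread: a small Python model of the distinction made above (link-by-link encryption that a proxy, gateway or load balancer terminates, versus one key shared only by the card terminal and the processor), plus the tokenization idea raised in the first post. The hop names, the chain terminal -> merchant LAN -> payment gateway -> processor, the card number and the HMAC-based toy cipher are all constructed for the demonstration; a real P2PE or E2EE solution uses a hardware-backed key and a proper AEAD, not this keystream.

```python
import hashlib
import hmac
import secrets

# Toy stream cipher built from HMAC-SHA256 in counter mode. It exists only so the
# hop model below runs offline with the standard library; it is not a real cipher
# and is an assumption of this example, not anything PCI or a processor uses.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# Constructed chain of hops; the names are assumptions for this example.
HOPS = ["terminal", "merchant_lan", "payment_gateway", "processor"]

def point_to_point(pan: str) -> dict:
    """Each link has its own key (think one TLS session per segment, terminated at
    the proxy or load balancer). Every hop must decrypt to forward, so every hop
    handles the card number in the clear. Returns hop -> list of bytes it handled."""
    link_keys = [secrets.token_bytes(32) for _ in range(len(HOPS) - 1)]
    handled = {hop: [] for hop in HOPS}
    data = pan.encode()
    handled[HOPS[0]].append(data)            # terminal reads the card in the clear
    for i, key in enumerate(link_keys):
        blob = encrypt(key, data)            # sender protects this link only
        data = decrypt(key, blob)            # receiver terminates the link...
        handled[HOPS[i + 1]].append(data)    # ...and now holds plaintext
    return handled

def end_to_end(pan: str) -> dict:
    """One key shared only by the terminal and the processor. Middle hops may still
    wrap the message in their own link encryption, but they only ever see the
    opaque inner ciphertext."""
    e2e_key = secrets.token_bytes(32)
    handled = {hop: [] for hop in HOPS}
    handled[HOPS[0]].append(pan.encode())
    blob = encrypt(e2e_key, pan.encode())
    for hop in HOPS[1:-1]:
        link_key = secrets.token_bytes(32)
        wrapped = encrypt(link_key, blob)
        blob = decrypt(link_key, wrapped)    # link layer stripped, inner blob intact
        handled[hop].append(blob)
    handled[HOPS[-1]].append(decrypt(e2e_key, blob))
    return handled

def hops_exposing(pan: str, handled: dict) -> list:
    """Hops at which the card number appeared in the clear."""
    return [hop for hop, items in handled.items() if pan.encode() in items]

# Tokenization: the processor hands back a random reference and keeps the mapping
# in its own vault, so the merchant stores the token rather than the card number.
class ProcessorVault:
    def __init__(self) -> None:
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]

def merchant_record(pan: str, vault: ProcessorVault) -> dict:
    """What the merchant keeps on file after the processor tokenizes the card."""
    token = vault.tokenize(pan)
    return {"stored": token, "contains_pan": pan in token}

if __name__ == "__main__":
    pan = "4111111111111111"   # constructed test card number, not a real account
    print("P2PE exposes:", hops_exposing(pan, point_to_point(pan)))
    print("E2EE exposes:", hops_exposing(pan, end_to_end(pan)))
    print(merchant_record(pan, ProcessorVault()))
```

Running it lists every hop under the link-by-link model and only the terminal and processor under the end-to-end model, which is the "picked up in transit" point made later in the thread: the middle hops are exactly the merchant's own proxies, LAN and gateway, and the token is what stays in the merchant's database afterwards.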
-
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
-
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
-
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
-
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
Maybe I should have said it can't be picked up in transit.
The card processors probably have more stringent requirements for infosec than PCI. But yes, nothing is 100% secure.
-
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
Maybe I should have said it can't be picked up in transit.
The card processors probably have more stringent requirements for infosec than PCI.
Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...
So I'm still not seeing a benefit to E2EE to the merchant.
-
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
Maybe I should have said it can't be picked up in transit.
The card processors probably have more stringent requirements for infosec than PCI.
Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...
So I'm still not seeing a benefit to E2EE to the merchant.
I assume E2EE gives you some discounts.
-
@scottalanmiller said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
Maybe I should have said it can't be picked up in transit.
The card processors probably have more stringent requirements for infosec than PCI.
Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...
So I'm still not seeing a benefit to E2EE to the merchant.
I assume E2EE gives you some discounts.
based on what?
-
@Dashrender said in PCI Point to Point vs End to End:
@scottalanmiller said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
@Dashrender said in PCI Point to Point vs End to End:
@Pete-S said in PCI Point to Point vs End to End:
If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.
Thanks, I get the difference now... but now why anyone cares.
It's just that CC info can't be picked up anywhere if it's end to end encryption.
but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).
Maybe I should have said it can't be picked up in transit.
The card processors probably have more stringent requirements for infosec than PCI.
Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...
So I'm still not seeing a benefit to E2EE to the merchant.
I assume E2EE gives you some discounts.
based on what?
Just seems like the logical reason.