Point-to-point encryption (P2PE) is a payment security framework that encrypts Cardholder data inside a card reader before the data touches any business software, network, or Server. P2PE also keeps the data encrypted until it reaches the Payment Provider’s decryption environment. It’s a foundational element of scope reduction in Payment Card Industry Data Security Standard (PCI DSS) compliance, and it’s what separates a Merchant environment that handles plaintext Card data from one that never sees it at all.
When it comes to encryption, the stakes are high for businesses. The global average cost of a data breach reached $4.4 million in 2025. Keeping Cardholder data out of a business’s systems reduces breach risk and potential liability. Below, we’ll go over how P2PE works at a technical level, how it differs from tokenisation and general encryption, and what a validated implementation requires.
Key takeaways
P2PE encrypts Cardholder data at the point of capture and decrypts it only within the Payment Provider’s infrastructure, so plaintext Card data never exists in the Merchant’s environment.
Businesses using a PCI-validated P2PE solution typically qualify for Self-Assessment Questionnaire (SAQ) P2PE, a shorter compliance assessment.
P2PE and tokenisation solve different problems: P2PE protects data at capture and transmission, while tokenisation replaces stored Card data with a surrogate value for future use.
What is point-to-point encryption (P2PE)?
P2PE is a payment security standard that encrypts Cardholder data at the exact moment a Card interacts with a Reader. It happens before the data touches the business’s software or network and keeps the data encrypted until it reaches a secure decryption environment controlled by the Payment Provider. The Cardholder’s primary account number (PAN) and other sensitive data are never exposed in readable form anywhere in the Merchant’s environment.
How does point-to-point encryption (P2PE) work in a Transaction?
P2PE occurs when a Customer taps, inserts, or swipes their Card at a certified Reader that encrypts data internally before outputting anything. The moment the Card is read, the device’s secure cryptographic module encrypts it with a key injected during manufacturing or via a controlled key injection process. The device can encrypt data with this key but cannot decrypt it. Decryption requires a separate key held only by the Payment Provider.
The encrypted payload is called a ciphertext. It leaves the device, travels through the business’s Point of sale (POS) system and network, and passes through the business’s software and infrastructure, but none of that infrastructure can read it. The ciphertext arrives at the Payment Provider’s secure decryption environment, where the private key retrieves the PAN and the Transaction is processed.
The business’s POS software, network switches, and servers handle only ciphertext. A breach of this environment, such as a compromised Server, a malicious insider, or a network intrusion, yields no usable information because the Card data was never present in readable form.
What’s the difference between PCI-validated and nonvalidated point-to-point encryption (P2PE)?
The PCI Security Standards Council maintains a formal list of validated P2PE solutions. Here’s how it works.
PCI-validated P2PE
A solution earns this designation only after an independent assessor audits the full Stack, including hardware, key management, decryption environment, and operations controls. The assessment is exhaustive, and the PCI Security Standards Council publishes validated solutions on a public list that can be referenced by businesses and their Qualified Security Assessors (QSAs), which are the data security experts authorised to validate whether businesses adhere to the PCI DSS.
Self-Assessment Questionnaire (SAQ) implications
Businesses that use a validated solution correctly with no other Card data storage typically qualify for SAQ P2PE, which consists of a little over 30 questions. SAQ D, the default for many card-present (CP) environments without validated P2PE, can exceed 300 questions.
Nonvalidated P2PE
These implementations follow the same general concept: encrypt at capture and decrypt outside the Merchant environment, independent of the PCI Security Standards Council’s formal assessment process. They don’t carry automatic scope-reduction benefits under PCI DSS.
Nonvalidated scope risk
With a nonvalidated solution, a business might still argue for reduced scope, but they’d need to demonstrate the controls themselves during an assessment, and their acquiring bank or QSA might not accept that argument.
Why does point-to-point encryption (P2PE) matter for your PCI compliance scope?
Reducing PCI DSS scope is a financial benefit of correctly deploying P2PE. Scope is determined by which systems store, Process, or transmit Cardholder data, or which systems could affect the security of those that do.
Consider the following:
SAQ eligibility: This is the shortest assessment path available for CP environments.
QSA costs: A narrower scope means fewer systems for a Qualified Security Assessor to Review. That’s a meaningful reduction in assessment difficulty for multilocation retailers.
Simpler operations: When fewer systems are in scope, Patch management, logging, and access control requirements apply to a smaller footprint.
While none of this eliminates the need for PCI compliance, it does restructure what compliance requires of you. Keep in mind that PCI DSS compliance addresses scope, but not all potential consequences of a breach.
How does point-to-point encryption (P2PE) compare to tokenisation and encryption alone?
P2PE, tokenisation, and encryption are designed to work together. P2PE covers the capture and transmission phase, while tokenisation covers storage and reuse. The two approaches complement each other because they solve separate problems at different points in the payment lifecycle.
Here's how:
Encryption alone: Standard Transport Layer Security (TLS) encryption protects data in transit between systems, but it doesn’t prevent exposure at endpoints. If a business’s Server receives an encrypted transmission and decrypts it, the plaintext data now exists on the Server.
P2PE: Captures data safely. Cardholder data enters the Merchant environment already encrypted and leaves still encrypted; decryption happens entirely outside the business’s infrastructure. The environment never holds a usable PAN.
Tokenisation: Stores data safely. After a Transaction is authorised, a Token (i.e., a surrogate value with no intrinsic Card data) is returned and stored in place of the PAN. If the business needs to Process a repeat Transaction or Charge a Subscription, it references the Token instead.
P2PE applies specifically to card-present (CP) transactions because there’s no physical device in an online Transaction. It can apply to mail order/telephone order (MOTO) transactions if the person taking the Order keys the Card data into a hardware-based P2PE device. Tokenisation applies across both online and in-person payments, and standard TLS encryption applies to online sales.
What does implementing point-to-point encryption (P2PE) actually require?
Deploying a validated P2PE solution involves more than choosing a certified Reader. The full solution encompasses several components.
Hardware
Only PCI-listed devices can be part of a validated P2PE solution. These devices are built to have secure cryptographic modules that prevent key extraction and detect tampering. If a device is opened or its casing is breached, the keys are wiped automatically.
Key management
Encryption keys must be injected into devices at a secure facility, typically by the manufacturer or a certified key injection facility, before deployment. Keys must be rotated on a defined schedule. Mistakes made during key management can create vulnerabilities that undermine the overall process.
Staff training
Staff need to understand device handling, including what to do if a device appears tampered with, how to report anomalies, and why they should never accept a replacement device from an unverified source. Physical skimming attacks that target hardware have become a documented risk.
Device management
Devices need firmware updates, physical inspection, and inventory tracking. A lost or stolen device is a potential security incident depending on the state of its keys. Some providers handle device management as part of their service, while others leave it to the business.
The case for using a managed P2PE solution, where the provider handles key injection, device certification, and decryption infrastructure, comes down to where businesses want to spend their attention in operations.
Stripe Terminal is the clearest example of a managed P2PE solution. Terminal’s certified readers—the BBPOS WisePOS E, Stripe Reader M2, and others in the lineup—encrypt Cardholder data inside the device before anything leaves it. Stripe handles key injection and decryption.
How Stripe Terminal can help
Stripe Terminal allows businesses to grow their revenue with unified payments across in-person and online channels. It supports new ways to pay, simple hardware logistics, global coverage and hundreds of POS and commerce integrations to design your ideal payments stack.
Stripe powers unified commerce for brands like Hertz, URBN, Lands' End, Shopify, Lightspeed and Mindbody.
Stripe Terminal can help you:
Unify commerce: Manage online and in-person payments on a global platform with unified payments data.
Expand globally: Scale to 24 countries with a single set of integrations and popular payment methods.
Integrate your way: Develop your own custom POS app or connect with your existing tech stack using third-party POS and commerce integrations.
Simplify hardware logistics: Easily order, manage and monitor Stripe-supported readers, wherever they are.
Learn more about Stripe Terminal or get started today.
The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.