IXOPAY | Product

What is P2PE?

Point-to-point encryption (P2PE) is the Payment Card Industry (PCI) standard for using cryptography to securely collect and exchange payment information from an in-person device or terminal. PCI-validated Point-To-Point Encryption (P2PE) drastically reduces your PCI scope for card present payments and unifies payment data across all channels and processors.

By using P2PE, payment information is unreadable until it reaches a secure decryption environment.

An in-person payment solution is not considered ‘P2PE’ unless it has been reviewed and validated by the PCI council. Solutions that are not PCI-validated certified are not considered P2PE and will incur additional PCI scope.

Key Benefits

Achieve PCI compliance

Reduce PCI scope by up to 90% and keep sensitive payment data out of your internal systems with our PCI-validated P2PE solution.

Own your payment data

Use universal tokens to unify payment information, analyze customer data, and support loyalty programs across your in-person and online channels.

Use any payment device*

Utilize new devices or maintain the functionality of existing terminals with the ability to easily upgrade later.

Gain processor flexibility

Reduce “processor lock-in” from existing payment terminals and gain the flexibility to add new processors, control your payment flow, and improve authorization rates.

*Must be on the PCI-approved PIN Transaction Security (PTS) devices list.

How it Works

Featured Resource

Blog

P2PE: Enable Secure Payments Everywhere

FAQ

What does ‘PCI-validated P2PE’ mean?

A ‘PCI-validated’ P2PE solution, like the one offered by IXOPAY, has passed a rigorous evaluation from the PCI SSC to confirm that it meets the P2PE standard. This is important to ensure appropriate security for in-person payments and reduce PCI scope related to in-person payments.

What kind of encryption technology is used for the IXOPAY P2PE solution?

IXOPAY uses AES encryption to provide modern, strong cryptography for payment transactions. However, our solution also supports TDEA (“Triple DEA”) encryption, which is common in existing hardware.

I currently use different processors for in-person and online payments. Can the IXOPAY P2PE solution work with multiple processors?

Yes, when you accept credit card information using the P2PE solution, you will receive a Universal Token that can be used across your different payment processors. This eliminates the burden of storing payment information in multiple systems and makes it easier to unify customer insights across your in-person and online channels.

I am already using encryption in my payment terminals. Do I still need a “PCI-validated” solution?

Yes. Encryption helps secure payment data, but encryption alone does not reduce PCI scope. Using a solution that is not PCI-validated means that your in-person payment flows will be under increased scrutiny during your PCI audit. This will require significant effort from your team to build, document and audit processes to ensure that in-person payment data is handled appropriately.

A PCI-validated P2PE solution can remove your in-person payments from scope and reduce the number of PCI requirements you need to meet by up to 90%. This reduced scope translates to less time your team spends on preparing for audits and more time spent on other critical security initiatives.

What payment devices does IXOPAY P2PE support?

The IXOPAY P2PE solution supports any payment device or terminal on the PCI-approved PIN Transaction Security (PTS) devices list. Please refer to this list of PCI-approved PTS devices.

Does IXOPAY P2PE support PIN transactions?

We are currently in the process of gaining approval for PIN-based transactions for our P2PE solution. Please request a demo with us if you are interested in this feature so we can update you on the timing for approval.

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months

Point-to-Point Encryption (P2PE)