ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    PCI Point to Point vs End to End

    Scheduled Pinned Locked Moved IT Discussion
    16 Posts 3 Posters 389 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @Dashrender said in PCI Point to Point vs End to End:

      @scottalanmiller said in PCI Point to Point vs End to End:

      Basically, unless I'm way off, Point to Point encryption means you take the credit card info and you send it over a secure channel, basically like a VPN. It keeps people from intercepting the data along the way. But the data is wide open on either end.

      End to End means that the data starts encrypted and stays that way until it is received. It's way more intensive and much more secure. Basically the data never exists as plain text.

      OK, but so what? As a merchant, I, so I just read, only care about the data remaining encrypted to the point where it reaches my payment gateway. Beyond that it's the processors problem if they are hacked.

      That's a question for the PCI people.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @Dashrender said in PCI Point to Point vs End to End:

        This also makes me ask - why is the data ever needing to be decrypted before it gets to the people who actually have to act on it?

        Because it starts that way. You generally take the information as plain text when you receive it.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @scottalanmiller
          last edited by

          @scottalanmiller said in PCI Point to Point vs End to End:

          @Dashrender said in PCI Point to Point vs End to End:

          This also makes me ask - why is the data ever needing to be decrypted before it gets to the people who actually have to act on it?

          Because it starts that way. You generally take the information as plain text when you receive it.

          Huh? what does getting the data as decrypted have to do with it? Of course the data comes unencrypted as we collect it... but why does it need to be decypted before First Data or Elavon deal with it? Why does the payment gateway want to decrypt it?

          1 Reply Last reply Reply Quote 0
          • 1
            1337
            last edited by 1337

            If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

            For instance if you terminate SSL at your proxy/load balancers and run unencrypted from the load balancers to your internal web servers.

            DashrenderD 1 Reply Last reply Reply Quote 0
            • DashrenderD
              Dashrender @1337
              last edited by

              @Pete-S said in PCI Point to Point vs End to End:

              If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

              Thanks, I get the difference now... but now why anyone cares.

              1 1 Reply Last reply Reply Quote 0
              • 1
                1337 @Dashrender
                last edited by

                @Dashrender said in PCI Point to Point vs End to End:

                @Pete-S said in PCI Point to Point vs End to End:

                If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

                Thanks, I get the difference now... but now why anyone cares.

                It's just that CC info can't be picked up anywhere if it's end to end encryption.

                DashrenderD 1 Reply Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @1337
                  last edited by

                  @Pete-S said in PCI Point to Point vs End to End:

                  @Dashrender said in PCI Point to Point vs End to End:

                  @Pete-S said in PCI Point to Point vs End to End:

                  If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

                  Thanks, I get the difference now... but now why anyone cares.

                  It's just that CC info can't be picked up anywhere if it's end to end encryption.

                  but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).

                  1 1 Reply Last reply Reply Quote 0
                  • 1
                    1337 @Dashrender
                    last edited by 1337

                    @Dashrender said in PCI Point to Point vs End to End:

                    @Pete-S said in PCI Point to Point vs End to End:

                    @Dashrender said in PCI Point to Point vs End to End:

                    @Pete-S said in PCI Point to Point vs End to End:

                    If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

                    Thanks, I get the difference now... but now why anyone cares.

                    It's just that CC info can't be picked up anywhere if it's end to end encryption.

                    but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).

                    Maybe I should have said it can't be picked up in transit.

                    The card processors probably have more stringent requirements for infosec than PCI. But yes, nothing is 100% secure.

                    alt text

                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @1337
                      last edited by

                      @Pete-S said in PCI Point to Point vs End to End:

                      @Dashrender said in PCI Point to Point vs End to End:

                      @Pete-S said in PCI Point to Point vs End to End:

                      @Dashrender said in PCI Point to Point vs End to End:

                      @Pete-S said in PCI Point to Point vs End to End:

                      If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

                      Thanks, I get the difference now... but now why anyone cares.

                      It's just that CC info can't be picked up anywhere if it's end to end encryption.

                      but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).

                      Maybe I should have said it can't be picked up in transit.

                      The card processors probably have more stringent requirements for infosec than PCI.

                      Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...

                      So I'm still not seeing a benefit to E2EE to the merchant.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in PCI Point to Point vs End to End:

                        @Pete-S said in PCI Point to Point vs End to End:

                        @Dashrender said in PCI Point to Point vs End to End:

                        @Pete-S said in PCI Point to Point vs End to End:

                        @Dashrender said in PCI Point to Point vs End to End:

                        @Pete-S said in PCI Point to Point vs End to End:

                        If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

                        Thanks, I get the difference now... but now why anyone cares.

                        It's just that CC info can't be picked up anywhere if it's end to end encryption.

                        but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).

                        Maybe I should have said it can't be picked up in transit.

                        The card processors probably have more stringent requirements for infosec than PCI.

                        Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...

                        So I'm still not seeing a benefit to E2EE to the merchant.

                        I assume E2EE gives you some discounts.

                        DashrenderD 1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said in PCI Point to Point vs End to End:

                          @Dashrender said in PCI Point to Point vs End to End:

                          @Pete-S said in PCI Point to Point vs End to End:

                          @Dashrender said in PCI Point to Point vs End to End:

                          @Pete-S said in PCI Point to Point vs End to End:

                          @Dashrender said in PCI Point to Point vs End to End:

                          @Pete-S said in PCI Point to Point vs End to End:

                          If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

                          Thanks, I get the difference now... but now why anyone cares.

                          It's just that CC info can't be picked up anywhere if it's end to end encryption.

                          but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).

                          Maybe I should have said it can't be picked up in transit.

                          The card processors probably have more stringent requirements for infosec than PCI.

                          Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...

                          So I'm still not seeing a benefit to E2EE to the merchant.

                          I assume E2EE gives you some discounts.

                          based on what?

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said in PCI Point to Point vs End to End:

                            @scottalanmiller said in PCI Point to Point vs End to End:

                            @Dashrender said in PCI Point to Point vs End to End:

                            @Pete-S said in PCI Point to Point vs End to End:

                            @Dashrender said in PCI Point to Point vs End to End:

                            @Pete-S said in PCI Point to Point vs End to End:

                            @Dashrender said in PCI Point to Point vs End to End:

                            @Pete-S said in PCI Point to Point vs End to End:

                            If you have unencrypted LAN communication (at your servers) you are encrypted point-to-point but not end-to-end.

                            Thanks, I get the difference now... but now why anyone cares.

                            It's just that CC info can't be picked up anywhere if it's end to end encryption.

                            but it can - at the terminal where it's collected - at the processor who terminates the E2EE (though hopefully that's beyond extremely unlikely).

                            Maybe I should have said it can't be picked up in transit.

                            The card processors probably have more stringent requirements for infosec than PCI.

                            Sure, ok - in transit... but once the data gets to your payment gateway, it's not your responsibility anymore - so again, who cares... P2PE gets it to the payment gateway just as good as E2EE does to First Data or Elavon, only the payment gateway then also injects itself into the data stream for some unknown reason...

                            So I'm still not seeing a benefit to E2EE to the merchant.

                            I assume E2EE gives you some discounts.

                            based on what?

                            Just seems like the logical reason.

                            1 Reply Last reply Reply Quote 0
                            • 1 / 1
                            • First post
                              Last post