  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1804

Is there a difference between an End to End Encryption solution vs a Peer to Peer Encryption solution?

Just a quick question.  My company is currently reviewing solutions for us to accept credit cards and be PCI (credit cards) compliant.  From what I've read I think our best approach is going to be going with a validated P2PE solution.  One of the providers we are looking into describes their solution as an End2End encryption service and reduces our scope for PCI the same as P2PE.  They are very careful as to not state it's P2PE.  I'm just wondering what the difference is, if any.  Thanks for your help.
2 Solutions
Well, terminology is a tricky business.  If they're being pedantic about it, then you need to ask them why, and what differentiates their solution from a P2PE solution.  I'd hold their feet to the fire about it, since PCI compliance is such a pain in the neck.

It could be functionally identical, but just not be a validated P2PE solution.  If you require a validated solution, that could be an issue.
GoNats (Author) Commented:
Thanks Asavner.  I have asked them and am waiting to hear back.  PCI compliance is a pain, but from what I've been reading and although it's not cheap, a validated P2PE solution makes compliance life much more bearable and achievable.  Our solution needs to be validated.
Dave Howe Commented:
Classically, an end to end solution encrypts the message, a peer to peer solution encrypts the transmission channel.

If there are only two actors in the system, there really isn't a distinction. If there are more than two actors though, it gets interesting.

To give an example, let's look at email.

An end-to-end solution is PEM (S/MIME) or PGP - you encrypt the message, you send the message, the recipient receives the message, the recipient decrypts the message.

A peer to peer solution would be TLS.
You send your mail unencrypted... BUT the transmission from you to your ISP's mail server is TLS (and hence, encrypted by the same mechanism HTTPS websites use).
Your ISP sends the mail on to THEIR ISP, and *might* use TLS, if it is offered, but probably won't insist on it.
The recipient may receive from the ISP via SMTP, or pull via IMAP or POP3. That may in fact be TLS also (hence, SMTPS, IMAPS, POP3S) or may not be.

In this case, there are 3 hops the mail goes through, and at each step past the first, you are reliant on a third party securing the channel (and the recipient is reliant on third parties securing each step prior to the last).

Does that make sense?
GoNats (Author) Commented:
It does. Thanks Dave!
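The hop-by-hop dependence in Dave Howe's email example can be checked on a received message. This is an added example, not part of the original thread: it reads the `Received` trace headers and reports which relay hops claimed TLS. The sample message and host names are constructed, and the `hops` and `unprotected_hops` helpers are hypothetical names.

```python
import re
from email import message_from_string

# Constructed sample message; hosts and addresses are documentation placeholders.
SAMPLE = """\
Received: from mx.recipient-isp.example (mx.recipient-isp.example [203.0.113.9])
    by mailstore.recipient-isp.example with LMTP id c3; Tue, 01 Jan 2019 10:00:03 +0000
Received: from out.sender-isp.example (out.sender-isp.example [198.51.100.7])
    by mx.recipient-isp.example with ESMTP id b2; Tue, 01 Jan 2019 10:00:02 +0000
Received: from laptop.example (laptop.example [192.0.2.10])
    by out.sender-isp.example with ESMTPSA id a1; Tue, 01 Jan 2019 10:00:01 +0000
From: alice@sender-isp.example
To: bob@recipient-isp.example
Subject: constructed sample

hello
"""

# "with" keywords registered in RFC 3848 for transfers that ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bwith\s+(\S+))?", re.I | re.S)


def hops(raw):
    """Return relay hops oldest-first as (from_host, by_host, protocol, tls_reported)."""
    result = []
    # Each relay prepends its header, so reverse to follow the message's path.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            result.append((None, None, None, None))  # unparseable trace line
            continue
        proto = (m.group(3) or "").rstrip(";").upper() or None
        tls = (proto in TLS_PROTOCOLS) if proto else None  # None = hop did not say
        result.append((m.group(1), m.group(2).rstrip(";"), proto, tls))
    return result


def unprotected_hops(raw):
    """Hops that did not report TLS; the headers are self-reported by each relay."""
    return [h for h in hops(raw) if h[3] is not True]


if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} (TLS reported: {tls})")
```

Even a hop that reports TLS only protected the channel: the relay itself still handled the message in the clear. The trace also does not cover the final IMAP or POP3 retrieval.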