
How Does EMV Adoption Relate to PCI Compliance?

09/30/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


The October 1, 2015 date on which the card brands shift liability for counterfeit card-present fraud onto merchants that cannot process Europay, MasterCard and Visa (EMV) chip transactions has raised some concerns among organizations that don't know if or how this requirement relates to PCI compliance requirements. Is there an intersection? Let's walk through some details on both.

Europay, MasterCard, and Visa are the three companies that originally created what is now the global standard for chip-based credit and debit payment cards. An EMV chip holds a card-specific secret key and uses it to compute a cryptogram over the details of each transaction, so every point-of-sale (POS) authorization carries a unique, one-time code that the issuer verifies. Copying the data that crosses the terminal does not yield the key, which makes physical counterfeiting of cards far more difficult. EMVCo, a consortium with control split equally among Visa, MasterCard, JCB, American Express, China UnionPay, and Discover, now manages the standard. EMV improves the detection and prevention of in-store credit/debit card fraud through that per-transaction cryptogram and, depending on how the card and terminal are configured, through cardholder verification (a PIN or a signature) before the transaction is processed. It does nothing, however, against card-not-present fraud such as fraudulent online purchases.

Late is Better Than Never

According to EMVCo, 32% of card-present transactions globally in 2014 utilized EMV, with much of Europe leading the way at 96.60%. Canada, Latin America and the Caribbean followed with a respectable 85.41%. Wondering where the U.S. fell in 2014? At 0.12%. Yes, that is 12 one-hundredths of one percent.

That percentage of EMV transactions in the U.S. should increase dramatically, however: card issuers and merchants in the U.S. were expected to be EMV-capable by October 1, 2015, the date the card brands set for shifting fraud liability.

The October 1st EMV liability shift puts pressure on card issuers to issue new cards with EMV chips, but it puts an even greater burden on merchants to accept and process them. In most cases, a merchant will need to purchase and install new chip-capable card readers before it can process an EMV transaction. After the shift, liability for a counterfeit card-present transaction falls on whichever party did not support the chip: if a chip card is used at a merchant that can only swipe the magnetic stripe, the merchant, rather than the issuing bank that previously absorbed the loss, bears the fraudulent charges. The card brands put this shift in place to compel U.S. merchants to complete the upgrades necessary to enable EMV transactions.


The Benefits of EMV

As previously mentioned, EMV's chief benefit is protection against card-present transaction fraud. When the card's chip is inserted into a capable reader, the chip uses its embedded key to generate a unique, one-time cryptogram that authenticates both the card and the specific transaction (the amount, a counter kept inside the chip, and a random value supplied by the terminal), so a code captured from one purchase is useless for any other. That is the first layer of protection. EMV further insulates against fraud by requiring the cardholder to approve the transaction through a second check, either a PIN or a signature. With a PIN, this resembles the two-factor authentication many organizations now require on their networks, where a password (something you know) must be paired with a token value (something you have). A signature is a far weaker second check, since nothing verifies it cryptographically.

This differs from the traditional magnetic stripe, whose data never changes and can be copied by any reader that sees it and written onto a blank card. While EMV isn't foolproof, chip card data is much harder to clone than a magnetic stripe, greatly reducing the possibility of counterfeit card fraud. Note that most U.S. chip cards still carry a magnetic stripe as a fallback, so the protection applies only where the chip is actually used.
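To make the difference between the two mechanisms concrete, here is an added example (not code from the original post, and not EMV's real cryptogram algorithm, which uses issuer-derived 3DES/AES keys and an issuer-defined ARQC over a fixed list of data elements). HMAC-SHA256 stands in for the cryptogram MAC, the issuer master key and PAN are constructed test values, and the `ChipCard`, `MagstripeCard` and `Issuer` classes are hypothetical. It shows a legitimate chip authorization verifying, a captured chip record failing when replayed or altered, and a skimmed magnetic-stripe track being accepted unchanged.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed, hypothetical issuer master key. A real issuer keeps this in an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key derived from the issuer master key and the PAN.
    Real EMV derives a 3DES/AES key from PAN and PAN sequence number;
    HMAC-SHA256 stands in for that derivation here."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def cryptogram(card_key: bytes, pan: str, atc: int, amount: int, un: bytes) -> str:
    """MAC over the data that changes on every purchase (stand-in for the ARQC).
    atc: application transaction counter; amount in minor units; un: terminal nonce."""
    msg = b"|".join([pan.encode(), atc.to_bytes(2, "big"), amount.to_bytes(6, "big"), un])
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class ChipCard:
    pan: str
    card_key: bytes
    atc: int = 0  # incremented by the chip itself on every authorization

    def authorize(self, amount: int, un: bytes) -> dict:
        """The chip's side of one purchase: bump the counter and MAC the transaction."""
        self.atc += 1
        return {
            "pan": self.pan,
            "atc": self.atc,
            "amount": amount,
            "un": un,
            "cryptogram": cryptogram(self.card_key, self.pan, self.atc, amount, un),
        }


@dataclass
class MagstripeCard:
    pan: str
    track2: str  # static: identical on every swipe, so one skim captures everything

    def swipe(self, amount: int) -> dict:
        return {"pan": self.pan, "amount": amount, "track2": self.track2}


@dataclass
class Issuer:
    master_key: bytes
    last_atc: dict = field(default_factory=dict)  # highest ATC accepted per PAN

    def verify_chip(self, txn: dict) -> bool:
        """Recompute the cryptogram and reject any reused or stale counter."""
        key = derive_card_key(self.master_key, txn["pan"])
        expected = cryptogram(key, txn["pan"], txn["atc"], txn["amount"], txn["un"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False  # altered amount/nonce, or a cryptogram forged without the key
        if txn["atc"] <= self.last_atc.get(txn["pan"], 0):
            return False  # replay of an already-used counter
        self.last_atc[txn["pan"]] = txn["atc"]
        return True

    def verify_stripe(self, txn: dict, known_track2: str) -> bool:
        """A stripe-only check has nothing per-transaction to verify: a copy passes."""
        return hmac.compare_digest(txn["track2"], known_track2)


def demo() -> dict:
    """Run the four scenarios and return which ones the issuer accepted."""
    pan = "4111111111111111"  # constructed test PAN
    issuer = Issuer(ISSUER_MASTER_KEY)
    chip = ChipCard(pan, derive_card_key(ISSUER_MASTER_KEY, pan))
    stripe = MagstripeCard(pan, "4111111111111111=25121011000012345678")  # constructed track
    un = secrets.token_bytes(4)  # terminal-chosen unpredictable number

    legit = chip.authorize(amount=4999, un=un)
    results = {"chip_legit": issuer.verify_chip(legit)}

    # A skimmer at the terminal captures the whole chip record and replays it verbatim.
    results["chip_replay"] = issuer.verify_chip(dict(legit))

    # The attacker reuses the captured cryptogram on a new purchase with a new amount and nonce.
    forged = dict(legit, amount=99900, un=secrets.token_bytes(4))
    results["chip_forged"] = issuer.verify_chip(forged)

    # A counterfeit card encoded with the skimmed track is indistinguishable from the original.
    swipe = stripe.swipe(amount=99900)
    results["stripe_clone"] = issuer.verify_stripe(swipe, stripe.track2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} {'accepted' if ok else 'rejected'}")
```

The monotonic ATC check is what turns "unique code" into "one-time code": without it, a captured record with a valid cryptogram could be replayed for the same amount at a terminal that happened to reuse the nonce. Real issuers enforce the same rule on the ATC carried in the authorization message.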

What’s Behind Low EMV Adoption?

Why was the U.S. share of EMV transactions so low? The answer is twofold. The first reason is financial. For a long time, the U.S. was the leader in credit card technology. As a result, a lot of money was poured into the nation's card processing infrastructure, so return on investment in the existing technology trumped an immediate move to EMV. The second is cultural. U.S. cardholders are used to the swipe. It's quick: just swipe and sign. An EMV transaction takes longer, since the card stays in the reader while the chip and terminal exchange data, so merchants have been reluctant to make the shift; it forces customers to change their payment habits and may initially slow down checkout.

The Burning Question: EMV-compliant versus PCI-compliant – Is there a difference?

Some confuse the EMV migration with PCI DSS compliance. The most important thing to understand is that EMV has no direct effect on an organization's PCI compliance obligation: it does not reduce PCI scope, and it certainly does not change the entity's responsibility to be PCI compliant. A chip transaction still delivers the primary account number (PAN) to the terminal and to every system behind it, so any place that data is stored, processed, or transmitted remains in scope exactly as it was with a swipe. Compliance isn't an either/or proposition. If you accept credit cards, you need to be PCI compliant, and you need EMV acceptance to avoid the counterfeit-fraud liability.

PCI and EMV have different requirements, and each protects a distinct aspect of cardholder data. EMV reduces card-present counterfeit fraud but does nothing to protect card data that an organization stores, processes, or transmits; the chip authenticates the card, not the merchant's network. The PCI DSS protects card data that is stored, processed, and transmitted but does nothing to validate whether a specific card transaction is genuine. Where scope reduction is the goal, it comes from controls such as PCI-validated point-to-point encryption or tokenization, not from chip acceptance. Consequently, EMV isn't a substitute for PCI compliance, PCI isn't a replacement or catchall for EMV, and the two together improve overall card security.

Don’t Delay Compliance

U.S. card issuers, merchants and other organizations that accept card transactions must get on board with EMV to insulate themselves against future counterfeit-fraud liability. Half of all credit card fraud happens in the U.S., in large part because so many transactions still rely on the outdated magnetic stripe. EMV has proven effective at reducing such card-present fraud in the regions that adopted it.

Cyber criminals aren't going to wait to steal card data, so merchants shouldn't delay either of these card security efforts. If a breach or fraud occurs, the money "saved" by delaying a compliance investment will look small next to the losses from the incident. If you don't know where to start, engage a reputable data security firm that is well versed in card compliance issues.
