PCI Compliance and the Transition to EMV

October 8, 2015 at 11:19 AM

One week ago today was a very big day in the world of credit card payments, credit card processing, and ultimately in who carries the liability when a card is used fraudulently. In case you are wondering, I am referring to the October 1st deadline that the card brands set for card issuers and merchants in the United States to move to EMV, or "chip", cards for both credit and debit. It was not a law but a liability shift: after that date, the cost of certain fraudulent transactions moves to whichever party has not adopted the technology. What is this transition and what impact will it have on PCI Compliance for merchants and service providers? Let's find out!

The first thing that we need to do is discuss what EMV technology is, and probably more importantly, what it is not. EMV stands for Europay, MasterCard, and Visa, the three companies that originally created the standard (it is now maintained by EMVCo). It has been used in various parts of the world, specifically areas outside the United States, for many years. EMV cards carry a "chip" on the front of the card that makes them very difficult for criminals to counterfeit. A magnetic stripe holds static data, so whatever a skimmer copies from one swipe can be written onto a blank card and used again. The chip instead computes a unique cryptogram for every transaction using a key that never leaves the card, so data captured from one transaction cannot be used to manufacture a working clone. That is what makes these cards more secure than the magnetic stripe cards we have been using for years.

But that security only goes so far, and that is for transactions that are referred to as "Card Present" transactions. Just as it sounds, this is where you physically present your card at a terminal or reader (or a cashier does it for you). As of October 1st, merchants needed chip-capable terminals and software in place so that you no longer swipe your card but insert it into the machine, which reads the little computer chip on the front. This makes these transactions more secure than magnetic stripe technology. But what about online transactions? Does EMV impact those? Unfortunately, the simple answer to that question is no, it does not. There is no reader to gather the information from the card; you are typing the card number into some sort of web form for processing, and the chip never takes part. This could ultimately lead to a rise in attacks on e-commerce platforms as they become the easier target, but that is a completely different topic for another blog post!

Now that we have covered what EMV technology is, we have to outline what it is not. One thing that we have seen numerous times is that when a new technology comes out, organizations get complacent, thinking the new technology is a silver bullet that will make them secure, keep them compliant, and eliminate their risk. While EMV technology is a shift in the right direction, there are things that it is not:

  • EMV is not encryption. The chip hands the primary account number (PAN) and expiry date to the terminal in the clear, and the card still carries a magnetic stripe, so cardholder data is still flowing through the merchant environment and PCI DSS 3.1 must still be adhered to
  • EMV is not helpful for card-not-present transactions, as we briefly discussed earlier. Therefore, PCI DSS 3.1 must still be adhered to for e-commerce, mail order, and telephone order channels
  • EMV is not a cure for an ongoing problem. It is one more control that companies can use to better protect sensitive credit card data, not a replacement for the others
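The difference between static stripe data and a per-transaction chip cryptogram, and the fact that the PAN still travels in the clear in both cases, can be seen in a small simulation. This is an added illustration written for this page, not code from the original post or from any EMV implementation. It uses HMAC-SHA256 over a constructed transaction record as a stand-in for the EMV application cryptogram (real cards derive 3DES or AES session keys from an issuer master key and MAC a defined set of data elements, and the issuer also replies with its own cryptogram); the PAN, expiry, and card key are constructed test values.

```python
"""
Toy model of why skimmed magnetic-stripe data can be replayed while a skimmed
EMV chip exchange cannot, and why the PAN is still in the clear either way.
Constructed example: HMAC-SHA256 stands in for the EMV application cryptogram.
"""
import hashlib
import hmac
import secrets

# Constructed test card (not a real account); the key is shared by card and issuer.
PAN = "4111111111111111"
EXPIRY = "2512"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def cryptogram(key: bytes, amount: int, un: bytes, atc: int) -> bytes:
    """MAC over amount, terminal unpredictable number (UN) and the card's
    application transaction counter (ATC). Truncated like a real 8-byte ARQC."""
    data = amount.to_bytes(6, "big") + un + atc.to_bytes(2, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Authorization host: knows each card's key and the last ATC it accepted."""

    def __init__(self):
        self.cards = {PAN: {"key": CARD_KEY, "expiry": EXPIRY, "last_atc": 0}}

    def authorize_magstripe(self, track2: str) -> str:
        # Track 2 is static data: anything matching the record looks genuine.
        pan, _, rest = track2.partition("=")
        rec = self.cards.get(pan)
        if rec is None or rest[:4] != rec["expiry"]:
            return "declined"
        return "approved"

    def authorize_emv(self, msg: dict) -> str:
        rec = self.cards.get(msg["pan"])
        if rec is None:
            return "unknown_card"
        expected = cryptogram(rec["key"], msg["amount"], msg["un"], msg["atc"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "bad_cryptogram"   # no card key, or UN/amount changed
        if msg["atc"] <= rec["last_atc"]:
            return "replay"           # counter did not advance: captured message
        rec["last_atc"] = msg["atc"]
        return "approved"


class MagstripeCard:
    def read(self) -> str:
        return f"{PAN}={EXPIRY}101"   # identical bytes on every swipe


class ChipCard:
    def __init__(self):
        self.atc = 0   # application transaction counter, incremented per use

    def generate_ac(self, amount: int, un: bytes) -> dict:
        self.atc += 1
        # PAN and expiry leave the chip in the clear; only the MAC is secret-derived.
        return {"pan": PAN, "expiry": EXPIRY, "amount": amount, "un": un,
                "atc": self.atc, "arqc": cryptogram(CARD_KEY, amount, un, self.atc)}


def terminal_unpredictable_number() -> bytes:
    return secrets.token_bytes(4)   # fresh challenge from the terminal per transaction


def magstripe_replay_demo():
    """Returns (genuine swipe result, cloned-stripe result)."""
    issuer = Issuer()
    skimmed = MagstripeCard().read()
    return issuer.authorize_magstripe(skimmed), issuer.authorize_magstripe(skimmed)


def emv_replay_demo():
    """Returns (genuine, identical replay, replay at a terminal with a new UN)."""
    issuer = Issuer()
    card = ChipCard()
    captured = card.generate_ac(2500, terminal_unpredictable_number())
    genuine = issuer.authorize_emv(captured)
    same_bytes = issuer.authorize_emv(captured)
    elsewhere = issuer.authorize_emv(dict(captured, un=terminal_unpredictable_number()))
    return genuine, same_bytes, elsewhere


if __name__ == "__main__":
    print("magstripe (genuine, clone):", magstripe_replay_demo())
    print("emv (genuine, replay, other terminal):", emv_replay_demo())
    print("PAN visible in chip response:", ChipCard().generate_ac(1, b"\0\0\0\0")["pan"])
```

The cloned stripe is approved exactly like the original, while the captured chip message fails either on the counter (same terminal) or on the cryptogram (any other terminal). Note that `captured["pan"]` is the full account number in both flows, which is why the terminal, its network path, and any system that logs the authorization request remain in PCI DSS scope.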

Why the change? Why make this enormous investment to re-issue millions of credit cards and push retailers to spend thousands of dollars on new credit card terminals? Did you know that almost 50% of the world's credit card fraud occurs in the United States? Did you know that only about 25% of the world's credit card transactions are processed in the United States? Let that sink in for a minute, as this is pretty powerful: half of the world's card fraud occurs where only a quarter of the world's transactions take place. Wow!

The final point that I want to make is the liability shift that comes with the transition to EMV cards and EMV terminals. In the good old days of the magnetic stripe, the card issuer generally absorbed the loss when a counterfeit card was used at a merchant. With this transition, liability for counterfeit card-present fraud has shifted to "whichever party is least EMV compliant in a fraudulent transaction." If a merchant has not installed EMV-capable terminals and accepts a counterfeit copy of a chip card by swiping its magnetic stripe, the merchant is now responsible for the charges incurred as a result of the fraud; if the issuer has not yet put a chip on the card, the liability stays with the issuer. Card-not-present fraud is not covered by the shift at all.

Now would be a good time for your organization to consider having a PCI Risk Assessment completed. As the PCI Security Standards Council outlines in Requirement 12.2, a thorough risk assessment should be performed at least annually and whenever there are significant changes to the environment. A major shift such as the transition to EMV technology, with new terminals, new software, and a transfer of liability, definitely falls into the category of a significant change. Download Compass IT Compliance's PCI DSS compliance services datasheet to learn more about the services that we offer to help your organization achieve and maintain compliance with the PCI Data Security Standard.
