If you're a merchant working to maintain a high level of security for cardholder data, you've probably heard quite a lot about the EMV transition and PCI compliance. And you may be wondering how these two security strategies connect.
Let's talk first about how EMV technology is different from the Payment Card Industry Data Security Standard (PCI DSS).
During the EMV transition, chip cards are replacing magnetic stripe cards in customers' wallets. (Keep in mind the current generation of cards contains both technologies.) And merchants are upgrading payment terminals and point-of-sale (POS) software to process these transactions.
As you probably know, EMV cards affect the card-present environment and use dynamic data to make it difficult to steal and duplicate a consumer's card. Each time one of these cards is used at the point of sale, the chip creates a unique, single-use authentication code to complete the transaction.
PCI DSS requires that every business that processes, stores, or transmits card information maintain a secure environment. That means protecting cardholder data from the time a card is swiped or dipped until the transaction leaves the merchant's POS system, and long after if the card data is stored anywhere on the merchant's network. And PCI compliance isn't limited to merchants, but extends to third-party payment processors and other companies that handle some part of the card transaction.
PCI compliance also extends to card-not-present (CNP) transactions, when consumers pay online or over the phone. That's one difference between these security standards, as today's EMV technology secures only face-to-face transactions.
PCI compliance and the EMV transition: a layered approach
Now that you know how each of these security standards works, let's talk about how they complement each other.
As with many data security strategies, no single solution can prevent data loss. That's why industry experts recommend layering multiple tactics.
When a payment card is presented at the point of sale, the EMV chip provides an additional level of authentication, increasing the security of the transaction and reducing the likelihood of fraud.
But as the card data passes into the merchant's POS system and through their network, it can be vulnerable to intrusions at unsecured access points and to unauthorized physical access via the point of sale. And if card numbers are transmitted or stored without any type of encryption, the confidential data can be stolen. That's where PCI compliance strategies come in.
PCI standards offer additional security layers across the entire card processing system. That includes protection for the POS device where the card is read, plus controls throughout the transaction process and across payment channels.
By monitoring for intrusions, creating effective firewalls, limiting and managing access, using secure software and mobile apps, educating employees, and developing clear processes for handling sensitive payment card data, merchants can significantly reduce the opportunity for data compromise.
That's why it's important that business owners get ready for the EMV transition while maintaining PCI compliance. Both are necessary to ensure the highest level of security for valuable payment card data.
How is the EMV transition changing the way you look at PCI compliance?
ABOUT THE AUTHOR
Jeremiah Shea leads Ingram Micro’s DC/POS Payments Program and provides support for vendors like Verifone, Ingenico, Magtek, ID Tech, and Equinox. He has been part of the DC/POS division at Ingram Micro now for five years, working with all facets of the business for strategic execution. Jeremiah has also become the subject matter expert on EMV readiness and overall payments strategy. With a technical background and a sound understanding of the business, he is a great resource to tap for any and all questions relating to EMV, but more broadly anything DC/POS related as well.
Phone: 1-800-456-8000 ext 64810