Will EMV Make You PCI Compliant?

December 18, 2014 • Categories: PCI 101

Understanding EMV’s capabilities in relation to data security and PCI compliance.

Many merchant acquirers, payment processors and Independent Sales Organizations (ISOs) have been reaching out to business owners to alert them to America’s 2015 migration from magstripe (i.e., “swipe”) credit/debit cards to EMV (i.e., “chip”) payment cards.

The new EMV cards will have much-needed, enhanced anti-fraud capabilities at the physical point of sale. So, when your customer presents a card for payment, it will be much easier to tell if that card actually belongs to them.

While EMV represents a significant improvement in the way credit/debit card fraud is detected and prevented, some have confused EMV’s capabilities with the concepts of data security and PCI compliance.

Does EMV override PCI?

The short answer is no, EMV technology does not satisfy any PCI requirements, nor does it reduce PCI scope.

What EMV is:

  • It is counterfeit card fraud protection – it makes it more difficult for bad guys to make use of stolen card data

What EMV is not:

  • It is not encryption – EMV does not encrypt the Primary Account Number (PAN) and therefore the card data must still be protected according to PCI guidelines
  • It is not helpful for ecommerce transactions – EMV only works for card-present transactions

So, if your business accepts credit or debit cards in a physical store (or other face-to-face setting), you will need to implement the EMV technology and PCI standards in a layered fashion. For example, as you upgrade your terminals for EMV, consider adding point-to-point encryption (P2PE) capabilities to reduce PCI scope and protect data end to end. In addition, using tokens after authorization can prevent the card data from being used, should it be stolen.

Even if 100% of your payment transactions are ecommerce (i.e., card-not-present), you’ll want to take a closer look at your payment acceptance methods as well as the security of your web applications. That’s because as EMV takes effect, you will see a shift in fraud from card-present transactions to ecommerce. This happened in Europe and it’s expected to happen in the U.S. as well.

Just getting started with PCI DSS compliance?

Want to learn more about reducing your PCI compliance scope or just need a good place to get started with PCI compliance? Check out the free ControlScan white paper, “The Top 5 Security Best Practices for Small Merchants,” for ways to jump-start your efforts.

Subscribe to this blog for additional tips and webinar announcements.
