Every day, millions of customers all over the globe use their payment cards in thousands of stores, generating an enormous number of transactions. During these transactions there are many risk factors affecting cardholder data that need to be addressed, including the integrity of the card-reading device or terminal itself (PoS, PED, standalone dial-out, etc.), the exposure of the network the device is connected to (e.g. the Internet, or a network shared with other devices in your business) and the security of any storage location where customers' data is held.


The consequences, should any of your cardholder data be stolen along the way, could cause major headaches to your business, your customers and the company that provides their payment card.

As many businesses strive to achieve PCI compliance, a well-known standard called EMV Chip will soon be used across the United States (it was created in Europe in 1995). This is causing some confusion among American merchants and MPA's (Merchant Portfolio Authorities).

You need to know what EMV is about and be aware that, regardless of what many wrongly say, it does not replace PCI DSS but complements it. In this article we explain how these two standards complement each other and which risks each aims to mitigate.

What is EMV Chip technology

EMV chip is a technological standard created by Europay, MasterCard, and Visa, hence its acronym. Unlike a conventional card, which stores its information on a magnetic stripe that must be swiped, an EMV card is effectively a 'smart' card: the information is stored on a tiny piece of circuitry embedded in the card.

It is a chip rather than a magnetic stripe, which is why we often use "EMV Chip" as a somewhat reductive name for this technology. We all must be aware that cloning a non-EMV, magstripe-based card is a kid's game nowadays: the needed hardware can be found very easily on eBay, AliBaba and similar e-shops.


We refer to cloning as the act of making an exact copy onto another blank card so that it can be used in a face-to-face scenario. Stealing the card number and all the security-related numbers and using them online is not referred to as cloning and, as we will see later in this article, there is nothing EMV can do to mitigate that risk.

While cloning an EMV-based card is still impossible nowadays, it is possible to carry out attacks against those cards which may still lead to fraud, as the pre-play attack does.

However, the EMV standard makes card-present transactions more secure (card present means the card is physically present at the merchant; card not present refers to transactions completed online or over the phone). Instead of relying on the static data written on the magnetic stripe, in an EMV transaction the chip on the card uses cryptographic algorithms to prove the authenticity of the card to the issuer's systems in real time, and the cardholder is verified through a Cardholder Verification Method (CVM, usually PIN or signature).
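The difference between static magstripe data and a chip cryptogram, as an added illustration that is not code from the original article or from the EMV specifications: the chip's response depends on a transaction counter and a terminal-chosen nonce, so a captured response cannot be reused, whereas copied track data is indistinguishable from the original. The key, PAN and nonce values are constructed, and HMAC-SHA256 stands in for the card's real MAC algorithm.

```python
import hashlib
import hmac
# Added illustration, not EMV specification code: a magstripe card presents the same
# static track data on every swipe; an EMV chip returns a cryptogram over transaction
# data, a counter and a terminal nonce (HMAC-SHA256 stands in for the real 3DES/AES MAC).
ISSUER_KEY = b"constructed-issuer-key"  # assumption: secret shared by card and issuer

def magstripe_track(pan: str, expiry: str) -> str:
    """Static track data: identical on every swipe, so a copy is indistinguishable."""
    return f"{pan}={expiry}"

def cryptogram_input(pan: str, amount: str, atc: int, nonce: str) -> bytes:
    """Data the cryptogram covers: transaction details, counter and terminal nonce."""
    return f"{pan}|{amount}|{atc}|{nonce}".encode()

class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key = pan, key
        self.atc = 0  # Application Transaction Counter, incremented per transaction

    def generate_cryptogram(self, amount: str, nonce: str):
        self.atc += 1
        msg = cryptogram_input(self.pan, amount, self.atc, nonce)
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).hexdigest()

class Issuer:
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = {}  # highest ATC accepted per PAN

    def authorise(self, pan: str, amount: str, nonce: str, atc: int, cryptogram: str) -> bool:
        expected = hmac.new(self.key, cryptogram_input(pan, amount, atc, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram):
            return False  # cryptogram was not computed for this nonce/amount/counter
        if atc <= self.last_atc.get(pan, 0):
            return False  # counter reused: a captured transaction replayed as-is
        self.last_atc[pan] = atc
        return True

def demo():
    card, issuer = ChipCard("4111111111111111", ISSUER_KEY), Issuer(ISSUER_KEY)  # test PAN
    atc, crypt = card.generate_cryptogram("10.00", "1a2b3c4d")  # nonce values are constructed
    genuine = issuer.authorise(card.pan, "10.00", "1a2b3c4d", atc, crypt)
    # Captured cryptogram presented again: a fresh nonce breaks the MAC; the old nonce fails the counter check.
    replay_new_nonce = issuer.authorise(card.pan, "10.00", "9e8f7a6b", atc, crypt)
    replay_old_nonce = issuer.authorise(card.pan, "10.00", "1a2b3c4d", atc, crypt)
    static_copy = magstripe_track(card.pan, "2512") == magstripe_track(card.pan, "2512")
    return genuine, replay_new_nonce, replay_old_nonce, static_copy
```

The whole scheme rests on the terminal's nonce being unpredictable, which is exactly the assumption the pre-play attack mentioned above undermines.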

The goal is to avoid leaving it to the cashier to check the cardholder's signature and to judge whether the card has been tampered with. EMV is not designed to encrypt data, so data such as the Primary Account Number (PAN) and expiration date, which can be used for fraudulent card-not-present transactions, may still be exposed.

Additionally, EMV technology also sets the standard for contactless payment, allowing card users to pay for their goods securely, without putting their card into a card reader or other point of sale device.

As a result, it is a lot less likely that your business will be processing physical transactions made by those who have stolen someone else's card or who are using a lost card they have found (because they cannot deduce the PIN from the card itself). And of course they will not (as of today) be able to use a cloned card.

Why you shouldn't replace PCI DSS with EMV

As explained, EMV is a wonderful technology as it greatly decreases the risk of Merchants, Service Providers and Retailers accepting payments from criminals or fraudsters; but it does not offer comprehensive security. EMV is not an all-round data protection standard and only takes care of encrypting and protecting one piece of data, the PIN, which is not needed for online (card-not-present) transactions. Indeed, the important limitation is that EMV does not stop you from accepting counterfeit or stolen cards in transactions where the card is not present, such as those that take place online.

Furthermore, EMV does not encrypt vital data such as the Primary Account Number (PAN), CSC/CVV and the like. This means that while the technology offers a great deal of protection in a face-to-face scenario to validate the identity of the cardholder, it has no effect on the security of the data as it is transmitted or stored. As a result, using only EMV still leaves the cardholder data open to exploitation, which is a massive risk that needs to be addressed.

EMV Chip and PCI DSS integration is the way ahead

So instead of scrapping your PCI compliance and relying solely on EMV to keep your customers' data safe, what you should do is incorporate both of them into your IT security practices. This infographic from the PCI SSC website explains the point really well.

In 2009, Visa, MasterCard, American Express, Discover, and JCB teamed up and formed the PCI SSC (Payment Card Industry Security Standards Council), a group that would release the PCI DSS (Payment Card Industry Data Security Standard). The PCI DSS contains several requirements, which are regularly added to and updated; the latest version, PCI DSS 3.1, was published in April 2015. The main goal of the standard is to allow those that handle cardholder data in any way, shape or form to do so in a secure and accountable manner and to keep up with the security threats of today. The standard is based on a continually updated understanding of the threat landscape and of the growing number of risks to which customers are constantly exposed.

The PCI DSS list of requirements covers many aspects of a transaction that EMV technology does not affect: the security of the card-reading devices and terminals themselves (PoS, PEDs, standalone dial-out terminals), which is covered by PCI DSS requirement 9.9, and the transmission and storage of data. It also offers a great deal of guidance on how to monitor your business's security and even how to train your employees in proper IT security best practices.

Together, the PCI DSS and EMV make up an effective team, a two-pronged approach for keeping malicious actors away from cardholder data.

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA