PCI And EMV Cards: The Urban Myth That Won’t DieWritten by Walter Conway
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
The recent comments by leading retailers that want U.S. card issuers to move to the EMV standard for card authentication are missing the point. EMV cannot, does not and will not make PCI go away, regardless of recent moves by Visa Europe. As I have observed many times in the past, PCI is impervious to silver bullets of any kind. There are a few things every retailer needs to understand about both EMV and PCI before jumping on this particular bandwagon. To see what I mean, we need to conduct a little thought experiment.
In this thought experiment we will assume, as was suggested, that EMV becomes the “metric system” equivalent for payment cards. That means Chip-and-PIN—like a shift to the metric system—replaces all previous card and cardholder authentication methods. My EMV metric system card has no signature panel, no magnetic stripe. And the PAN is printed, not embossed, on the front of the card. Does PCI go away?
I suggest it does not. Retailers still have mail order and telephone order (MOTO) transactions where call center operators will key-enter cards and other payment information. Those call centers—including the people, processes and systems—will all be in scope for PCI. Retailers will also still need to deal with the security codes (CVV2, CVC2, CID). The same situation would hold for Web-based E-Commerce transactions.
Card-present transactions will rely on cardholders entering their PIN. That means PCI PTS rules would apply, and retailers would still need to meet PCI DSS Requirement 3.2.3 and not retain the PIN data. Much of the data is protected, to be sure, but that does not mean PCI becomes irrelevant.
Regardless of how perfect the EMV technology and its implementation are, some percent of face-to-face transactions will fail. This may be due to a system or power failure. In this case, the retail employee will need a (PCI-compliant) procedure to enter the PAN manually. Once again, the transaction process is in scope for PCI. The only alternative is to decline the card and accept only cash, an option most retailers will be loathe to take.
Lastly, although Europe and North America all adopt the EMV “metric standard,” what are cardholders to do when they travel to the rest of the world? How are travelers to use their EMV metric system card that now has a fancy chip but lacks a magstripe or even embossing? Someone will need to manually enter those PANs, and that process is certainly subject to PCI compliance.
Moving away from our thought experiment, my experience is that there is a lot more to PCI than securing the POS, as important as that is.