What retailers need to know about reducing fraud with EMV chip and PCI standards
|Bob Russo GM PCI Security Standards Council|
By Bob Russo, GM, PCI Security Standards Council
As evidenced by recent high-profile breach incidents, keeping payment data secure in today's world is an increasingly complex challenge. While EMV chip solves one part of the problem, there's no single solution that addresses all security challenges.
For example, EMV chip is not intended to protect the ever-growing part of our global economy that conducts business online. Increasing security and reducing fraud requires a layered approach to security. PCI standards, in concert with EMV chip and other technologies that devalue data, provide a multi-layered strategy for defending against criminals that are after card data for fraudulent use.
As EMV chip comes to the U.S., here are a few considerations for retailers on leveraging this new technology in conjunction with PCI standards to better protect their customer data.
Don't forget about e-commerce. EMV chip provides excellent protection against fraud in a face-to-face environment. But in preparing for migration to EMV chip, multi-channel organizations need to consider their entire payment infrastructure, including e-commerce environments and not just brick and mortar or physical devices. In fact, those countries that have adopted EMV chip have experienced a significant spike in types of fraud, especially in card-not-present environments, like e-commerce. The PCI DSS E-commerce Guidelines can help clarify how to apply PCI standards to secure online transactions.
Time to re-evaluate your terminal security. EMV chip migration is a great opportunity to look at overall terminal security, and for retailers to invest in a terminal that meets various security standards and needs. When thinking about your terminal infrastructure for EMV chip, take advantage of the PCI PIN Transaction Security (PTS) listing and consider a V3 terminal. Also consider any future Point-to-Point Encryption (P2PE) plans and what additional layers of security you may want.
There's no silver bullet. Implementing EMV chip doesn't do away with the need for secure passwords, patching systems, monitoring for intrusions, using firewalls, managing access, developing secure software, educating employees and having clear processes for the handling of sensitive payment card data – all of which are covered in the PCI Standards.
These processes are critical for all businesses – both large retailers and small businesses – who themselves have become a target for cyber criminals. EMV chip technology can have a strong positive impact on small businesses, but if small businesses are not aware of the need to secure other parts of their systems, or if they purchase services and products that are not capable of doing that for them, then they will still be subject to the ongoing exposure of cardholder data and the resulting financial or reputational risk.
Together, PCI standards and EMV chip provide the best protection for cardholder data across the entire transaction.
For more information on how PCI standards and EMV chip work together, visit the PCI SSC website.
The PCI Security Standards Council works closely with EMVCo and is an active member of the EMV Migration Forum (EMF). For additional information and resources on EMV chip, check out www.EMVCo.com and www.emv-connection.com.
Bob Russo, GM of the PCI Security Standards Council, works with representatives from American Express, Discover, JCB International, MasterCard and Visa to drive awareness and adoption of the PCI Data Security Standard. He is responsible for driving the organization's growth and development, as well as meeting its goals to create educational programs, establish pools of certified Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), PCI Forensic Investigators (PFIs), Approved Scanning Vendors (ASVs), and incorporate feedback from all stakeholders across the payment chain into the work of the Council and the development of new standards. In addition, Russo oversees the PCI Security Standards Council's training, testing and certification programs for QSAs, ISAs, PFIs, and ASVs.