PCI And EMV Cards: The Urban Myth That Won't Die

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

The recent comments by leading retailers that want U.S. card issuers to move to the EMV standard for card authentication are missing the point. EMV cannot, does not and will not make PCI go away, regardless of recent moves by Visa Europe. As I have observed many times in the past, PCI is impervious to silver bullets of any kind. There are a few things every retailer needs to understand about both EMV and PCI before jumping on this particular bandwagon. To see what I mean, we need to conduct a little thought experiment.

In this thought experiment we will assume, as was suggested, that EMV becomes the "metric system" equivalent for payment cards. That means Chip-and-PIN—like a shift to the metric system—replaces all previous card and cardholder authentication methods. My EMV metric system card has no signature panel, no magnetic stripe. And the PAN is printed, not embossed, on the front of the card. Does PCI go away?

I suggest it does not. Retailers still have mail order and telephone order (MOTO) transactions where call center operators will key-enter cards and other payment information. Those call centers—including the people, processes and systems—will all be in scope for PCI. Retailers will also still need to deal with the security codes (CVV2, CVC2, CID). The same situation would hold for Web-based E-Commerce transactions.

Card-present transactions will rely on cardholders entering their PIN. That means PCI PTS rules would apply, and retailers would still need to meet PCI DSS Requirement 3.2.3 and not retain the PIN data. Much of the data is protected, to be sure, but that does not mean PCI becomes irrelevant.

Regardless of how perfect the EMV technology and its implementation are, some percent of face-to-face transactions will fail. This may be due to a system or power failure. In this case, the retail employee will need a (PCI-compliant) procedure to enter the PAN manually. Once again, the transaction process is in scope for PCI. The only alternative is to decline the card and accept only cash, an option most retailers will be loathe to take.

Lastly, although Europe and North America all adopt the EMV "metric standard," what are cardholders to do when they travel to the rest of the world? How are travelers to use their EMV metric system card that now has a fancy chip but lacks a magstripe or even embossing? Someone will need to manually enter those PANs, and that process is certainly subject to PCI compliance.

Moving away from our thought experiment, my experience is that there is a lot more to PCI than securing the POS, as important as that is. Moving away from our thought experiment, my experience is that there is a lot more to PCI than securing the POS, as important as that is. My colleagues and I see merchants and processors often struggle more with their back-office processes, people and systems that depend on the PAN. For these retailers, it is quite possible that solutions such as tokenization have at least as great a potential to reduce PCI scope as moving to EMV cards. Plus, a retailer can implement tokenization an awful lot sooner than waiting for every issuer on the planet to issue EMV chip cards.

The bottom line is that in a practical world, moving to a Chip-and-PIN regime will not remove the need for PCI compliance. I can think of one, and only one, way to make PCI go away: Stop taking plastic.

There are many things on which we all can agree. EMV or something like it is the way of the future for payment cards. The present magnetic stripe system of card authentication is ancient and flawed. It is prone to skimming and other low-tech forms of compromise. EMV is one option with great promise, but it, too, has its critics and has been successfully attacked and compromised.

Take a look at the payment cards in your wallet. How many of them still have the PAN embossed on the front? My guess is just about all of them do. Even though embossing was to have been rendered obsolete by the magstripe, most issuers still emboss the PAN on the card. The same situation exists if you have an EMV chip card—that is, you still have a card with a magnetic stripe and embossing.

This means that as long as the industry piles new security features on top of each other (don't forget the hologram!) without removing the old, presumably compromised or obsolete features, the bad guys are going to have a field day. And PCI will continue to be as relevant as ever.

Personally, I would love to see more U.S. banks issuing EMV chip cards. I travel to Europe, and without a chip card I can't rent a bike or buy a train ticket from an automated kiosk. I also get to argue with waiters and gas station attendants and show them how to swipe my poor, woefully inadequate (in their eyes) magnetic stripe card using their POS terminal.

On that basis alone, sign me up for an EMV chip card now. Just don't ask me to put on my QSA hat and say that that card made PCI go away.

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].

P.S. If you are reading this, then you are a subscriber to StorefrontBacktalk's Premium Service. That means you have received your user ID and password from the administrator. As resident PCI columnist (and your long-distance QSA), I would like to say just one thing to you: PCI Requirement 8.5.3. I'll leave 8.5.9-11 as exercises for advanced pupils.