The new technology used in credit cards is chip technology. Cards with chips are known as EMV cards; EMV stands for Europay, MasterCard, Visa. EMV cards come in two flavors: chip and PIN, or chip and signature. MasterCard acquired Europay in 2002. EMV cards have been in use in Europe since 1992. Unlike magnetic stripe cards, EMV cards allow for dynamic authentication of the card. EMV cards are used all over the world, except in the US, where they are only now being slowly introduced. It is a lot easier to counterfeit a magnetic stripe card than an EMV card. The PCI standard distinguishes two primary means of card use: Card Present (CP) and Card Not Present (CNP). Wherever POS (Point of Sale) terminals are in use, the CP method is used for authentication. The CNP method uses the Card Verification Value (CVV) to authenticate the card data. However, with the widespread use of mobile devices and online purchases, more and more transactions use the CNP method for authentication. This requires the merchant to use secure channels to capture the credit card data: the card number, the expiration date and the Card Verification Value. Protecting credit card data is an onerous job for many small and medium-sized businesses (SMBs), which is why using third-party security service providers to handle credit card processing is more cost-effective for SMBs. PCI forecasts that when criminals have difficulty using the CNP method to defraud, they will switch to the CP method wherever POS terminals are not EMV-compliant. When fraud occurs at a CP terminal that is not EMV-compliant, the merchant becomes liable for the financial loss.
Worldwide, there are 5 billion magnetic stripe cards in use, and in the US Visa alone has over 1 billion cards in circulation. There are 15 million magnetic stripe POS terminals in the US. Since credit cards are usable in ATMs as well, any change of technology in the US must take into account the 360,000 ATM machines. Besides credit cards, there are 520 million debit cards in circulation. Converting all of them to the EMV standard will cost several billion dollars and take a significant amount of time, which is why adoption of the EMV standard in the US is rather slow. The new requirement from Visa and MasterCard is that merchants become liable for losses from October 2015 if they have not introduced EMV-compliant POS terminals. For ATM machines this liability shift occurred as of April 2013. The liability also shifts to merchants in October 2017 for gas pump card readers that are not EMV-compliant.
PCI DSS launched its current standard, version 3.0, on January 1, 2014. Their recommendation is to grant an extended grace period for organizations to comply with the requirements of the new standard; those requirements become fully operational on July 1, 2015. The main features to implement are highlighted below:
- Implement a firewall between the external systems and the credit card data environment
- Change default passwords on all third party hardware/software in use
- Install EMV-compliant POS terminals
- Keep cardholder data storage to a minimum, with suitable policies regarding data retention and data disposal
- Do not store sensitive authentication data after authorization
- Use strong encryption for all stored data
- Do not store full data from any track (i.e., either the magnetic stripe or the chip)
- Do not store CVV data for use with CNP transactions. Pass the CVV data to the transaction authorizing entity only.
- Do not store the PIN value. This should be with the card issuing bank, the customer and the transaction authorizing entity.
- Use strong encryption for wireless networks transmitting cardholder data
- Practice the principle of least privilege for access to cardholder data
- Provide physical security to any stored card holder data
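As an added example, not code from the original article, the following Python implements the data-retention items in the list above (minimal cardholder data storage, no sensitive authentication data after authorization, no full track data, no stored CVV, no stored PIN): a sanitizer that reduces an authorization record to the fields a merchant may keep, with the PAN truncated, and a scanner that finds track data, Luhn-valid PANs and CVV values that have leaked into terminal or application logs. The field names, the retention set, the record and the log lines are constructed for illustration; the track layouts follow ISO/IEC 7813, and truncation to the first six and last four digits is used here as one permitted way of rendering a stored PAN unreadable (the example does not show the encryption alternative).

```python
import re
from typing import Dict, List, Tuple

# Track 1 and Track 2 layouts follow ISO/IEC 7813; the capture group is the PAN.
# A stored copy of either track is prohibited after authorization.
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\??")
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{7}\d*\??")
# A bare run of 13-19 digits is only a PAN candidate; the Luhn check removes most noise.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# CVV/CVC/CID values written into logs as key=value pairs.
CVV_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

# Sensitive authentication data: must never be persisted after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}
# Assumed minimum a merchant keeps for reconciliation and disputes (constructed field names).
RETAINED_FIELDS = {"pan", "expiry", "cardholder_name", "amount", "auth_code", "merchant_id", "timestamp"}


def luhn_valid(digits: str) -> bool:
    """True if the digit string carries a correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation: keep the first six and last four digits only."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def sanitize_for_storage(record: Dict[str, str]) -> Dict[str, str]:
    """Reduce an authorization record to what may be stored: drop sensitive
    authentication data and anything outside the retention set, truncate the PAN."""
    stored = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS or name not in RETAINED_FIELDS:
            continue
        if name == "pan":
            value = truncate_pan(value)
        stored[key] = value
    return stored


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Report (line number, kind, truncated PAN or marker) for track data,
    Luhn-valid PANs and CVV fields found in free text such as logs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rest = line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(rest):
                findings.append((lineno, kind, truncate_pan(m.group(1))))
            rest = rx.sub(" ", rest)  # so the PAN inside a track is not reported twice
        for m in PAN_RE.finditer(rest):
            if luhn_valid(m.group(1)):
                findings.append((lineno, "pan", truncate_pan(m.group(1))))
        if CVV_FIELD_RE.search(rest):
            findings.append((lineno, "cvv", "***"))
    return findings


# Constructed sample data: the well-known Visa and MasterCard test PANs, a made-up cardholder.
SAMPLE_AUTH_RESPONSE = {
    "pan": "4111111111111111",
    "expiry": "2512",
    "cardholder_name": "DOE/JOHN",
    "track2": ";4111111111111111=25121011234567890?",
    "cvv2": "123",
    "pin_block": "A1B2C3D4E5F60718",
    "amount": "42.10",
    "auth_code": "A1B2C3",
    "merchant_id": "M-000123",
    "timestamp": "2015-03-02T10:14:01Z",
    "terminal_debug": "raw swipe buffer",
}

# Constructed log lines: line 2 leaks Track 2, line 3 is a harmless order id, line 4 leaks a PAN and a CVV.
SAMPLE_LOG = """\
2015-03-02 10:14:01 POS01 auth ok amount=42.10 auth_code=A1B2C3 pan=411111XXXXXX1111
2015-03-02 10:14:02 POS01 DEBUG raw swipe ;4111111111111111=25121011234567890?
2015-03-02 10:14:03 POS01 DEBUG order_id=5551234567890 customer_ref=00012345
2015-03-02 10:14:04 POS02 DEBUG cardnum 5555555555554444 cvv=123
"""

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH_RESPONSE))
    for lineno, kind, sample in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} found ({sample})")
```

The sanitizer is an allow-list, not a deny-list: an unknown field such as `terminal_debug` is dropped rather than stored, which is what keeping cardholder data storage to a minimum means in practice. The scanner reports only truncated PANs so that the finding itself does not become another copy of the data.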
PCI DSS' goal is to make the use of credit cards safe for the consumer and the issuer. Europe and many parts of Asia have already migrated to the new chip card with PIN. In the US, the planned implementation is the chip card with signature.