There is growing confusion among clients and merchants about compliance activities related to the Payment Card Industry Data Security Standard (PCI DSS) and the EMV (Europay, MasterCard and Visa) specifications maintained by EMVCo LLC.
There is not enough clarity on which standard to adopt. While many merchants (especially in retail) argue that moving to EMV is necessary to substantially reduce card fraud, others wonder whether the move is justified when they are already struggling to keep up with PCI DSS.
Recently, the counterfeit card liability shift plans announced by many payment brands, each with its own milestone date, have reignited the debate over widespread adoption of these two popular standards. Let's take a closer look at them to understand clearly what it takes to truly secure your clients' valuable cardholder data from attackers.
EMV and PCI DSS - Same or different?
Both standards advocate protecting cardholder data (CHD) to curb rampant card fraud and breaches of consumer cardholder data. But here the standards diverge, each focusing on different elements of CHD transactions.
Broadly speaking, PCI DSS addresses the larger picture by ensuring card data is not stolen and is reasonably secure wherever it is stored, transmitted or processed. EMV's objective, on the other hand, is to render the data from chip-based payment cards useless if attackers do manage to get hold of it. EMV therefore acts more as an anti-fraud mechanism that makes card skimming and card duplication quite difficult, since the chip in the card produces a unique encrypted output every single time it is used.
The PCI family includes dedicated standards such as PA-DSS and PTS that add important security layers to reduce overall card fraud and risk. Risks arising from malicious payment applications, compromised POS terminals, the technical fallback process, card skimming and so on are covered quite effectively by using Payment Application Data Security Standard (PA-DSS) approved applications and PTS-compliant devices.
Hence, although EMV and PCI DSS are different specifications, they complement each other very well in protecting cardholder data and preventing its exposure, which effectively controls fraudulent use by criminals.
What should I go for - PCI DSS or EMV?
When EMV is used there is no "static" payment data of the kind present in a magnetic stripe transaction, so captured card transaction details are effectively useless to an attacker: in EMV the data is "dynamic", because a unique encrypted output is produced for every card transaction.
A replay attack is therefore quite easily rendered ineffective in these cases.
This feature makes adopting EMV, rather than PCI DSS, an attractive option for merchants (especially in the retail sector). However, with the exponential growth in online shopping and e-commerce, customers are increasingly opting for card-not-present transactions.
Hence, card details acquired by an attacker from an EMV card can still be used for card-not-present transactions. However, strong authentication measures such as one-time passwords (OTP), and other measures deployed by payment brands such as MasterCard's "3D Secure Code" and Visa's "Verified by Visa", can mitigate this to a great extent.
Other threats, such as technical fallback, PAN key-entry fallback, failure to maintain a unique chip CVV/CVC in EMV, deep-dip reading, and clear-text exposure of the PAN and expiry date, still lurk and may bypass EMV's anti-fraud protections.
It is important to note, however, that certain cardholder details such as the PAN and expiry date must be transmitted in the clear in an EMV environment to complete a transaction. Current processing environments typically handle both EMV and non-EMV transactions. Security-wise, then, non-EMV transactions such as magnetic stripe and PAN key-entry transactions do not carry the anti-fraud capabilities of the EMV environment and require additional protection. This is why an EMV environment must be complemented by PCI DSS, so that the entire card payment cycle is covered and card payments get the best possible protection.
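To make the "dynamic" versus "static" data point above concrete, here is an added Python model written for this article; it is example code, not EMVCo's, any payment brand's, or the author's implementation. It uses an HMAC-SHA256 tag as a stand-in for the card's transaction cryptogram and borrows the EMV terms Application Transaction Counter (ATC) and unpredictable number (UN); the key handling, message layout and the `ChipCard`, `Issuer` and `run_demo` names are simplifications assumed for illustration. The issuer approves a genuine request, declines a replayed copy because its ATC is not fresh, declines an altered amount because the cryptogram no longer verifies, and, by contrast, accepts a copy of a magnetic stripe record; the PAN and expiry also remain visible in the clear in every EMV request, which is the card-not-present exposure the text describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values (not a real card); they only drive the model.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "1226"


def _payload(pan, expiry, amount_cents, atc, un) -> bytes:
    # The fields the cryptogram covers; ATC and UN make it differ per transaction.
    return f"{pan}|{expiry}|{amount_cents}|{atc}|{un}".encode()


def _mac(key: bytes, payload: bytes) -> str:
    # Truncated HMAC-SHA256 stands in for the card's MAC-based cryptogram (assumption).
    return hmac.new(key, payload, hashlib.sha256).hexdigest()[:16]


@dataclass
class ChipCard:
    """Simplified stand-in for an EMV chip: a per-card key plus an ATC that
    increases on every use, so the signed payload is never the same twice."""
    pan: str
    expiry: str
    card_key: bytes
    atc: int = 0

    def build_auth_request(self, amount_cents: int, unpredictable_number: str) -> dict:
        self.atc += 1
        payload = _payload(self.pan, self.expiry, amount_cents, self.atc, unpredictable_number)
        return {
            "pan": self.pan,          # still sent in the clear, as the article notes
            "expiry": self.expiry,    # still sent in the clear
            "amount_cents": amount_cents,
            "atc": self.atc,
            "un": unpredictable_number,
            "cryptogram": _mac(self.card_key, payload),
        }


class Issuer:
    """Issuer host: knows each card's key and the highest ATC it has accepted."""

    def __init__(self):
        self.card_keys = {}
        self.last_atc = {}

    def enroll(self, card: ChipCard) -> None:
        self.card_keys[card.pan] = card.card_key
        self.last_atc[card.pan] = 0

    def authorise(self, req: dict) -> str:
        key = self.card_keys.get(req["pan"])
        if key is None:
            return "declined:unknown_card"
        expected = _mac(key, _payload(req["pan"], req["expiry"], req["amount_cents"], req["atc"], req["un"]))
        # Constant-time compare: any change to amount, ATC or UN breaks the MAC.
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "declined:bad_cryptogram"
        # Freshness: an ATC at or below the last accepted value is a replayed message.
        if req["atc"] <= self.last_atc[req["pan"]]:
            return "declined:atc_not_fresh"
        self.last_atc[req["pan"]] = req["atc"]
        return "approved"


def magstripe_swipe(pan: str, expiry: str) -> dict:
    """Magnetic stripe data is static: every swipe yields the same record."""
    return {"pan": pan, "expiry": expiry}


def verify_magstripe(record: dict, known_pans: set) -> bool:
    # Nothing in the record ties it to one transaction, so a copied record
    # is indistinguishable from the original and passes the same check.
    return record["pan"] in known_pans


def run_demo() -> dict:
    """Exercise the model: genuine request, replay, tampering, and a magstripe contrast."""
    card = ChipCard(SAMPLE_PAN, SAMPLE_EXPIRY, secrets.token_bytes(16))
    issuer = Issuer()
    issuer.enroll(card)

    genuine = card.build_auth_request(2599, secrets.token_hex(4))
    results = {"genuine": issuer.authorise(genuine)}
    # The same captured message submitted again: MAC still valid, ATC not fresh.
    results["replay"] = issuer.authorise(dict(genuine))
    # A captured message with the amount altered: MAC no longer matches.
    results["tampered_amount"] = issuer.authorise(dict(genuine, amount_cents=99999))
    # The card's next real transaction carries a higher ATC and is accepted.
    results["next_genuine"] = issuer.authorise(card.build_auth_request(1000, secrets.token_hex(4)))
    # PAN and expiry appear in clear in every request (card-not-present exposure).
    results["pan_and_expiry_in_clear"] = genuine["pan"] == SAMPLE_PAN and genuine["expiry"] == SAMPLE_EXPIRY
    # Magstripe: the original swipe and a copy of it both verify.
    swipe = magstripe_swipe(SAMPLE_PAN, SAMPLE_EXPIRY)
    results["magstripe_copy_accepted"] = verify_magstripe(swipe, {SAMPLE_PAN}) and verify_magstripe(dict(swipe), {SAMPLE_PAN})
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:26s} {outcome}")
```

The issuer-side ATC check is what turns a captured message into a dead one; note that it only helps for the chip path, while the static PAN and expiry the model carries in every request are exactly what PCI DSS controls are meant to keep out of an attacker's hands.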
Thus, PCI DSS requirements remain important for card security, as they address not only the technological aspects of security but also the processes and people involved. PCI DSS tries to prevent the theft of card data in the first place.
Further, a large part of the market has yet to fully migrate to EMV; right now only a few countries have fully adopted it, and it will take some time to reach larger markets such as the US and Asia. EMV and PCI DSS nonetheless complement each other very well with regard to card security and together maximize the security assurance delivered to the customer.
I'm concerned about the counterfeit card liability shift plans of my payment brand - what should I do?
Payment brands such as Visa have set October 1, 2015 as the milestone date for the financial liability shift for all parties that may or may not have invested in EMV-compliant POS terminals, barring those used in automated fuel dispensers.
This implies that after this date, for fraud reported on card-present POS transactions, the party (issuer bank, merchant or payment processor) least prepared to accept EMV-enabled cards has to reimburse the victim (customer) for the damage incurred.
Technically, this means no fines or penalties are levied for not implementing EMV-enabled cards, since, like PCI SSC, EMV is not government mandated or regulated. Whether to implement EMV is your business decision.
If I upgrade to EMV enabled payment devices, can I still use non-EMV cards?
Yes. The complete phasing out of non-EMV cards, which rely on the magnetic stripe, will still take a long time. To help with this, newer cards carry both an EMV chip and a magnetic stripe so they work across non-EMV POS terminals. This means that after the milestone date of October 1, 2015, businesses can still accept magnetic stripe cards.
Okay, so if I have adopted EMV, can I skip PCI DSS implementation?
Implementing an EMV environment does not fulfil PCI DSS requirements. EMV does not protect the confidentiality of cardholder data and sensitive authentication data. Further, as of today merchants can still process both EMV and non-EMV transactions, so it is essential to carefully handle the threat vectors aimed at compromising the CHD and sensitive authentication data (SAD).
There are many other things to look out for as well. We cannot let the security of our business environments, meaning people, processes, network security, application security and infrastructure security, go unattended. They need to be secured too. It is quite possible for an attacker to compromise these areas first and then gain access to cardholder data, a pattern witnessed time and again in numerous data breaches.
Protection provided by PCI DSS is two-fold:
Integrity protection of system components against physical and logical attacks wherever they come into contact with cardholder data and sensitive authentication data (SAD).
Confidentiality protection of CHD when it is stored or processed in a given environment or transmitted over open public networks.
Hence, PCI DSS protection of CHD and SAD covers their presence throughout the payment ecosystem, making them quite difficult for an attacker to obtain for fraud purposes. This is the very factor that protects your business against breaches, fines, brand reputation damage and so on, since PCI DSS advocates covering the payment system in its entirety.
Dedicated separate standards such as PA-DSS and PTS are available from PCI and effectively address these risks. The controls in these standards plug many of the risks present in EMV transactions too.
While adopting EMV is definitely good news for card security in fighting the notorious card-present fraud happening across the globe, it would be naive not to comply with the PCI DSS standard, since it covers the entire lifecycle of cardholder data stored, transmitted or processed in your business environment. Adopting both EMV and PCI DSS will go a long way toward giving your customers peace of mind and delivering maximum security value to them.
Manasdeep currently serves as a Security Consultant - Quality at SISA Information Security Pvt. Ltd., Bangalore. His work focuses on quality checks on deliverables and on conducting onsite PCI DSS audit assessments, risk assessments and security audits. He possesses strong analytical skills and keeps himself involved in learning about new and upcoming attack vectors, tools and technologies. The views presented here by the author are personal.
"The above Article has been published in Infocity Auditor (News Letter) December - 2015 Issue of ISACA Bangalore Chapter."