PCI Compliance and EMV Certification in a Nutshell
Posted 12 June 2018, Australia
As a payments company, our day-to-day business operations involve information handling, data management and payment processing. It is not only vital that we conduct our business securely; we also need to ensure that our clients are secure and compliant.
Let us go back to basics as we go through two of the standards that are important to our business - EMV certification and PCI compliance.
Back to Basics
PCI Compliance vs EMV Certification
Both are designed to fight fraud.
PCI Compliance is a set of security guidelines for anyone that is processing, transmitting or storing credit card data. PCI ensures that a business is operating in a secure network and that information stored for a customer is secure.
The EMV certification process ensures that merchants can accept cards with chip technology, which adds an extra layer of security during card-present transactions. EMV enables issuers to assert that they are definitely processing the customer’s card and not a copied version. With this confidence, issuers are able to enforce a liability shift and take on any risk when processing a transaction that is fully EMV compliant. This means that merchants’ funds are guaranteed if processed as an EMV transaction.
PCI Level 1 Compliant – so what?
Below are the different levels of PCI compliance. The greater the number of transactions processed, the more compliance requirements apply: a higher transaction volume means a higher fraud exposure, so stricter compliance is required.
- Level 1: Merchants processing over 6 million card transactions per year.
- Level 2: Merchants processing 1 to 6 million transactions per year.
- Level 3: Merchants handling 20,000 to 1 million transactions per year.
- Level 4: Merchants handling fewer than 20,000 transactions per year.
If a company is PCI DSS Level 1 compliant, it is required to undergo a yearly audit that examines the company’s systems, identifies vulnerabilities and prevents data from being compromised.
To fulfil the above goals, the audit includes the evaluation of a company’s security infrastructure and procedures, policies, networks and systems. The outcome of the evaluation is a risk assessment which will be the basis for the actions the company has to undertake to ensure that they meet the PCI standards and regulations. These actions need to be completed before a company can be considered compliant.
EMV is the global transaction authentication standard for chip-based cards. It received its name from Europay, Mastercard and Visa, the credit card issuers who founded the standard. Later on, these issuers were joined by Discover, JCB, UnionPay and American Express to form EMVCo, which is now the body that manages and continues to evolve the EMV specifications and testing processes.
EMV cards carry a chip that interacts with POS systems for authentication. For each transaction the chip creates a unique code, so that card data captured by hackers and fraudsters cannot simply be copied and reused.
Life Before EMV
Before EMV, there was magstripe. The data a magstripe carries is the same every time: each transaction uses the same information, so when someone hacks the system and steals transaction data, including the credit card details, that same information can be used to make purchases online or be encoded onto the magstripe of a new card and used in fraudulent transactions.
With EMV chip, a new unique code is generated for every transaction, each time a payment is made. Even if the transaction data is stolen by a hacker, this code cannot be used again.
This of course does not stop someone from stealing the physical card or the database of encrypted card information; however, it makes it harder for fraudsters to use the stolen information to make fraudulent transactions. An EMV card cannot be replicated and it ensures that merchants accept or process payments from ‘Real’ cards and not from ‘Fake’ cards with copied credit card data.
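To make the magstripe-versus-chip contrast concrete, here is an added example (not code from the original post or from EMVCo) that models the per-transaction code in simplified form: HMAC-SHA256 stands in for the EMV MAC and session-key derivation, and the field layout, class names and the terminal nonce are assumptions of this model rather than the real specification. The issuer recomputes the code from the transaction data and the card's transaction counter, so a captured code fails when replayed.

```python
import hashlib
import hmac
import os

# Simplified model only: HMAC-SHA256 stands in for the EMV MAC and the
# session-key derivation; names and field layout are ours, not EMVCo's.

def session_key(icc_master_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the card master key and the card's transaction counter (ATC)."""
    return hmac.new(icc_master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()

def cryptogram(icc_master_key: bytes, amount_cents: int, atc: int, terminal_nonce: bytes) -> bytes:
    """The per-transaction code: a MAC over the amount, the ATC and the terminal's nonce."""
    data = amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big") + terminal_nonce
    return hmac.new(session_key(icc_master_key, atc), data, hashlib.sha256).digest()[:8]

class Card:
    def __init__(self, icc_master_key: bytes):
        self.key, self.atc = icc_master_key, 0

    def authorise(self, amount_cents: int, terminal_nonce: bytes):
        self.atc += 1  # the counter never repeats, so neither does the code
        return self.atc, cryptogram(self.key, amount_cents, self.atc, terminal_nonce)

class Issuer:
    def __init__(self, icc_master_key: bytes):
        self.key, self.last_atc = icc_master_key, 0

    def verify(self, amount_cents: int, atc: int, terminal_nonce: bytes, code: bytes) -> bool:
        if atc <= self.last_atc:          # counter did not advance: a replayed record
            return False
        expected = cryptogram(self.key, amount_cents, atc, terminal_nonce)
        if not hmac.compare_digest(expected, code):
            return False                  # amount, counter or nonce differ from the captured code
        self.last_atc = atc
        return True

def replay_outcomes() -> tuple:
    """Genuine purchase, then two attempts to reuse the captured record."""
    key = bytes(range(16))                # constructed demo key, not a real card key
    card, issuer = Card(key), Issuer(key)
    nonce = os.urandom(4)                 # the terminal's fresh challenge for this purchase
    atc, code = card.authorise(1999, nonce)
    genuine = issuer.verify(1999, atc, nonce, code)
    replay_verbatim = issuer.verify(1999, atc, nonce, code)                   # same counter
    replay_new_terminal = issuer.verify(1999, atc + 1, os.urandom(4), code)   # fresh nonce
    return genuine, replay_verbatim, replay_new_terminal
```

Only the first result is accepted; the captured code is useless both verbatim and at a new terminal, which is the property the liability shift rests on.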
EMV Certified - What does it mean
When a payment terminal is EMV certified, it means that it can process payments made using a chip-based Debit or Credit card. In the certification process, the hardware, core software and the relationship to each payment scheme (Visa, Mastercard, Amex etc) needs to be tested and certified to achieve an end-to-end EMV payment solution.
For merchants, being EMV certified reduces their risk as a business. Because card issuers can guarantee that an EMV-processed transaction is genuine, the liability shifts from the merchant to them.
Watch this space
Each company in the payments industry has a huge responsibility to ensure that the collection, management and processing of the data they collect is secure and protected from fraud. It is vital to a payments company to ensure that they remain compliant with the latest security standards so that the customers get the best experience.
The payments technology landscape is always changing. It is important that you stay abreast of the latest regulations, technologies and ways to prevent fraudulent activity so that your business does not get left behind.
As a payments company, secure transactions and the protection of our customers from fraud and theft are front of mind in the solutions we provide; hence, we take security regulations and compliance seriously. A major deadline that merchants need to be focused on is the 30 June 2018 deadline for the TLS 1.2 Upgrade, which is a requirement to meet the PCI Data Security Standard for safeguarding payment data.
TLS 1.2 is a version of the Transport Layer Security protocol, which protects the privacy of information communicated over the internet.
All credit card processors must be on TLS 1.2 by 30 June 2018; otherwise, your business will be in violation of the PCI Security Standards, your customers’ data will be at risk and your payment transactions are unlikely to be processed by your payment services provider.
If you are processing online payments, all your web payment applications must be upgraded to TLS 1.2. If you are using a payment terminal to accept payments, you need to ensure that the terminal you are using can transact via TLS 1.2.
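As an added example (not code from the original post), here is a Python probe for the TLS 1.2 requirement above: it builds the client setting an upgraded web payment application needs (a TLS 1.2 floor), reports the version a server negotiates, and also tests whether the server still accepts a client that can only offer TLS 1.0/1.1, a check the post does not spell out. Hostnames are placeholders, and the `SECLEVEL=0` cipher string is an OpenSSL 3 workaround that is assumed to be accepted by the local build.

```python
import socket
import ssl
from typing import Optional

# Versions PCI DSS accepts once SSL and early TLS are retired.
ACCEPTED = {"TLSv1.2", "TLSv1.3"}

def classify(negotiated: Optional[str]) -> str:
    """Map the string from SSLSocket.version() to a verdict."""
    if negotiated is None:
        return "no-handshake"
    return "compliant" if negotiated in ACCEPTED else "non-compliant"

def pci_client_context() -> ssl.SSLContext:
    """The client setting an upgraded web payment app needs: a TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def legacy_client_context() -> ssl.SSLContext:
    """Client offering at most TLS 1.1, to test whether the server still accepts early TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the handshake outcome matters here
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:  # OpenSSL 3 blocks early TLS at its default security level
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx

def negotiated_version(ctx: ssl.SSLContext, host: str, port: int) -> Optional[str]:
    """TLS version negotiated with host:port, or None if the connection or handshake fails."""
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None

def probe(host: str, port: int = 443) -> dict:
    """Verdict for a modern client, plus whether early TLS is still accepted."""
    modern = negotiated_version(pci_client_context(), host, port)
    legacy = negotiated_version(legacy_client_context(), host, port)
    return {"negotiated": modern, "verdict": classify(modern),
            "early_tls_accepted": legacy is not None}
```

Run `probe("payments.example")` (placeholder hostname) against your own endpoint; if the local OpenSSL cannot speak early TLS at all, the legacy handshake fails regardless and `early_tls_accepted` reads False, so confirm that result against the server's own configuration.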