Does accepting EMV Chip & PIN cards make my business PCI compliant?

September 30, 2015

One of the common misconceptions about deploying EMV-enabled point of sale terminals is that by accepting EMV Chip & PIN, your business becomes Payment Card Industry (PCI) compliant. This is not true. EMV and compliance with the PCI Data Security Standard (PCI DSS) are two separate things, and they complement each other.

What makes them different?

While EMV and PCI compliance are both guidelines for protecting your customers’ payment card data against fraud, they focus on different parts of the card processing chain.

PCI DSS compliance helps protect your business against physical and cyber security breaches across your company’s entire network.

EMV, on the other hand, helps you detect and reject counterfeit cards at your point of sale.

EMV Chip and PIN is a much more secure technology than the classic magnetic stripe terminal. EMV uses cryptographic keys at the terminal, which makes these cards far more difficult to counterfeit. A transaction with an EMV card is only authenticated when the physical card is actually present. Chip and PIN verification also confirms that the cardholder is present when the charge is made, drastically reducing the chance that a business accepts a counterfeit card.
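To make the "cryptographic keys" point concrete, here is an added example that is not part of the original article and is not the real EMV cryptogram scheme (which uses 3DES/AES session keys and a fixed set of data elements). It is a simplified HMAC stand-in, with constructed sample values, that shows the property that matters: the chip proves possession of a key that never leaves it, so a copy of the static card data (what a magnetic-stripe skimmer captures) is not enough to produce a cryptogram the issuer will accept, and a captured cryptogram cannot be reused because the transaction counter must move forward. The issuer master key, PAN, nonces and key derivation are all assumptions made for the illustration.

```python
import hmac
import hashlib

# Constructed illustration only: simplified HMAC stand-in for the EMV
# application cryptogram, added for this article. Not the real scheme.

ISSUER_MASTER_KEY = b"issuer-master-key-demo-value"  # constructed sample value


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key the issuer personalises into the chip (simplified derivation)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def chip_cryptogram(card_key: bytes, pan: str, amount_cents: int,
                    currency: str, atc: int, terminal_nonce: bytes) -> bytes:
    """What the chip computes: a MAC over the transaction data.
    atc is the card's own transaction counter; terminal_nonce is chosen by the POS,
    so the same purchase never produces the same cryptogram twice."""
    msg = f"{pan}|{amount_cents}|{currency}|{atc}|{terminal_nonce.hex()}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


def issuer_verify(pan: str, amount_cents: int, currency: str, atc: int,
                  terminal_nonce: bytes, cryptogram: bytes, last_atc: int):
    """What the issuer host does online: reject a counter that has not advanced,
    re-derive the card key, recompute the cryptogram and compare in constant time."""
    if atc <= last_atc:
        return False, "replayed or stale counter"
    card_key = derive_card_key(ISSUER_MASTER_KEY, pan)
    expected = chip_cryptogram(card_key, pan, amount_cents, currency, atc, terminal_nonce)
    if not hmac.compare_digest(expected, cryptogram):
        return False, "cryptogram mismatch"
    return True, "approved"


def run_demo() -> dict:
    """Three scenarios an issuer sees; returns the decision reason for each."""
    pan = "4111111111111111"              # constructed test PAN
    genuine_key = derive_card_key(ISSUER_MASTER_KEY, pan)
    nonce1 = bytes.fromhex("a1b2c3d4")   # constructed terminal nonce
    results = {}

    # 1. Genuine chip card: the chip signs, the issuer approves.
    crypto1 = chip_cryptogram(genuine_key, pan, 1999, "USD", 1, nonce1)
    _, reason = issuer_verify(pan, 1999, "USD", 1, nonce1, crypto1, last_atc=0)
    results["genuine"] = reason

    # 2. Counterfeit built from skimmed static data: the PAN is known but the
    #    card key is not, so any cryptogram it produces fails verification.
    forged_key = derive_card_key(b"attacker-guess", pan)   # constructed wrong key
    nonce2 = bytes.fromhex("0badf00d")
    crypto2 = chip_cryptogram(forged_key, pan, 1999, "USD", 2, nonce2)
    _, reason = issuer_verify(pan, 1999, "USD", 2, nonce2, crypto2, last_atc=1)
    results["clone"] = reason

    # 3. Replay of the captured genuine cryptogram: the counter has not advanced.
    _, reason = issuer_verify(pan, 1999, "USD", 1, nonce1, crypto1, last_atc=1)
    results["replay"] = reason
    return results


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario:8s} -> {outcome}")
```

The two checks in `issuer_verify` are the whole point: the MAC comparison is what a magnetic-stripe clone cannot pass, and the counter check is what stops a recorded transaction from being presented again. Neither check says anything about how the cardholder data is stored or transmitted once it leaves the terminal, which is the part PCI DSS covers.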

Since PCI compliance covers the entire scope of your business, EMV alone will not make your business compliant. If you process, store or transmit credit or debit card data, compliance with PCI DSS is mandatory.

So how do they work together?

At the transaction level, EMV provides an extra layer of security that reduces the chance that a fraudulent card is accepted. But once card data has entered your payments ecosystem, cardholder information still needs to be secured against criminal attacks on your network.

This is where the PCI standards play a role. On top of EMV (at the POS level), PCI DSS requires additional layers of security controls across the transaction process and the storage of cardholder data in your systems. These controls include using firewalls, managing access to applications, patching systems, monitoring for breaches, running security software and developing processes, all in an effort to keep your customer data safe.

What can you do to protect your customer data?

In order to accept EMV, protect your customer data at the POS level and save your business from the October liability shift, you will need to upgrade or replace your POS system. At the same time, a PCI compliance audit will be necessary to keep your entire business safe from fraud.

While migrating to an EMV solution, you can save your business significant time and costs by also working with a certified information systems auditor and a consultancy to become PCI compliant.

We can help your business piece together a plan for a cohesive data security strategy that uses EMV as a piece of a larger picture to reduce your liability risk and achieve PCI compliance.

Using our recommended strategy to move forward with EMV and PCI compliance at the same time is less complicated and time-consuming than working with multiple other parties to accept credit cards securely.

Want to learn more about PCI Compliance or EMV? Give us a call.