The new PCI guidance concerning EMV technology and thecomments of PCI council members related to EMV all point to onelarge conclusion: the introduction of EMV cards in any market isnot enough to stop payment card fraud outright. There simply is nosilver bullet. Or if there is, it isn’t EMV in and of itself. Themigration to chip cards in any market currently doing so, orcontemplating migration, should be accompanied by multiplesafeguards in payment systems that process and store sensitivedata, as well as the continual review and modification of thosesystems to comply with the PCI Data Security Standard, which itselfwas recently updated.
At a recent PCI Community Meeting, Jeremy King, PCI’sdirector in Europe stated “EMV was created to try and authenticatethe cardholder, and therefore the security is around theauthentication, rather than the actual transactiondata.”
When it comes to data security, much of the data in theEMV card transaction is transferred “in the clear,” just as themajority of magstripe card transactions are currently. If the EMVimplementation has been performed using outdated minimal standardsand the same data has been compromised in a security breach,fraudsters could use it to create cloned magstripe cards orperpetrate card-not-present fraud. This is the risk withcompromised unencrypted payment card data regardless of the formfactor (EMV Chip or Magnetic Stripe) being used at the point ofsale.
Certainly, EMV’s capabilities can stem card fraudcommitted with lost or stolen cards if the entry of a PIN isrequired with use of the chip. But the “clear” data in transit is aclear weak point. Thus the accompanying guidance on payment dataencryption!
For the first time also, the PCI council has openly statedthat what they’re calling “point-to-point encryption” (or P2PE) canassist merchants in PCI scope reduction. Which is to say that, ittoo, only tackles part of the problem. As PCI commentator WalterConway points out in his Storefrontbacktalk post on this topic,”What is important to realize…is that P2PE addresses only thetransmission of cardholder data. That is, it does not address datastorage.”
For those merchants that actually store and use cardpayment data for any number of reasons (customer service,marketing, loss prevention, etc.), PCI scoping may actually be amore complicated issue. It really depends on how the payment dataarrives in the merchants systems (whether through acquirerreporting or through in-house decryption) and whether it happens tobe tokenized or passed “in the clear.”
Of one thing we can be sure: while much effort to securethe card payment environment has resulted in some useful andbeneficial developments, none are simple, and none are total. Fornow, that silver bullet remains ever-elusive.
Read Referenced Press Release:
https://www.pcisecuritystandards.org/pdfs/pr_101005_emv_ptp.pdf
Read Referenced Articles:
http://www.bankinfosecurity.com/articles.php?art_id=3044
http://www.storefrontbacktalk.com/securityfraud/is-point-to-point-encryption-ready-for-prime-time/