Magazine Article | June 17, 2015

2015 Priority — Protecting Your POS

July 2015 Integrated Solutions For Retailers

By Laura K. Johnson, director of communications, PCI Security Standards Council

How does EMV impact your PCI Data Security Standard compliance efforts, and what business benefits can it provide?

The liability shift for EMV chip migration in the U.S. is looming, and businesses are under increasing pressure to demonstrate the security of their systems and processes for protecting customers’ valuable payment information at the POS. But what is EMV, and why do you need it? How does it impact your PCI Data Security Standard (PCI DSS) compliance efforts, and what business benefits can it provide? If these questions aren’t top of mind for you, they should be. Let’s take a quick look at what you need to know to make sure you’re prioritizing POS security in 2015.

What’s The Big Deal About Chip Anyway?
Six hundred forty thousand dollars. That’s how much the average attack costs a breached company — which doesn’t even account for brand damage, reputation, and the very real impact to your customers. But I don’t have to tell you the business pressure retailers are under to assure their customers that shopping with them won’t put them at risk. While EMV chip technology won’t prevent the breaches we’ve been seeing, it will limit how fraudsters can use that stolen data to damage your business and your customers. This has been the case around the world — for example, in the U.K. and France, after deploying EMV chip technology, rates of face-to-face fraud dropped more than 75 percent and have stayed consistently low ever since.

The harder the data is to turn into real money, the less criminals are interested. They’ll move on to lower-hanging fruit. That’s why the major card brands in the U.S. have set an Oct. 1, 2015 deadline for merchants’ payment terminals and software to be EMV-capable. According to these guidelines, if merchants haven’t been certified through their acquiring banks as EMV-compliant, they will now be responsible for all card-present counterfeit fraud losses (see the EMV Migration Forum website [www.emv-connection.com/merchants] for more information on the liability shift).

How Does It Work?
Without getting too technical, a computer chip on the card tells the terminal (card reader) that the card is real and that it belongs to the person using it. As part of this process, a unique code is generated for each transaction. Even if the card data is stolen, a criminal can’t reproduce the code, which makes it nearly impossible to counterfeit the card for use in other in-store transactions.

There are three key elements to make an EMV chip transaction happen: 1) a payment card with an embedded EMV chip; 2) an EMV-enabled payment terminal at the physical POS; and 3) EMV-enabled payment software for the POS terminal and throughout the payment system to the processor or acquiring bank.

What’s PCI Got To Do With It?
If my business is EMV chip-capable, then I don’t need to worry about PCI, right? Wrong.

EMV chip ensures that the card is genuine and can’t be counterfeited. But it doesn’t secure the actual card data. In an EMV chip transaction, the primary account number (PAN), expiry date, and other cardholder data is transmitted in clear text, which means it’s vulnerable to compromise. This is where PCI comes in — rather than focusing on just in-store fraud, PCI controls are designed to protect that data throughout the transaction, including transmission and storage, so that it can’t be stolen and used fraudulently.
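The two points above (a per-transaction code that a thief cannot reproduce, and a PAN that still travels in clear text) in a small simulation. This is an added, hypothetical illustration written for this article, not code from the PCI SSC or EMVCo and not the real EMV cryptogram algorithm: it stands in an HMAC over the transaction fields plus a transaction counter, with constructed key and PAN values.

```python
import hmac
import hashlib

# Constructed sample values for a simplified model of the per-transaction
# cryptogram; hypothetical illustration, not the real EMV ARQC derivation.
CARD_KEY = b"issuer-shared-card-key-CONSTRUCTED"  # never leaves chip/issuer
PAN = "4111111111111111"                           # constructed test PAN
EXPIRY = "2612"


def cryptogram(key: bytes, pan: str, expiry: str, atc: int, amount: int) -> str:
    msg = f"{pan}|{expiry}|{atc}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan, self.expiry, self.key = pan, expiry, key
        self.atc = 0  # application transaction counter: +1 per transaction

    def authorize(self, amount: int) -> dict:
        self.atc += 1
        # Everything below travels to the issuer; PAN and expiry are clear text.
        code = cryptogram(self.key, self.pan, self.expiry, self.atc, amount)
        return {"pan": self.pan, "expiry": self.expiry, "atc": self.atc,
                "amount": amount, "cryptogram": code}


class Issuer:
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = {}  # highest counter accepted per PAN

    def verify(self, tx: dict) -> str:
        expected = cryptogram(self.key, tx["pan"], tx["expiry"], tx["atc"], tx["amount"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"   # made without the card key
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return "declined: replayed counter"  # captured record reused
        self.last_atc[tx["pan"]] = tx["atc"]
        return "approved"


def demo() -> dict:
    card, issuer = Card(PAN, EXPIRY, CARD_KEY), Issuer(CARD_KEY)
    genuine = card.authorize(1999)
    results = {"genuine": issuer.verify(genuine), "replay": issuer.verify(genuine)}
    # Someone holding the captured record has the PAN but not the key.
    forged = dict(genuine, atc=genuine["atc"] + 1, cryptogram="0" * 16)
    results["forged"] = issuer.verify(forged)
    results["pan_in_clear"] = genuine["pan"]  # still exposed: PCI DSS scope
    return results
```

The replayed and forged records are declined, but the captured record still contains the full PAN and expiry, which is the data PCI DSS controls exist to protect in transit and at rest.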

So What Now? Tips For Locking Down Your POS
The good news is that the breaches we’re seeing are preventable. In fact, a recent study by Verizon found that 99.9 percent of breaches in 2014 were a result of a hacker exploiting bugs that had a fixable patch for at least a year — this is basic stuff!

Vigilance in adopting and maintaining the 12 key technical and operational requirements in the PCI DSS is critical. These include things like using secure passwords and changing them regularly, patching systems, monitoring for intrusions, managing access, and educating employees.

On top of that, retailers need to make sure they’re using PCI-listed payment terminals, which have been tested against PCI standards to ensure the strongest security protection for card data.

With this in mind, here are a few key recommendations and resources that should be top of mind for retailers during the EMV chip adoption process.

Get The Most Out Of Your Investment In EMV Chip

  • Talk with your payment terminal vendors and IT partners to understand options for strengthening security with point-to-point encryption and tokenization throughout the cardholder data environment.
  • Consult the PCI Council’s listing (“Approved PIN Transaction Security Devices” at www.pcisecuritystandards.org) when upgrading to an EMV chip-capable terminal to ensure it’s PCI-approved to protect cardholder data. Upgrading to a device on this list will not only provide the strongest security protections but also enable your business to take advantage of the most payment acceptance options — like contactless, contact, and mobile wallets.

Don’t Forget E-Commerce Security

  • EMV chip brings great benefits to transactions in your stores, but fraud will migrate to the online marketplace. Multichannel retailers need to consider their entire payment infrastructure, not just brick and mortar, and ensure proper security protocols are in place.

Use Trusted Partners

  • Talk to your acquiring bank to understand implications and benefits of EMV chip migration for your business.
  • Talk to your technology vendors and service providers to make sure you are securing the other parts of your system and purchasing the right products and services.

Ready, Set, Go
While there’s still no magical technology to prevent data breaches, EMV chip technology will help you better protect your customers’ information and your business. Together with PCI controls, you can effectively take control of your point of sale security in 2015.
Merchant Pitfall: Payment Application Security

Did you know that errors introduced during implementation, configuration, and support of payment software by third parties into merchant environments are a leading cause of breaches?

Technology is only as good as its implementation. If you’re going to all the effort to bolster your security at the point of sale with EMV chip, don’t stop short. Use it as an opportunity to reevaluate your payment infrastructure — are you using PCI-listed (“Validated Payment Applications”) payment application software, and are you working with a trusted partner that can ensure it’s being installed and maintained securely?

Using a PCI Qualified Integrator & Reseller to install your payment application means you can be confident not only that your payment software is not putting your customers at risk, but that it’s actually increasing your security and supporting your PCI DSS compliance efforts. (Find out more about QIR here: https://www.pcisecuritystandards.org/training/qir_training.php.)