Blog - Cryptomathic

Enhancing Payment Card Security Integrating PCI DSS with EMV Technology

Written by James H. Reinholm (guest) | 30. September 2015

This article discusses how the security protection of payment card data used in a transaction can be maximized by integrating PCI DSS with EMV technology.


What is the PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) was developed to provide a standard set of technical and operational requirements for the protection of cardholder data throughout a transaction process, including storing, processing and transmitting. This standard is designed to regulate, enhance, and encourage cardholder data security, and is meant to apply to all system components involved in processing a payment card transaction, including servers, network devices, computing devices, and applications.

The standard also applies to anything or anyone connected to this system. Together these make up the cardholder data environment (CDE), which consists of the people, processes, and technologies that are capable of handling cardholder data and/or sensitive authentication data in any way. Examples of CDE users include merchants, acquirers, issuers, financial institutions, and service providers. If an organization outsources its payment operations to a third-party service provider, it should make sure the provider protects all account data per the applicable PCI DSS requirements.

The PCI DSS Standard uses two methods to achieve its security objectives:

  • It maintains the integrity of any system component utilized in a transaction against fraudulent use.
  • It maintains the confidentiality of cardholder data in the CDE wherever it is stored or transmitted, and also provides this protection to sensitive authentication data.

Will the PCI DSS regulations be adequate for data security?

Although the PCI DSS Standards are broad in scope, they nevertheless consist of a minimum set of requirements for protecting cardholder data. New technologies, controls, or practices may be used in conjunction with these standards to provide a much higher level of protection, which is often needed in certain cardholder data environments.

These additional methods are also sometimes needed to comply with local or regional laws and regulations. For example, a new regulation may be enacted to require specific protection of certain identification information, such as the cardholder name.

Strong cryptographic protection by combining EMV chip technology with the PCI DSS Security Standards

The recent trend of the popular EMV chip technology is a prime example of how a new technology can be combined with the PCI DSS Security Standards to make any form of fraud or counterfeiting of payment cards nearly impossible.

As mentioned, the PCI standards will provide controls for making sure the cardholder’s data is protected throughout the transaction process, while the EMV chip embedded in a card works only at the point of sale to prevent fraud by using secret cryptographic keys along with a PIN that can be entered by the user.

This method provides an additional level of authentication that can drastically reduce the chance of a lost, stolen, or counterfeit card being used at a point of sale, since the card will be accepted for a transaction only when presented by its owner.

How does EMV chip technology work together with the PCI DSS Security Standards?

The EMV chip by itself will provide very little protection beyond the card reading device, which means the cardholder’s data could be transmitted and stored at some point in the network where it could be vulnerable to criminal activity and fraudulent use.

As the cardholder data is read by a point-of-sale terminal, it is processed in its clear text form in order to complete the critical steps in the EMV transaction process. If PCI DSS wasn’t used, this clear text data would be available at all points in the transaction, making it easily accessible for criminal activity.

So after the point-of-sale processing, the PCI DSS Standards take over the data security process, with their additional layers of security control at every point in the network where confidential data may be found. It is essential that both EMV and PCI DSS be used together as the security controls for a payment card system to provide the greatest level of security. Each security control takes care of the security measures lacking in the other.

PCI DSS is also essential for Non-EMV transactions

The extra layers of security provided by PCI DSS are essential anyway, because many merchants are capable of processing Non-EMV transactions along with EMV transactions, where PCI DSS provides the only means to protect the confidentiality of cardholder and sensitive authentication data at all points involved in a transaction, including the point of sale.

Comparing fraud mechanisms for EMV and Non-EMV transactions

In order to understand how the current EMV technology can relate to the PCI DSS Standards, one should examine the existing data elements in EMV transactions, and the inherent mechanisms for possible fraudulent use. These mechanisms should be considered alongside those for non-EMV transactions (using the magnetic stripe or key entry of data).

Consideration of the data elements used on a payment card

There are two types of data elements used for EMV transaction processing: Cardholder data and Sensitive Authentication Data. These elements are listed here along with their purpose in a transaction:

  • Cardholder Data includes:
    • Primary Account Number (PAN) - The primary account number (PAN) is the primary identifier of the cardholder and the card itself. This number is utilized in performing the transaction, enabling the routing of the transaction, authenticating data at the point of sale, and allowing the issuer to derive keys associated with it.

    • Cardholder Name - The EMV chip contains this information, although it isn’t required to be transmitted in an authorization message.

    • Expiration Date - Always printed on EMV cards in clear text with an expiration date tag. If authorization is done on-line, the expiration date in the Track 2 Equivalent Data will be included in the authorization message.

    • Service Code - This is found in the Track 2 Equivalent Data on chip. It allows the issuer to validate the card verification code if it is also included in the Track 2 Equivalent Data.

  • Sensitive Authentication Data includes:
    • Full track data (magnetic-stripe data or equivalent on a chip) - This is the Track 1 and Track 2 Equivalent Data, which have the same data structures as the magnetic stripe. For legacy purposes, the Track 2 Data is usually included in EMV on-line authorization requests, and is available in clear text. The Track 2 data is different from the magnetic stripe data when a unique chip card verification code is used to prevent counterfeiting.

    • CAV2/CVC2/CVV2/CID - This information is only printed on the card itself, and is not included on the embedded EMV chip, since it isn’t part of the EMV Specification. This is the three or four-digit code printed on the front or back of the payment card.

    • PINs/PIN blocks - A personal identification number can be entered by the cardholder during a transaction, and/or an encrypted PIN block on the chip itself can be used for on-line or off-line verification of the cardholder. Other CVM (cardholder verification method) options are also supported.

Storage of data elements on the EMV chip

All four items listed under 'Cardholder Data' must be stored on the EMV chip, but only the PAN must be rendered unreadable. For security purposes, the three items listed under 'Sensitive Authentication Data' are not permitted to be stored after authorization under any circumstances (even if encrypted).
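The two lists above and the storage rule that follows them can be exercised on a concrete record. The following is an added example (not code from the article, Cryptomathic, or the EMV/PCI SSC specifications): it parses a Track 2 Equivalent Data value (EMV tag 57, which uses the nibble 'D' where a magnetic stripe uses '=', and pads an odd nibble count with 'F'), derives the only record kept once authorization is complete, and audits a stored record for sensitive authentication data or a full PAN. The sample tag value, the Luhn-valid test PAN, the field-name hints and the helper names are all constructed for this example; truncation is used here as one of the PCI DSS-accepted ways to render the PAN unreadable.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed test input for EMV tag 57 (Track 2 Equivalent Data), not a real card:
# PAN 4111111111111111 (a Luhn-valid test number), 'D' separator, expiry YYMM 2512,
# service code 201, issuer discretionary data, and a trailing 'F' pad nibble.
SAMPLE_TAG57 = "4111111111111111D251220100000001234F"


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str  # issuer data; on a chip this carries a unique card verification code


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit test used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2_equivalent(hex_data: str) -> Track2:
    """Split Track 2 (Equivalent) Data into PAN, expiry, service code and discretionary data.

    Accepts both the tag 57 'D' separator and the magnetic-stripe '=' separator, and
    strips the single 'F' pad nibble that tag 57 adds when the nibble count is odd.
    """
    data = hex_data.strip().upper().replace("=", "D")
    if len(data) % 2 == 0 and data.endswith("F"):
        data = data[:-1]
    if not re.fullmatch(r"[0-9]{1,19}D[0-9]{7,}", data):
        raise ValueError("malformed Track 2 Equivalent Data")
    pan, rest = data.split("D", 1)
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return Track2(pan=pan, expiry_yymm=rest[:4],
                  service_code=rest[4:7], discretionary=rest[7:])


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def post_authorization_record(track2: Track2, cardholder_name: Optional[str] = None) -> dict:
    """Build the only record this example keeps once authorization is complete.

    The PAN is rendered unreadable by truncation (encryption, hashing or tokenization
    are the other PCI DSS options); expiry, service code and name may be kept when
    protected. Full track data, the card verification code and PIN data are never copied.
    """
    record = {
        "pan": truncate_pan(track2.pan),
        "expiry_yymm": track2.expiry_yymm,
        "service_code": track2.service_code,
    }
    if cardholder_name:
        record["cardholder_name"] = cardholder_name
    return record


# Field-name fragments that indicate sensitive authentication data (constructed list).
SAD_FIELD_HINTS = ("track", "discretionary", "cvv", "cvc", "cav2", "cid", "pin")


def storage_violations(record: dict) -> list:
    """Heuristic audit of a stored record: flag SAD fields and any full PAN inside a value."""
    problems = []
    for key, value in record.items():
        if any(hint in key.lower() for hint in SAD_FIELD_HINTS):
            problems.append(f"sensitive authentication data field stored: {key}")
        for run in re.findall(r"\d{13,19}", str(value)):
            if luhn_ok(run):
                problems.append(f"full PAN stored in field: {key}")
                break
    return problems


if __name__ == "__main__":
    parsed = parse_track2_equivalent(SAMPLE_TAG57)
    print(parsed)
    kept = post_authorization_record(parsed, "J DOE")
    print(kept, storage_violations(kept))
    print(storage_violations({"pan": parsed.pan, "track2": SAMPLE_TAG57, "cvv2": "123"}))
```

The audit in `storage_violations` is deliberately name- and pattern-based so it can be run over any dictionary-shaped record pulled from a log or database export; a field that holds the full Track 2 value is reported twice, once for its name and once because a Luhn-valid PAN run is embedded in it.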

Importance of using a unique card verification code (or value)

If the Track 2 Equivalent Data on the chip contains a card verification code different from that on the magnetic stripe, this creates a layer of protection that makes it almost impossible to create counterfeit magnetic-stripe cards from compromised data on an EMV card. If this code weren’t used, the Track 2 data from an EMV card could be used to create a magnetic-stripe card, since the two would have equivalent data fields.
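The issuer-side check that makes the unique code effective can be shown in a few lines. This is an added illustration, not code from the article or from any real issuer host: the entry mode, the card records and the fixed verification codes are all constructed, and a real issuer derives the codes from card verification keys rather than storing them. The point it demonstrates is that a magnetic-stripe transaction carrying the chip's Track 2 Equivalent Data is rejected when the chip and stripe codes differ, and passes when they do not.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class EntryMode(Enum):
    """How the terminal read the card (constructed labels for this example)."""
    MAGSTRIPE = "magnetic stripe"
    CHIP = "chip"


@dataclass(frozen=True)
class IssuerCardRecord:
    pan: str
    stripe_cvv: str  # verification code expected in magnetic-stripe Track 2 data
    chip_cvv: str    # verification code expected in the chip's Track 2 Equivalent Data


# Constructed issuer data for two test PANs; real issuers compute these codes
# from card verification keys rather than keeping them in a table.
ISSUER_CARDS = {
    # Issued with a unique chip code: stripe and chip values differ.
    "4111111111111111": IssuerCardRecord("4111111111111111", stripe_cvv="417", chip_cvv="902"),
    # Issued without one: the same code on both media.
    "4111111111111129": IssuerCardRecord("4111111111111129", stripe_cvv="555", chip_cvv="555"),
}


def expected_code(card: IssuerCardRecord, mode: EntryMode) -> str:
    """The code the issuer expects depends on how the card was read."""
    return card.stripe_cvv if mode is EntryMode.MAGSTRIPE else card.chip_cvv


def validate_verification_code(pan: str, mode: EntryMode, presented: str) -> tuple:
    """Issuer-side check: the presented code must match the one expected for the entry mode.

    Returns (accepted, reason). The comparison is constant-time out of habit; the
    codes are short secrets and should not leak through timing.
    """
    card = ISSUER_CARDS.get(pan)
    if card is None:
        return (False, "unknown PAN")
    if not hmac.compare_digest(expected_code(card, mode), presented):
        return (False, f"verification code does not match the {mode.value} value")
    return (True, "verification code ok")


def detects_chip_data_reuse(pan: str) -> bool:
    """True when a magnetic-stripe transaction presenting the chip's code is rejected."""
    card = ISSUER_CARDS[pan]
    accepted, _ = validate_verification_code(pan, EntryMode.MAGSTRIPE, card.chip_cvv)
    return not accepted


if __name__ == "__main__":
    for pan in ISSUER_CARDS:
        print(pan, "chip data reuse on stripe detected:", detects_chip_data_reuse(pan))
```

Run as a script it prints `True` for the first card and `False` for the second, which is exactly the difference the paragraph describes: without a distinct chip code the issuer has no way to tell a stripe read of copied chip data from a genuine stripe read.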

Are all the data elements used in a transaction?

It should also be noted that a valid payment card transaction would often require only the PAN and expiration date to be stored, processed, and transmitted on the card reading device. 

If the cardholder name and service code are also used in the transaction, they must be protected along with the PAN and expiration date according to PCI DSS requirements.

Conclusion

Although EMV chip technology has proven very capable of substantially reducing counterfeiting and fraud in card-present transactions at POS (point of sale) terminals and ATMs, it does not by itself satisfy the requirements prescribed by PCI DSS. Steps must also be taken to protect the integrity and confidentiality of cardholder data and sensitive authentication data at every system component that handles the data in any way, as outlined in the 12 key PCI DSS requirements established by the PCI Security Standards Council (PCI SSC).

These guidelines specify the technical and operational requirements and corresponding testing procedures which are used for PCI DSS compliance assessment of each component in the payment card system.

Since non-EMV transactions may also take place at POS and ATM terminals in many locations, the controls prescribed by PCI DSS are the sole means of cardholder data protection for those transactions.

Even when the PCI DSS compliance measures are satisfied, a transaction of this type is still susceptible to fraud at the POS or ATM terminal, where tampering with card data, false signatures, use of lost or stolen cards, counterfeiting, etc. are possible.

So in order to maximize the benefit in reducing fraud and enhancing the security of the payment card system, steps must be taken to combine EMV chip technology with the PCI DSS guidelines for a more complete spectrum of security measures.
