This article discusses how the protection of payment card data used in a transaction can be maximized by combining PCI DSS controls with EMV chip technology.
The PCI DSS (Payment Card Industry Data Security Standard) was developed to provide a standard set of technical and operational requirements for the protection of cardholder data throughout the transaction process, whether the data is being stored, processed or transmitted. The standard is designed to regulate, enhance and encourage cardholder data security, and it applies to every system component involved in processing a payment card transaction: servers, network devices, computing devices and applications.
The standard also applies to anything connected to those components, because together they form the cardholder data environment (CDE): the people, processes and technologies that store, process or transmit cardholder data and/or sensitive authentication data in any way. Entities that operate a CDE include merchants, acquirers, issuers, financial institutions and service providers. An organization that outsources its payment operations to a third-party service provider remains responsible for making sure the provider protects all account data according to the applicable PCI DSS requirements.
The PCI DSS Standard uses two methods to achieve its security objectives:
Although PCI DSS is broad in scope, it is a baseline: a minimum set of requirements for protecting cardholder data. New technologies, controls or practices may be layered on top of it to provide a much higher level of protection, which some cardholder data environments need.
These additional measures are sometimes also needed to comply with local or regional laws and regulations. For example, a new regulation may be enacted that requires specific protection of certain identifying information, such as the cardholder name.
The spread of EMV chip technology is a prime example of how a new technology can be combined with PCI DSS to make counterfeiting payment cards for card-present fraud far harder than it was with magnetic-stripe cards alone.
As mentioned, PCI DSS provides controls for protecting the cardholder's data throughout the transaction process, while the EMV chip embedded in the card works only at the point of interaction: it authenticates the card to the terminal and issuer using secret cryptographic keys held in the chip, optionally together with a PIN entered by the cardholder.
This provides an additional level of authentication that drastically reduces the chance that a lost, stolen or counterfeit card is accepted at a point of sale, since a transaction is approved only when the card proves it holds the issuer's keys and, where a PIN is required, the person presenting it knows the PIN.
The EMV chip by itself provides very little protection beyond the card-reading device, which means the cardholder's data may still be transmitted and stored at points in the network where it is exposed to criminal activity and fraudulent use.
When a point-of-sale terminal reads the cardholder data, it processes that data in cleartext in order to complete the critical steps of the EMV transaction, such as building the authorization request. Without PCI DSS, this cleartext data would remain available at every downstream point of the transaction, where it would be easily accessible to criminals.
So after the point-of-sale processing, PCI DSS takes over the data security process, adding layers of security control at every point in the network where confidential data may be found. It is essential that EMV and PCI DSS be used together as the security controls for a payment card system in order to provide the greatest level of security: each compensates for the measures the other lacks.
The extra layers of security provided by PCI DSS are essential in any case, because many merchants process non-EMV transactions (magnetic-stripe reads and key entry) alongside EMV transactions, and for those PCI DSS is the only means of protecting the confidentiality of cardholder data and sensitive authentication data at every point involved in the transaction, including the point of sale.
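The paragraphs above say that the data leaves the POS in cleartext and that the systems after it must not retain it that way. An added example of the check a practitioner runs on those downstream systems (this is not code from the article or from any PCI SSC document): it scans log output for PANs written in cleartext, using the 13-to-19-digit length range and the Luhn check digit to separate real PANs from order ids and timestamps, and shows the truncated form PCI DSS permits for display (at most the first six and last four digits). The log lines are constructed for the example and all function and variable names are my own.

```python
import re

# Constructed sample log lines (not taken from any real system): a POS
# application that logged a cleartext PAN, a line with a correctly truncated
# PAN, a 16-digit order id that only looks like a PAN, and a line that
# logged an entire Track 2 string.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z pos-01 auth request pan=4111111111111111 exp=2512 amount=19.99
2024-03-01T10:15:03Z pos-01 auth response pan=411111******1111 approved
2024-03-01T10:15:04Z pos-02 order_id=1234567890123456 status=shipped
2024-03-01T10:15:05Z pos-02 track2=5500000000000004=2807101123456780
"""

# A run of 13 to 19 digits that is not part of a longer digit run: the PAN
# length range. Everything else (dates, amounts, short ids) is skipped.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Every PAN ends in a Luhn check digit, so candidates that fail this
    test (most order ids, random digit runs) can be discarded."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated display form: first six and last four digits, nothing else."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> list[str]:
    """Luhn-valid PAN-length digit runs found in one line."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(line)
            if luhn_valid(m.group(0))]


def scrub_line(line: str) -> str:
    """Replace every cleartext PAN in a line with its truncated form; lines
    that contain no PAN are returned unchanged."""
    def replace(m: re.Match) -> str:
        pan = m.group(0)
        return mask_pan(pan) if luhn_valid(pan) else pan
    return PAN_CANDIDATE.sub(replace, line)


def scan_log(text: str) -> list[tuple[int, str]]:
    """Findings as (line number, truncated PAN): enough to locate and fix the
    offending logger without copying the cleartext PAN into a new report."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: cleartext PAN {masked}")
```

Line 1 and line 4 are reported; the order id on line 3 fails the Luhn check and the already-truncated PAN on line 2 never matches the digit-run pattern. The second digit run on line 4 is the remainder of the Track 2 string; it is not a PAN and happens not to pass Luhn here, but a scanner that finds a PAN followed by `=` and more digits should treat the whole line as full track data, which is sensitive authentication data and must not be logged at all.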
To understand how EMV technology relates to PCI DSS, one should examine the data elements present in EMV transactions and the ways in which each could be used fraudulently. These should be considered alongside the same data elements in non-EMV transactions (magnetic-stripe reads or key entry of card data).
Two categories of data elements are used in EMV transaction processing, Cardholder Data and Sensitive Authentication Data, and PCI DSS treats them differently:
Cardholder Data: the primary account number (PAN), the cardholder name, the expiration date and the service code.
Sensitive Authentication Data: full track data (magnetic-stripe data or the Track 2 Equivalent Data on the chip), the card verification code, and the PIN or PIN block.
All four Cardholder Data items are present on the EMV chip (the cardholder name is optional), but under PCI DSS only the PAN must be rendered unreadable wherever it is stored; the other three must be protected only when they are stored together with the PAN. The three Sensitive Authentication Data items must not be retained by any system in the cardholder data environment after authorization under any circumstances, even if encrypted.
The Track 2 Equivalent Data on the chip carries a card verification code (often called the iCVV) that differs from the code encoded on the magnetic stripe. This creates a layer of protection that makes it almost impossible to produce counterfeit magnetic-stripe cards from compromised EMV chip data: a stripe written from chip data carries the wrong verification code, and the issuer rejects it. Without a distinct code, the Track 2 data read from an EMV chip could be written directly onto a magnetic stripe, since the two share the same field layout.
It should also be noted that a valid payment card transaction often requires only the PAN and the expiration date to be stored, processed and transmitted by the card-reading device.
If the cardholder name and service code are also used in the transaction, they must be protected along with the PAN and expiration date according to the PCI DSS requirements.
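To make the data elements above concrete, here is an added Python example, written for this edit; it is not code from the article or from any PCI SSC document. It parses magnetic-stripe Track 2 data and chip Track 2 Equivalent Data, shows an issuer's stripe check rejecting a stripe cloned from chip data because the chip carries the iCVV rather than the stripe CVV, and builds the record a merchant may keep after authorization: Cardholder Data only, with the PAN rendered unreadable and nothing from the track retained. The track strings, the key, the layout of the discretionary data (PVKI, PVV, then a three-digit verification code) and all function names are assumptions made for the example; the keyed hash stands in for whichever PAN-unreadability method (truncation, tokenization, strong encryption, one-way hash) the environment actually uses.

```python
from dataclasses import dataclass
import hashlib
import hmac

# Constructed sample data, not real cards: 4111... is the well-known Visa
# test PAN. Stripe and chip carry the same PAN, expiry and service code
# (2xx = chip-capable card); only the verification code inside the
# discretionary data differs (CVV 321 on the stripe, iCVV 547 on the chip).
STRIPE_TRACK2 = "4111111111111111=2512201198763210000"
CHIP_TRACK2_EQUIVALENT = "4111111111111111D2512201198765470000"

# Assumed layout of the discretionary data: PVKI (1 digit), PVV (4 digits),
# CVV or iCVV (3 digits), then issuer padding. Real layouts are issuer-defined.
CVV_SLICE = slice(5, 8)

# Hypothetical key for the keyed hash; in a real CDE it lives in an HSM/KMS,
# never beside the data it protects.
TOKEN_KEY = b"example-key-not-for-production"


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str    # three digits
    discretionary: str   # issuer data, contains the CVV/iCVV

    @property
    def cvv(self) -> str:
        return self.discretionary[CVV_SLICE]


def parse_track2(raw: str) -> Track2:
    """Split Track 2 or Track 2 Equivalent Data into its fields. The field
    separator is '=' on a magnetic stripe and the nibble 0xD in chip data."""
    sep = "=" if "=" in raw else "D"
    pan, found, rest = raw.partition(sep)
    if (not found or not pan.isdigit() or not 13 <= len(pan) <= 19
            or not rest.isdigit() or len(rest) < 7):
        raise ValueError("malformed Track 2 data")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def cloned_stripe_from_chip(chip: Track2) -> str:
    """What a criminal who copied Track 2 Equivalent Data from a chip would
    write onto a blank magnetic stripe: same layout, but the chip's iCVV."""
    return f"{chip.pan}={chip.expiry}{chip.service_code}{chip.discretionary}"


def issuer_accepts_stripe(presented: str, on_file: Track2) -> bool:
    """Issuer-side check for a magnetic-stripe read: PAN, expiry and the CVV
    in the discretionary data must match what was written to the stripe."""
    t = parse_track2(presented)
    return (t.pan == on_file.pan and t.expiry == on_file.expiry
            and t.cvv == on_file.cvv)


def truncate_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Render the PAN unreadable for storage with a keyed one-way hash."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def post_authorization_record(t: Track2, key: bytes) -> dict:
    """What a merchant may keep once the issuer has answered: Cardholder Data
    only, with the PAN unreadable. The discretionary data (and so the CVV or
    iCVV) and the full track are never written anywhere."""
    return {
        "pan_token": pan_token(t.pan, key),
        "pan_display": truncate_pan(t.pan),
        "expiry": t.expiry,
        "service_code": t.service_code,
    }


def contains_sad(record: dict, t: Track2) -> bool:
    """Storage check: does a record leak the cleartext PAN or the track's
    discretionary data? (A bare three-digit CVV is too short to search for
    on its own; the check targets the strings that identify full track data.)"""
    blob = " ".join(str(v) for v in record.values())
    return t.pan in blob or t.discretionary in blob


if __name__ == "__main__":
    stripe = parse_track2(STRIPE_TRACK2)
    chip = parse_track2(CHIP_TRACK2_EQUIVALENT)
    print("genuine stripe accepted:", issuer_accepts_stripe(STRIPE_TRACK2, stripe))
    print("stripe cloned from chip accepted:",
          issuer_accepts_stripe(cloned_stripe_from_chip(chip), stripe))
    print("stored record:", post_authorization_record(chip, TOKEN_KEY))
```

The genuine stripe passes the issuer check and the clone built from chip data fails it, which is the whole effect of the iCVV. The stored record holds only the four Cardholder Data fields (PAN as a keyed hash plus its truncated display form), so the storage check finds no track data in it, while the same check over a record that kept the raw Track 2 string flags it.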
Although EMV chip technology has proven very capable of reducing counterfeiting and fraud in card-present transactions at POS (point of sale) terminals and ATMs, it does not satisfy PCI DSS by itself. Steps must still be taken to protect the integrity and confidentiality of cardholder data and sensitive authentication data at every system component that handles the data in any way, as set out in the 12 PCI DSS requirements established by the PCI Security Standards Council (PCI SSC).
Those requirements specify the technical and operational controls and the corresponding testing procedures used to assess each component of the payment card system for PCI DSS compliance.
Since non-EMV transactions also take place at POS and ATM terminals in many locations, the PCI DSS controls are the sole means of protecting cardholder data in those transactions.
Even where the PCI DSS requirements are met, a non-EMV transaction remains susceptible to fraud at the POS or ATM terminal, where tampering with card data, forged signatures, use of lost or stolen cards, counterfeit cards and the like are all possible.
So to gain the most from both in reducing fraud and strengthening the payment card system, EMV chip technology must be combined with the PCI DSS requirements to cover the full spectrum of threats.
PCI Security Standards Council, PCI DSS Applicability in an EMV Environment: A Guidance Document, 2010.
PCI Security Standards Council, Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.0, 2013.