This is page 2 of:
PCI And EMV Cards: The Urban Myth That Won’t Die
Moving away from our thought experiment, my experience is that there is a lot more to PCI than securing the POS, as important as that is. My colleagues and I see merchants and processors often struggle more with their back-office processes, people and systems that depend on the PAN. For these retailers, it is quite possible that solutions such as tokenization have at least as great a potential to reduce PCI scope as moving to EMV cards. Plus, a retailer can implement tokenization an awful lot sooner than waiting for every issuer on the planet to issue EMV chip cards.
The bottom line is that in a practical world, moving to a Chip-and-PIN regime will not remove the need for PCI compliance. I can think of one, and only one, way to make PCI go away: Stop taking plastic.
There are many things on which we all can agree. EMV or something like it is the way of the future for payment cards. The present magnetic stripe system of card authentication is ancient and flawed. It is prone to skimming and other low-tech forms of compromise. EMV is one option with great promise, but it, too, has its critics and has been successfully attacked and compromised.
Take a look at the payment cards in your wallet. How many of them still have the PAN embossed on the front? My guess is just about all of them do. Even though embossing was to have been rendered obsolete by the magstripe, most issuers still emboss the PAN on the card. The same situation exists if you have an EMV chip card—that is, you still have a card with a magnetic stripe and embossing.
This means that as long as the industry piles new security features on top of each other (don’t forget the hologram!) without removing the old, presumably compromised or obsolete features, the bad guys are going to have a field day. And PCI will continue to be as relevant as ever.
Personally, I would love to see more U.S. banks issuing EMV chip cards. I travel to Europe, and without a chip card I can’t rent a bike or buy a train ticket from an automated kiosk. I also get to argue with waiters and gas station attendants and show them how to swipe my poor, woefully inadequate (in their eyes) magnetic stripe card using their POS terminal.
On that basis alone, sign me up for an EMV chip card now. Just don’t ask me to put on my QSA hat and say that that card made PCI go away.
What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
P.S. If you are reading this, then you are a subscriber to StorefrontBacktalk‘s Premium Service. That means you have received your user ID and password from the administrator. As resident PCI columnist (and your long-distance QSA), I would like to say just one thing to you: PCI Requirement 8.5.3. I’ll leave 8.5.9-11 as exercises for advanced pupils.
-Marc
May 4th, 2011 at 8:23 am
I can not read the whole story, as I’m not a premium subscriber. However, in my humble opinion, PCI is not an issue for certain merchants that implement EMV. Why? In at least a common implementation in my own country, the merchant will simply not have any access to CHD. The PAN goes encrypted from the terminal to the PSP, and the merchant does not have access to the decryption keys.
There is no integration between the terminal and the POS system that exposes any CHD.
May 4th, 2011 at 7:49 pm
Thanks for the comment, Erik, and you actually hit on a key point I was trying to make.
That is, EMV can help with POS-only systems so long as everything goes right. But it’s the other situations like card-not-present (MOTO), ecommerce (can’t read the chip using my keyboard, at least), or when the chip or reader or clerk fails, or any of a million other things happen, we bring all those systems, people, and processes into PCI scope.
Let’s also remember all the merchant back office and post processing systems that use the PAN as a user ID. Bad practice to be sure, but the unfortunate reality all too often, and EMV won’t re-write those legacy applications anytime soon.
I wish there were a silver bullet for PCI. Really, I do. It just doesn’t exist in the real world.
May 5th, 2011 at 3:00 pm
I would say that you don’t need PCI anymore once all transactions are chip based. And in Europe we will reach this stage pretty soon. Even on the Internet I now need my chip to generate a token, in case the merchant website implements MasterCard SecureCode.
May 12th, 2011 at 9:49 am
EMV does not encrypt all sensitive card data. Just the authentication data. “Track equivalent data” is still handled by the point of sale system in clear text. There’s a few digits changed so if magstripe cards are made with it, the issuer will know it’s a fraud. But the account number and expiration date are still in plain text. Mike Dahn has a good info here: http://chaordicmind.com/blog/2010/05/29/the-real-deal-on-chip-and-pin-emv-in-the-us/