What You Need to Know About EMV and PCI Compliance

What is EMV, and How Does It Work?

EMV is an acronym for Europay, MasterCard, and Visa, the credit card giants that dominate the industry and developed the global standard for chip-based card security. EMV, an international standard for the secure processing of credit and debit cards based on microchip technology, was introduced in Europe in the late 1990s and is now actively used in many countries worldwide.

EMV is sponsored by banks, merchants, processors, vendors, and other industry stakeholders and is administered by EMVCo, which is governed by six member organizations (MasterCard, Visa, Discover, American Express, JCB, and UnionPay).

How do EMV chips work?

EMV chip cards contain microcomputer technology, housed in the small metallic square on the front of the card, that provides increased security for card transactions and for the information stored on the chip. EMV technology aims to give you the safest and most convenient shopping experience possible, and it is one of the most powerful tools for preventing credit card fraud.

EMV cards store payment information on a secure chip instead of a magnetic stripe, and EMV cards are personalized using keys specific to the issuer. Unlike a magnetic stripe card, it is almost impossible to create a fake EMV card that can successfully execute an EMV payment transaction.

Unlike magnetic stripe cards, EMV chip cards are designed to securely store sensitive data (such as PINs or keys) and have the processing power to manage risk and perform cryptographic calculations dynamically.

The rationale behind EMV processing is not radically different from magnetic stripe processing. As with magnetic stripe transaction processing, the EMV transaction process includes multiple steps such as card authentication, risk assessment, fraud detection, and optionally PIN or signature verification, which must be performed before a transaction is authorized.

However, thanks to secure chip technology, EMV processing also brings new features to increase interoperability and security:

  • EMV offers the ability to define flexible cardholder authentication. For example, banks that manage multiple card portfolios may configure some cards to prefer PINs and other cards to prefer a signature.
  • EMV offers advanced card authentication methods based on dynamic data and powerful cryptographic techniques.

What are the EMV authentication methods?

The EMV transaction verification process relies on the generation of dynamic data (a digital signature or cryptogram) to verify a card or device’s identity. Online and offline signatures are created using both asymmetric and symmetric cryptographic keys, with the algorithms securely stored and executed on the card.

The EMV processing authorization process is as follows:

  1. A cardholder inserts an EMV chip card into a reader or taps the card in the case of a contactless transaction.
  2. The POS terminal determines which payment brand applications are present on the card.
  3. The terminal selects the appropriate EMV application and uses the data set associated with that payment brand to apply the brand’s implementation requirements.
  4. The card and terminal follow the protocol established by EMV to conduct a dialogue in which each carries out its own risk management process.

One of the critical features of EMV is authenticating the card to make sure it is not a clone or a counterfeit. The EMV specification defines two methods: offline card authentication and online card authentication.

Offline card authentication uses EMV-defined asymmetric cryptography to allow merchants to replace the physical inspection of a card with electronic card authentication before requesting authorization from the card issuer.

Online card authentication is performed as part of the real-time authorization process, similar to magnetic stripe, allowing the card issuer to verify the card further and authorize the transaction.

The key difference is that the card uses symmetric key cryptography to generate a unique application cryptogram. This cryptogram, called the Authorization Request Cryptogram (ARQC), is sent to the issuer as part of the authorization request, where it is verified before the transaction is approved.

These cryptographic processes enable EMV to protect the card’s transactions from fraud and skimming risk. Unique digital signatures and cryptograms are generated by applying an algorithm to data provided by the chip, the card, the acceptance device, and transaction-specific data.

What are the Types of EMV Technology?

There are two basic categories of chip technology: contact and contactless. Contact technology requires a physical connection between the card’s chip and a card reader, which allows data exchange with the credit card terminal. Contactless technology transfers data via Near Field Communication (NFC), requiring the cardholder to tap or hold their mobile device or card close to the card reader.

There are also two types of EMV chip cards: chip-and-PIN and chip-and-signature. They function the same way but differ in how the cardholder is verified at the point of sale. The customer inserts the EMV card into the card reader instead of swiping it, as they are used to doing with a magnetic stripe card. The reader collects the account data embedded in the chip, and the transaction is processed.

After obtaining authorization from the processor, chip-and-PIN cardholders complete the process by entering a four-digit personal identification number (PIN) on a PIN pad. Chip-and-signature cardholders must sign to confirm the sale.

What are the Differences between EMV and PCI Compliance?

Understanding PCI compliance and EMV is critical for business owners, but the two standards are often confused. This is partly because each requires different assessments and certifications, and different solutions help ensure compliance with each.

PCI is a series of security standards aimed at preventing data breaches and card data theft. EMV is a security standard as well, but it focuses primarily on preventing counterfeit cards from being produced and used.

It may be surprising that EMV (Europay, MasterCard, and Visa) compliance is not related to Payment Card Industry Data Security Standard (PCI DSS) compliance. While EMV is a standard for fraud prevention technology (embedded chips) incorporated into payment cards and chip readers, PCI DSS is a set of security requirements for merchants and service providers that process, transmit, or store card data.

EMV was established to add an additional layer of physical security with chips embedded in credit cards. EMV is more difficult to imitate than simple magnetic stripe technology. EMV aims to make counterfeiting cards physically difficult, so that skimmed card data is useless to thieves. EMV technology only protects transactions that require a physical read of the card and does not affect e-commerce security.

EMV Compliance:

  • The purpose of EMV is to ensure the security and global interoperability of chip-based payment cards.
  • EMV includes strong cardholder authentication (i.e., chip and PIN, chip and signature).
  • It prevents card duplication by using a chip on the card that generates a unique encrypted output each time the card is used.
  • Requires EMV certification between EMV-enabled hardware and processor.
  • EMVCo LLC manages EMV specifications (Europay, MasterCard, and Visa).

PCI Compliance:

  • The purpose of PCI is to protect cardholder data processed, stored, or transmitted by vendors.
  • Building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, enforcing strict access control measures, regularly monitoring and testing networks, and maintaining an information security policy are all common-sense steps that embody best practices.
  • Requires regular vulnerability scanning by an Approved Scanning Vendor (ASV).
  • It allows organizations to assess themselves. Different Self-Assessment Questionnaires (SAQs) are defined for different business situations.
  • PCI requirements are governed by the PCI Security Standards Council established by American Express, Discover, JCB International, MasterCard Worldwide, and Visa Inc.

Generally, PCI DSS takes the bigger picture, ensuring that card data is not stolen and is reasonably secure when stored, transmitted, or processed.

PCI also has dedicated standards such as PA-DSS and PTS that are useful for building essential security layers to reduce overall card fraud and risk. Risks such as malicious payment applications, compromised POS terminals, technical fallback, and card skimming are addressed very effectively by using Payment Application Data Security Standard (PA-DSS) approved applications and PTS-approved devices.

Therefore, although the EMV and PCI DSS specifications are different, they complement each other very well in protecting cardholder data and effectively controlling its fraudulent use by criminals.

In a nutshell, PCI compliance is required of all companies that accept credit cards. EMV, although highly recommended, is not required by law but by industry standards. All you need to know is that adhering to the rules and guidelines for avoiding data breaches and credit card fraud would benefit your business.

Does EMV Use Affect PCI Compliance?

The EMV chip does not satisfy any PCI compliance requirement, nor does it reduce PCI scope for the merchant. Regardless of whether EMV is used, PCI compliance is expected.

All merchants and service providers must comply with both EMV and PCI standards to fully protect customer information in card transactions. Even in combination, following these standards is not 100 percent effective against fraud.

But together they provide better protection for the cardholder and the seller than either standard does alone. EMV and PCI work together to ensure that card transactions are safe and secure for merchants, customers, and card issuers.

The most important thing to understand is that EMV does not directly impact an organization’s PCI compliance requirement, does not reduce PCI scope, and certainly does not change its PCI compliance responsibility. Compliance is not a recommendation. You must be PCI-compliant as well as EMV-compliant if you accept credit cards.

The requirements for PCI and EMV are different, and each protects different aspects of cardholder data. EMV helps reduce card fraud but does nothing to protect credit card data stored, processed, or transmitted by an organization.

PCI DSS helps protect credit card data stored, processed, and transmitted, but does nothing to validate a particular card transaction. As a result, EMV is not a substitute for PCI compliance, and PCI is not a substitute for EMV; the two come together to improve overall credit card security.

  • EMV is counterfeit card fraud protection. It makes it difficult for criminals to make use of stolen card data.
  • EMV is not encryption. Since EMV does not encrypt the Primary Account Number (PAN), card data must also be secured in accordance with PCI standards.
  • EMV is not useful for e-commerce transactions and provides no protection there. EMV applies only to card-present transactions.
  • EMV technology does not meet any PCI requirements and does not reduce PCI scope.

If your company accepts credit or debit cards in a physical store or other face-to-face environments, EMV technology and PCI requirements must be applied in layers.

For example, when upgrading your terminals for EMV, consider adding point-to-point encryption (P2PE) capabilities to reduce PCI scope and protect data end to end. Additionally, using tokens in place of card data after authorization can prevent the card data from being misused in the event of theft.

Dedicated standards such as PA-DSS and PTS are available from PCI, and they address these risks effectively. The controls provided through these standards also reduce many of the risks present in EMV transactions.

What are the Differences Between EMV Chip Cards and Magnetic Stripe Cards?

EMV cards exchange dozens of data elements between the terminal and the acquiring bank’s host computer, whereas magnetic stripes carry only limited data. This is why it is much easier to skim the information on a magnetic stripe card and copy it onto a prepaid card. Your card transactions are more secure, and identity theft is much less likely, when you use the chip instead of swiping.

There are three essential layers of security you should know about EMV technology:

  • Authentication: EMV uses an authentication mechanism to determine that the card is genuine and belongs to the cardholder.
  • Verification: The issuer can verify the cardholder of an EMV card using a PIN or signature. Verification may not be needed if the transaction is below a certain amount, which varies by card brand, card issuer, and merchant.
  • Authorization: Using the terminal’s EMV technology, the card issuer can guarantee cardholders that their cards will still be authorized when online communication cannot be established.

EMV changes the way you pay, but it is still easy to use and implement. With a magnetic stripe card, you swipe the card and put it back in your wallet. With an EMV chip card, you insert the card into the terminal, leave it there until the receipt starts printing, and then remove it.

What Kind of Information Is Stored in EMV Chip Cards?

The microchip embedded in the card stores the necessary information for the verification, authorization, and processing of transactions. The information in the EMV chip is the same as the information currently stored on the magnetic stripe. The chip card does not store any personal information about your account.

The most significant benefit of EMV chip cards lies in the powerful fraud prevention technology built into the chip. Since the EMV chip is essentially a tiny, secure computer, it is almost impossible to counterfeit EMV cards. Smart card technology replaces the existing unencrypted magnetic stripe with a chip embedded in the card, adding dynamic data to the transaction process and making it much less vulnerable to fraudsters.

What are the Benefits of EMV?

As mentioned earlier, the main benefit of EMV chip technology is card transaction fraud protection. When the credit card’s chip is inserted into a capable card reader, it generates a unique, one-time code to authenticate the card and transaction.

The purpose of EMV is, in large part, to render data from chip-based payment cards useless if attackers somehow manage to get it. EMV therefore acts as an anti-fraud mechanism that makes card skimming and card cloning extremely difficult. It produces a unique cryptographic output each time the chip in the card is used.

The generated code is the first layer of protection. EMV chips also protect against fraud by requiring the cardholder to confirm the transaction with a second verification method, such as a PIN or signature.

This type of multi-factor authentication is similar to the measures many organizations use for user account authentication on computer networks when requesting both a password and token value before being granted access.

This new process differs from traditional magnetic stripe credit card data, which is static and reproducible. While EMV is not flawless, an EMV chip is much more difficult to reproduce than a magnetic stripe card and significantly reduces the chances of physical credit card fraud.

Using the EMV infrastructure for both contact and contactless payments will help create the framework for secure mobile payments. Using a Near Field Communication (NFC) enabled mobile device with an EMV-compliant contactless payment application will provide strong authentication at the POS.

The dynamic nature of the EMV authorization request cryptogram protects contactless mobile transactions in the same way it secures a contact or contactless EMV transaction originating from a payment card.

What are the EMV Security Risks?

With EMV, captured card transaction details are effectively useless to an attacker, because the transaction no longer relies on the static payment data of a magnetic stripe. In EMV, the data is dynamic thanks to the uniquely encrypted output generated for each card transaction.

The unique cryptogram quite easily neutralizes a replay attack by the attacker. However, due to the exponential growth of online shopping and e-commerce, customers often prefer card-not-present transactions.

Therefore, the card information an attacker obtains from an EMV card can still be used for card-not-present transactions. However, strong authentication measures such as a one-time password (OTP), implemented by payment brands in MasterCard’s “3D Secure Code” and Visa’s “Verified by Visa”, can significantly reduce this risk.
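As an added example (not code from the article, from EMVCo, or from any issuer), the following Python models the online card authentication described under the authentication methods above and the replay point made here: the card derives a per-transaction key from a master key and its transaction counter, MACs the transaction data into an ARQC, and the issuer recomputes the cryptogram and declines any request whose counter does not advance. HMAC-SHA256 stands in for the 3DES/AES-based MAC that real cards use, and the PAN, keys, amounts and unpredictable number are constructed sample values.

```python
# Added illustration, not code from the article or from EMVCo: a simplified model of
# EMV online card authentication. Real cards derive a 3DES/AES session key from an
# issuer master key and the Application Transaction Counter (ATC) and MAC the
# transaction data; HMAC-SHA256 stands in for that MAC. All values are constructed.
import hashlib
import hmac


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key, diversified from the issuer master key by the ATC."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def compute_cryptogram(key: bytes, pan: str, amount: int, atc: int, un: bytes) -> bytes:
    """MAC over PAN, amount, ATC and the terminal's unpredictable number (UN)."""
    data = pan.encode() + amount.to_bytes(6, "big") + atc.to_bytes(2, "big") + un
    return hmac.new(key, data, hashlib.sha256).digest()[:8]  # 8-byte cryptogram


class Card:
    """Chip side: holds the master key and a counter that only ever increases."""

    def __init__(self, pan: str, master_key: bytes):
        self.pan, self.master_key, self.atc = pan, master_key, 0

    def generate_arqc(self, amount: int, un: bytes) -> dict:
        self.atc += 1  # fresh ATC per transaction, hence a fresh cryptogram
        key = derive_session_key(self.master_key, self.atc)
        arqc = compute_cryptogram(key, self.pan, amount, self.atc, un)
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": un, "arqc": arqc}


class Issuer:
    """Issuer host: knows each card's master key and the highest ATC seen so far."""

    def __init__(self):
        self.master_keys, self.last_atc = {}, {}

    def enroll(self, pan: str, master_key: bytes) -> None:
        self.master_keys[pan], self.last_atc[pan] = master_key, 0

    def authorize(self, req: dict) -> str:
        key = self.master_keys.get(req["pan"])
        if key is None:
            return "DECLINED: unknown card"
        # A cryptogram is good for one use: a replayed or cloned request reuses an ATC.
        if req["atc"] <= self.last_atc[req["pan"]]:
            return "DECLINED: ATC not increasing (replay or clone)"
        expected = compute_cryptogram(derive_session_key(key, req["atc"]), req["pan"],
                                      req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINED: cryptogram mismatch (tampered or counterfeit)"
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVED"


if __name__ == "__main__":
    issuer, card = Issuer(), Card("4111111111111111", b"\x11" * 16)  # sample PAN/key
    issuer.enroll(card.pan, card.master_key)
    req = card.generate_arqc(1999, b"\xde\xad\xbe\xef")  # UN chosen by the terminal
    print(issuer.authorize(req))  # APPROVED
    print(issuer.authorize(req))  # DECLINED: ATC not increasing (replay or clone)
```

A magnetic stripe has no counter and no key, so the same captured track data would be accepted every time; the ATC check and the keyed cryptogram are what make a captured EMV request worthless to replay.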

However, it is essential to note that specific cardholder details such as the PAN and expiration date must be communicated for the EMV environment to complete a transaction. The current processing environment typically handles both EMV and non-EMV transactions.

From a security standpoint, therefore, non-EMV transactions, such as those using magnetic stripe data or manually keyed PAN entry, do not carry the same anti-fraud capabilities as the EMV environment and require additional protection. The EMV environment must therefore be complemented with PCI DSS so that the entire card payment cycle is covered and card payments receive the best security protection.

PCI DSS requirements thus remain crucial to card security, as they address the technical aspects of security as well as the processes and the people involved. PCI DSS tries to prevent card data from being stolen in the first place.

EMV and PCI DSS complement each other very well in card security and maximize security assurance value.

For detailed information, you can review the infographic published by PCI SSC: Increasing Security and Reducing Fraud with EMV Chip and PCI Standards

Surkay Baykara (https://www.pcidssguide.com)
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including: CEH, CISA, CISSP, and PCI QSA.