In a nutshell: PCI Compliance and EMV Certification
Posted 10 July 2020
With the world of digital, contactless and touch-free payments, it's important to keep a focus on security. We thought it was timely to revisit our feature on PCI Compliance and EMV Certification in a Nutshell.
Let us go back to basics as we go through two of the standards that are important - EMV certification and PCI compliance.
Back to Basics
PCI Compliance vs EMV Certification
Both are designed to fight fraud.
PCI Compliance is a set of security guidelines for anyone that is processing, transmitting or storing credit card data. PCI ensures that a business is operating in a secure network and that information stored for a customer is secure.
The EMV certification process ensures that merchants can accept cards with chip technology, which adds an extra layer of security during card-present transactions. EMV enables issuers to assert that they are definitely processing the customer’s card and not a copied version. With this confidence, issuers are able to enforce a liability shift and take on any risk when processing a transaction that is fully EMV compliant. This means that merchants’ funds are guaranteed if processed as an EMV transaction.
PCI Level 1 Compliant – so what?
Below are the different levels of PCI Compliance. The greater the number of transactions being processed, the more compliance requirements there are. More card transactions being processed is equal to higher fraud risks; therefore, a much stricter compliance is required.
- Level 1: Merchants processing over 6 million card transactions per year.1
- Level 2: Merchants processing 1 to 6 million transactions per year.
- Level 3: Merchants handling 20,000 to 1 million transactions per year.
- Level 4: Merchants handling fewer than 20,000 transactions per year.
If a company is PCI DSS Level 1 compliant, it is required to undergo a yearly audit with the purpose of examining the company’s system, identify vulnerabilities and prevent data from being compromised.
To fulfil the above goals, the audit includes the evaluation of a company’s security infrastructure and procedures, policies, networks and systems. The outcome of the evaluation is a risk assessment which will be the basis for the actions the company has to undertake to ensure that they meet the PCI standards and regulations. These actions need to be completed before a company can be considered compliant.
EMV is the global transaction authentication standard for cards that are chip-based. It received its name from Europay, Mastercard and Visa. They are the credit card issuers who founded the standard. Later on, these issuers were joined by Discover, JCB, UnionPay and American Express to form EMVCo which is now the body that manages and continues to evolve EMV specifications and testing processes
EMV cards have the chip that interacts with POS systems for authentications. The chip is responsible for creating a unique code for each transaction made to ensure that hackers and fraudsters cannot copy the card data.
Life Before EMV
Before EMV, there was magstripe. With magstripe, the data or code it contains is the same all of the time. For each transaction, it uses the same information; hence, when someone hacks the system and steals the transaction data which includes the credit card details, the same information can be used to make purchases online or be encoded into a magstripe of a new card and be used in fraudulent transactions.
With EMV chip, a new unique code is generated for every transaction, each time a payment is made. Even if the transaction data is stolen by a hacker, this code cannot be used again.
This of course does not stop someone from stealing the physical card or the database of encrypted card information; however, it makes it harder for fraudsters to use the stolen information to make fraudulent transactions. An EMV card cannot be replicated and it ensures that merchants accept or process payments from ‘Real’ cards and not from ‘Fake’ cards with copied credit card data.
EMV Certified - What does it mean
When a payment terminal is EMV certified, it means that it can process payments made using a chip-based Debit or Credit card. In the certification process, the hardware, core software and the relationship to each payment scheme (Visa, Mastercard, Amex etc) needs to be tested and certified to achieve an end-to-end EMV payment solution.
For merchants, being EMV certified reduces their risk as a business. Because card issuers can guarantee that EMV-processed transaction is a genuine transaction, the liability is shifted to them from the merchants.
Watch this space
Each company in the payments industry has a huge responsibility to ensure that the collection, management and processing of the data they collect is secure and protected from fraud. It is vital to a payments company to ensure that they remain compliant with the latest security standards so that the customers get the best experience.
The payments technology landscape is always changing. It is important that you stay abreast of the latest regulations, technologies and ways to prevent fraudulent activity so that your business does not get left behind.