Three Key Reasons why Merchants should (Re-) Look at PCI and EMV Compliance
Posted 1 September 2015, Australia
The changing PCI and EMV landscape. Is your business ready?
While attention is focused on the impending US migration to EMV, this is a timely reminder to all merchants of the importance of EMV and PCI compliance in combating fraud.
With security breaches a continuous threat, and large-scale incidents frequently publicised in the press, there has never been a more appropriate time for merchants to assess (or re-assess) their EMV and PCI compliance.
PCI regulations are continually updated to cater for changes in payment technologies. Even in countries where EMV may be an old topic, merchants need to make sure that their processes are in line with the current requirements in order to remain protected.
Three drivers for compliance are:
• New PCI Compliance requirements mean many older solutions may no longer be compliant
• Contactless EMV usage is increasing rapidly and is being driven by global brands Apple, Samsung, Google and PayPal. Merchants should upgrade now to take advantage of consumer adoption
• The October 2015 EMV liability shift in the US raises the question of whether all merchants, even in countries that have already enforced the shift, are EMV compliant
This update explains each of these key drivers and how merchants need to be prepared.
Recent updates to PCI-DSS (Payment Card Industry Data Security Standard) have introduced more stringent controls around the data encryption protocols used to transmit credit card data. Older encryption methods like SSL and TLS v1.0 and 1.1 are no longer deemed secure enough to protect card data and must be upgraded.
This means that older-style processing solutions often do not meet these enhanced security requirements, even though they may still be EMV compliant. That in itself should be a catalyst to upgrade hardware to an EMV compliant solution that also meets the latest data encryption protocols. In conjunction with PCI DSS, PIN Transaction Security (PTS) requires devices certified to PCI PTS 3.0 as a minimum for new deployments. PTS introduces a number of security enhancements, including stronger standards for data security. Many credit card terminals commonly used in the market, including in countries where EMV has been in place for many years, are older hardware that only supports PCI PTS 1.3. These units should be progressively phased out of the market as hardware and software support for these End of Life products ceases.
New PCI standards for end-to-end encryption, such as P2PE, are also becoming more commonplace and are increasingly expected as standard by merchants, acquirers and the industry.
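The SSL and early TLS requirement above has two practical sides for a merchant: making sure your own systems will not negotiate the deprecated protocols, and finding out which clients or terminals still depend on them before they are switched off. The following Python script is an added example, not code from the original article or from ADVAM; it builds a client TLS context with a TLS 1.2 floor and audits a constructed web-server access log for connections that still use SSL or TLS 1.0/1.1. The log layout (an nginx-style `$ssl_protocol $ssl_cipher` pair appended to each combined-format line) and the sample lines are assumptions made for the example.

```python
import re
import ssl
from collections import Counter

# Protocol versions that PCI DSS v3.1 no longer considers strong enough for card data.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample log: combined format plus "$ssl_protocol $ssl_cipher" at the end.
# A protocol of "-" means the request arrived over plain HTTP (no TLS at all).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2015:09:12:01 +1000] "POST /pay HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 - - [28/Aug/2015:09:12:05 +1000] "POST /pay HTTP/1.1" 200 498 TLSv1 AES256-SHA
203.0.113.10 - - [28/Aug/2015:09:13:44 +1000] "GET /status HTTP/1.1" 200 120 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.55 - - [28/Aug/2015:09:14:10 +1000] "POST /pay HTTP/1.1" 200 501 SSLv3 RC4-SHA
198.51.100.7 - - [28/Aug/2015:09:15:30 +1000] "POST /pay HTTP/1.1" 200 503 TLSv1.1 AES128-SHA
192.0.2.9 - - [28/Aug/2015:09:16:02 +1000] "GET / HTTP/1.1" 200 88 - -
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'(?P<proto>TLSv1(?:\.[123])?|SSLv[23]|-) (?P<cipher>\S+)$'
)


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context that refuses SSL and early TLS outright.

    create_default_context() already enables certificate verification; the
    minimum_version attribute (Python 3.7+) pins the protocol floor to TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_compliant(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def audit_tls_log(text: str) -> dict:
    """Summarise which connections would break once SSL/early TLS is disabled.

    Returns a count per protocol, the number of connections on deprecated
    protocols, and the client addresses that relied on them, so the merchant
    can contact those integrators before the cut-off rather than after it.
    """
    by_proto = Counter()
    affected_clients = set()
    unparsed = 0
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1
            continue
        proto = m.group("proto")
        if proto == "-":
            # Card data over plain HTTP is a separate finding, not a TLS version issue.
            by_proto["plaintext"] += 1
            continue
        by_proto[proto] += 1
        if proto in DEPRECATED:
            affected_clients.add(m.group("ip"))
    return {
        "by_protocol": dict(by_proto),
        "deprecated_connections": sum(n for p, n in by_proto.items() if p in DEPRECATED),
        "affected_clients": sorted(affected_clients),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    print("hardened context compliant:", context_is_compliant(hardened_client_context()))
    report = audit_tls_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real access log, the `affected_clients` list is the set of integrations to chase before the 30 June 2016 deadline, and the `plaintext` bucket flags traffic that should never have carried card data at all.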
One major component of EMV is the acceptance of contactless payments. Often referred to as NFC (Near Field Communication), contactless EMV is fast becoming the default payment method for consumers and merchants. There are approximately 1.62 billion EMV cards in circulation, but adoption of the payment technology does vary per country (1). Australia is one of the highest adopters of contactless payments. Research released by the RFi Group showed that 53% of Australians have made a contactless transaction. The UK is leading the way in Europe with 23% having made a contactless transaction in 2015. This is just three points behind the global average of 26% (2).
Although Europe may be behind the global average, the number of transactions can’t be ignored. In July 2015 Visa alone reported 1.1 billion contactless Visa payments in the last 12 months, to the value of €12.6bn (US$14.18bn) (3). The UK Cards Association has reported that contactless payments increased by 331% in the last year.
To further push adoption, Visa and Mastercard have just introduced an increase to the maximum contactless spend limit from £20 to £30 (US$31 – US$46), and, as has been proven in other markets (the Australian limit is currently at AU$100 or US$70), this will further increase the use of contactless payments for lower value transactions. Schemes offer heavily reduced fees for accepting their contactless brands, and with contactless also contributing to an increase in sales and a reduction in cash payments by up to 30-40% in certain segments, it’s easy to see why merchants are benefiting too.
Global brands Apple, Samsung, Google and PayPal are all busy rolling out their own contactless wallets region by region, as part of their strategy to leverage consumer adoption of NFC and own the customer experience at the Point of Sale.
An underlying factor in these trends is basic customer demand to use contactless payment methods. This demand is driven by the need for a faster, easier way to pay for goods or services, which in some areas has also driven an increase in sales. This is of course a key contributing factor to the need to upgrade existing terminals, in order to support contactless payments and improve the customer experience.
EMV to reduce card fraud and PCI liability
EMV, named after the founding organisations (Europay, MasterCard and Visa), is old news in some countries and has proved successful in reducing card fraud (4). Canada saw dollar losses due to card skimming decline by 40% in the year after EMV implementation. In the EU, now that migration to EMV is complete, the region has seen an 80% reduction in credit card fraud. The US however, which is still to adopt EMV, has witnessed a 47% increase, as fraud has migrated from more secure markets to less secure ones (5).
EMVCo’s EMV Adoption Map (Q4 2014) shows the prevalence of EMV in developing payment markets, and as high as 96.6% of transactions are EMV compliant in Europe.
EMV Chip & PIN solutions encrypt card data from the card terminal to the payment network. This means that sensitive card data, such as credit card details, is no longer stored on the Point of Sale system.
Merchants that implement EMV correctly can ensure their Point of Sale environment is not in scope for PCI compliance, which can significantly reduce the costs and complexity associated with monitoring and auditing PCI compliance (6).
The Liability shift
‘Liability shift’ is a buzzword in the payment industry. It simply means that liability for card fraud shifts from the card issuer to the merchant if EMV protocols are not in place and the card on which the fraud occurred is EMV capable. Although the schemes released their current long-term security and compliance roadmaps many years ago (view the MasterCard 5 year plan and Visa 7 Point Plan for more details), many merchants have not yet implemented EMV compliant terminals across their entire estate and are therefore potentially exposing themselves to fraudsters who may move to exploit softer magstripe targets.
The key EMV, PCI and contactless dates are listed below:
1 September 2015
• Contactless Limit Increase – UK: Visa and MasterCard increase the contactless maximum transaction limit from £20 to £30
October 2015
• EMV Liability Shift – US: EMV liability shift for Visa and MasterCard
30 June 2016
• PCI DSS v3.1 – Global: PCI DSS v3.1 requirement to remove SSL and early versions of TLS encryption
ADVAM’s EMV and PCI Compliance Solutions
ADVAM’s experience in managing EMV migrations ensures that the card acceptance environment is secure, compliant and able to leverage mobile payment technology such as NFC and e-wallets. Utilising the Ingenico iSelf hardware series, ADVAM supplies a range of EMV compliant payment solutions (click to see ADVAM’s unattended solutions) to support the unattended or self-service market.
ADVAM specialises in EMV migrations and has over 10 years’ experience as payment specialists. The ADVAM payment solutions not only provide EMV compliant payment terminals, but the full end-to-end integration from payment equipment through to the merchant’s preferred choice of acquiring bank.
ADVAM solutions provide the following features as standard:
• EMV contact and contactless readers
• Ability to support tokenisation and hashing to support parking and transport segment-specific features such as pre-booking, ‘Credit Card In/Out’ functionality and ticketless parking in a compliant manner
• Ability to accept non-payment cards (e.g. loyalty cards) at the same EMV terminal, removing the need to install separate MiFare or proximity readers
For these reasons NCP, the UK’s largest car park operator, awarded ADVAM responsibility for managing the migration to EMV compliant terminals across its whole portfolio. Refer to the full article ‘NCP selects ADVAM as sole provider to manage their Payment Transactions’ (click for press release) for details of their migration to EMV.
About ADVAM and Inventive IT
ADVAM is a leading global provider of payment solutions, providing a full suite of parking, reservation and ecommerce payment solutions. Managed on its own proprietary payment gateway, ADVAM solutions are PCI Level 1 and EMV compliant. In addition, ADVAM’s transaction network handles dedicated links with acquirer banks in over 20 countries, offering the power of multicurrency acquiring and instant access to global markets.
Inventive IT became a subsidiary of ADVAM UK in 2014. By working together the two companies combine extensive expertise, creating a specialist team to deliver best in class payment, reservation and parking solutions.
The combined expertise enables custom integrations with merchants’ existing systems and processes. As such, ADVAM has a wide range of client solutions, including Sydney Airport, Dublin Airport, Swedavia, Copenhagen Airport, Wilson Parking, Westfield, Adelaide City Council, NCP, Readers Digest and many more.
(1) Source: EMVCo: Worldwide EMV Chip Card Deployment and Adoption
(2) Source: RFi Group: LEADERS: Australia lead in RFi Group’s Global Payments Evaluation Study
(3) Source: Visa Europe announcement, July 201: 1 billion Visa contactless purchases made in last year
(4) Source: Chase Paymentech Solutions, 2012
(5) Source: Discover Financial Services, 2013
(6) Source: Visa announces that it will waive PCI DSS validation requirements in a bid to accelerate the adoption of EMV. Visa Bulletin, August 2011: http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf