Why EMV Doesn’t Make You PCI Compliant
EMV chip card technology remains one of the hottest topics in the payments industry. With EMV adoption, merchants will reduce their risk of a credit card data breach at the point-of-sale (POS) because of the encryption technology associated with the new chip cards. Though many merchants have found EMV adoption to be disruptive to their IT operations and finances, credit card companies are considering chip technology the best way to prevent fraud during card-present transactions.
However, EMV chip card technology does not address cardholder data beyond the POS environment.
Even though chip card technology protects credit card data during the swipe or dip of the card, EMV doesn’t address the entire transaction process, which includes the end-to-end exchange of card data. EMV does not negate the need for firewalls and other technologies that protect the card data environment. Moreover, PCI compliance requires adherence to many processes. If a business is breached, the merchant will still be held accountable if they fail to uphold PCI requirements such as the implementation of security policies and ensuring that all personnel are properly trained through a PCI-approved course. Additionally, EMV does not address card-not-present transactions (payments made via telephone or internet). With online transactions, many merchants still do not require the card’s three or four-digit security code at the time of checkout.
In addition to EMV failing to make merchants fully PCI compliant, chip technology still does not prevent cyber criminals from hacking into the merchant’s network; it simply reduces the risk at the point-of-sale. Since most cyber criminals work off IP addresses, they can easily get in through alternative avenues such as digital menu boards or music systems. That’s why, on top of becoming PCI compliant, implementing layered security such as a managed firewall is crucial for protecting your business from a data breach.