PCI DSS and EMV Compliance are aligned, but different, measures that govern various aspects of credit card uses and the payment terminals utilized to process the transactions.
PCI DSS and EMV Definitions
Kenny Natiss explains that the Payment Card Industry Data Security Standard (PCI DSS) provides security guidelines applying to merchants and service providers that allow credit card transactions, specifically pertaining to the how data is processed, transmitted and stored.
The Europay, Mastercard and Visa (EMV) standards apply to the embedded chips in payment cards and the chip readers used by payment terminals, with a view to fraud prevention.
As discussed above, the EMV and PCI DSS standards deal with the same universe of transactions for the most part, but they are not linked or associated with one another. This, in turn, means that organizations have to follow different guidelines in order to comply with both of these standards.
PCI DSS Compliance
What is required for PCI compliance is broader in scope, covering all aspects of the data being transmitted and processed, as well as stored. Thus, complying with EMV does not mean that the merchant has complied with PCI DSS standards. There needs to be a completely separate assessment and implementation in this specific regard.
EMV standards were developed with a view to protecting fraud when a credit card is stolen. Since most cards these days use smart chips, they are more complex than the previous generation of credit cards that used magnetic strips. EMV technology utilizes the fact that the embedded chips add a further layer of physical security, which are difficult to counterfeit, by rendering stolen cards useless.
It is important to note that complying with EMV standards would protect the “physical” cards, and not eCommerce where card information is entered.
Both EMV and PCI DSS Compliance are Necessary
Any responsible merchant should make their processes both PCI DSS and EMV compliant. Together, they provide the best set of options to help both the merchant, the customer and the card issuer feel as safe as plausible while undertaking credit card transactions.
While even this does not make credit card usage 100% secure, the onus of protecting identifying and financial information falls upon those who handle the information and issue the credit cards. Therefore, they should be fully compliant with EMV and PCI DSS.
Professional Help is Strongly Recommended
Given that considerations of safety and fraud prevention are fundamental to a merchant’s reputation, we strongly recommend that a professional organization, certified by the PCI Security Standards Council (https://www.pcisecuritystandards.org/about_us/contact_us) as a Qualified Security Assessor (QSA), be consulted.
Level 1 and 2 merchants and service providers are required to validate their compliance with the 12 step PCI DSS standards. A good QSA will be able to provide all important services in this regard, including:
- PCI DSS compliance according to the standards set by the PCI Security Standards Council
- EMV Compliance, and
- Completing each merchant’s self-assessment questionnaire (SAQ).
Additionally, an experienced QSA will be able to customize their approach and steps undertaken to the requirements of the specific merchant and their operations.
QSAs must be recertified every year, so you can rest assured that they will know the latest tweaks in the standards and the requirements therein.
Attempting to cover these steps on one’s own can result in costly mistakes, not only due to non-compliance but actual exposure to fraudulent activities.
PCI DSS and EMV compliance are a necessity in today’s world. Not only are merchants and service providers required to comply, but these measures also keep them and their customers safe from theft or further distress. Card issuers are similarly protected.
Call an expert like The LCO Group (https://thelcogroup.com/) for your compliance assessment today!