Card & Payments World is the well-respected international newsletter providing in-depth information on mobile, card and online payments, and this is our daily news and resource site for subscribers, who also receive 11 printed newsletters a year and three glossy magazines.

Monday, 23 January 2012 12:49
What’s the point of PCI DSS if the world is moving to EMV?
Comment on the Cicero's Ristorante legal test case in the US by Ian Hermon, product marketing manager at Thales e-Security

A small restaurant in Utah is taking a stand against one of the biggest regulations affecting the payment security industry. Cicero’s Ristorante in Park City has launched a countersuit against their merchant acquirer after it seized money from the restaurant’s account for alleged violations of PCI DSS.

News of the lawsuit has whipped up a furore about both the drawbacks and benefits of the PCI scheme, and whether it is in fact worth having at all. One common argument against the cardholder data requirements of PCI DSS is that the standard is redundant in an EMV environment. The argument goes like this: the purpose of PCI DSS and the more recent P2PE (point-to-point encryption) is to protect sensitive static payment data used for magnetic stripe transactions, both in storage and in transit in the merchant-to-acquirer segment of the payment transaction. Encrypting cardholder data is all well and good – transaction data stolen from a POS (point-of-sale) terminal or merchant/acquirer system will be rendered worthless. However, any sensitive payment data stolen from an EMV transaction would be just as worthless to a criminal (due to its dynamic rather than static nature, thus preventing a replay attack), so why don’t we skip PCI DSS and move straight to EMV?

There is some truth in this argument, but it does not cover the complete picture. In an EMV environment, stolen cardholder data would indeed be useless for a fraudulent POS transaction as the criminal would not have (or be able to recreate) the corresponding, physical EMV card. However, stolen cardholder data could be used for a fraudulent online transaction as long as the merchant’s website does not demand a card security code (CSC) in its payments process.

The card security code (known as CVC2 on MasterCard cards, or CVV2 on Visa cards) is the three digits usually found on the back of a card, to the right of the signature strip. This data is not normally used in traditional POS transactions and so can provide an additional layer of security for card-not-present transactions.

Many online merchants still fail to make use of the card security code in their payment processes. This means that the requirements of PCI DSS are still hugely important for payments security until all sites require the card security code for a transaction or employ other strong forms of authentication such as 3D Secure.

Lastly, we must not forget that many parts of the world - including the USA - are in the very early stages of a fragmented migration to EMV. PCI DSS compliance and other PCI initiatives will remain important for years to come and will naturally evolve to address new security threats.