Monday, 23 January 2012 12:49
What’s the point of PCI DSS if the world is moving to EMV?
Comment on the Cicero's Ristorante legal test case in the US by Ian Hermon, product marketing manager at Thales e-Security

A small restaurant in Utah is taking a stand against one of the biggest regulations affecting the payment security industry. Cicero’s Ristorante in Park City has launched a countersuit against their merchant acquirer after it seized money from the restaurant’s account for alleged violations of PCI DSS.

News of the lawsuit has whipped up a furore about both the drawbacks and benefits of the PCI scheme, and whether it is in fact worth having at all. One common argument against the cardholder data requirements of PCI DSS is that the standard is redundant in an EMV environment. The argument goes like this: the purpose of PCI DSS and the more recent P2PE (point-to-point encryption) is to protect the sensitive, static payment data used for magnetic stripe transactions, both in storage and in transit across the merchant-to-acquirer segment of the payment transaction. Encrypting cardholder data is all well and good: transaction data stolen from a POS (point-of-sale) terminal or from a merchant/acquirer system is rendered worthless to a thief. However, any sensitive payment data stolen from an EMV transaction would be just as worthless to a criminal, because it is dynamic rather than static (each transaction carries a fresh, card-generated cryptogram), which prevents a replay attack. So why not skip PCI DSS and move straight to EMV?

There is some truth in this argument, but it does not cover the complete picture. In an EMV environment, stolen cardholder data would indeed be useless for a fraudulent POS transaction, as the criminal would not have (or be able to recreate) the corresponding physical EMV card. However, the static elements of that data, the card number and expiry date, could still be used for a fraudulent online (card-not-present) transaction as long as the merchant's website does not demand a card security code (CSC) in its payment process.

The card security code (known as CVC2 on MasterCard cards, or CVV2 on Visa cards) is the three-digit value usually found on the back of the card, to the right of the signature strip. It is not encoded on the magnetic stripe or the chip and is not normally used in traditional POS transactions, so it is not captured when a POS terminal or merchant system is compromised; it can therefore provide an additional layer of security for card-not-present transactions, provided the merchant never stores it after authorisation (which PCI DSS prohibits).

Many online merchants still fail to make use of the card security code in their payment processes. This means that the requirements of PCI DSS remain hugely important for payment security until all sites require the card security code for a transaction, or employ other strong forms of cardholder authentication such as 3D Secure.

Lastly, we must not forget that many parts of the world, including the USA, are in the very early stages of a fragmented migration to EMV, and magnetic stripe data will continue to be read and transmitted for years. PCI DSS compliance and other PCI initiatives will therefore remain important for years to come and will naturally evolve to address new security threats.