EMV and PCI – You can’t live without?

By Jeff Archer, VP of IT, Tijuana Flats


And WHY can’t you live without it? Because after October 2015 retailers assume credit card fraud liability, NOT the customer or the card issuer – read: REAL expensive.

 

BUT implementing it is a serious investment full of technical gotchas, and we have all stood in front of a cashier for what seems like forever (in reality only 12 seconds). Yeah! EMV. Man… the days of swipe and go have gone and went.

 

A huge bonus that many do not understand: EMV properly implemented with a Point to Point encryption solution, coupled with a hardware “semi-integrated” credit card approach, has benefits not offered by just an EMV OR a PCI implementation alone. Let’s investigate.

 

EMV helps protect the user of the card and the issuer from fraudulent credit cards, and PCI secures your system from being compromised and credit card information from being stolen. They are made to be together.

 

EMV and PCI should have a golden rule: “No credit card numbers in the POS terminal or system”. How do you implement this rule, you may ask? One word: “Token”. A Token is a unique representation of that specific credit card purchase transaction and not the credit card number; EMV passes the Token to the POS and not the credit card number.

 

To create the EMV Token, credit card issuers add an integrated chip on the credit card and connect it to a payment device that can read it in a secure and encrypted way. Personally, I am comforted by the knowledge that this protects my credit card and is worth the 12 seconds of my life to process the Token.

 

Here is a list of the primary EMV implementation options:

 

  • EMV Fully Integrated – This means that the credit card device authenticates the credit card through the POS system.
  • EMV Semi-Integrated – This means that the credit card reader only partially integrates with the POS. It has two flavors:
    • Software semi-integrated
    • Hardware semi-integrated
  • EMV Stand-Alone, with no POS integration.

The Token is a representation of the credit card number, and it is a one-time use Token: if it is stolen or hacked, it is no longer usable. Your customer credit card data is best protected because the Token is stored in the POS system, not the credit card number. Score 1 point for the good guys!

 

The EMV “Hardware Semi-Integrated” approach, as opposed to “Software Semi-Integrated”, “Fully Integrated” or “Stand-Alone”, is recommended. The reason is that the “Hardware Semi-Integrated” approach, with Point to Point encryption direct to the integrator to receive the Token, will give you one of the safest direct routes, with the fewest possible hackable places to steal credit card numbers.

 

Why wouldn’t I use the other options / approaches? Because:

 

The other approaches to implementing EMV, like “Software Semi-Integrated”, still run transactions through the POS terminal or Back of House PC/Server. Even though they may not use the actual POS software and instead use a separate piece of software to encrypt and acquire the Token, this leaves the EMV hardware and software still vulnerable. Score 1 point… hackers.

 

The “Fully Integrated” approach is almost the same credit card process used today. The credit card information goes through the POS software, so even though we are receiving a Token, it still has the same vulnerabilities as the “Software Semi-Integrated” approach above, if not more.

 

The “Stand-Alone Credit Card Device Integration” approach is probably the best when it comes to securing the credit card data but has SIGNIFICANT operational drawbacks. The “Stand-Alone” approach can cost even more customer time to process because you need to enter the transaction into the POS system, then through the credit card device… and who needs that time overhead?

 

Now for the PCI scope-reducing part. Securing the credit card data is the main purpose of PCI, and having EMV secure the credit card data from the device to the integrator relieves a lot of that liability. If implemented correctly with EMV and a Point to Point encryption solution, you can even reduce up to 75% of your PCI requirements. I don’t know about you… but I want some of that!

 

In the end, properly implementing EMV with a Point to Point encryption solution, coupled with a “Hardware Semi-Integrated” credit card approach, provides the most flexibility. This approach has the added benefit of PCI scope reduction. The end goal, after all, is to protect the guest credit card data the best way possible while supporting optimum operations.

 

Now – see why you can’t live without EMV?