EMV and PCI standards need to coexist


by Paul Prior, SVP Client Engagement

Much has been written in recent months in the payments industry about the adoption of EMV in the US, and yet there remains an unfortunate misconception that its introduction means PCI DSS "goes away".


The reality is that this is not the case. The EMV and PCI standards need to coexist and operate within a multi-layered industry framework for ensuring card data and transaction security.


While there is no doubt that EMV can substantially reduce counterfeit card fraud at the point of sale, it does not automatically satisfy PCI DSS requirements for the protection of cardholder data and sensitive authentication data. A chip transaction still carries the primary account number, and unless the merchant has deployed point-to-point encryption or tokenisation, that PAN traverses the merchant environment in the clear and remains in scope. The PCI SSC published detailed guidance on the matter as long ago as 2010.


The misconception appears to have originated from an incorrect interpretation of the fact that certain card brands (Visa, for example) have waived the requirement for merchants to annually validate their PCI DSS compliance in specific circumstances. Importantly, though, the mandate for merchants to remain compliant has not been rescinded: validation and compliance are separate obligations, and only the former has been waived.




Indeed, in a recent update from Visa on the Technology Innovation Programme (TIP) dated 26th March 2015, Visa reiterates this point with respect to merchants' PCI DSS compliance requirements, stating: "Although Visa may eliminate the annual validation requirement for TIP-qualifying merchants, all merchants are still required to maintain ongoing PCI DSS compliance."


The resulting question for acquirers in the US is what becomes of their merchant compliance programme. The same publication also states: "Acquirers retain full responsibility for merchants' PCI DSS compliance... If risk conditions change in any market, Visa may re-evaluate the need for merchants to validate PCI DSS compliance.


In addition, Visa may rescind participation in TIP if it determines that a participant does not meet all program requirements." This means the acquirer still has a responsibility to monitor and manage both the risk profile of its overall portfolio and that of individual merchants, and to be able to demonstrate that a TIP-qualifying merchant continues to meet the programme's conditions.


Indeed, it may be possible to leverage an existing compliance programme to educate merchants, explain the benefits of EMV and encourage its adoption.


The issue then becomes whether the acquirer's compliance programme is flexible enough to incorporate the card brands' waiver programmes while maintaining the capability to manage merchant risk appropriately and to track changes to merchant processing environments, since a change in a merchant's technology (a new payment application, a new integrator, a move to e-commerce) can take it outside the waiver's qualifying conditions.


In the UK, for example, where EMV has been the norm for over a decade, all of the acquirers in the market still run and maintain merchant compliance programmes, albeit with a somewhat less PCI DSS-centric message.


The prevalent view is that while EMV undoubtedly has its benefits, there are equally legitimate and valuable business reasons for maintaining merchant compliance programmes. In such programmes the emphasis shifts to data security education and awareness, and the opportunity to engage with merchants about their technology environment and associated risk profile is not wasted.

