EMV and P2PE
From security strategies to mobile payment, the payment space is poised for major changes in the years ahead. With huge disruptions in the payment space, including dramatic security improvements from EMV and P2PE and the debut of Apple Pay, this year has been a watershed year for payments technology. This product bulletin discusses two key technologies that work in tandem to protect our clients’ fans and businesses against card fraud. The two key technologies are:
- EMV, also known as the “smart card” standard, uses a secure integrated circuit chip with a microprocessor in the card. This improves the security of a payment transaction by providing cryptographic card authentication, which protects the merchant and issuer against accepting counterfeit cards. EMV also offers cardholder verification and several means of transaction authentication that help authorize transactions safely.
- Point-to-Point Encryption (P2PE), which encrypts card data immediately at inception – at card swipe, key entry, tap or insertion – so that no one else can read it or monetize it. With P2PE, account data (cardholder data and sensitive authentication data) is unreadable until it reaches the secure decryption environment, which makes it far less valuable if it is stolen in a breach.
Implications of Encryption for PCI DSS Compliance Requirements
PCI DSS compliance applies to any merchant that stores, processes, or transmits payment card data anywhere within its business. Any system that transmits, processes, or stores encrypted PANs falls within the scope of PCI DSS, especially if the organization has the ability to decrypt the data. Many of our clients focus on minimizing the number of systems subject to PCI DSS, thus reducing the scope of compliance. The PCI Security Standards Council (PCI SSC) has provided the following guidance:
- The presence or absence of the PAN determines whether a system is in scope for PCI compliance.
- An encrypted PAN is still defined as cardholder data, because it is theoretically possible to decrypt it and thus recover the PAN. Therefore, any system transmitting, processing, or storing encrypted PANs is still considered in scope for PCI DSS compliance. However, if an entity (such as a merchant) has no ability to decrypt the encrypted data, then the encrypted data is not card data, and the systems that transmit, process, and store it are not in scope.
Even the best encryption solutions do not completely eliminate the need for PCI compliance. Certain controls will always have to be validated and measures taken, so please contact us for more information on this subject.
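To make the P2PE description and the “can the entity decrypt it?” scoping test concrete, here is an added Go example that is not Spectra’s, VeriFone’s or CyberSource’s code: a terminal encrypts the PAN at swipe under a key that only the decryption environment can use, so every merchant system in between holds only ciphertext and a truncated PAN. The hybrid RSA-OAEP/AES-GCM scheme, the function and type names, and the test PAN are all assumptions standing in for the injected symmetric keys a real P2PE device uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"strings"
)

// CapturedRecord is what the merchant's POS software receives: the PAN is already ciphertext.
type CapturedRecord struct {
	MaskedPAN  string // truncated form kept for receipts and reconciliation
	WrappedKey []byte // one-time AES key, encrypted to the decryption environment's public key
	Nonce      []byte
	Ciphertext []byte
}
// NewDecryptionEnvironmentKey stands in for the private key that exists only inside the P2PE
// solution's secure decryption environment (an HSM in practice); the merchant never holds it.
func NewDecryptionEnvironmentKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// MaskPAN keeps the first six and last four digits, the only form left in merchant systems.
func MaskPAN(pan string) string {
	if len(pan) < 10 { return strings.Repeat("*", len(pan)) }
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}
func aesGCM(key []byte) cipher.AEAD { // cannot fail for a 32-byte key; an error is a code bug
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	gcm, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return gcm
}
// EncryptAtSwipe models the terminal: it holds only the decryption environment's PUBLIC key, so
// nothing downstream of the reader can recover the PAN (hybrid scheme is a stand-in for DUKPT).
func EncryptAtSwipe(pan string, pub *rsa.PublicKey) (CapturedRecord, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil { return CapturedRecord{}, err }
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil { return CapturedRecord{}, err }
	ct := aesGCM(key).Seal(nil, nonce, []byte(pan), nil)
	return CapturedRecord{MaskedPAN: MaskPAN(pan), WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}
// DecryptInSecureEnvironment is the only code path holding the private key, so it is the only
// place the PAN reappears; every system in between handled ciphertext only.
func DecryptInSecureEnvironment(rec CapturedRecord, priv *rsa.PrivateKey) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedKey, nil)
	if err != nil { return "", err }
	pan, err := aesGCM(key).Open(nil, rec.Nonce, rec.Ciphertext, nil)
	return string(pan), err
}
```

A merchant system handed the CapturedRecord without the private key gets a decryption error, which is exactly the condition under which the PCI SSC guidance above treats the data as out of scope.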
- Are there different types of EMV?
Yes, there are two types: “Chip & PIN” and “Chip & Signature”. U.S. financial institutions are primarily adopting “Chip & Signature”. Visa – CyberSource development is focused on “Chip & Signature”; “Chip & PIN” development will follow at a later date.
- What devices will Spectra deploy and certify?
Spectra will deploy and certify the VeriFone Vx820 and Mx915 card-reading devices. For more information on the devices, click the following links:
- What is the difference between EMV, P2PE and “Verified by Visa” or “MasterCard SecureCode”?
EMV and P2PE help fight fraud in card-present environments, where the cardholder is physically at the checkout counter. Verified by Visa and MasterCard SecureCode add an extra layer of security that makes it harder for someone else to use your card to shop online in the unfortunate event that your Visa or MasterCard card or account number is lost or stolen.