The Europay, MasterCard, and Visa (EMV) protocol known as “chip and PIN” is now the world’s fastest growing smart card payment system. EMV was introduced in the mid-1990s to combat increasing lost and stolen payment card fraud leading to a reduction in annual losses to the lowest levels in years, according to the UKCards Association. The chip on the card prevents card counterfeiting, and the PIN prevents abuse of stolen cards.
The U.S. was a late adopter of the EMV technology, but recently MasterCard and Visa have targeted the year of 2015 for moving to EMV implementations by banks, payment systems providers, and merchants. Large companies are already actively moving to the EMV technology. Many organizations believe this transition to EMV will eliminate the requirement of complying with the Payment Card Industry Data Security Standard (PCI DSS) that seeks to protect cardholder and sensitive authentication data within the payment eco-system. However, this notion is incorrect. The PCI DSS is not concerned with the type of cards used but the data contained on the cards. Data is processed, stored, or transmitted through payment processing applications and networks going beyond the EMV technology.
Deterring, not eliminating, credit card risk
Although EMV has minimized the risk of compromised card data being used to commit fraud, it has not made organizations fully resistant to cyber security attacks for two reasons. First, while EMV cards and their processing terminals are different than their magnetic stripe counterpart, the back-end systems that authorize and process transactions have not changed and remain vulnerable to attacks regardless of the type of card used. Second, the EMV technology does not eliminate fraud in card-not-present transactions used for online purchases.
As the industry continues to implement the EMV technology to deter attacks on payment data containing systems and network infrastructures, adversaries will adapt and adopt new techniques aimed at breaching payment systems and gaining access to sensitive payment data. Although EMV is expected to improve the security of the payment eco-system, it is not a silver bullet in protecting organizations against unauthorized access to cardholder data. No matter how secure the EMV or any future payment technology, reliance on technology alone is not sufficient. Thus, PCI DSS security assessments will remain a critical component of the industry’s overall effort in preventing payment data leakages.