PCI Compliance vs EMV Compliance
What’s the difference between PCI compliance kiosk and EMV compliance kiosk? The short answer is they’re both guidelines for protecting cardholder data for the purpose preventing fraud, but they focus on different elements of the credit card transaction.
“To clarify it even further and more simply, PCI is about making sure the card data doesn’t get stolen and is secure in the first place and EMV is making sure if the data IS stolen that the content is rendered useless.” – CPI PCI and EMV: What’s the difference?
The goal for this article is to give a brief overview of each of these standards for protecting cardholders so you have an idea of how they impact how you accept credit card payments at your self-service kiosk or POS.
What is EMV Compliance Kiosk:
- The goal of EMV is to ensure the security and global interoperability of chip-based payment cards.
- Includes robust cardholder verification (i.e. Chip and PIN). The particular verification method that is used depends on the card issuer as well as the POS where you make a purchase.
- Prevents cards from being cloned through the use of microprocessor on the card which produces unique encrypted output each time the card is used to defeatcard skimming.
- Requires EMV certification between EMV capable hardware and the processor.
- President Obama signed an executive order that requires all government-issued credit cards and readers to come equipped with EMV technology starting 2015.
- Has a US liability shift coming in October 2015
- The EMV specifications are managed by the privately owned corporation EMVCo LLC and was first published in 1995 through a joint effort by Europay, MasterCard, and Visa (hence EMV).
What is PCI Compliance Kiosk:
- The goal of PCI is to protect cardholder data that is processed, stored or transmitted by merchants.
- Follows common sense steps that mirror best security practices including building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks and maintaining an information security policy.
- Requires regular vulnerability scanning by an ASV of Internet-facing environments of merchants and service providers.
- Allows organizations to “self-assess” in many cases. Different Self-Assessment Questionnaires (SAQs) are specified for various business situations.
- The PCI specifications are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
- PCI is separate from EMV. You can certainly be PCI compliant today without supporting EMV transactions. A non-EMV merchant just accepts additional liability on chargebacks when not supporting EMV transactions. Some merchants in high-volume environments will opt to trade the liability risk for a faster transaction. We’ve had high volume/low ticket merchant partners that are much more concerned with line abandonment due to long queues than chargeback risk and opt to delay EMV migration for that reason.
- Level 1 PCI means that the merchant is running at least 6M Mastercard or Visa transactions annually, OR, a merchant that has experienced an attack resulting in compromised card data, OR, a merchant deemed level 1 by a card association.
- So what is SRED? — Secure Read and Exchange of Data, SRED is a set of criteria that PIN entry and card reader devices are tested against. Manufacturers submit complete prototypes of terminals and other payment devices for SRED evaluation. SRED ensures that cardholder data is protected from the point of acceptance, and lays the larger foundation for point-to-point encryption (P2PE). There is specific SRED criteria for terminals installed in attended versus unattended environments. SRED devices are also equipped with tamper sensors and switches meant to guard against physical security breaches at the terminal level. Additional security requirements are listed for unattended hardware like that installed in self-service kiosks or fuel dispensers. These additional security measures help ensure merchants that the level of security is not degraded in unattended environments.
Related PCI Compliance Kiosk Explanations and Articles