Chip Card Migration Should Include a Full Security Checkup

As evidenced by recent high-profile data breach incidents at major retailers, keeping payment data secure in today’s world is an increasingly complex challenge.

While EMV solves one part of the problem, there’s no single solution that addresses all security challenges. For example, EMV is not intended to protect the growing part of our global economy that conducts business online.

EMV provides excellent protection against fraud in a face-to-face environment. But in preparing for migration to EMV, multi-channel organizations need to consider their entire payment infrastructure, not just brick and mortar, and specifically e-commerce environments. In fact, those countries that have adopted EMV chip have experienced a significant spike in other types of fraud, especially in card-not-present environments, like e-commerce. For help understanding how to apply PCI Standards to secure online transactions, check out the PCI DSS E-commerce Guidelines. The PCI Security Standards Council also works closely with EMVCo and is an active member of the EMV Migration Forum (EMF)

The soundness of payment terminals is also an important component of security in an EMV environment. The EMV migration is a great opportunity to look at overall terminal security, and for retailers to invest in a terminal that meets various security standards and needs. The PCI Security Standards Council provides a list of PCI compliant transaction security devices. Also, merchants should consider future Point-to-Point Encryption (P2PE) plans and what additional layers of security that may be desired.  

Even after the EMV migration is complete, it's only part of a broad security strategy that includes other identity risk measures and IT security.

Implementing EMV doesn’t do away with the need for secure passwords, patching systems, monitoring for intrusions, using firewalls, managing access, developing secure software, educating employees, and having clear processes for the handling of sensitive payment card data. These processes are critical for all businesses—both large retailers and small businesses—who themselves have become a target for cyber criminals. At smaller businesses, EMV chip card technology will have a strong positive impact. But if small businesses are not aware of the need to secure other parts of their systems, or if they purchase services and products that are not capable of doing that for them, then they will still be subject to the ongoing exposure of the compromise of cardholder data and resulting financial or reputational risk.

Bob Russo is the General Manager of the PCI Standards Security Council.