Electronic payments are increasingly becoming part of our everyday lives. For most people, it can be hard to imagine a single day where we do not make a purchase using our payment cards in a physical store, or perform some form of online payment or money transfer.
But how do these payments work? The payments industry is fundamentally based on trust. When you use your payment card to purchase goods or services, you trust the merchant to accept that payment method and manage your details in some secure way. The merchant trusts that this method of payment will eventually end up with funds being transferred into their bank accounts if the payment is authorized. The financial institution that issues your payment card trusts that the details they receive from the merchants bank are not fraudulent, and the merchants bank trusts that the Issuer is going to follow through on their commitments if they approve the transaction.
Through addressing different aspects of the payment system, EMV and PCI work together to help secure the way we make payments globally. The standards ensure that when you travel from one side of the world to another, your card will still be accepted and your payment will be secure. The older generation of magnetic stripe cards, with static data that can easily be copied, are being retired with the last great implementation of EMV finally gaining traction into the US. Once this is done, we can look forward to more secure payments everywhere.
The Payment Card Industry Security Standards Organization (PCI SSC) creates and manages standards around the security of the transaction process, whereas EMV (named after the original payment brand founders; Europay, MasterCard and Visa) is tasked with establishing standards for the way in which chip based card payments are processed. EMV is often also referred to as Chip and PIN or Chip and Choice in different markets.
The EMV standards were created to outline a whole new methodology for performing payments, using a secure card that could provide cryptographic authentication of itself and the transaction. These standards are separated into three broad groups; ones that outline the security of the processing element, or chip on the customer card; ones that detail the physical and electrical interface of the customer card and payment terminal; and finally standards that outline how the transaction is to be performed.
Most of the EMV requirements are focused on the how of the transaction, rather than the security of the transaction. However, as part of this how the standards do allow for the customer card to provide authentication data to the payment terminal; preventing the cloning of payment cards. Additionally, an EMV card can also provide authentication data relating to the transaction itself, allowing for a card Issuer to validate that the transaction that the customer authorized is the same as that communicated from the payment terminal.
It is a commonly held myth about EMV payments that the system requires the use of a PIN; which it does not. The method used for cardholder verification actually depends on the type of transaction, the terminal used, and the Issuing bank who provided the cardand methods can vary from no verification at all, through PIN entry, signature, and even biometric validation. For this reason EMV is referred to as Chip and Choice in the US market, as it is the choice of the issuers and acquirers which cardholder verification methods they want to support.
The PCI standards, rather than dictating how payment processing should function, instead outline how the different aspects of this processing should be secured.
Like EMV, PCI is not a single standard; there are many different standards and information supplements that provide details on the many different aspects of payment security. The PCI Data Security Standard (PCI DSS) is an audit standard that focuses on the security of environments that are used to store, process and/or transmit cardholder data, and the Payment Application DSS (PA DSS) similarly focuses on the security of software used in payment processing.
The PCI PTS and PCI PIN standards dictate the minimum level of security for the physical devices that are used to accept card payments, and the Point to Point Encryption (P2PE) standard takes an overview of how all of these standards can work together in the form of a tailored solution to provide end to end security to payments through encrypting card data directly within the payment accepting device.
Andrew Jamieson is a testing manager for UL Transaction Security.