Like seatbelts, there's no point in rejecting EMV and PCI


You don’t necessarily need to know the intricate technicalities of PCI and EMV. All you need to know is that following the rules and recommendations for preventing data breaches and credit card fraud will serve your business well.

It’s like not buckling your seatbelt when you drive: You may be able to get away with it for a while, but sooner or later, you’re likely to either get a ticket or get into an accident, no matter how safe a driver you are.

PCI compliance and EMV are vital for business owners to understand, but they often confuse the two standards. This is partly because both require various assessments and certifications, and some solutions address both at once. The Payment Card Industry Data Security Standard, often called PCI for short, is a recently updated set of standards that aims to prevent card data theft and data breaches. EMV is also a security standard, but it focuses solely on preventing thieves from producing and using counterfeit cards, by way of the country’s 394 million chip cards.
In short, PCI compliance is mandatory for all businesses that accept card payments. EMV is not mandatory, though it is strongly encouraged. Data security is a vital part of business, and misinformation can inadvertently result in a vulnerability. Ultimately, it’s every business owner’s responsibility to look at his own environment to understand where vulnerabilities exist.

PCI standards provide a framework, but they’re not the end-all security solution. Still, it’s a bit scary that only 20 percent of businesses are PCI-compliant, according to a recent report by Verizon.

Modern business is largely cloud-based, which means a lot of data is transferred back and forth between geographically distant servers. Data breaches are becoming more prevalent, and all it takes is network access to exploit a business’s data. Proprietary company information and confidential customer details are at risk, and a breach can mean a huge public relations disaster and even government fines.

Because PCI compliance is mandatory, it is important for any business owner to check all service providers and vendors to make sure they are compliant, as well. This includes your point of sale system, payment processor, e-retail shopping and payment options, and more.

It takes a collection of security practices to remain protected. The following steps reduce the likelihood of credit card fraud and data breaches and lessen the value of compromised data in the event of a breach. They should be followed by all businesses that accept card payments, regardless of business size or industry.

Follow PCI data-security standards. Think of PCI standards as the bare minimum defense against hackers. Complete your self-assessment questionnaire and vulnerability scans, and keep up with all applicable assessments. PCI compliance is meant to keep you abreast of trending data-security vulnerabilities. If you suffer a breach and are found PCI-noncompliant, you’ll face penalties of up to $500,000 in addition to the consequences of stolen data.

Adopt EMV technology. Chip cards are meant to reduce fraud by encrypting all information between the card and the reader. Magstripe cards, on the other hand, contain analog data that’s easy to intercept, steal, and spoof. Nearly 40% of retailers were EMV-compliant as of mid-2016, and that number will have more than doubled by the end of this year. Don’t get left behind, or the chargeback fees that you’ll be financially responsible for could squeeze you out.

Use a PCI-validated P2PE solution. The most secure way to transfer data is with end-to-end encryption. Using a PCI-validated point-to-point encryption solution also enables businesses to take shorter PCI self-assessment questionnaires. In the event a malicious party breaches the network or intercepts any traffic, the card data should still be safely encrypted. Encryption keeps hackers and thieves from making sense of the information they are looking at, which is why governments, militaries, and financial institutions rely on it to protect themselves.

Craft a data-breach action plan. No matter how rigorously a business follows the PCI Data Security Standard and employs other security techniques, a hacker can still prevail. No system is foolproof, and preparing for data breaches in advance keeps business moving along after one occurs. A data breach protection plan mitigates the financial damage of constantly evolving cybercrimes afflicting businesses of all sizes.
