What Merchants and Processors Need to Know About PCI 3.0, the EMV Deadline and P2PE
The deadline for PCI 3.0 is fast approaching, and failing to comply could cost your company up to $25,000 a month in fines. The EMV deadline is on the horizon also—a positive step for payment security but a potentially costly change for merchants. These new requirements can be overwhelming for merchants of all sizes, so I’ve put together a guide to help make the transition a little easier.
First things first:
PCI 3.0.
Be prepared for penetration testing
Up until now, penetration tests (or pen tests) had few requirements to meet PCI standards. In 3.0, merchants will be required to develop a methodology for penetration testing that demonstrates that the environment is secure. Basically you’ll need to attempt to hack yourself to make sure there are no weak points. These test are highly specialized and can be very expensive to do properly, up to $50k.
The good news? You only have to worry about pen tests if you’re storing credit card data in your systems–if your processor handles card data storage, you’re out of the woods.
Keep an eye on your POS systems
The vast majority of the major breaches over the past year have been through POS malware and skimming. For this reason, PCI 3.0 requires all merchants to periodically inspect their devices, as well as maintaining an up-to-date list including:
- Make and model
- Serial number
- Location of device
- Unique identifiers
This impacts all card-present merchants, and will be particularly difficult for those merchants with multiple locations. Merchants will need to get into a routine of inspecting all of their physical devices, plus employees will need to undergo additional training to maintain their security.
…and your service provider
PCI 3.0 also clears up some confusion about the roll of service providers. Basically, you cannot transfer responsibility of cardholder data to your service provider, so if something happens and they experience a breach that impacts your customers, you are still liable. Make sure that your service provider is trusted and exhibiting security best practices to keep your customer’s information safe. Your service provider should also draw up more detailed contracts reviewing the specifics of their own compliance so you can be sure that you are protected.
EMV deadline
As for EMV, it’s been a long time coming. It all began in 1991 when a European study concluded a chip-based card was necessary for payment security. France had already started switching to chip cards, and by 1992 they had converted all of the POS systems in the country to accept them. The term “EMV” was coined in 1993, and stands for Europay MasterCard Visa.
Since then most of the world has made the switch, with the US lagging behind. And since we’re one of the few countries left using magnetic stripe cards, hackers around the world are focusing their efforts on us, hence the surge in fraud.
There are several reasons that it’s taken the US a while, but foremost is the cost. The implementation will end up being about $6 billion, the majority of which will be paid by merchants. Between upgrading POS systems and printing up more expensive EMV cards, it’s a huge project. That said, by October 2015, it must be done. It’s never too early to start preparing for the transition, and your payment processor should be well-prepared to help you.
Merchants with recurrent billing take note:
Aside from just swapping out old POS terminals for EMV-compliant ones, there are other things merchants can do to smooth the transition. One of those things is to seek out a payment processor that has account-updater capabilities. These payment processors work with Visa and MasterCard to keep your customer’s accounts up to date so in the event of a new card–and there will be many new cards coming–you won’t have to touch base with your customers to ensure you have the correct information. This is particularly valuable for retention of customers with subscriptions that have recurrent billing. Read more about account updaters here.
P2PE
One of the best ways to keep card data out of your system is with Point-to-Point Encryption, or P2PE. Through this encryption process, the data is encrypted at the point of interaction, so the unencrypted card number never touches the system. These solutions are provided by a third party, and the PCI council has developed a standard by which these companies must withhold. Make sure you choose a company that is part of the PCI council’s list of approved providers to ensure you can reduce your PCI scope.
The main takeaway? Don’t wait to upgrade to EMV-compliant terminals and never store card data in your system to reduce your company’s PCI burden as much as possible while keeping your customer’s data safe. It’s as simple as that.