Enhancing Payment Card Security By Integrating PCI with EMV Technology
Cryptomathic : 30. September 2015
This article discusses how the security protection of payment card data used in a transaction can be maximized by integrating PCI DSS with EMV technology.
What is the PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) was developed to provide a standard set of technical and operational requirements for the protection of cardholder data throughout a transaction process, including storing, processing, and transmitting. This standard is designed to regulate, improve, and encourage cardholder data security, and was meant to apply to all system components involved in the processing of a payment card transaction, including servers, network devices, computing devices, and applications.
The standard also applies to anything or anyone connected to this system, which is part of the cardholder data environment (CDE) and consists of people, processes, and technologies that are capable of handling cardholder data and/or sensitive authentication data in any way. Examples of CDE users include merchants, acquirers, issuers, financial institutions, and service providers. If a company decides to outsource its payment operations to a third-party service provider, it must guarantee that the supplier safeguards all account information in accordance with PCI DSS requirements.
The PCI DSS Standard uses two methods to achieve its security objectives:
- It maintains the integrity of any system component utilized in a transaction against fraudulent use.
- It maintains the privacy of cardholder data in the CDE wherever it is stored or transmitted, and it also protects sensitive authentication data.
Will the PCI DSS regulations be adequate for data security?
Although the PCI DSS Standards are broad in scope, they nevertheless consist of a minimum set of requirements for protecting cardholder data. New technologies, controls, or practices may be used in conjunction with these standards to provide a much higher level of protection, which is often needed in certain cardholder data environments.
These additional methods are also needed sometimes to comply with local or regional laws and regulations. For instance, a new regulation may be adopted to require specific protection of certain identification information, such as cardholder names.
Strong cryptographic protection by combining EMV chip technology with the PCI DSS Security Standards
The recent adoption of EMV chip technology is a good illustration of how new technology can be combined with the PCI DSS Security Standards to make fraud or counterfeiting of payment cards far more difficult.
As previously stated, the PCI standards provide controls for making sure the cardholder’s data is protected throughout the transaction process, while the EMV chip embedded in a card works only at the point of sale to prevent fraud, using secret cryptographic keys along with a PIN that can be entered by the user.
This method provides an additional level of authentication that drastically reduces the chance of a lost, stolen, or counterfeit card being used at a point of sale, since the card will be accepted for a transaction only when presented by its owner.
How does EMV chip technology work together with the PCI DSS Security Standards?
The EMV chip by itself will provide very little protection beyond the card reading device, which means the cardholder’s data could be transmitted and stored at some point in the network, where it could be susceptible to criminal activity and fraudulent usage.
As the cardholder data is read by a point-of-sale terminal, it is processed in its clear text form in order to complete the critical steps in the EMV transaction process. If PCI DSS were not implemented, this clear text data would be available at all points in the transaction, making it easily accessible for criminal activity.
Therefore, after the point-of-sale processing, the PCI DSS Standards take over the data security process, with their additional layers of security control at every point in the network where confidential data may be found. It is essential that both EMV and PCI DSS be used together as the security controls for a payment card system to provide the greatest level of security: each control compensates for the security measures the other lacks.
PCI DSS is also essential for Non-EMV transactions
The extra layers of security provided by PCI DSS are essential in any case, because many merchants process both non-EMV and EMV transactions. For non-EMV transactions, PCI DSS provides the only means to protect the confidentiality of cardholder data and sensitive authentication data at all points involved in a transaction, including the point of sale.
Comparing fraud mechanisms for EMV and Non-EMV transactions
To understand how the current EMV technology can relate to the PCI DSS Standards, one should examine the existing data elements in EMV transactions and the inherent mechanisms for possible fraudulent use. These mechanisms should be considered alongside those for non-EMV transactions (using the magnetic stripe or key entry of data).
Consideration of the data elements used on a payment card
Two types of data elements are used for EMV transaction processing: Cardholder Data and Sensitive Authentication Data. These elements are listed here, along with their purpose in a transaction:
- Cardholder Data includes:
  - Primary Account Number (PAN) - The PAN is the primary identifier of the cardholder and the card itself. This number is utilized in performing the transaction, enabling the routing of the transaction, authenticating data at the point of sale, and allowing the issuer to derive the keys associated with it.
  - Cardholder Name - The EMV chip contains this information, although it isn’t required to be transmitted in an authorization message.
  - Expiration Date - Always stored on EMV cards in clear text under an expiration date tag. If authorization is done online, the expiration date from the Track 2 Equivalent Data will be included in the authorization message.
  - Service Code - This is found in the chip's Track 2 Equivalent Data. It allows the issuer to validate the card verification code if that code is also included in the Track 2 Equivalent Data.
- Sensitive Authentication Data includes:
  - Full track data (magnetic-stripe data or equivalent on a chip) - This is the Track 1 and Track 2 Equivalent Data, which have the same data structures as the magnetic stripe. For legacy purposes, the Track 2 data is usually included in EMV online authorization requests and is available in clear text. The Track 2 data differs from the magnetic-stripe data when a unique chip card verification code is used to prevent counterfeiting.
  - CAV2/CVC2/CVV2/CID - This three- or four-digit code is only printed on the front or back of the card itself; it is not stored on the embedded EMV chip, since it isn’t part of the EMV Specification.
  - PINs/PIN blocks - A personal identification number can be entered by the cardholder during a transaction, and/or an encrypted PIN block on the chip itself can be used for online or offline verification of the cardholder. Other cardholder verification methods (CVMs) are also supported.
Storage of data elements on the EMV chip
All four items listed under 'Cardholder Data' are stored on the EMV chip, but only the PAN must be rendered unreadable wherever it is stored. For security purposes, the three items listed under 'Sensitive Authentication Data' are not permitted to be stored after authorization under any circumstances (even if encrypted).
Importance of using a unique card verification code (or value)
If the Track 2 Equivalent Data on the chip contains a card verification code different from that on the magnetic stripe, this creates a layer of protection that makes it almost impossible to create counterfeit magnetic-stripe cards from compromised data on an EMV card. If this code wasn’t used, the Track 2 data from an EMV card could be used to create a magnetic-stripe card, since they would have equivalent data fields.
Are all the data elements used in a transaction?
It should also be noted that a valid payment card transaction would often require only the PAN and expiration date to be stored, processed, and transmitted on the card reading device.
If the cardholder name and service code are also used in the transaction, they must be protected along with the PAN and expiration date according to PCI DSS requirements.
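The data-element list, the storage rule (Cardholder Data may be kept, with the PAN rendered unreadable; Sensitive Authentication Data never after authorization), and the note that a chip's Track 2 Equivalent Data carries a unique card verification code in its discretionary field can be turned into a small, checkable routine. The following is an added example, not Cryptomathic's or the PCI SSC's code. It assumes the standard layout of EMV tag 57 (PAN, 'D' separator, YYMM expiry, three-digit service code, discretionary data, 'F' padding), uses PAN truncation to the first six and last four digits as the method of rendering the PAN unreadable, and scans stored text for full track data in either the chip or the magnetic-stripe layout. Every sample value in it is constructed.

```python
"""PCI DSS data-element handling for EMV Track 2 Equivalent Data.

Added example (not the article's or the PCI SSC's code). Assumes the
standard EMV tag 57 layout and PAN truncation (first six / last four) as
the method of rendering the PAN unreadable. All sample values are
constructed and are not real card data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Track2:
    pan: str            # Cardholder Data
    expiry: str         # Cardholder Data, YYMM
    service_code: str   # Cardholder Data
    discretionary: str  # part of full track data: Sensitive Authentication Data
                        # (on a chip this is where the unique chip CVC is carried)


def parse_track2_equivalent(hex_data: str) -> Track2:
    """Split Track 2 Equivalent Data (EMV tag 57) into its fields."""
    data = hex_data.upper().rstrip("F")  # drop the 'F' nibble padding
    if "D" not in data:
        raise ValueError("no 'D' field separator: not Track 2 Equivalent Data")
    pan, rest = data.split("D", 1)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry (YYMM) and service code (3 digits) required")
    return Track2(pan=pan, expiry=rest[:4], service_code=rest[4:7],
                  discretionary=rest[7:])


def truncate_pan(pan: str) -> str:
    """Retain only the first six and last four digits of the PAN."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def post_authorisation_record(track2_hex: str,
                              cardholder_name: Optional[str] = None,
                              pin_block_hex: Optional[str] = None,
                              cvv2: Optional[str] = None) -> Dict[str, str]:
    """Build the only record that may be kept once authorisation is complete.

    Cardholder Data (truncated PAN, expiry, service code, name) is retained.
    Sensitive Authentication Data passed in (full track including the
    discretionary data, PIN block, CVV2) is deliberately not copied into the
    record, encrypted or not.
    """
    t2 = parse_track2_equivalent(track2_hex)
    record = {"pan": truncate_pan(t2.pan),
              "expiry": t2.expiry,
              "service_code": t2.service_code}
    if cardholder_name:
        record["cardholder_name"] = cardholder_name
    del pin_block_hex, cvv2  # accepted only to show they are never stored
    return record


# PAN, then 'D' (chip equivalent) or '=' (magnetic stripe), then YYMM and
# service code, then whatever discretionary data follows.
FULL_TRACK2 = re.compile(r"\b\d{12,19}[D=]\d{7}\d*")


def find_sensitive_authentication_data(text: str) -> List[str]:
    """Scan stored text (log lines, database dumps) for full track data that
    must not survive authorisation; covers both EMV and magnetic-stripe layouts."""
    return FULL_TRACK2.findall(text)


# Constructed sample values (not real card data)
SAMPLE_TRACK2 = "1234567890123456D251220100000000123F"
SAMPLE_LOG_LINE = ("2015-09-30T10:15:02 pos-07 authz-req "
                   "track2=1234567890123456D251220100000000123F pin_block=<encrypted>")

if __name__ == "__main__":
    record = post_authorisation_record(SAMPLE_TRACK2, cardholder_name="A TEST CARDHOLDER",
                                       pin_block_hex="0123456789ABCDEF", cvv2="123")
    print("retained after authorisation:", record)
    print("full track leaked into log:", find_sensitive_authentication_data(SAMPLE_LOG_LINE))
    print("full track in retained record:", find_sensitive_authentication_data(str(record)))
```

The scan deliberately accepts both the 'D' and the '=' separator so that the same check catches track data from non-EMV (magnetic-stripe) transactions, which the article notes are still processed by many merchants.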
Conclusion
Although EMV chip technology has proven very capable of substantially reducing counterfeiting and fraud in card-present transactions at POS (point of sale) terminals and ATMs, it does not by itself satisfy the requirements prescribed by PCI DSS. Steps must still be taken to protect the integrity and confidentiality of cardholder data and sensitive authentication data at every system component that handles the data in any way, as outlined in the 12 key PCI DSS requirements established by the PCI Security Standards Council (PCI SSC).
These guidelines specify the technical and operational requirements and corresponding testing procedures which are used for PCI DSS compliance assessment of each component in the payment card system.
Since non-EMV transactions may also occur at POS and ATM terminals in many locations, PCI DSS implementations are the only means of protecting cardholder data in those cases.
Even when the PCI DSS compliance measures are satisfied, a transaction of this type is still susceptible to fraud at the POS or ATM terminal, where tampering with card data, false signatures, use of lost or stolen cards, counterfeiting, etc. remain possible.
So in order to maximize the benefit in reducing fraud and enhancing the security of the payment card system, steps must be taken to combine EMV chip technology with the PCI DSS guidelines for a more complete spectrum of security measures.
References and further reading
- PCI DSS Applicability in an EMV Environment - A Guidance Document (2010) by the PCI Security Standards Council
- Increasing Security and Reducing Fraud with EMV Chip and PCI Standards by the PCI Security Standards Council
- Payment Card Industry (PCI) - Requirements and Security Assessment Procedures - Version 3.0 (2013) by the PCI Security Standards Council
- Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms (2015) by the PCI Security Standards Council