
How EMV Compliance Fits In With Other Regulations

In today’s Point of Sale environment, data security is more important than ever. Stories about massive credit card data breaches seem to appear regularly in the news. As a result, retailers want to do everything they can to avoid being the next victim. In order to increase security and protect against fraud, the industry is working to adopt standards such as EMV, among others.

As the Fraud Liability Shift Date for EMV compliance approaches on October 1, 2015, retailers are working to make sure they meet these standards. After that date, liability for counterfeit-card fraud at the point of sale moves to whichever party, merchant or card issuer, has not adopted chip technology. In addition to this, are there other regulations to consider, and if so, how does EMV compliance fit in?

PCI

The main standard that retailers need to be aware of is the Payment Card Industry Data Security Standard (PCI DSS). It is not a law: it is a contractual requirement that the card brands impose, through acquirers, on any merchant that stores, processes, or transmits cardholder data. Its requirements are grouped under six goals: building and maintaining a secure network and systems, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

In practice, the PCI standard requires retailers to protect cardholder data against a breach by installing and maintaining firewalls, replacing vendor-supplied default passwords and settings with strong ones, encrypting cardholder data whenever it is transmitted over open, public networks, protecting their systems against viruses and malware, restricting and logging access to cardholder data, and regularly testing their security systems. Following these requirements helps retailers avoid data breaches and the fines and liability that follow one.

E2EE

The latest full version of the PCI standard, version 3.0, was released in November 2013. Version 3.1, released in April 2015, is mostly made up of clarifications to the language in version 3.0, with one substantive change: SSL and early TLS are no longer accepted as strong cryptography for protecting cardholder data in transit. This version of the standard also recognizes End-to-End Encryption (E2EE) solutions. Retailers who deploy E2EE encrypt cardholder data inside the card reader at the moment of capture, so it travels through the POS and on to the payment processor for authorization already encrypted. The merchant's own systems never hold a clear-text card number, which greatly reduces the possibility, and the impact, of a data breach.

Implementing E2EE allows retailers to greatly reduce their PCI scope: POS systems that never see clear-text cardholder data fall outside most of the requirements aimed at protecting stored and processed data. It does not remove a merchant from PCI scope entirely. The merchant remains responsible for the physical security of the card readers (protecting them from tampering and substitution) and for the requirements that still apply, and the largest scope reduction is available only with an encryption solution the PCI Security Standards Council has validated, which qualifies the merchant for a shorter self-assessment questionnaire. Even so, this approach greatly reduces the risk, burden, work, and cost of maintaining data security.
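The flow described in the two paragraphs above, as an added example (this is not code from the page, nor from any vendor product it mentions): a card reader encrypts the PAN at capture, the POS stores only the opaque blob and the truncated PAN, and a cardholder-data discovery scan (runs of 13 to 19 digits that pass the Luhn check, the same test a PCI scanning tool applies to POS logs and databases) confirms that nothing PAN-like remains in the POS record while the processor can still decrypt and authorize. A single static AES-256-GCM key shared by reader and processor, the record format, and the test PAN are assumptions made for illustration; deployed solutions derive a unique key per transaction (DUKPT) inside the reader.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// luhn reports whether a digit string passes the Luhn mod-10 check that
// every payment card PAN satisfies. Order numbers and timestamps usually fail it.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

var panCandidate = regexp.MustCompile(`\b\d{13,19}\b`)

// FindPANs returns every 13-19 digit run in text that passes Luhn: the core of
// a cardholder-data discovery scan run over POS storage. Separators inside a
// PAN (spaces, dashes) are not handled here; a production scanner strips them.
func FindPANs(text string) []string {
	var found []string
	for _, c := range panCandidate.FindAllString(text, -1) {
		if luhn(c) {
			found = append(found, c)
		}
	}
	return found
}

// newAEAD builds AES-256-GCM from a 32-byte key. A static key shared by reader
// and processor is an assumption for this example; real readers use DUKPT.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Reader models the PIN pad: it encrypts PAN and expiry at capture, so the POS
// only ever handles an opaque blob (nonce || ciphertext, base64-encoded).
type Reader struct{ aead cipher.AEAD }

func (r Reader) Capture(pan, expiry string) (string, error) {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := r.aead.Seal(nonce, nonce, []byte(pan+"|"+expiry), nil)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// PosRecord is what the merchant's system stores for a sale: the encrypted blob
// plus the truncated PAN (last four digits), which PCI DSS permits in the clear.
func PosRecord(blob, pan string, amountCents int) string {
	return fmt.Sprintf("sale amount=%d card=****%s blob=%s", amountCents, pan[len(pan)-4:], blob)
}

// Processor holds the decryption key and is the only party that sees the PAN.
// A tampered blob or a wrong key fails GCM authentication and is refused.
type Processor struct{ aead cipher.AEAD }

func (p Processor) Authorize(blob string) (pan, expiry string, err error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", "", err
	}
	ns := p.aead.NonceSize()
	if len(ct) < ns {
		return "", "", errors.New("blob too short")
	}
	pt, err := p.aead.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed track data")
	}
	return parts[0], parts[1], nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	aead, _ := newAEAD(key)
	reader, proc := Reader{aead}, Processor{aead}

	// Constructed inputs: a Luhn-valid test PAN (not a real card) and the kind
	// of log line a clear-text POS would have written before E2EE.
	const pan = "4111111111111111"
	legacy := "sale amount=1999 card=" + pan + " exp=1218"
	fmt.Println("legacy POS log, PANs found:", FindPANs(legacy))

	blob, _ := reader.Capture(pan, "1218")
	rec := PosRecord(blob, pan, 1999)
	fmt.Println("E2EE POS record, PANs found:", FindPANs(rec))
	got, exp, err := proc.Authorize(blob)
	fmt.Println("processor decrypted:", got, exp, err)
}
```

Running the scan against both records is the useful part: it finds the PAN in the legacy log line and finds nothing in the E2EE record, which is exactly the evidence a QSA asks for when a merchant claims its POS is out of scope for stored cardholder data.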

If you’re interested in implementing an E2EE solution, we recommend POINT by Verifone.

If you want to know more about how to implement E2EE or if you have any questions about EMV compliance or PCI standards, please contact us.
