
Blog Post: Welcoming EMV – But Not a PCI Panacea

By Simon Gamble

It’s been an exciting time at Mako as we continue our expansion into the U.S. market. There’s no doubt that the world’s leading economy for card transactions will be an important one for Mako’s future. But it’s also a market that’s particularly interesting to us, as it’s presently in the midst of a substantial change in the way credit cards are used.

It’s all got to do with the familiar magnetic stripe found on the back of your card. These stripes are encoded with information about your card, including the Primary Account Number (PAN) and other bits of data used to verify your account with the credit card company. When you ‘swipe’ to make a purchase, the terminal reads the information off the card, and verifies with the payment processor that your card is genuine and approved to make a purchase.

While it’s certainly a convenient technology that’s served us well, the fact is that magnetic stripe technology is now nearly 60 years old. Card fraudsters have developed myriad methods to steal data from magnetic stripes, usually through skimming either at the point-of-sale, or other places where cards are used.

You don’t watch black and white television anymore, use a rotary-dial telephone, or pop the latest cassette into your stereo. So why are we still depending on an outdated technology for credit card transactions?

Well, most other regions of the world aren’t. There’s a newer type of card authentication technology available, known as EMV (after Europay, MasterCard and Visa, the creators of the technology). Commonly called ‘chip-and-PIN’, these types of cards look the same as your old one, but have a small microchip embedded in the middle.

Examples of EMV credit cards with embedded microchips.

That microchip contains mostly the same information as the magnetic stripe, but it’s encrypted and protected by multiple layers of technology that make it very difficult to duplicate. Even if someone successfully stole and decrypted your card’s info, it would be almost impossible for fraudsters to encode it to another chip.

Because of the superior security EMV offers over magnetic stripes, card companies around the world have been slowly phasing out magnetic stripes and issuing new EMV cards instead.

The catch is that merchants need to use a different kind of reader to accept these cards. Instead of ‘swiping’, customers ‘dip’ EMV cards into a slot on the terminal, which decodes the chip information after the user enters a PIN. This means most merchants need to update their payment terminals in order to accept EMV cards.

Another catch: EMV cards are much more expensive to produce than the old ones, and when multiplied by the millions of current magnetic stripe users out there, it quickly adds up to be a significant sum of money for card issuers to swallow.

For these reasons, the U.S. is one of the last holdouts still primarily reliant on magnetic stripe cards. But times are beginning to change.

Last year, both Visa and MasterCard started issuing EMV cards to some of their customers (often ones that frequently travelled overseas, where EMV is commonly used). Recently, American Express followed suit.

Coupled with that change, the card companies offered an incentive to merchants: if at least 75 percent of their card transactions were EMV, the card companies would reduce the PCI DSS audit requirements they had to meet (though not the requirements themselves). The thinking was that if merchants were accepting a more secure method of payment, there would be less risk of card data breaches and the merchant would not need to be audited as often. Note that this only applies to the Level 1 and 2 merchants who require on-site audits, and not the smaller, self-assessed merchants that constitute the majority of businesses out there.

As we’ve seen numerous times, just because a transaction is secure does not mean that a merchant’s payment environment is secure. Payment terminals can be swapped for fraudulent ones, and card data is often stored in areas of the network where it’s least expected, without the knowledge of the business owner or network administrator, but still available to hackers if they penetrate the network defenses.
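
Finding card data that has ended up where it’s least expected is something a merchant can check for directly. The sketch below is an added example, not part of the original post or any Mako product: it scans text such as log files for magnetic stripe track 2 records and bare PANs, using the Luhn check to cut false positives. The function names and sample lines are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})\d*\?")
# Bare PAN candidates: 13-19 digits, optionally grouped with spaces or dashes.
PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check digit test; filters out most order numbers and other IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the report is not card data itself."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Return (line_number, kind, masked_pan) for each hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        spans = []
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "track2", mask(m.group(1))))
                spans.append(m.span())
        for m in PAN.finditer(line):
            if any(s <= m.start() < e for s, e in spans):
                continue  # already reported as part of a track 2 record
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((lineno, "pan", mask(digits)))
    return findings

# Constructed sample data; 4111111111111111 is a widely used test card number.
SAMPLE = """\
pos01 debug swipe raw=;4111111111111111=25121010000000000? result=approved
order 1001 card 4111 1111 1111 1111 note=phone order
invoice 1234567890123456 shipped
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

A track 2 hit is the more serious finding, since it means full stripe data was written to disk rather than just an account number.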

So, while it’s an exciting time for the U.S. market to see this change in the way we pay at the register, EMV does not absolve merchants from the PCI DSS. There’s still work to be done to keep the network environment secure and protected, and Mako Networks is here to help.

Are you a merchant accepting EMV cards? Contact us to learn how Mako can secure your business to PCI DSS compliance specifications.