The Fraud Blog with Tracy Kitten

Clarity on PCI and Chip & PIN

PCI Council: 'EMV is Complementary Technology'

Let me offer some additional perspective on the blog I posted yesterday - you know, the one about the PCI Security Standards Council and its guidance on security standards for the future.

I was a little critical of the council for its lack of direction or vision regarding compliance with the EMV chip and PIN standard. In case you missed the blog, here's the gist of what I wrote: Assuming that the EMV standard and the PCI Data Security Standard are both global payments security initiatives, with EMV eventually impacting the United States and PCI DSS impacting Europe and other parts of the world, I questioned how the PCI Council could adequately pass down guidance on PCI DSS compliance if it did not have a vision or recommendation about how EMV might be used or deployed in conjunction with PCI-DSS. Less than an hour after the blog posted, amidst the swirl of the closing day of the PCI Community Meeting in Orlando, Fla., the council took the initiative to clarify its views on EMV and PCI-DSS. And I'm glad it did.

So, to set the record straight, I want to clarify the council's position on EMV. And honestly, I do think what the council had to say makes some sense.

The PCI Council does not want to be in the business of managing EMV, but it does feel the standard needs to be recognized and its relationship to PCI-DSS noted.

Troy Leach, the PCI Council's chief standards architect, and Jeremy King, who heads up PCI efforts for the council in Europe, say the guidance the PCI Council has passed down regarding EMV is not a perspective but, rather, a reflection of the vision set forth for EMV by EMVCo., the organization that created the EMV standard. "This paper just explains what EMV does," Leach says. "In markets like France, where EMV has already been deployed, they were wondering if they had done enough. And that's where PCI comes in." In a nutshell, PCI standards fill the gaps.

"We had a lot of people asking if PCI would replace EMV or if EMV would replace PCI, and that's why we felt the need to explain that EMV is just a complementary technology," Leach says. "The (PCI) council is worried about the state of security; EMV's sole focus is not security."

That hit a chord, and it makes some sense. EMV is a technology that undoubtedly improves security - just look to EMV-compliant countries, where card fraud has definitely decreased. But EMV is about more than just security - it's about a revolution in card-payment transactions. PCI-DSS, on the other hand, is about payment card data security.

The council assures me that it is working closely with EMVCo. to address concerns from PCI members regarding compliance with PCI-DSS in an EMV environment. But the PCI Council will defer questions about EMV compliance and evaluation to EMVCo. As Leach says: "Our paper on EMV is there just to say, 'This is what EMV is and this is how PCI complements it.'"

Fair enough.



About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



