Clarity on PCI and Chip & PIN
PCI Council: 'EMV is Complementary Technology'
I was a little critical of the council for its lack of direction or vision regarding compliance with the EMV chip and PIN standard. In case you missed the blog, here's the gist of what I wrote: Assuming that the EMV standard and the PCI Data Security Standard are both global payments security initiatives, with EMV eventually impacting the United States and PCI DSS impacting Europe and other parts of the world, I questioned how the PCI Council could adequately pass down guidance on PCI DSS compliance if it did not have a vision or recommendation about how EMV might be used or deployed in conjunction with PCI-DSS. Less than an hour after the blog posted, amidst the swirl of the closing day of the PCI Community Meeting in Orlando, Fla., the council took the initiative to clarify its views on EMV and PCI-DSS. And I'm glad it did.
So, to set the record straight, I want to clarify the council's position on EMV. And honestly, I do think what the council had to say makes some sense.
The PCI Council does not want to be in the business of managing EMV, but it does feel the standard needs to be recognized and its relationship to PCI-DSS noted.
Troy Leach, the PCI Council's chief standards architect, and Jeremy King, who heads up PCI efforts for the council in Europe, say the guidance the PCI Council has passed down regarding EMV is not a perspective but, rather, a reflection of the vision set forth for EMV by EMVCo., the organization that created the EMV standard. "This paper just explains what EMV does," Leach says. "In markets like France, where EMV has already been deployed, they were wondering if they had done enough. And that's where PCI comes in." In a nutshell, PCI standards fill the gaps.
"We had a lot of people asking if PCI would replace EMV or if EMV would replace PCI, and that's why we felt the need to explain that EMV is just a complementary technology," Leach says. "The (PCI) council is worried about the state of security; EMV's sole focus is not security."
That hit a chord, and it makes some sense. EMV is a technology that undoubtedly improves security - just look to EMV-compliant countries, where card fraud has definitely decreased. But EMV is about more than just security - it's about a revolution in card-payment transactions. PCI-DSS, on the other hand, is about payment card data security.
The council assures me that it is working closely with EMVCo. to address concerns from PCI members regarding compliance with PCI-DSS in an EMV environment. But the PCI Council will defer questions about EMV compliance and evaluation to EMVCo. As Leach says: "Our paper on EMV is there just to say, 'This is what EMV is and this is how PCI complements it.'"