More merchants are accepting EMV chip cards this holiday season.
This is partly due to the liability shift deadline that passed back in Oct. 2015, and also because they are more secure than the old cards.
But accepting chip cards at a register does not ensure PCI DSS compliance, or even that a company’s card data will be secure. It mostly helps prevent fraudulent in-person, card-present transactions.
So don’t be fooled. EMV cards will not save a business from PCI fines.
Below are three more big reasons you should not count on EMV cards alone to protect your clients.
EMV Cards vs. Magnetic Strip Cards
First, a little background information.
Prior to EMV, in-person card transactions required a customer to swipe the magnetic strip of a credit or debit card in a payment terminal.
This payment method is less secure because the data on the card’s magnetic strip is static. It uses the same transaction code for all purchases.
If someone skims the data from a magnetic-strip card, they will have no problem putting it onto another card (“cloning it”) and using it for fraudulent purchases.
The new EMV chips are different. They create a unique transaction code for each purchase, so they are far more difficult to clone. They are much more secure than the older magnetics stripes.
In the event that an EMV transaction code is stolen, the hackers would not be able to use it, nor would they be able to trace the transaction code back to the original card number.
And without further delay, here are three dangerous misconceptions about EMV card security.
#1. Transactions are not always encrypted
Most EMV card readers do not automatically encrypt transaction data.
EMV is designed to prevent fraudulent transactions – it does nothing to protect card holder data once it is in the hands of a company.
Hackers can easily get this data from unencrypted transaction information stored on a company device.
The obvious solution for small business would be to shell out the extra dough to add the encryption features that some card readers offer.
Some alternatives/additions to encryption include token programs, which give retailers a token code that holds no financial information as an identifier for a transaction instead of the actual transaction code given during a purchase.
The original transaction data is typically stored in a PCI compliant, high-security “vault” or server owned by a token service provider.
This ensures that businesses do not have any sensitive customer information stored on their network in the event of a breach.
There are also multi-pay token programs available for companies who need access to customer financial information in order to do returns and exchanges, but who don’t want the added risk associated with the extra access.
Some companies also choose to create a customer profile that stores transaction data rather than storing the transaction code onto their machines.
The ultimate goal with any of these programs is to further protect customer data. Weigh the needs of your client’s business against each of these services to determine which one would be best for you.
#2. Using EMV will not prevent a data breach
EMV technology does not ensure that a business will be safe from hackers. This type of security is mainly supplemental and mostly applies to card-present transaction that occur in person.
Customer and business information can still be leaked if a company does not maintain an effective security policy and consistently follow its network security protocols and procedures.
Ignoring the typical threats that target retailers can have disastrous results.
Implementing a security solution system such as a firewall alongside proper security protocols and regular employee training are crucial to proactively protecting a business against hacker attacks.
Relying on a single technology to meet all of a business’s needs can be risky and costly, so avoid the hassle with proactive planning.
#3. EMV chips do not protect online transactions
Unfortunately, EMV technology only protects card-present transactions. It does nothing to improve the security of online card-not-present transactions.
EMV was only intended to make face-to-face transactions safer, and while it’s been pretty successful at doing so throughout the world, it doesn’t quell concerns about online transactions and their security.
Some ways businesses can reduce the risk of card-not-present fraud is to enable an AVS, or an Address Verification System, on an ecommerce site.
An AVS asks the buyer for their billing address during checkout in order to verify that the purchasing party is the real cardholder.
AVSs will check the provided address against the address that the card issuer has on file.
Mismatched addresses typically indicate fraud, so many ecommerce sites will stop the transaction if the provided billing address does not match the one on the credit issuer’s file.
Asking for card security codes during checkout is also one way to ensure that the person ordering has the physical card in hand.
Most major card issuers place a 3-4 digit number somewhere on the card they issue for this purpose.
Another extra step businesses can take to reduce card-not-present fraud is to call the number provided during checkout before shipping the ordered merchandise out.
This can help a business verify that the person on the other end of the call actually placed the order.
Small business should also consider using a secure ecommerce platform instead of handling online transactions on their own, especially if they do not have an in-house security team available to tackle everyday security issues.
By using an ecommerce platform hosted by a third party, especially one that does not require your client to handle cardholder data, your clients can insulate themselves from attacks on that system.
Referring to the PCI DSS guidelines when in doubt can save a business the stress of being breached and fined for negligence.
While EMV chip cards and card readers are a great solution for minimizing debit and credit card fraud, they are not a silver bullet for issues such as identity theft and PCI DSS compliance.
Knowing and preparing for the gaps that EMV can’t fill in advance is the best way to prevent your business from being breached or fined.