EMV Among the Missing Pieces of PCI DSS 3.0

NEWS ANALYSIS: The next major standard for payment security goes into effect on Jan. 1, 2015, but it's missing some critical items.

retail security

On Jan. 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 formally goes into effect, ushering in a new era of compliance specifications to secure payment card data. The PCI DSS 3.0 specification was approved in December 2013, giving retailers and those who handle payments a year to get ready.

The PCI DSS 3.0 specification includes many improvements and process clarifications from the PCI DSS 2.0. With PCI DSS 3.0, there is a clear focus on making security an ongoing process, as opposed to just a once-a-year activity with checkbox items for compliance.

Although there are many different requirements in PCI DSS 3.0, some items that are part of secure payment deployments are not part of the specification. One of the most often talked about security improvements for payments, especially in the United States, is the use of chip-and-PIN credit cards, also known as EMV (Eurocard Mastercard Visa).

Although EMV is considered by many to be a security improvement over magnetic-stripe-based credit cards, PCI DSS 3.0 does not mandate the use of EMV—and likely never will.

"PCI DSS 3.0 is mute on EMV, and the reason [is that] EMV is essentially an anti-fraud mechanism," said Greg Rosenberg, security engineer at Trustwave. "PCI DSS is a mechanism to prevent card data from being stolen," he told eWEEK.

Speaking metaphorically, Rosenberg compared PCI DSS and EMV to peanut butter and jelly. He added that there is some degree of collaboration across the standards bodies that govern PCI DSS and EMV, and both groups understand that using the two standards together is powerful for security.

"I think that EMV has been mislabeled in terms of its data security potential," Rosenberg said. "It's a great tool that largely focuses on increasing the cost of replicating a card if it is stolen."

The EMV specification does not deal with card data security after the card data has been captured by a point-of-sale (POS) device, Rosenberg said. In contrast, that's the area where PCI DSS is strong, helping to provide guidance and best practices for securing the card holder data.

"EMV, used properly in the right context will be a great anti-fraud mechanism," Rosenberg said.

Nicholas Percoco, vice president of strategic services at Rapid7, noted that PCI DSS has never had an emphasis on the actual types of payment cards that merchants should accept. Payment card technology discussions are held at the card brand and card issuer level, he added.

"As new technologies come in like EMV and Apple Pay, PCI DSS will continue to evolve to secure payment card data," Percoco said. "But as far as I know, PCI will not call out the use of EMV; that activity only comes out of direct mandates from the card brands."

EMV use in the United States is set to grow in the coming year, with a recent report forecasting that up to 70 percent of U.S. credit cards will have EMV chip-and-PIN technology by the end of 2015.

Penetration Testing

While the overall PCI DSS 3.0 specifications are effective Jan. 1, not all of the requirements in the new specifications go into effect on that date. Among the delayed PCI DSS 3.0 requirements is one for enhanced penetration testing.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.