EMV is perhaps the hottest topic in general commerce right now, but the impending payment technology will impact the higher-ed space as well. This is, in part, because come October 1, 2015, merchants – and universities – that have not taken the proper steps to accept EMV will be liable for fraudulent charges associated with counterfeit cards.
Moreover, with the volumes of affected consumers growing with each new data breach, the importance of Payment Card Industry (PCI) compliance also grows. To shed some light on the subject, Heartland Payment Systems’ vice president of product development, Michael English, discussed PCI compliance, scope reduction and the protection of user data in a recent column entitled “PCI compliance is just one piece of the puzzle.”
In the column, English stresses that any time a merchant accepts any form of payment card they must be PCI compliant. However, it’s important to note that PCI compliance is only a component, not the complete solution. With this in mind, English highlights the basics of PCI compliance.
To protect card information during and after a financial transaction, the PCI Security Standards Council established the Payment Card Industry Data Security Standard (PCI DSS), a set of security procedures for any business that accepts credit cards. PCI compliance, English says, refers to following the guidelines for user authentication, firewalls, antivirus, encryption, truncating account numbers, programming maintenance and vulnerability testing.
Another acronym to be aware of is PA-DSS, or the Payment Application Data Security Standard. “This is a set of requirements that are meant to help software vendors develop secure payment applications that support PCI DSS compliance,” English says.
To round out the defense against cyberattack, English explains the importance of a few familiar technologies: EMV, encryption, and tokenization.
“These technologies will reduce PCI scope, diminish the chance of card data being stolen as a result of a breach, and limit the risk of counterfeit card acceptance,” explains English. When implemented together, these three technologies provide merchants with the highest level of security available to protect against card-present data fraud.
English explains how each technology plays a role:
“EMV. Otherwise known as Europay, MasterCard, and Visa, EMV helps prevent the acceptance of counterfeit cards by removing the ability to monetize card data through verification and technology that inhibits the chance of copying the card. EMV cards are embedded with a microchip programmed with secure, tamper-resistant and unique digital information. In order for a transaction to be completed, the card sends the unique digital information to verify the card to the issuer and the issuer to the card.
Encryption. When done in a PCI PTS (PIN Transaction Security) validated device, encryption of customer card information happens at inception. This means that encrypted card data remains encrypted while traveling in your POS system and throughout your network. Encrypted card data eliminates the opportunity for that card information to be stolen and monetized.
Tokenization. Tokenization is the process of eliminating the need to use the customer’s card information for transaction adjustments by replacing that card information with a ‘token’ that cannot be traced to the original card number. If compromised, the token is worthless to a hacker. Like encryption, this method completely removes card data from the business’s environment.”
These three technologies eliminate the opportunity for criminals to monetize card data and have proven to provide businesses with proper security against POS intrusions, insider misuse and other common sources of data fraud, says English. Moreover, these technologies reduce a business’s PCI DSS scope and, even more importantly, remove clear-text card data, which mitigates the risk of card monetization through a data breach.
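The tokenization flow described above, as an added example that is not from English's column or from Heartland's systems: the merchant's stored record holds only a random token and a truncated account number, while the token-to-card mapping lives in a separate vault that handles adjustments such as refunds. The `TokenVault` class, the `tok_` prefix and the sample card number are assumptions made for illustration; the number is a constructed test value.

```python
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real account

def luhn_ok(pan: str) -> bool:
    """Check-digit test so malformed input never reaches the vault."""
    if not (pan.isascii() and pan.isdigit()) or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def truncate(pan: str) -> str:
    """Keep the first six and last four digits, mask everything between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Hypothetical processor-side vault: the only place a token maps to a card."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
        self._pan_by_token[token] = pan
        return token

    def refund(self, token: str, amount_cents: int) -> dict:
        """Transaction adjustment: the caller presents the token, never the card."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"status": "refunded", "card": truncate(pan), "amount_cents": amount_cents}

def merchant_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores after a sale: token and truncated number only."""
    return {"token": vault.tokenize(pan), "card": truncate(pan), "amount_cents": amount_cents}

if __name__ == "__main__":
    vault = TokenVault()
    sale = merchant_sale(vault, SAMPLE_PAN, 2500)
    print(sale)                               # no full card number in the record
    print(vault.refund(sale["token"], 2500))  # adjustment works from the token alone
```

Because the token comes from a random generator rather than from the card number, a copy of the merchant's records gives nothing that can be reversed into the account number without access to the vault.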
Michael English serves as vice president of product development for Heartland Payment Systems, one of the largest payment processors in the U.S.