Due to the timing of the upcoming liability shift to EMV on October 1, 2015, and the new PCI requirements that went into effect on July 1, 2015, you may be wondering what the difference is between the two.
Both EMV and PCI Compliance are guidelines for protecting cardholder data for the purpose of reducing fraud, but focus on different elements of the credit card transaction.
The purpose of the PCI Data Security Standards is to make sure that the card data is not stolen and is secure to begin with. EMV assures that if credit card data is stolen that the content is rendered useless.
•EMV’s goal is to ensure security and global interoperability of chip-based payment cards.
•Includes strong cardholder verification (i.e. chip and pin, chip and signature).
•Prevents cards from being duplicated through the use of a chip in the card which produces a unique encrypted output each time the card is used to prevent card skimming.
•Requires EMV certification between EMV-capable hardware and the processor.
•The EMV specifications are managed by EMVCo LLC (Europay, MasterCard, and Visa).
•PCI’s goal is to protect cardholder data that is processed, stored, or transmitted by merchants.
•Follows common sense steps that mirror best practices including building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
•Requires regular vulnerability scanning by an Approved Scanning Vendor (ASV).
•Allows organizations to self-assess. Different Self-Assessment Questionnaires (SAQs) are specified for different business situations.
•The PCI specifications are administered by the PCI Security Standards Council, which was founded by American Express, Discover, JCB International, MasterCard Worldwide and Visa Inc.