What’s the difference between EMV compliance and PCI compliance? The short answer is they’re both guidelines for protecting cardholder data for the purpose preventing fraud, but they focus on different elements of the credit card transaction.
“To clarify it even further and more simply, PCI is about making sure the card data doesn’t get stolen and is secure in the first place and EMV is making sure if the data IS stolen that the content is rendered useless.” – CPI PCI and EMV: What’s the difference?
My goal for this article is to give a brief overview of each of these standards for protecting cardholders so you have an idea how they impact how you accept credit card payments at your self-service kiosk or POS.
- The goal of EMV is to ensure the security and global interoperability of chip-based payment cards.
- Includes robust cardholder verification (i.e. Chip and PIN). The particular verification method that is used depends on the card issuer as well as the POS where you make a purchase.
- Prevents cards from being cloned through the use of microprocessor on the card which produces unique encrypted output each time the card is used to defeat card skimming.
- Requires EMV certification between EMV capable hardware and the processor.
- President Obama signed an executive order that requires all government-issued credit cards and readers to come equipped with EMV technology starting 2015.
- Has a US liability shift coming in October 2015
- The EMV specifications are managed by the privately owned corporation EMVCo LLC and was first published in 1995 through a joint effort by Europay, MasterCard, and Visa (hence EMV).
- The goal of PCI is to protect cardholder data that is processed, stored or transmitted by merchants.
- Follows common sense steps that mirror best security practices including building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks and maintaining an information security policy.
- Requires regular vulnerability scanning by an ASV of Internet-facing environments of merchants and service providers.
- Allows organizations to “self-assess” in many cases. Different Self-Assessment Questionnaires (SAQs) are specified for various business situations.
- The PCI specifications are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.