History and Status of the PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was created in response to the rapid growth of credit card transactions in the 1990s causing thousands of small companies to start storing credit card data and processing consumer transactions on unprotected networks.  Since many of these small businesses didn’t know how to properly secure these credit card transactions, it also led to a rapid increase in data theft and a growing concern from banks and credit card companies about ways to protect their brand and consumer accounts. In an effort to resolve the growing concern around payment card fraud and cybercrime in general, industry leaders such as Visa, MasterCard, and American Express got together and created a global security standard to protect online card payments.

The PCI DSS standard was established to set basic guidelines and requirements for how businesses must create a safer cardholder data environment, using minimum security requirements to drive more secure business systems. As the standard evolved and its procedures were refined, PCI DSS became an internationally accepted standard for all merchants and service providers.

PCI DSS History

PCI DSS was introduced in December 2004, after Visa and other brands had introduced their own standards.  These brand-specific standards weren’t well received by merchants and service providers, since these were small companies that didn’t need the confusion of multiple standards.

PCI DSS 4.0 – Coming Soon

In the upcoming request for comments (RFC) for the first draft of the PCI Data Security Standard Version 4.0 (PCI DSS v4.0), there are some new and exciting changes. PCI DSS v4.0 has been in the works for a while, so a discussion of what is coming is important to anyone who has to meet the standards required to maintain their compliance with the payment card industry.

The October RFC documents will include the first draft of the new PCI DSS v4.0 standard as well as a sample of the new reporting template. This will help everyone understand the new validation method to help support business implementations. There is also a Summary of Changes document that will outline the changes in the draft as well as guidance for everyone on how to review the documents and provide feedback with any issues or questions.

This draft of PCI DSS v4.0 was crafted with feedback received during prior drafts and attempts to reflect changes in security technologies, customer environments, and payment industry changes. These updates to the standard are intended to strengthen security while also adding some flexibility to how the standards are implemented.

The 12 core PCI DSS requirements remain essentially the same, while several new requirements are proposed that address evolving threats and significantly reduce the overall risk to payment data. The idea is to give organizations more flexibility, so that companies can use different methodologies and solutions to meet the intent of the PCI DSS requirements.

EMV Credit Card Chips Don’t Stop Fraud

New chip-enabled credit cards, known as EMV cards, which started rolling out to U.S. consumers in 2015, were intended to stop credit card fraud. Credit card companies like Europay, Mastercard, and Visa promoted EMV (the initials of the three companies behind the standard) as a merchant-funded way to force transactions over to a process known as “chip-and-PIN”, where the computer chip inside the card would virtually eliminate illegal credit card cloning by organized crime.

A report from Gemini Advisory, a research firm, shows that there were more than 60 million cases of credit card theft in the last 12 months. It also shows that 93% of the stolen cards used the new EMV chip technology that the card companies said would eliminate this type of crime.

The report states: “45.8 million…records [were] likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason’s Deli, Cheddar’s Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled,” which is stunning information.

PCI Compliance Requirements – Merchant and Validation Levels

If you deal with credit cards, you have to deal with PCI Compliance. What exactly is required depends on the types and volume of those transactions.

The first step is to determine your “Merchant Level”, which is based on the type of transactions and the number of those transactions. Using the table below, you should be able to quickly determine if you are Level 1 (the highest level and the most expensive to maintain compliance for) or if you are Level 2, Level 3, or Level 4. Most small businesses fall into Level 4, but you might have enough volume to move into the other levels. It is your responsibility to verify with your bank as you move into higher levels to maintain your annual compliance.

Different Merchant Levels

Different expectations apply to merchants based on their volume of transactions. Visa ranks merchants according to the following system, applying general PCI Compliance guidelines.

Level 1
  Merchant selection criteria: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
  Validation requirements:
  • Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”), or by an Internal Auditor if signed by an officer of the company
    • The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (“ISA”) certification
  • Quarterly network scan by an Approved Scanning Vendor (“ASV”)
  • Attestation of Compliance form

Level 2
  Merchant selection criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels).
  Validation requirements:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 3
  Merchant selection criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
  Validation requirements:
  • Annual SAQ
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 4
  Merchant selection criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
  Validation requirements:
  • Annual SAQ recommended
  • Quarterly network scan by an ASV if applicable
  • Compliance validation requirements set by the merchant bank

The validation level can help drive the type of compliance requirements based on your merchant level. Work with your bank to verify your validation level.

Validation Levels

SAQ A – Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

SAQ A-EP – E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

SAQ B – Merchants using only:
  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.

SAQ B-IP – Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT – Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C – Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE-HW – Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ D for Merchants – All merchants not included in the descriptions for the above SAQ types.

SAQ D for Service Providers – All service providers defined by a payment brand as eligible to complete an SAQ.

If you are new to PCI compliance, you can read more here.

Anniversary Of The EMV Deadline

Today we celebrate the one-year anniversary of the EMV liability shift on point-of-sale systems imposed by the credit card companies. Credit card companies have declared limited success by showing that credit card fraud from Point-Of-Sale (POS) transactions is down from last year, but card-not-present fraud is up from last year.

I have written about how the rollout of new cards to support EMV mandates has been less than effective, and now other people are noting the same issues. This article by Sara Peters talks about the state of the current EMV mandates.

According to a report by The Strawhecker Group (TSG) released last week, only 44% of card-accepting merchants have EMV terminals. What’s worse, only 29% of card-accepting merchants can actually accept EMV chip-based transactions.

“You’re seeing a lot of pieces of paper over the chip readers,” says Jared Drieling, business intelligence manager of TSG. Paper, or maybe tape or stickers, he says.  

PCI 101: Becoming PCI Compliant

The Payment Card Industry (PCI) has established compliance requirements to help merchants protect customer credit card data. As you might imagine, criminals want to harvest credit card data so they can steal the information and use the data to create fraudulent transactions. The banks have developed some sophisticated algorithms to help detect and prevent this type of fraud, but the bulk of prevention happens at the merchant level, with controls to prevent theft of the cardholder data (CHD).

Overview

I’ll discuss the highest-level requirements, known as Level 1, because they are the most complex and difficult to implement. If the banks and credit card companies got their way, they would want everyone to be at Level 1 so that security compliance would be at the highest level possible. You are assigned a level by your bank based on the number of credit card transactions performed in a 12-month period. If you have several million transactions, your CHD is at a higher risk than a smaller business with just a few transactions per week. The basic breakdown is based on VISA transaction counts:

  • Level 1 – Merchant processes over 6 million VISA transactions per year (or is designated Level 1 because of a previous breach or identified security issues)
  • Level 2 – Merchant processes between 1 and 6 million VISA transactions annually.
  • Level 3 – Merchant processes between 20,000 and 1 million VISA transactions per year.
  • Level 4 – Merchant processes fewer than 20,000 VISA payments per year.

The PCI DSS contains 12 pillars for data security. You are expected to address all 12 areas, and to have an external auditor validate, at least once per year, that you are performing all the prescribed actions and that you have all required controls in place. Once the auditor verifies this compliance with an annual audit, they will issue a Report on Compliance (ROC) that lists all the reasons why your business is compliant, and you must provide this document to your bank. Failure to remain compliant, and to prove it with a ROC, will mean your bank could refuse to let you accept credit cards, and they could fine you thousands of dollars for misleading them as to your level of compliance.

Requirements

The summary of the 12 PCI DSS Requirements:

  1. Install and Maintain Firewalls – You must have a perimeter firewall between the internet and the systems that collect, process, and store CHD. You will need to properly configure your firewalls to prevent unauthorized access to the CHD systems, and have controls in place to manage who can make changes to that approved configuration.
  2. Eliminate Vendor-Supplied Default Passwords – Nearly every piece of IT equipment comes with a standard password that you are expected to change once you have installed the equipment on your network. The issue is that many people never change those default passwords, and almost anyone in IT knows what the default passwords are on each piece of equipment. Always change the default passwords and make sure only a select few people know what they are at any time.
  3. Protect the CHD – Make sure you know where your credit card data is collected, processed, and stored so that you can identify the systems that require protection.
  4. Encrypt Transmission of CHD – Never send credit card data across the internet without the proper level of industry-approved encryption.
  5. Protect against Malware and Viruses – Make sure your systems are protected against malware and viruses. Anti-virus software may not always work as well as you would like, but this basic protection is better than nothing at all.
  6. Maintain Secure Systems – You should configure your in-scope systems to be as secure as possible, and have documentation to show how you did that when the system was installed and after any maintenance.
  7. Restrict Access – Only approved people should have access to in-scope systems. Make sure the systems are secure and that you have limited who has physical and remote access to those systems as much as possible.
  8. Authenticate Access – Every user that accesses those systems should have their own unique login. You don’t share accounts, and the system knows your unique identity, so that if something is compromised the activity can be linked to a specific person.
  9. Restrict Physical Access – Put your corporate servers behind a locked door. Limit access to corporate switches so that only approved personnel have physical access. These basic controls improve security and limit unauthorized changes to configuration and system settings.
  10. Track Network Access – You need to know who has access to the systems and make sure terminated employees lose access immediately. You also want to log system activity to identify abnormal activity and unauthorized system changes.
  11. Regularly Test Security – Make sure you have an Incident Recovery Plan and that you test your procedures for a system failure or security breach at least once per year.
  12. Maintain a Security Policy – Write a security policy and publish it to the entire company. Make sure everyone knows their part in protecting customer data, including credit card transaction data. Make sure they acknowledge each year that they have been briefed on its contents, with sign-off sheets and evidence of training.

Actions

What actions must you take to complete the compliance process?

  1. Talk to your bank – Make sure they understand your concerns and answer your questions about your level based on your transactions, as well as the timeline and expectations for when they expect you to complete the compliance process and submit your ROC. The bank drives this process, so you must work directly with them to make sure you are meeting their expectations.
  2. Understand Penalties – Make sure you understand the cost of non-compliance. It should be much cheaper to demonstrate compliance than to pay the penalties and fines your bank will impose if you do nothing. Use this information to understand your budget as well as to sell the project to your management team. Remember: businesses may also be subject to lawsuits and governmental prosecution for failing to protect customer data through non-compliance, so you may need to seek legal advice if you choose not to take the compliance route.
  3. Read the PCI DSS – The PCI Council creates the compliance requirements and provides you with the written requirements in the form of a document called the Payment Card Industry Data Security Standard (PCI DSS). The documentation is free, and you should download everything you can find and start reading.
  4. Engage a QSA – You will need a Qualified Security Assessor (QSA) to review your infrastructure and verify you are meeting the PCI DSS requirements. This is going to cost some money, but it is required. A Level 1 merchant is required to have an external QSA sign off that they have verified you are meeting all the requirements and issue a Report on Compliance (ROC) each year. Your QSA should also help you create the required evidence, make sure you are performing all the tests correctly, and help you document all the new policies and procedures they will need for the audit.
  5. Start Network Scans – You will also need to engage an Approved Scanning Vendor (ASV) to start performing external network scans and penetration tests. These services are important to provide evidence that your network is secure from external attacks, properly configured, and patched with the latest vendor security updates. You will also need to either do internal scans yourself, or hire someone with the relevant skills, to scan your internal network. These internal scans look for security vulnerabilities and incorrectly configured systems that have access to CHD.
  6. Passwords – Start reviewing all systems looking for default passwords. Change vendor-provided passwords immediately, and implement a password program for all your employees. Passwords should be changed regularly in compliance with vendor instructions, generally meaning every 90 days.
  7. Protect In-Scope Systems – Your systems should be protected with anti-virus and malware detection software. You will also need to develop policies and procedures that prohibit users from adding unapproved software (games, internet applications, etc.) that could compromise the in-scope systems. No user should access those systems with shared accounts. Each user needs their own account, and that account should carry the least privileges required for the person to perform their job. You will also need to monitor all in-scope systems for file changes and collect event logs to track all activity on those same systems.
  8. Information Security Policy – You will need to create, among other policies, a formal Information Security Policy. This document will be the key evidence of what steps you and your employees are taking to make your systems compliant and how you are keeping them compliant all year long.
  9. Incident Recovery Plan – If you don’t already have one, you will have to create one for the QSA. You will also need to conduct a test of the plan at least once per year. The QSA will help you create a plan that matches your environment while also including the sections required for the compliance effort. They can also help you understand how to schedule, conduct, measure, and document a test, and help make sure you are ready for future issues while demonstrating compliance today.
  10. Conduct an Audit – Once you have everything in place, the QSA will conduct an audit to verify you are performing the correct actions and have ample evidence to prove you are compliant. They will then issue you a ROC as well as the other required documents.
  11. Submit the ROC – Your bank will have given you a deadline to submit your ROC. If you provide the ROC before the deadline, the bank will inform the payment card companies that you are compliant, and they will continue to allow you to accept credit cards without any penalties or fines.
  12. Lather, Rinse, Repeat – Keep doing what your QSA told you to do, on the schedule they gave you for each action. They will continue to complete the same steps on a fairly regular quarterly schedule, with an annual assessment timed to issue a new annual ROC right before the bank-generated deadline. Work directly with your QSA and your bank to maintain compliance.

EMV Transition in the US is a Disaster

It started about a year ago in the United States: the transition of millions of credit cards from standard swipe cards with a magnetic stripe to a more sophisticated card with an embedded chip. The new credit cards were supposed to make everyday transactions safer and more secure, but the story that you may not have heard is that it just isn’t working as expected.

Retailers spent a lot of money to meet the mandated transition of the hardware and infrastructure to support the new technology sent out by the major banks, but customers find it confusing, time consuming, and difficult to figure out when and where it will work correctly.

This problem seems to be driven by inconsistent implementation at the retailers. Some retailers have installed the new software but are unable to support the new technology, resulting in post-it notes asking you to just swipe your old magnetic stripe, and card-reading slots being taped over to block the chip readers from even being used.

In this article by Ian Kar, we learn some of the facts about this less than successful rollout:

All of this started when the US decided to move to the chip standard—known in the industry as EMV. The US process was different from those of other countries, where governments instituted a mandate to upgrade everything by a certain date. 

The US implemented something called a “liability shift”—essentially, if retailers didn’t support chip card payments by buying a new, expensive machine, they’d be held accountable for any sort of fraud that occurred in their store. Usually, that’s the bank’s responsibility. So, as long as retailers purchased the new chip-card reading terminals, liability would shift back to the bank. In a July report on the chip card transition in the US, the Aite Group, a financial services research firm, cited a lack of mandate in the US as one reason the chip card transition has been so confusing.

The liability shift date in the US was Oct. 1, 2015. But, when the date rolled around, shoppers were hard pressed to find a chain retailer that actually supported chip cards, let alone a mom-and-pop shop. In a letter from industry trade group Food Marketing Institute asking credit card companies to postpone the liability shift, the group wrote that as of April 2015 retailers were experiencing four-month delays just waiting for their new terminals to arrive.

And just because shops finally got new terminals didn’t mean they’d immediately start accepting chip cards. Their payment processors needed to certify their systems were still compliant and working correctly before the chip readers could be turned on. Even in 2016, they can only do that by physical inspection. That process can drag out for weeks, and some bigger retailers were still verifying their terminals as of early 2016, according to sources that spoke to Quartz.

Visa Credit Card Development Platform

Most people would have said that this would never happen: Visa is opening up its payment processing system directly to qualified third-party developers. Visa Developer has 150 different APIs to access Visa systems, from simple Visa Checkout and Visa Direct to more complex things like Visa’s location, foreign exchange, and tokenization services. With services like Apple Pay gaining traction, this is seen as an effort to maintain Visa’s relevance.

The “network effect” is an economics term that basically means a thing becomes more valuable the more people use it. If Visa can stay on the development radar, it should be able to maintain its market dominance. You can read more about the recent announcement here.

Point Of Sale (POS) and Data Breach Prevention

Visa recently sent out a breach alert, and included these standard tips to merchants using Point Of Sale (POS) software:

  • Control the Windows Administrator account. Make it more difficult for malware to gain Administrative privileges.
    • Assign a strong password for all accounts on the POS system.
    • Create a unique local Administrator password for each and every POS system.
    • Do not allow users to be local Administrators on a POS system.
    • Change passwords frequently, across the enterprise (at least every 90 days).
  • Ensure the POS system functions as a single purpose machine. To reduce the risk of malicious software infections, disallow all applications and services (i.e. Internet browsers, email clients) that are not directly required as part of the POS’s core functionality in processing payments.
  • Keep operating system patch levels up to date. For Windows, this means ensuring Windows Update is functioning and automatically applying monthly security patches. For non-supported operating systems like Windows XP, there should be a plan to migrate to a current operating system.
  • Restrict permissions on Windows file sharing or disable file sharing altogether. Unless absolutely necessary, Visa recommends disabling file sharing on POS systems. Microsoft has published instructions on how to disable simple file sharing and set permissions on shared folders.
  • Restrict remote access services use. Unless necessary, disable remote access services, ports and accounts. If remote access services are needed, enable only when needed.
  • Promote security awareness. Design anti-phishing programs, defense in depth strategies, and promote shared responsibility in security awareness.
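
A read-only audit a merchant could run against the tips above, as an added example that is neither Visa’s code nor part of the original post. It assumes Windows PowerShell 5.1 on a supported Windows POS host, run from an elevated prompt; the allowed-administrator and disallowed-application lists are placeholders to replace with your own baseline.

```powershell
# Added example: read-only check of a Windows POS host against the Visa tips.
# Assumptions (replace with your own baseline): only the built-in Administrator
# holds local admin rights, and no browser or mail client should ever be running.
$AllowedAdmins  = @('Administrator')
$DisallowedApps = @('chrome', 'firefox', 'iexplore', 'msedge', 'outlook', 'thunderbird')
$MaxPasswordAge = 90   # days, per the "change passwords at least every 90 days" tip

function Test-PosBaseline {
    $findings = New-Object System.Collections.Generic.List[string]

    # Control the Administrator account: extra admins and stale passwords.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $name = $_.Name.Split('\')[-1]
        if ($AllowedAdmins -notcontains $name) {
            $findings.Add("Unexpected member of local Administrators: $($_.Name)")
        }
    }
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        if ($_.PasswordNeverExpires) {
            $findings.Add("Password never expires: $($_.Name)")
        }
        if (-not $_.PasswordLastSet -or
            $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAge)) {
            $findings.Add("Password older than $MaxPasswordAge days or never set: $($_.Name)")
        }
    }

    # Single-purpose machine: browsers and mail clients should not be running.
    Get-Process | Where-Object { $DisallowedApps -contains $_.ProcessName.ToLower() } |
        ForEach-Object { $findings.Add("Disallowed application running: $($_.ProcessName)") }

    # Patch levels: Windows Update must not be disabled, and the OS must still be supported.
    $wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if (-not $wu -or $wu.StartType -eq 'Disabled') {
        $findings.Add('Windows Update service (wuauserv) is missing or disabled')
    }
    if ([Environment]::OSVersion.Version.Major -lt 6) {   # 5.x = Windows XP / Server 2003
        $findings.Add('Operating system is no longer supported; plan a migration')
    }

    # File sharing: only the built-in administrative shares (C$, ADMIN$, IPC$) are expected.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $findings.Add("Non-administrative SMB share present: $($_.Name) -> $($_.Path)")
    }

    # Remote access: Remote Desktop and Remote Registry should be off unless documented as needed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -eq 0) {
        $findings.Add('Remote Desktop connections are enabled')
    }
    $rr = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
    if ($rr -and $rr.StartType -ne 'Disabled') {
        $findings.Add('Remote Registry service is not disabled')
    }

    return $findings
}

$results = @(Test-PosBaseline)
if ($results.Count -eq 0) {
    Write-Output 'No deviations from the POS baseline found.'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script changes nothing; each finding maps to one of the tips, so the output doubles as evidence for the corresponding PCI DSS control review.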

Are you and your organization doing the correct things to protect your company and your customers from a breach?

Six tips for becoming EMV compliant

If you deal with credit cards and work at keeping your business compliant, you have heard of the “liability shift” change that will soon affect businesses that accept credit cards, including retailers, restaurants, hotels, banks and more. In October 2015, there will be a shift of liability from banks to sellers (non-online).

Hardware, software, and payment processing vendors who operate in the POS marketplace are at various stages of EMV compliance, development, and marketing to sellers, while sellers are in the position of identifying the best long-term solution for their organization.

Rob Chilcoat of UCP Inc., a distributor of hardware devices specifically for the acceptance of credit and debit cards for OEM cash handling and retail, notes that there are more moving parts in the current U.S. payment processing system than in years past or in markets abroad: “Whereas in previous years, payment processors were the primary source of hardware equipment for retailers and sellers, there are a plethora of hardware solutions that are not simply one-size-fits-all. This adds to the mix ‘payment gateways’ that communicate between software, application, hardware & processors.” With this new component, sellers and retailers have increased flexibility to find a solution that best meets their needs, but it also creates an almost unlimited number of options, with the need to select the appropriate hardware, application software, payment gateway, and lockdown software for your organization.

1. Start early. While you can purchase devices that are EMV-ready/EMV-compliant, the decision making and implementation process can take months.

2. Plan for the future. Buy a device and system that can be modified and scaled as the needs of the EMV system change.

3. Communicate. Communicate the issues, reasons, and implementation process clearly to everyone from C-level execs to the staff working with the devices.

4. Identify a list of must-haves. What functions and forms are required?

5. Select suppliers. Find suppliers that will give you the support needed. Will you need assistance in design, installation, and implementation?

6. Budget funds. Set aside funds earmarked for this transition, enough to purchase the proper system and equipment.

You can read the entire article from Laura Miller to get more details.

Retail Shift to EMV Doesn’t Solve Credit Card Security

Protecting and securing payment systems and consumer data is a never-ending task for all parties in a payment network, and it’s also a moving target. Attendees at the Electronic Transactions Association’s TRANSACT conference in Las Vegas (which includes credit card companies, banks, payment processors, regulators and retailers) all have the same fear. Given the fluid nature of security and hacking, any solution is potentially only a temporary solution. They know that as soon as a new system or firewall is put in place, hackers have already figured out how to defeat or bypass it.

Most large retailers have had payment and data security teams in place for years, and have been working to migrate payment systems from the current magnetic stripe card readers to EMV systems (the chip-embedded cards and PIN-code technology widely used in Europe, often called “Chip and PIN”). Visa and MasterCard are giving merchants until October 2015 to have an EMV system in place. If merchants don’t comply, the responsibility to cover fraudulent purchases will shift from the card companies to the merchants themselves. After the high-profile retail data breaches at Target, Neiman Marcus and Michaels, a number of retailers are accelerating their EMV technology plans.

The migration won’t be cheap or easy. Some have estimated it will cost retailers between $20 billion and $50 billion to upgrade systems to be EMV-compliant, while it will only cost about $2 billion to replace all consumer-level credit and debit cards with the new chip-embedded technology. Just weeks ago, Wal-Mart (the world’s largest retailer) enabled software at about 1,000 of its U.S. stores to accept chip-and-PIN cards, though few of those cards are currently in use in the U.S.

Target has said upgrading its payment systems to accept chip-and-PIN cards is part of a $100 million effort to ready all of its 1,800 locations by the first quarter of 2015. The estimated cost for smaller mom-and-pop stores is around $3,000 per store. This will move the entire point-of-sale system to a safer, smarter, and more secure system.

But EMV systems are far from a panacea. When we look at the Target breach or some of the other retailers, those were breaches of the retailers’ systems. EMV wouldn’t have done anything to stop the Target breach. EMV provides more encryption so that credit card data is harder for hackers to replicate on counterfeit cards, but it wouldn’t have prevented the attackers from getting the data in an attack like the one at Target.
