Much attention is being paid to the EMV liability shift, which goes into effect in October 2015. Rightfully so: card-present merchants who do not upgrade their payment systems by October 1st, 2015 may find themselves frighteningly exposed to catastrophic financial losses in the event of a payment breach. That said, EMV implementation will still be a slow process, and banks have yet to issue enough EMV-enabled cards. Moreover, merchants are very slow to pay for the upgrades ($500 per merchant on average). A recent Javelin study shows that not only will about 75% of merchants be unprepared for EMV, but many are not even aware of it.
Based on the experience of Europe and other countries that adopted EMV, we know that card-not-present (CNP) fraud is sure to spike. This will occur on an increasing scale as more card issuers and merchants adopt EMV measures. To that end, PCI-DSS 3.0 and now 3.1 (effective June 30, 2015) have introduced stronger protocols in order to protect e-commerce transactions.
PCI-DSS version 3.1
- This new update requires e-commerce merchants who are using SSL to protect the transmission of payment card data to migrate those connections to TLS v1.2.
- SSL and any TLS version earlier than 1.2 will NOT meet the PCI compliance requirements.
- E-commerce merchants have until June 30, 2016 to have the upgrade in place.
SAQ Type A-EP, C, and D merchants MUST undergo penetration testing, as mandated under Requirement 11.3 in their SAQs, starting July 1st, 2015.
- Failure to do so can put these merchants out of compliance and potentially leave them vulnerable to cyber-attacks and data breaches.
- It is important to note that these penetration tests MUST be performed by an OSCP (Offensive Security Certified Professional), and according to the PCI SSC’s March 2015 Penetration Testing Guidance Information Supplement, “the penetration tester must be organizationally separate from the management of the target systems.”
Even if merchants have upgraded their payment systems to accept EMV transactions, they still must adhere to PCI DSS requirements, complete their annual SAQ and perform the required remediation. PCI DSS doesn’t go away just because the new methods are supposed to be more secure. Merchants still face significant growing pains, and rest assured, fraudsters will use them to their advantage. PCI-DSS will continue to evolve to meet changes in technology, regulations and threat vectors. EMV is only one part of the overall security puzzle.