July 16, 2019 | Richard Carpenter
Just when car wash operators were starting to get a handle on PCI compliance, along comes EMV. And with it comes a whole new host of questions. What is EMV? Does it replace PCI? Is it mandatory?
First things first, EMV is NOT a replacement for PCI. While both work towards the same goal, they are not connected. They serve different purposes and have different requirements.
Let’s see how they differ and how both help protect merchants and customers.
The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 by the five major credit card companies to create standards that ensure the secure handling of credit card information. There are 12 broad PCI requirements and 300+ sub-requirements, but here are the key points:
- Your payment software must be validated as PCI-compliant by a qualified security assessor (QSA). You can search the list of validated applications on the PCI website.
- A self-assessment questionnaire (SAQ) provided by your acquirer must be completed annually. The full SAQ is complex, but a shorter version can be used if PCI-validated Point-to-Point Encryption (P2PE) is in use. With P2PE, card data is encrypted inside the card reader at the moment it is read and is only decrypted (to clear text) at the processor, so it never passes through your POS or network in the clear. To qualify for the reduced SAQ, merchants must use a P2PE solution that has been validated against the PCI standard.
- A quarterly network scan must be completed. This service is typically offered by the acquirer (using a third-party scanning vendor) who remotely scans the car wash location's network to confirm there are no known security vulnerabilities. The scan identifies weak points both externally (what is exposed through the firewall to the internet) and internally (such as malware or misconfigured systems on the local network).
Compliance requirements are defined by the payment card brands and are applied by acquirers. As such, your merchant account acquirer is the best resource for compliance questions and guidance.
EMV stands for Europay, Mastercard, Visa, the three companies that created the global standard for chip-based debit and credit card transactions. While an EMV transaction uses the same card data as a magnetic stripe transaction, it also includes a cryptographic data element (the cryptogram) that is different for every transaction. The cryptogram is generated by the chip on the EMV card using a secret key that never leaves the chip, which is why a counterfeit card built from copied card data cannot produce a valid one.
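To make the cryptogram idea concrete, here is an added example (not code from this article or from the EMV specifications) that models a chip card, a terminal and an issuer in a few lines of Python. It is deliberately simplified: the real EMV cryptogram (the ARQC) is a MAC computed with keys derived from a card master key over a defined set of EMV data elements, whereas this sketch uses HMAC-SHA256 over a small set of fields. The card number, key and amounts are constructed sample values. What the example shows is the property the paragraph above describes: a genuine chip produces a cryptogram the issuer can verify, the same cryptogram is rejected if replayed, and a counterfeit card that only has the static card data (what a magnetic stripe skimmer captures) cannot produce a cryptogram the issuer will accept.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, replace

# Constructed demo values. In a real chip the card key lives inside the
# secure element and is never readable; the issuer holds its own copy.
SAMPLE_PAN = "4111111111111111"
SAMPLE_CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class Transaction:
    pan: str
    amount_cents: int
    atc: int               # application transaction counter, increments per use
    unpredictable: bytes   # terminal-supplied random challenge


def cryptogram(key: bytes, tx: Transaction) -> bytes:
    """Simplified stand-in for the EMV ARQC: a MAC over the transaction data."""
    msg = f"{tx.pan}|{tx.amount_cents}|{tx.atc}|{tx.unpredictable.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Chip:
    """The card side: holds the secret key and a monotonically increasing counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0

    def authorize(self, amount_cents: int, unpredictable: bytes):
        self.atc += 1
        tx = Transaction(self.pan, amount_cents, self.atc, unpredictable)
        return tx, cryptogram(self._key, tx)


class Issuer:
    """The issuer side: recomputes the cryptogram and rejects replays."""

    def __init__(self, keys_by_pan: dict):
        self.keys_by_pan = keys_by_pan
        self.last_atc = {}

    def verify(self, tx: Transaction, arqc: bytes) -> bool:
        key = self.keys_by_pan.get(tx.pan)
        if key is None:
            return False
        # Constant-time compare of the card's cryptogram against our own.
        if not hmac.compare_digest(cryptogram(key, tx), arqc):
            return False
        # A counter that does not advance means the message was replayed.
        if tx.atc <= self.last_atc.get(tx.pan, 0):
            return False
        self.last_atc[tx.pan] = tx.atc
        return True


def run_scenarios() -> dict:
    """Walk through the cases the article contrasts and report accept/reject."""
    issuer = Issuer({SAMPLE_PAN: SAMPLE_CARD_KEY})
    genuine = Chip(SAMPLE_PAN, SAMPLE_CARD_KEY)
    results = {}

    # 1. Genuine chip, fresh transaction: accepted.
    tx1, c1 = genuine.authorize(1200, os.urandom(4))
    results["genuine"] = issuer.verify(tx1, c1)

    # 2. Same transaction submitted again: counter did not advance, rejected.
    results["replay"] = issuer.verify(tx1, c1)

    # 3. Counterfeit card built from skimmed static data (PAN only, no key):
    #    it can only guess a key, so its cryptogram never verifies.
    counterfeit = Chip(SAMPLE_PAN, b"\x00" * 16)
    tx2, c2 = counterfeit.authorize(1200, os.urandom(4))
    results["counterfeit"] = issuer.verify(tx2, c2)

    # 4. Amount altered in transit after the chip signed it: rejected.
    tx3, c3 = genuine.authorize(1200, os.urandom(4))
    results["tampered_amount"] = issuer.verify(replace(tx3, amount_cents=120000), c3)

    # 5. The untampered version of that same transaction still verifies.
    results["second_genuine"] = issuer.verify(tx3, c3)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:16s} -> {'accepted' if accepted else 'rejected'}")
```

The point for a merchant is in the third scenario: copying everything a magnetic stripe holds gives a fraudster the PAN but not the key, so the issuer's own recomputation of the cryptogram fails. Note that nothing here protects the PAN itself once it leaves the reader; that is the part of the problem PCI (and P2PE in particular) addresses.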
EMV is optional. However, not deploying EMV technology can put you at greater risk for financial loss from chargebacks. Also, you should consider consumer perception. Consumers are now familiar with EMV and may consider magnetic stripe processing as unsafe or outdated.
PCI compliance helps protect credit card data that is stored, processed, and transmitted, but it doesn’t do anything to validate a specific card transaction. EMV prevents businesses from accepting counterfeit cards but doesn’t do anything to protect credit card data after the swipe. Consequently, EMV isn’t a substitute for PCI compliance, and PCI isn’t a replacement or catchall for EMV. The two combine to improve overall credit card security.
When selecting a point-of-sale system for your car wash, payment security should be top of mind. Ask any vendor you are considering how their system will help you maintain PCI compliance. Be sure to verify through the PCI website that the software has been validated. Additionally, you’ll want to consider EMV and whether your POS provider can support it. Taking the time to do the proper due diligence from the start can save you from compliance headaches and financial losses in the future.