For two decades, the Payment Card Industry Data Security Standard (PCI DSS) has served as the compliance standard for merchants that store, process or transmit cardholder data.
PCI DSS 4.0.1, now in effect (it offers clarifications to PCI DSS 4.0 rather than new requirements), is the only existing set of PCI guidelines and security standards designed to protect consumer card data and reduce merchants’ exposure and risk of fraud and data breaches.
In addition to PCI, the EMV liability shift that began in the United States in 2015, which required retailers to accept chip cards at fuel pumps, is now a global standard for terminals, chip cards and devices. EMV is designed to protect against counterfeit card fraud, and PCI is designed to protect cardholder data. According to the PCI Security Standards Council, EMV combined with PCI is “a powerful combination for increasing card data security and reducing fraud.”
By October 2015, however, some retailers were experiencing an outrageous increase in chargebacks for counterfeit/fraudulent transactions.
At the 2016 Conexxus Annual Conference, Mike Lindberg, senior director, payment solutions, at CHS/Cenex, commented that some merchants were reporting a $10,000 to $15,000 increase in chargebacks per week.
As EMV continues to evolve within the payments space, Lindberg shared more on the status of two contactless payment options at this year’s Conexxus Annual Conference: the mainstream magnetic stripe (magstripe) card and EMV contactless.
Some card brands are looking at removing magstripe cards from the marketplace, he said, adding that for EMV contactless, there are 20-plus different kernels (software for POS terminals and ATMs to process contactless transactions) that retailers have to certify. “It is the cyclical nature of all the certifications that the POS providers and the acquirers have to do to get all this in the marketplace.… It’s taking a long time to get EMV contactless into the petroleum space,” said Lindberg.
Bryan Benner, vice president of information systems at FKG Oil/Moto C-Stores, said that being EMV compliant has been vital to reducing most of the retailer’s chargebacks and fraud.
“The elimination of fraud/chargeback exposure for card-present businesses probably won’t happen until magstripe transactions cease to exist,” Benner said, adding that Mastercard, for example, has a roadmap to total elimination of magstripe use.
“By 2033, no Mastercard credit and debit cards will have magnetic stripes, which leaves a long runway for the remaining partners who still rely on the technology to phase in chip card processing,” noted the card brand on its website. For Visa, there are no specific plans to eliminate magstripe cards.
“That being said, it is also a good idea to block the ability to manually enter card numbers into the POS system. Fraudsters will quickly find retailers who allow this practice and will target those locations,” said Benner.
Brad Buckmaster, IT manager at Oregon-based Plaid Pantries Inc., said that reducing liability and exposure to chargebacks requires doing the best job possible to “protect all data and potentially vulnerable endpoints that you have determined in your risk analysis.”
Even temporary endpoints (e.g., a district manager’s laptop temporarily connected to a store system) will be included in the new PCI DSS 4.0.1 standard, added Gray Taylor, executive director of Conexxus.
Buckmaster suggests training your store associates to check their points of payment frequently to defend against physical compromise, such as skimmers, shimmers or rogue devices.
“We have the stores send us a picture of their card readers weekly and our help desk associates inspect and document every store at least once per quarter as well,” Buckmaster said, adding that if a potential issue is discovered, “mitigate it and report it to your acquirer as soon as is reasonable and work with them to ensure whether there was a compromise or not. The sooner the reporting, the less opportunity for exposure.”
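The weekly photo and quarterly help-desk inspection cadence Buckmaster describes is only useful if someone notices when a store falls silent. The script below is an added example, not code from the article or from Plaid Pantries: it takes constructed photo and inspection logs (store identifiers and dates are hypothetical) and reports every store whose weekly photo or quarterly inspection has lapsed, treating a store with no record at all as overdue rather than skipping it, since a missing photo is exactly what a skimmer would hide behind.

```python
from datetime import date, timedelta

# Constructed sample records (not data from the article): dates of each
# card-reader photo a store submitted, and of each help-desk inspection.
PHOTO_LOG = {
    "store-101": [date(2024, 5, 6), date(2024, 5, 13), date(2024, 5, 20)],
    "store-102": [date(2024, 5, 6), date(2024, 5, 13)],
    "store-103": [],  # store never sent a photo
}
INSPECTION_LOG = {
    "store-101": [date(2024, 2, 1), date(2024, 5, 2)],
    "store-102": [date(2024, 1, 15)],
    "store-103": [date(2024, 4, 20)],
}

WEEKLY = timedelta(days=7)      # photo cadence from the article
QUARTERLY = timedelta(days=91)  # roughly one quarter; adjust to policy


def overdue_stores(photo_log, inspection_log, today,
                   weekly=WEEKLY, quarterly=QUARTERLY):
    """Return {store: [reasons]} for every store whose photo or inspection
    cadence has lapsed as of `today`. A store with no record at all is
    reported as overdue, not silently skipped."""
    findings = {}
    for store in sorted(set(photo_log) | set(inspection_log)):
        reasons = []

        photos = photo_log.get(store, [])
        if not photos:
            reasons.append("no card-reader photo on file")
        elif today - max(photos) > weekly:
            reasons.append(f"last photo {(today - max(photos)).days} days ago")

        inspections = inspection_log.get(store, [])
        if not inspections:
            reasons.append("no help-desk inspection on file")
        elif today - max(inspections) > quarterly:
            reasons.append(
                f"last inspection {(today - max(inspections)).days} days ago")

        if reasons:
            findings[store] = reasons
    return findings


if __name__ == "__main__":
    for store, reasons in overdue_stores(PHOTO_LOG, INSPECTION_LOG,
                                         date(2024, 5, 22)).items():
        print(store, "->", "; ".join(reasons))
```

Run against the constructed logs with 22 May 2024 as the reference date, it flags store-102 (photo nine days old, inspection well past the quarter) and store-103 (no photo ever submitted) while store-101 passes. Whatever is flagged then follows the escalation the quote describes: mitigate, and report to the acquirer promptly.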
For smaller operators, not running the latest EMV version can lead to non-compliance fees and full assumption of liability in the event of chargebacks.
“Many merchants assume they’re compliant because they have installed EMV hardware at the pump. We recommend that merchants verify that they are running the latest EMV software versions in-store and at the pump at all times,” said Colin Mayer, director of client solutions at Omega ATC, a PCI DSS Level 1 Service Provider.
“Outdated systems without the most up-to-date EMV software version can trigger fees and leave you holding the bag for chargebacks and fraudulent charges,” said Mayer.
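Mayer’s advice to verify EMV software versions at the pump and in-store turns into a simple inventory check once the versions are collected. The following is an added example, not code from the article or from Omega ATC: the inventory rows, site names and version numbers are all constructed, and the minimum versions are hypothetical placeholders for whatever the acquirer or processor currently requires. It compares versions numerically, because a plain string comparison ranks "2.9.5" above "2.10.0" and would quietly mark an outdated endpoint as current, and it rolls the result up per site, since one outdated endpoint is enough to put the whole site back into liability exposure.

```python
import re

# Constructed inventory (not data from the article): one row per payment
# endpoint with the EMV software version it reports. All values hypothetical.
INVENTORY = [
    {"site": "site-01", "endpoint": "pump-1",   "version": "2.4.1"},
    {"site": "site-01", "endpoint": "pump-2",   "version": "2.3.9"},
    {"site": "site-01", "endpoint": "in-store", "version": "2.10.0"},
    {"site": "site-02", "endpoint": "pump-1",   "version": "2.4.1"},
    {"site": "site-02", "endpoint": "in-store", "version": "2.9.5"},
    {"site": "site-03", "endpoint": "pump-1",   "version": "2.4.0"},
    {"site": "site-03", "endpoint": "in-store", "version": "2.11.2"},
]

# Hypothetical minimum versions per endpoint class; in practice these come
# from the acquirer's or processor's current certification requirements.
REQUIRED = {"pump": "2.4.0", "in-store": "2.10.0"}


def parse_version(v):
    """Turn '2.10.0' into (2, 10, 0) so that 2.10 sorts after 2.9.
    Comparing the raw strings would get this wrong."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def endpoint_class(name):
    """Classify an endpoint as forecourt ('pump') or 'in-store'."""
    return "pump" if name.startswith("pump") else "in-store"


def outdated_endpoints(inventory, required):
    """Return (site, endpoint, installed, minimum) for every endpoint running
    below the minimum version for its class."""
    out = []
    for row in inventory:
        minimum = required[endpoint_class(row["endpoint"])]
        if parse_version(row["version"]) < parse_version(minimum):
            out.append((row["site"], row["endpoint"], row["version"], minimum))
    return out


def site_summary(inventory, required):
    """Map site -> True only if every endpoint at that site is current."""
    exposed = {site for site, *_ in outdated_endpoints(inventory, required)}
    return {row["site"]: row["site"] not in exposed for row in inventory}


if __name__ == "__main__":
    for site, endpoint, installed, minimum in outdated_endpoints(INVENTORY, REQUIRED):
        print(f"{site} {endpoint}: {installed} < required {minimum}")
    print(site_summary(INVENTORY, REQUIRED))
```

With the constructed data, site-01 is flagged for pump-2 (2.3.9 below 2.4.0) and site-02 for its in-store system (2.9.5 below 2.10.0, the case a string comparison would miss); only site-03 is fully current.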
This article is the third in a series that explores how several retailers are staying on top of the new PCI DSS 4.0 requirements. Read the two previous articles, “How Retailer-Supplier Partnerships Help Enable PCI Compliance,” and “Are You Both PCI Compliant and Cyber Secure?”