PCI DSS and Chip and PIN
September 30th, 2006 by pinsecurity. Posted in Chip PIN, Credit Card Fraud, PCI DSS
Many countries around the world are currently in the process of implementing the ‘chip and PIN’ system for credit card payments. This system is based on the EMV standard, and uses a card with an integrated processor (a ‘smartcard’) to store the cardholder data. During a card present transaction, the payment terminal obtains the card data through direct communication with the customer's smartcard, rather than reading it off the magnetic stripe.
The chip and PIN system allows for the use of a different CVV to authenticate the card data, referred to as an iCVV. From the Visa ‘Chip Card Acceptance Device Reference Guide, Version 7.0’, Section 3.4.3:
iCVV is an optional VSDC risk control feature that facilitates detection of skimmed chip data being used to counterfeit magnetic-stripe cards. Issuers may elect to implement an iCVV encoded in the track data stored on the chip, which is different from the CVV encoded on the magnetic stripe.
Put another way, the use of an iCVV logically separates the card data stored on the smartcard from the data stored on the magnetic stripe, preventing the use of data ‘cloned’ from a smartcard to produce a fraudulent magnetic stripe.
So, if captured card data cannot be used to produce a copied card, how does this system relate to the requirements of the PCI DSS? Do merchants still need to comply with the requirements?
The simple answer is yes.
The astute will have noticed that the use of iCVV is still ‘optional’. Therefore, CVV values can still be used, and must not be stored, as stipulated by the PCI DSS requirements. It is also important to remember that the chip and PIN / EMV system is still not implemented worldwide, and probably will not be for some time to come. Therefore, it is both possible and probable (given the current uptake of EMV) that foreign cards will use the magnetic stripe during transactions, which of course contains the CVV and PVV values. Fallback to magnetic swipe for local transactions may also be permitted, depending on the local risk management rules of the acquiring institution.
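To make the iCVV separation concrete, here is an added example of an issuer-side check; it is not code from the original post or from Visa's guide. It models a card whose magnetic stripe carries the CVV and whose chip track data carries the iCVV, and shows that a magnetic-stripe transaction presenting the chip's value is detectable as replayed chip data, while a card issued without the optional iCVV (chip and stripe carry the same CVV) gives the issuer nothing to distinguish. The derivation function is a stand-in HMAC, not the real CVV algorithm; the use of service code 999 for the iCVV, the issuer key, the field layout and the PAN are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer key for this example; a real issuer keeps this in an HSM.
ISSUER_CVV_KEY = b"example-issuer-cvv-key-not-real"

# Assumption: the iCVV is derived like a CVV but with a fixed service code of 999,
# so it differs from the CVV encoded on the physical magnetic stripe.
ICVV_SERVICE_CODE = "999"


def derive_cvv(key: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Stand-in for the issuer's CVV derivation.

    The real scheme is a DES-based keyed function; this example uses HMAC-SHA256
    truncated to three decimal digits so it runs anywhere and is obviously a toy.
    """
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


@dataclass(frozen=True)
class IssuedCard:
    """The issuer's record of one card, looked up by PAN at authorisation time."""
    pan: str
    expiry: str          # YYMM
    service_code: str
    stripe_cvv: str      # CVV encoded on the magnetic stripe
    chip_cvv: str        # value encoded in the track data stored on the chip


def personalise(pan: str, expiry: str, service_code: str, use_icvv: bool) -> IssuedCard:
    """Issue a card. With use_icvv=False (the 'optional' case from the guide) the
    chip carries the same CVV as the stripe, so chip track data is a usable clone."""
    cvv = derive_cvv(ISSUER_CVV_KEY, pan, expiry, service_code)
    icvv = derive_cvv(ISSUER_CVV_KEY, pan, expiry, ICVV_SERVICE_CODE) if use_icvv else cvv
    return IssuedCard(pan, expiry, service_code, cvv, icvv)


def authorise(card: IssuedCard, entry_mode: str, presented_cvv: str) -> str:
    """Issuer-side check of the CVV carried in the presented track data.

    entry_mode is 'magstripe' (a swipe, including fallback) or 'chip' (an EMV read).
    The expected value depends on the channel: stripe data must carry the CVV,
    chip track data must carry the iCVV.
    """
    if entry_mode not in ("magstripe", "chip"):
        return "decline: unknown entry mode"
    expected = card.stripe_cvv if entry_mode == "magstripe" else card.chip_cvv
    if hmac.compare_digest(presented_cvv, expected):
        return "approve"
    # Detection case from the guide: skimmed chip data replayed on a counterfeit stripe.
    if entry_mode == "magstripe" and hmac.compare_digest(presented_cvv, card.chip_cvv):
        return "decline: chip track data replayed on magnetic stripe"
    return "decline: CVV mismatch"


if __name__ == "__main__":
    # Constructed sample card using the well-known Visa test PAN.
    card = personalise("4111111111111111", "0912", "201", use_icvv=True)
    print("stripe CVV", card.stripe_cvv, "chip iCVV", card.chip_cvv)
    print("genuine swipe:   ", authorise(card, "magstripe", card.stripe_cvv))
    print("genuine chip:    ", authorise(card, "chip", card.chip_cvv))
    print("chip data swiped:", authorise(card, "magstripe", card.chip_cvv))
    legacy = personalise("4111111111111111", "0912", "201", use_icvv=False)
    print("no iCVV, chip data swiped:", authorise(legacy, "magstripe", legacy.chip_cvv))
```

The last line of the demo is the point of the post: when the issuer did not opt into iCVV, a stripe produced from chip data authorises exactly like the genuine card, so the CVV in that data is still sensitive and still falls under the PCI DSS storage prohibition.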
Beyond the narrow focus of the CVV itself, it is still important for the merchant or card processor to secure the cardholder environment to protect other data, such as the PAN and PIN block.
Finally, the additional features and protection measures of the chip and PIN system are only useful for card present transactions. Transactions where the cardholder is not physically present are currently performed identically to those using traditional magnetic stripe cards. These transactions are referred to as ‘Card Not Present’ (CNP) or Mail Order / Telephone Order (MOTO) transactions, and are traditionally secured with the use of the CVV2 value printed on the rear of the card. New developments such as Finread or Mastercard's Chip Authentication Program (CAP; non-official informative link) may introduce more robust authentication mechanisms for these transactions, but it is still too early to predict the success of these programs.
5 Responses to “PCI DSS and Chip and PIN”
By datasecurity on Oct 2, 2006
What is interesting is that, to the best of my knowledge, countries that have already implemented Chip/PIN do NOT use the iCVV values. This is part of the debate in Europe over how they just got done rolling out Chip/PIN and now they have to comply with PCI DSS. I think your post answers the question as to why they have to do both.
Thanks!
By Newsquoter on Oct 4, 2006
Sandra Quinn of the Association of Payment Clearing Services (APACS) agrees that it is important that we better protect card-not-present transactions:
http://www.newsquoter.com/ViewQuote.aspx?QuoteId=150
By Neon on Sep 3, 2007
Once a security feature has been given away online, you cannot consider this feature secure anymore.