EMV Migration and PCI Compliance for Financial Institutions

As more cards move to EMV chips, it is natural to wonder how this will affect the Payment Card Industry (PCI) Data Security Standard (DSS). Europe offers a good example: in a mature EMV environment, fraud migrated to card-not-present transactions, so the security controls outlined in the standard still apply. Consider also how the data is used inside a financial institution: the point of sale is not where financial institutions are involved. EMV provides stronger authentication for in-person transactions, but it adds no protection within the financial institutions where cards are issued and card numbers must exist in human-readable form (i.e. not encrypted or tokenized).

When it comes to PCI compliance, the challenge for financial institutions is that nobody is asking about PCI. Federal examiners began asking about PCI at a very high, generic level a few years ago, but those questions died out fairly quickly. The major card brands, meanwhile, are busy with retailers that, compared to finance, had no real security in place prior to PCI. They know that after more than a decade of strict regulation, financial institutions are still ahead of other industries.

Banks and credit unions do have to comply with PCI standards, even if nobody is asking about it. According to the major card brands' compliance web sites, any entity that stores or transmits cardholder data must comply with some level of the PCI standard. This means that in the event of a security breach involving cardholder data (which the vast majority of financial institutions store), significant fines would likely be issued.

The good news is that financial institutions aren’t processing large volumes of transactions, so we typically fall into the lower compliance levels. With the FFIEC-based controls you already have in place, adding a PCI self-assessment, some vulnerability testing, and possibly a few control updates means PCI compliance isn’t too bad.

Once you’ve scoped in your systems, your existing security controls can be mapped to the PCI controls to give you a good indication of where you stand. This mapping is easier if you use a well-known standard such as the NIST Cybersecurity Framework, ISO, or the new FFIEC Cybersecurity controls.

If you are interested in FFIEC Cybersecurity Maturity controls mapped to PCI let me know through the Contact Us link on our web site. I have an internal tool for helping my clients develop an internal common control framework. If there is enough interest I will trim it down and provide it.
