EMV coming to America

I was very pleased to read this article which reports that Visa will be pushing for and eventually requiring any company that processes Visa transactions to support EMV cards by 2013. This is great news, as the EMV cards (short for Europay, Mastercard and Visa) are in wide use in Europe and greatly increases transaction security through an encryption chip on the card itself that replaces the magnetic strip, making it much more difficult to not only grab transactions off of the wire but also use stolen credit card info.

The U.S. has largely ignored implementing these better controls because of the costs to every company that swipes cards to replace their existing Point of Sale equipment with new gear that supports the EMV cards. So as an incentive to retailers, Visa will waive much of the costs of PCI-DSS compliance validation if companies have at least 3/4ths of their POS systems EMV capable. It seems entirely feasible that if EMV cards provide end to end encryption from card to processor, PCI-DSS scope may drastically change with most businesses like gas stations, convenient stores and restaurants that never store card data now not having to even think about whether or not their systems and networks are secure enough to meet today's PCI-DSS requirements, and therefore expensive remediation controls. Keep an eye on this one.