Credit Card Security and EMV - What Pharmacies Need to Know

 


 

Countless data breaches costing billions of dollars every year have prompted the credit card industry to introduce new practices that they are hoping you’ll adopt to minimize the risks both to their bottom line and yours. The information on this page is here to help you navigate these changes and understand what they mean to your pharmacy. We’ll be constantly updating this page as the year progresses so keep checking back for the latest updates.  

Important Terms:

PCI-DSS or PA-DSS:  Payment Card Industry (or Payment Application) Data Security Standards, commonly referred to as PCI, are a set of regulations, standards and requirements put in place for the secure processing of credit and debit cards. All merchants that accept credit cards are required to meet these standards. The hardware and software you use to process credit cards, along with the security of your network, impact the scope of the standards that apply to your business as well as the difficulty in complying with those standards.

EMV: EMV stands for “Europay Mastercard Visa”. EMV technology was first implemented in Europe in 1995. EMV cards have an embedded microchip that creates a unique transaction code each time the card is used. This contrasts sharply with a standard card, whose magnetic stripe contains constant, unchanging data. You may also hear EMV referred to as Chip and PIN, but EMV cards are more likely to be used in signature-based transactions during the early stages of the EMV rollout in the United States. EMV prevents a card from being physically duplicated, which protects the card brands and acquirers, but it does not protect against data breaches. Additionally, EMV has no bearing on the scope of PCI Compliance.

P2PE: Otherwise known as Point to Point Encryption, P2PE virtually eliminates the chances of a data breach like the ones experienced by Target, Home Depot, and countless other retailers. With P2PE, when the card is swiped, the card data is encrypted by the hardware device and sent directly to the processor, where it is decrypted for the first time. The only information returned to the POS system is an approval or decline, meaning there’s no credit card information in your POS system to be compromised. Additionally, P2PE dramatically reduces your scope for PCI Compliance.

QIR: Organizations qualified by PCI SSC as Qualified Integrator and Reseller Companies (QIR Companies) are authorized to implement, configure, and/or support validated PA-DSS Payment Applications on behalf of merchants or service providers for purposes of performing Qualified Installations as part of the QIR Program. The quality, reliability, and consistency of a QIR Company’s work provide confidence that the Payment Application has been implemented in a manner that supports the Customer’s PCI DSS compliance. You can learn more here:  www.pcisecuritystandards.org 

NOTE: QIR certification is critical for any POS provider to install, implement, train, and support credit card solutions in a PCI compliant retail environment.

Here's an updated list of QIR certified POS companies and their QIR Employees:

 

Frequently Asked Questions:

Do I have to adopt EMV?  EMV is not a requirement.  While many news articles will tout October 2015 as the deadline for adoption of EMV, it’s actually just the date when credit card brands agree to shift fraud liability from you to them on EMV transactions. This is a liability that you carry today and the liability shift only applies to EMV cards. Adopting EMV is a choice, and the decision is completely up to you. Think of the October 2015 date as an incentive offered by the credit card brands to get you to adopt this technology.

What is the best way to protect my pharmacy from a credit card data breach?  Because EMV will not actually reduce your risk of a credit card data breach, we recommend Point to Point Encryption as the most secure option for processing credit cards in your pharmacy.  Since no credit card data is stored in your POS system, the chance of a breach due to stored credit card information is virtually eliminated.  

Where can I get more information?  Check out the latest articles posted on this page for the most up-to-date information on EMV, P2PE and implementation of these solutions. At RMS, we are working diligently with our processing partners to provide options for implementation of EMV and P2PE. We believe our customers should have the most up-to-date information to make informed decisions, so we've been continually communicating news and updates to our customers since February of 2015. As always, feel free to call us if you would like to discuss EMV, P2PE, and other credit card security concerns further.

 

 

 

"RMS' [pharmacy POS system] has increased our efficiency, which means less customer confusion and more time for other things. RMS employees are excellent, responsive, and quick – which makes us very satisfied. RMS has improved both our customer service and our business, every year." – Jim Smith, Owner & Pharmacist, The Medicine Shoppe, Shelton, WA