Credit Card Security and EMV - What Pharmacies Need to Know

 

isc250-rms-pharmacy-pos.jpg

 

Countless data breaches costing billions of dollars every year have prompted the credit card industry to introduce new practices that they are hoping you’ll adopt to minimize the risks both to their bottom line and yours. The information on this page is here to help you navigate these changes and understand what they mean to your pharmacy. We’ll be constantly updating this page as the year progresses so keep checking back for the latest updates.  

Important Terms:

PCI-DSS or PA-DSS:  Payment Card Industry (or Payment Application) Data Security Standards, commonly referred to as PCI, are a set of regulations, standards and requirements put in place for the secure processing of credit and debit cards. All merchants that accept credit cards are required to meet these standards. The hardware and software you use to process credit cards, along with the security of your network, impact the scope of the standards that apply to your business as well as the difficulty in complying with those standards.

EMV: EMV stands for “Europay Mastercard Visa”.  EMV technology was first implemented in Europe  in 1995.  EMV cards have an embedded microchip that creates a unique transaction code each time the card is used. This sharply contrasts to a standard card with a magnetic strip that contains constant and unchanging data. You may also hear EMV referred to as Chip and PIN, but EMV cards are more likely to be used in a signature based transaction during the early stages of EMV rollout in the United States. EMV prevents a card from being physically duplicated, which protects the card brands and acquirers, but it does not protect against data breaches. Additionally, EMV has no bearing on the scope of PCI Compliance.

E2EE: Otherwise known as End to End Encryption, E2EE virtually eliminates the chances of a data breach like the ones experienced by Target, Home Depot, and countless other retailers. With E2EE, when the card is swiped, it is encrypted by the hardware device and sent directly to the processor where it is decrypted for the first time. The only information returned to the POS system is an approval or decline, meaning there’s no credit card information in your POS system to be compromised. Additionally, E2EE dramatically reduces your scope for PCI Compliance.  

Validated P2PE: Validated P2PE uses the same technology that E2EE does. It just takes it up a level.  The big difference is that Validated P2PE has been vetted and certified by the PCI Security standards council, validating all aspects of the credit card hardware, right down to the hardware serial numbers that you install in your store.  Validated P2PE is by no means a requirement. However, having a validated solution allows merchants to significantly reduce their scope for PCI Compliance. Many security assessors and IS departments prefer a validated solution.

QIR: Organizations qualified by PCI SSC as Qualified Integrator and Reseller Companies (QIR Companies) are authorized to implement, configure, and/or support validated PA-DSS Payment Applications on behalf of merchants or service providers for purposes of performing Qualified Installations as part of the QIR Program. The quality, reliability, and consistency of a QIR Company’s work provide confidence that the Payment Application has been implemented in a manner that supports the Customer’s PCI DSS compliance. You can learn more here:  www.pcisecuritystandards.org 

**NOTE: QIR certification is critical for any POS provider to install, implement, train, and support credit card solutions in a PCI compliant retail environment.  

Here's an updated list of QIR certified POS companies and their QIR Employees:

 

Frequently Asked Questions:

Do I have to adopt EMV?  EMV is not a requirement.  While many news articles will tout October 2015 as the deadline for adoption of EMV, it’s actually just the date when credit card brands agree to shift fraud liability from you to them on EMV transactions. This is a liability that you carry today and the liability shift only applies to EMV cards. Adopting EMV is a choice, and the decision is completely up to you. Think of the October 2015 date as an incentive offered by the credit card brands to get you to adopt this technology.

What is the best way to protect my pharmacy from a credit card data breach?  Because EMV will not actually reduce your risk of a credit card data breach, we recommend End to End Encryption (E2EE) as the most secure option for processing credit cards in your pharmacy.  Since no credit card data is stored in your POS system, the chance of a breach due to stored credit card information is virtually eliminated.  

Where can I get more information?  Check out the latest articles posted on this page for the most up to date information on EMV, E2EE and implementation of these solutions. At RMS, we are working diligently with our processing partners to provide options for implementation of EMV and E2EE. At RMS, we believe our customers should have the most up-to-date information to make informed decisions, so we've been continually communicating news and updates to our customers since February of 2015.  As always, feel free to call us if you would like to discuss EMV, E2EE, and other credit card security concerns further.  

 

 

 

New Call-to-action
Credit Card Security Webinar with Brad Jones
"RMS' [pharmacy POS system] has increased our efficiency, which means less customer confusion and more time for other things.RMS employees are excellent, responsive, and quick – which makes us very satisfied. RMS has improved both our customer service and our business, every year.." – Jim Smith, Owner & Pharmacist, The Medicine Shoppe, Shelton, WA