Here comes EMV Cotton tail, hoppin’ down the PCI trail, Hippety hoppety, EMV’s on its way!

While crammed in the back of a cab last night I flipped through some stuff on Twitter and found this post by Adrian Lane on Securosis describing Visa’s chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants.

filter, by mason bryant

If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points.

  1. Chip and PIN doesn’t work if the card in your wallet doesn’t use the EMV technology. It’s not just about merchants putting EMV capable terminals at their registers. If you and I don’t have a capable card, it doesn’t matter if the merchant can accept it.
  2. While EMV capable terminals are more expensive, I see more and more of them in the US with the EMV functionality disabled. Granted, I recall more large merchants than small ones having these terminals, but they are out there. Many merchants are already facing a technology refresh as they aim to accept NFC or other ways to pay.
  3. EMV payments are NOT an escape hatch to compliance.

Let’s walk through that last one. Visa announced a way to avoid the burden of an annual PCI assessment by meeting four key requirements. This does NOT exempt companies from complying with PCI DSS as Adrian hints. If more than 75% of the payment load consists of EMV payments, merchants avoid the annual PCI DSS validation, not totally abandon compliance or security.

This post originally appeared on BrandenWilliams.com.