President Barack Obama last week signed an Executive Order that will force the federal government to adopt chip and PIN technology for government payment cards and to outfit retail point-of-sale terminals at federal facilities – like national parks and post offices – with the capacity to accept chip and PIN-enabled cards.
The move is part of the broader “BuySecure” initiative, and the president hopes that the American public and private companies will follow the government’s example in transitioning to the more secure form of payment.
Chip and PIN – also known as EMV (Europay, MasterCard and Visa) – is a payment system in which cards contain a computer chip and the user must enter a personal identification number when using their card. The PIN is merely a second factor of authentication, but the chip actually replaces the magnetic strips that currently store payment information on the credit and debit cards of many Americans. According to the administration’s talking points, chip and PIN has helped limit payment fraud considerably in other countries. This is in part because a user must know the PIN associated with a chip embedded on the credit card in order to use it.
“With over 100 million Americans falling victim to data breaches over the last year, and millions suffering from credit card fraud and identity crimes, there is a need to act — and to move our economy toward stronger, more secure technologies that better secure transactions and safeguard sensitive data,” the Obama administration explained in a press release.
With that in mind, some private sector companies are already committed to installing chip and PIN-compatible point-of-sale terminals at their retail locations. The Home Depot, Target, Walgreens and Walmart all plan on being chip and PIN compatible by January 2015. Of course, it may be too little too late for the Home Depot and Target, each of which suffered massive data breaches in recent months affecting tens of millions of consumers. The White House also announced that American Express will start a new program to support small businesses upgrading the security of their point-of-sale terminals and Visa will launch a national public service campaign to educate consumers and merchants on chip and PIN and other secure technologies.
The administration is also using this Executive Order to help prevent identity theft, increase credit score transparency and to announce a White House consumer cybersecurity summit.
Specifically, the president’s executive office will support the Federal Trade Commission’s continued development of IdentityTheft.gov, a website designed to streamline the process of reporting identity theft. The plan to curb identity theft – like every other piece of security-related executive guidance from this administration – will involve expanded information sharing rules requiring law enforcement to regularly report evidence of stolen financial and other information to companies whose customers are directly affected. In the end, the administration says that its goal is to cut in half the average amount of time it takes to remedy cases of identity theft.
Ultimately, the administration and the Consumer Financial Protection Bureau want every citizen to have easy access to their credit score, not just to maintain good credit health but also because credit score changes are often one of the first indicators of identity theft. Citi and the credit score provider, FICO, will be making free credit scores available online to Citi customers. They will join Discover, Barclaycard, Pentagon Federal Credit Union and First National Bank of Omaha, each of which currently provides similar services to some 70 million U.S. citizens.
“The goal is not just to ensure the security of doing retail business with the government, but also, through this increased demand, to help drive the market towards swifter adoption of stronger security standards,” the administration says. “Institutions like the United States Postal Service have already made this transition across tens of thousands of retail facilities across the country.”
The White House is also calling on Congress to pass data breach legislation designed to clarify the expectations consumers should have when their data has been breached along with steps that companies must take to notify their customers of risks after such security breaches. The order goes on to call for further legislation intended to help the government better protect federal networks while appropriately balancing the need for greater information sharing and strong privacy and civil liberty protections.
While the chip and PIN payment system is said to be significantly more secure than the two-track, magnetic strip payment cards most commonly used here in the U.S., it is not perfect. This year at the Black Hat security conference, Cambridge University professor Ross Anderson, a cryptography expert who has spent more than a decade examining the various chip and PIN protocols, vulnerabilities and hacks, warned that American banks and merchants should be wary and heed the lessons learned in Europe, where the system has been in place, not without faults, for the last decade.