U.S. President Obama has signed an Executive Order to implement enhanced security measures across government business, which includes the securing of payment cards using microchips and PINs.
Speaking at the Consumer Financial Protection Bureau, the President said it was “infuriating” for someone “halfway around the world” to “run up thousands of dollars in charges in your name just because they stole your number or because you swiped your card at the wrong place and the wrong time.”
For the victims of those crimes, he added, “it's heartbreaking,” noting that the U.S. must “do more to stop it.”
Obama outlined the steps that his Aadministration and the private sector have taken and will take in the future to better security. Under a BuySecure Initiative, the government, for instance, will secure payments using chip and PIN technology to government credit and debit cards. Retail payment card terminals at federal agencies will also be upgraded to accept the new technology.
The Order called for companies to join in the effort to improve security of the payment process, with the White House noting that Home Depot, Target, Walgreens and Walmart will be rolling out chip and PIN card terminals, by and large by January, while American Express will roll out a new program then to support small business efforts to upgrade point-of-sale (POS) terminals to comply with more secure standards. A Visa program will dispatch experts to 20 cities as part of a campaign to educate merchants on secure offerings such as chip.
Chip and PIN is already in widespread use in Australia and Europe, and the U.S. has faced harsh criticism for not adopting the more secure technology sooner. Calls to implement chip and PIN had initially met some resistance with naysayers claiming it would be too costly to upgrade the nation's current payment system. But as retailers have been hit by one costly breach after another and a troublesome volume of debit and credit card information has been exposed or compromised—a White House fact sheet said “more than 100 million Americans [fell] victim to data breaches over the last year”—merchants and financial institutions have been moving toward supporting the technology in earnest with a migration to EMV planned for next year.
The Executive Order was met with support from industry advocates.
RILA President Sandy Kennedy, who attended the signing of the White House Executive Order, said in a statement that the action “should serve as a catalyst for widespread adoption of chip and PIN card security.”
Kennedy added that the “antiquated card security system in place today” in the U.S. makes it easy for “criminals to commit card fraud.” Chip and PIN technology, already at work “elsewhere in the world,” will better protect this country's consumers from fraud.”
The PCI Security Standards Council (PCI SSC) was equally as approving of the President's announcement.
“We applaud the White House for highlighting the importance of payment card security today," the council said. Noting that PCI SSC “has long been a supporter of EMV chip technology,” PCI general manager Stephen Orfei said the council applauded the White House efforts to underscore the importance of payment card security. “We view [EMV] as a critical layer in any payment security strategy,” he said.
The technology, he noted, will “button down security” at the POS. But, he warned, alone, EMV is “not by itself a silver bullet for data protection,” because it doesn't prevent malware attacks “like the ones we've been reading about in the news, nor does it prevent card not present attacks. No one single technology is the answer.”
Orfei advocated for businesses to “maintain a multi-layered security approach that involves people, process and technology working together to protect consumers.”
Steve Wilson, principle analyst at Australia's Constellation Research, said that the US was motivated to embrace chip and pin by victims of fraud, rather than industry. Put simply, the growth in payments revenue has outstripped losses in frauds for banks, delaying the multi-billion dollar investment required to invest in new Chip and PIN readers across retail industries.
"The president's intervention is great news," he said. "A government decree is exactly what's needed."
"It's exactly what happened in the UK to get Chip and PIN rolling. The banks were collectively quite happy with magnetic stripe card losses in the early noughties, but as consumer complaints grew, the Chancellor of the Exchequer dragged the banks in and insisted they adopt EMV."
Wilson agreed with Orfei that the industry would need to remain vigilant.
"Card skimming is not the only fraud vector, and the Americans must prepare for criminality to pop up somewhere else," he said." Lucky for them, they know from ten years of international experience exactly what will happen next: Card Not Present (CNP) fraud executed with stolen account numbers will balloon."
Wilson said there was also room for optimism now that the payments industry has committed to using secure personal hardware and digital signatures for online payments. The recent Galaxy S5 and ApplePay apps both exploit security hardware like NFC Secure Elements, he noted.
Resources for victims of identity theft
The Presidential Order also outlined efforts at preventing identity theft, lending support to the U.S. Federal Trade Commission as it develops a “one-stop resource” for victims of identity theft, found at IdentityTheft.gov.
The site will help streamline reporting and remediation with credit bureaus. The FTC has been active in dogging private sector companies to improve their security and better safeguard consumer information.
In a statement, FTC Chairwoman Edith Ramirez said she welcomed “the opportunity for the Federal Trade Commission to participate in this new initiative advancing efforts to address this insidious problem on behalf of consumers.” She noted that “identity theft has been American consumers' number one complaint for more than a decade, and it affects people in every community across the nation.”
The President's action also expands the sharing of information, clearing the way for federal investigators to regularly report evidence of stolen information to those companies whose customers have been impacted.