The New Executive Order on Securing Financial Transactions
The Obama Administration is taking new steps to improve the security of consumer financial transactions. On October 17, 2014, President Obama issued an Executive Order, titled “Improving the Security of Financial Transactions,” focusing on government payments, identity theft remediation, and online federal transactions. Among other initiatives, the Order directs federal agencies to begin upgrading their payment processing terminals to use enhanced security features, including a requirement to allow chip-and-PIN technology, by January 1, 2015. The Administration's endorsement of chip-and-PIN marks a departure from the far more prevalent chip-and-signature standard, the approach adopted by the overwhelming majority of U.S. banks that issue chip-based cards.
What is Chip-and-PIN?
Chip-and-PIN cards are a specific form of EMV-chipped payment cards. Short for “Europay, MasterCard, Visa,” after the companies that created the standard, EMV-chipped cards use embedded microprocessors to store cardholder data and allow point-of-sale (PoS) devices to verify a card's authenticity via dynamic authentication methods. Chip-based cards are far more expensive and difficult to counterfeit than the notoriously insecure magnetic stripe cards used throughout the United States. Data stored on a magnetic stripe can easily be copied and re-encoded onto a counterfeit card by virtually anyone with access to that card. EMV-chipped cards, on the other hand, address the counterfeiting problem by incorporating sophisticated authentication technology that can verify that a card is an original and not a copy.
Cardholders, in turn, are verified through methods imposed by the EMV-chipped card issuer. Chip-and-PIN cards require the cardholder to enter a personal identification number (PIN) in order to complete a transaction. They allow retailers to require two-factor authentication before approving any transaction, thereby addressing both counterfeiting and the use of lost or stolen cards. Chip-and-signature cards require only the customer's signature. They arguably are less secure than chip-and-PIN cards, because they do not address the use of lost or stolen cards.
The EMV standard already is widely used around the world. In fact, the United States is the last of the G20 countries to move to EMV-chipped cards. The high cost of replacing customer cards, ATMs, and payment terminals with EMV-capable equipment likely has deterred U.S. businesses from embracing the standard. This is changing, however, thanks to the industry's October 2015 deadline for merchants to upgrade to EMV-based payment systems or else assume all liability for counterfeit fraud they suffer.
Most countries that have adopted the EMV standard also have adopted PIN-based cardholder verification. Again, the United States is an exception. Few banks in the United States issue chip-and-PIN cards; most push chip-and-signature. The United States is the most competitive card market in the world, and no card issuer wants to have the most difficult card to use. In addition, card issuers point out that, at the end of the day, PINs are a static data element that can be stolen. When used with magnetic stripe data, stolen PINs can be used to withdraw cash directly from ATMs—costs that banks must shoulder. Considering that PINs address only fraud involving lost or stolen cards, and that lost-and-stolen fraud is a small percentage of credit card fraud, the business case in the United States—for card issuers at least—has favored chip-and-signature.
What Does the Executive Order Do?
Section 1 of the Executive Order outlines steps to secure federal payments. Specifically, Section 1 requires federal agencies to transition payment processing terminals and credit, debit, and other payment cards to employ enhanced security features, including chip-and-PIN technology. The Executive Order requires the following by January 1, 2015:
- The Secretary of Treasury must (i) ensure that all newly acquired payment processing terminals and prepaid debit cards for administering government benefits have enhanced security features; and (ii) develop a plan for federal agencies to install enabling software in older payment processing terminals that supports enhanced security features and to replace older prepaid debit cards that do not support such features.
- The Administrator of General Services similarly must ensure that credit, debit, and other payment cards provided through General Services Administration (GSA) contracts have enhanced security features, and must begin replacing credit, debit, and other payment cards without such capabilities.
- All other agencies with credit, debit, and other payment card programs must provide the Office of Management and Budget (OMB) plans for ensuring that their cards have enhanced security features.
Section 2 of the Executive Order aims to reduce the burden on consumers who have been victims of identity theft, including by substantially reducing the amount of time necessary for a consumer to remediate incidents.
Pursuant to Section 2, the Attorney General, in coordination with the Secretary of Homeland Security, must issue guidance by February 15, 2015, to promote regular submissions by Federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance's Internet Fraud Alert System. Section 2 also directs the Department of Justice, the Department of Commerce, and the Social Security Administration to identify all publicly available agency resources for victims of identity theft and to provide the Federal Trade Commission (FTC) information about such resources no later than March 15, 2015. Finally, Section 2 provides that OMB and GSA shall assist the FTC in enhancing the functionality of IdentityTheft.gov, including by coordinating with the credit bureaus to streamline the reporting and remediation process. The Executive Order provides for the enhanced website to be available by May 15, 2015.
Section 3 of the Executive Order gives 90 days to the National Security Council, the Office of Science and Technology Policy, and OMB to present to the President a plan to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity-proofing process. Relevant agencies are afforded 18 months to complete any required implementation steps set forth in the plan.
Too Little, Too Late?
For some, President Obama's Executive Order is a step in the right direction. In issuing the Order, President Obama announced a cybersecurity and consumer protection summit that will be held later this year. The summit will bring together key stakeholders in the consumer financial space to share best practices, promote adherence to stronger security standards, and discuss next-generation technologies. President Obama also encouraged the financial and retail sectors to follow the government's lead in transitioning to chip-and-PIN technology.
For others, the Executive Order falls short. Although the Order closely followed the launch of Apple Pay, it does not address next-generation payment technology. Instead, it focuses on a standard developed almost 20 years ago. In some respects, card issuers already are well ahead of the Administration with respect to the EMV standard. Visa, for example, made its initial road map announcement in 2011. Considering the likely investments already made by card issuers, some question whether the Order can influence the direction of the market. In addition, the Order covers only federal agencies. It does not reach businesses, despite recent high-profile cybersecurity breaches involving many large companies, including Target, JPMorgan, and Home Depot. Finally, some argue that chip-and-PIN cards do not solve important security risks faced by consumers. For example, they do not address online payments, where no card is presented to a merchant.