Obama's Executive Order On Payment Fraud Falls Short On Boosting Security, Say Experts



The Obama administration issued an executive order last week that forces federal agencies to purchase new payment terminals that support "enhanced" security features, but experts say the directive stops short of requiring fully activated encryption and other security measures that would reduce the risk of a data breach.

President Obama's executive order to improve the "Security of Consumer Financial Transactions" requires agencies to begin transitioning to more modern payment terminals that support Europay, MasterCard and Visa (EMV), also known as chip cards. The EMV-enabled payment terminals reduce fraud at retailer brick-and-mortar stores that support the smartcard payments.

"The Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system," according to a statement issued by the White House.


Under the Obama order, beginning Jan. 1, 2015, payment processing terminals acquired by federal agencies must support enhanced security features and a plan must be in place to install enabling software. In addition, federal agencies that issue credit and debit cards must begin replacing standard swipe cards with chip-enabled smartcards beginning on that date.

The executive order also requires agencies that accept online payments to protect personally identifiable data using multifactor authentication and establish "effective identity proofing."

The EMV payment technology, which is used widely in Europe, prevents fraudsters from paying for goods in stores using fraudulent cards. Consumers use a credit card with a chip and a PIN to pay at stores and kiosks for goods and services. In the U.S., the technology rollout is expected to take five years or more, and payments using the chip-enabled cards will likely require a signature, rather than a PIN.

All merchants in the U.S. face an October 2015 deadline set by the payment brands to deploy and enable EMV-enabled terminals. If early adopters meet the 2015 date, the liability for fraudulent purchases would shift from merchants to the card brands. Deployment of the new terminals and other security technologies is fueling some channel business growth in the retail and health-care sectors, solution providers tell CRN.

Security experts say EMV doesn't address the main problem that led to many of the retail data breaches in recent months. Even with new EMV terminals, a criminal would still get the 15-digit credit or debit card number and the expiration date, said Ruston Miles, a payment security expert and chief innovation officer at Bluefin Payment Systems.

"Most folks are looking at EMV, but EMV doesn't fix the problem," said Miles, whose company sells validated point-to-point encrypted payment hardware and software. "Hackers couldn't make a new card to go to a gas station and purchase gas, but they could use the stolen data online."

Miles and other payment experts tell CRN that EMV adoption in Europe has forced criminals to shift their activity to online fraud schemes by making card-not-present transactions.

