Obama's Executive Order On Payment Fraud Falls Short On Boosting Security, Say Experts

The Obama administration issued an executive order last week that forces federal agencies to purchase new payment terminals that support "enhanced" security features, but experts say the directive stops short of requiring fully activated encryption and other security measures that would reduce the risk of a data breach.

President Obama's executive order to improve the "Security of Consumer Financial Transactions" requires agencies to begin transitioning to more modern payment terminals that support Europay, MasterCard and Visa (EMV), also known as chip cards. The EMV-enabled payment terminals reduce fraud at retailer brick-and-mortar stores that support the smartcard payments.

"The Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system," according to a statement issued by the White House.

[Related: 10 Security Technologies Gaining From Data Breach Hysteria]

Under the Obama order, beginning Jan. 1, 2015, payment processing terminals acquired by federal agencies must support enhanced security features and a plan must be in place to install enabling software. In addition, federal agencies that issue credit and debit cards must begin replacing standard swipe cards with chip-enabled smartcards beginning on that date.

The executive order also requires agencies that accept online payments to protect personally identifiable data using multifactor authentication and establish "effective identity proofing."

The EMV payment technology, which is used widely in Europe, prevents fraudsters from paying for goods in stores using fraudulent cards. Consumers use a credit card with a chip and a PIN to pay at stores and kiosks for goods and services. In the U.S. the technology rollout is expected to take five years or more and payments using the chip-enabled cards will likely require a signature, rather than a PIN.

All merchants in the U.S. face an October 2015 deadline set by the payment brands to deploy and enable EMV-enabled terminals. If early adopters meet the 2015 date, the liability for fraudulent purchases would shift from merchants to the card brands. Deployment of the new terminals and other security technologies are fueling some channel business growth in the retail and health-care sectors, solution providers tell CRN.

Security experts say EMV doesn't address the main problem that led to many of the retail data breaches in recent months. Even with new EMV terminals, a criminal would still get the 15-digit credit or debit card number and the expiration date, said Ruston Miles, a payment security expert and chief innovation officer at Bluefin Payment Systems.

"Most folks are looking at EMV, but EMV doesn't fix the problem," said Miles, whose company sells validated point-to-point encrypted payment hardware and software. "Hackers couldn't make a new card to go to a gas station and purchase gas, but they could use the stolen data online."

Miles and other payment experts tell CRN that EMV adoption in Europe has forced criminals to shift their activity to online fraud schemes by making card-not-present transactions.

NEXT: Experts Say Point-To-Point Encryption Greatly Reduces Risk

Fully encrypted payment terminals that encrypt payment data at the time a card is swiped would have greatly reduced the litany of retail data breaches in 2014, say security experts. Target, Home Depot and other large retailers have already deployed payment terminals that support encryption but haven't enabled the capability. Properly implemented point-to-point encryption is the only meaningful way to bolster security, said Chris Camejo, director of consulting and professional services at NTT Com Security.

"With EMV the card number is still transmitted to the computer in the clear [as opposed to encrypted] and could be captured out of memory by malware like BlackPOS," Camejo said. "It also doesn't do anything to prevent the card from being used in online transactions where chips don't come into play."

Merchants need to establish effective security policies, closely monitor systems and completely segment off the payment environment from the rest of the network, said Brian DiPaolo, assessment and compliance practice director at Houston-based managed services provider AccuData Systems. Too many merchants meet the Payment Card Industry Data Security Standards requirements and then aren't proactive about maintaining compliance throughout the year, resulting in security incidents and breaches, DiPaolo said. Suddenly adopting and enabling EMV-enabled terminals isn't going to solve those issues, he said.

’Chip-and-pin is overblown,’ said DiPaolo, a payment industry veteran certified to assess cardholder environments. ’There’s a whole other world of PCI card functions out there that address how you are managing data once it is on the network and mitigate the risk of activity that leads to a breach.’

PUBLISHED OCT. 20, 2014