On Oct. 17, 2014, President Barack Obama signed an executive order directing that the federal government lead by example and implement chip and PIN technology for government-managed credit and debit card programs. In a speech at the Consumer Financial Protection Bureau, Obama laid out the BuySecure Initiative, which, in part, will mandate chip and PIN as the security standard for such programs as Direct Express, the prepaid debit card program that electronically distributes government benefits to recipients.
The initiative will undoubtedly provide more momentum for card issuers and merchants to transition their hardware and software to the Europay/MasterCard/Visa (EMV) chip and PIN protocol.
The initiative calls for the federal government to embark on an "enterprise-wide transition to more secure credit, debit, and other payment cards, as well as the retail payment terminals at government locations like the passport office, VA canteens, and national parks." The move is meant to increase data security for consumers by transitioning away from mag stripe technology on payment cards to chip and PIN technology, which is widely believed to be the more robust security protocol.
But the transition is also meant to spur the adoption of chip and PIN in the private sector. "The goal is not just to ensure the security of doing retail business with the government, but also, through this increased demand, to help drive the market towards swifter adoption of stronger security standards," said the White House in a statement. "Institutions like the United States Postal Service have already made this transition across tens of thousands of retail facilities across the country."
The transition is expected to begin on Jan. 1, 2015, with the goal of issuing over 1 million new chip and PIN cards by the end of 2015.
Additionally, the initiative involves upgrading the POS terminals at government agencies to accept EMV chip and PIN cards. The Department of the Treasury will oversee this part of the initiative, as it is in charge of the federal payment collection system.
All in support
Both sides of the U.S. commercial marketplace, as represented by the National Retail Federation and the Electronic Transactions Association, support BuySecure. In a statement, ETA Chief Executive Officer Jason Oxman approved of the government's announcement.
"EMV implementation is a vital step in addressing counterfeit card fraud, the single largest source of card fraud in the USA," Oxman said. "Although chip cards would not have stopped recent high-profile retail breaches, they are part of an overall secure technology deployment that includes tokenization and end-to-end encryption. … ETA applauds the administration’s support for a uniform national data breach notification standard and for greater information sharing on cyber threats."
Meanwhile, NRF President and CEO Matthew Shay said, "We applaud the administration for taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards, among other things.
"As the world’s largest retail trade association, NRF continues to work with our members and other stakeholders on practical and comprehensive solutions that are less about process and more about progress toward how we collaboratively prevent and combat this criminal activity. From insisting on PIN and chip cards to facilitating greater information sharing among retailers and others sectors, we are committed to finding the right answers with the latest technologies to stop these cyber thieves."
The Retail Industry Leaders Association also supports Obama's initiative. "Retailers applaud the president's action to advance card security," said RILA President Sandy Kennedy. "Today's announcement should serve as a catalyst for widespread adoption of chip and PIN card security."
Onward with EMV
Obama also commended card issuers and large retailers for making the transition to EMV. Obama spotlighted actions taken by several national retailers and service providers:
- The American Express Co. will launch a $10 million program in January 2015 to assist small businesses in upgrading their POS systems to EMV.
- The Home Depot U.S.A. Inc. is transitioning 85,000 POS terminals to support EMV in stores and has enhanced encryption of payment data at its U.S. stores.
- Target Corp. completed installation of chip and PIN readers in all of its 1,801 stores; in early 2015, Target stores will begin accepting all chip-enabled cards and reissue over 20 million Target-branded chip and PIN-enabled credit and debit cards.
- Visa Inc. will invest more than $20 million to educate consumers and merchants on chip and other secure technologies, while also embarking on a national public service campaign in 20 cities.
- The Walgreen Co. upgraded its POS terminals to chip and PIN in 8,200 stores, and will begin accepting chip and PIN-based cards in early 2015.
- Wal-Mart Stores Inc. will have activated new chip and PIN readers in nearly 5,000 Walmart and Sam’s Club U.S. stores by Nov. 1, 2014.
SIDE NOTE
EMV in a Nutshell
The Smart Card Alliance defines EMV as an open-standard set of specifications for smart card payments and acceptance devices designed to ensure interoperability between chip-based payment cards and terminals. EMV chip cards contain an embedded microprocessor, which is considered more secure than traditional cards since payment information is stored in a secure chip rather than on a magnetic stripe.
EMV technology enhances card security three ways:
- Card authentication: Authentication occurs during the transaction either online by the issuer using a dynamic cryptogram or offline with via a terminal using Static Data Authentication, Dynamic Data Authentication or Combined DDA. Captured data cannot be used to execute new transactions.
- Cardholder verification: EMV supports four cardholder verification methods – offline PIN, online PIN, signature or no CVM – which is determined based on associated transaction risk.
- Transaction authorization: Online transactions are sent to the issuer, along with a transaction-specific cryptogram, for authorization. The card and terminal communicate in offline transactions to determine authorization acceptance.
The EMVCo, an entity owned by the major card brands, currently manages, maintains and updates EMV specifications. There are currently 80 countries across the global in various stages of EMV chip migration, including the United States.
Source: www.greensheet.com