By Ashden Fein and Randall Friedland
On Friday, President Obama signed an Executive Order directed at securing consumer transactions and sensitive data, improving consumer identity theft remediation, and better securing personal information on federally run websites. Among the security measures, the President ordered that all federal government-issued credit cards be equipped, as soon as possible, with chip-and-PIN technology. The chip-and-PIN technology, commonly used in Europe, makes stealing credit card numbers more difficult. Chips embedded in the credit cards generate a unique code for every transaction, and the user must enter a PIN (similar to a debit card), adding another layer of security. Further, the Executive Order requires all retail payment card terminals at federal agencies to be able to accept the chip-and-PIN technology by January 1, 2015.
In addition to providing greater security measures for payment systems, the President ordered multiple agencies to better assist identity theft victims. First, the President ordered the Attorney General and the Secretary of Homeland Security to improve information sharing concerning compromised credentials between law enforcement agencies and the National Cyber-Forensics and Training Alliance’s Internet Fraud Alert System in an effort to reduce the time necessary for consumers to remediate an incident. The President also ordered multiple consumer-focused agencies to identify “all publicly available agency resources for victims of identity theft” and to provide that information to the Federal Trade Commission (FTC) no later than March 15, 2015, in an effort to consolidate the information at the FTC’s public website, IdentityTheft.gov. The President further ordered the Office of Management and Budget (OMB) and the General Services Administration to enhance IdentityTheft.gov by “streamlin[ing] reporting and remediation process[es] with credit bureaus.”
The Executive Order also directs the National Security Council Staff, Office of Science and Technology Policy, and OMB to develop a plan within ninety days “to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process.” A common example of multiple-factor authentication is a website that requires a username and password at login and then, once the user is online, requires a separate PIN or an answer to a predetermined question. The Executive Order requires relevant federal agencies to implement this plan within eighteen months.
The President used the signing of the Executive Order as an opportunity to urge all stakeholders to join in “driving the economy towards more secure standards to safeguard consumer finances and reduce their chances of becoming victims of identity theft—America’s fastest-growing crime.” The President announced that by January 2015, some major retailers will be equipped with chip-and-PIN-compatible card terminals, and that the private sector is taking actions to transition to more secure payment technologies, similar to the Executive Order’s mandate. As recently as today, the Payment Security Task Force (PST) forecasts that over 47% of merchants in the United States will have chip-and-PIN payment terminals by the end of 2015. The PST consists of U.S. banks, major retailers, and credit unions.
The President called on Congress to pass both data breach and cybersecurity legislation. Relatedly, the President announced that his Administration will host the White House’s Summit on Cybersecurity and Consumer Protection later this year with the objective of “bringing together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data, now and in the future.”