President Obama recently signed an executive order requiring federal agencies to improve the security of payment card transactions by upgrading to chip-and-PIN payment systems, which enable payments to be processed using an embedded microchip in the card that stores customer data. This transition—one of three specific steps outlined in the order—is part of a federal effort to improve the security of consumer financial transactions and encourage the private sector to follow suit.

In addition to the federal transition to chip-and-PIN, the order requires agencies to streamline federal identity theft assistance efforts and improve law enforcement information sharing for identity and payment card related crimes. The President intends for the federal government to "lead by example" in adopting secure payment technology ahead of the payment card industry's target date of October 2015. The order requires federal agencies to begin this transition no later than January 1, 2015.

Federal agencies, working with the Treasury Department, will upgrade their payment card processing terminals to accept chip-and-PIN enabled payment cards. Federal agencies must also use and issue such cards. This will require the General Services Administration and other agencies to amend their contracts with card issuers to require that federal purchase cards are chip-and-PIN enabled. Federal benefit programs that make benefits such as Social Security available to consumers through prepaid debit cards must also take steps to issue new chip-and-PIN enabled cards to beneficiaries who use prepaid cards. This upgrade is the first in a three-pronged approach to improve the security of payment transactions.

The second prong of the order requires the U.S. Department of Justice, the U.S. Department of Commerce, and the Social Security Administration to work with the Federal Trade Commission (FTC) to provide consumers with additional resources for combatting and remediating identity theft. The FTC will also work with credit bureaus to improve its identity theft assistance website, IdentityTheft.gov. This enhanced website will allow consumers to submit fraud reports directly to the credit bureaus. In addition, the order requires federal law enforcement agencies to improve information-sharing efforts about payment account fraud by submitting data to the National Cyber Forensics and Training Alliance's Internet Fraud Alert System.

Finally, the order requires federal agencies to develop a plan calling for federal agencies' digital applications to require multifactor authentication processes for consumers when the applications use personal information. This plan would adhere to the 2011 National Strategy for Trusted Identities in Cyberspace, and agencies will have 18 months to implement it.

The order does not have direct implications for the private sector at large; it only affects companies that contract with the federal government, such as the banks that issue payment cards for federal agencies. However, the order is intended to encourage the private sector to follow the example set by the federal government. For example, the fact sheet accompanying the order's release touts retailers that already have chip-and-PIN payment terminals in place. The fact sheet also highlights how financial institutions are assisting consumers with monitoring their identity, such as by providing consumers with their credit scores in a monthly statement.

The order is partly a response to the recent spate of high-profile data breaches at several major retailers where consumers' credit and debit card information was stolen by "hackers." The payment industry is encouraging the transition to chip-and-PIN by shifting liability for fraudulent card transactions; if a merchant continues to use magnetic swipe readers after the October 2015 shift date, the merchant will be liable for fraudulent transactions made using chip-and-PIN enabled cards.

Chip-and-PIN technology allows for more secure payments, especially during a point-of-sale transaction. Financial institutions are already issuing chip-and-PIN cards to consumers, and merchants should prepare for next year's liability shift by upgrading their payment processing terminals. Given hackers' focus on retailers' payment systems, upgrading ahead of the October 2015 liability shift could help reduce risk and protect consumers.

Members of Ballard Spahr’s Consumer Financial Services and Privacy and Data Security Groups regularly advise financial institutions on compliance with consumer financial services laws related to data security and privacy issues.

For more information, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544 or kaplinsky@ballardspahr.com.


Copyright © 2014 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices

Consumer Financial Services
Privacy and Data Security

CFPB

Visit CFPB Monitor, our blog on the Consumer Financial Protection Bureau >

Subscribe to the blog via e-mail >