Obama executive order calls for 'BuySecure' initiative
On Friday, President Barack Obama signed a wide-ranging executive order intended to move the U.S. toward greater security in payments and consumer data-sharing. The president's BuySecure initiative is his administration's response to massive data breaches that compromised the bank account and personal information of 100 million Americans during the past year, according to a fact sheet released by the United States Office of the Secretary.
The goal of the initiative is to provide tools to assist victims of identity theft, improve the government’s payment security (as both a customer and a provider), and accelerate the transition to stronger security technologies and the development of next-generation payment security tools, including EMV-enabled smart cards.
According to the fact sheet:
... the president is signing an executive order to implement enhanced security measures, including securing credit, debit, and other payment cards with microchips in lieu of basic magnetic strips, and PINs, such as those standard on consumer ATM cards. He is calling on all stakeholders to join the administration and a number of major corporations in driving the economy toward more secure standards to safeguard consumer finances and reduce their chances of becoming victims of identity theft — America’s fastest-growing crime.
Obama also used the executive order signing as an occasion to announce a White House Summit on Cybersecurity and Consumer Protection to take place later this year. The summit will bring together key stakeholders in the consumer financial space to share best practices, promote adherence to stronger security standards, and discuss next-generation technologies.
The president also renewed his call to Congress to enact "overdue" cybersecurity legislation that will help protect Americans — particularly by clarifying companies’ obligations when sensitive data is breached, the fact sheet said.
The following summary highlights actions outlined by the president's BuySecure initiative. The full text of the White House press office fact sheet is available online.
Leading by example: Federal transition to chip and PIN
Per the executive order, the federal government as of today is to transition to more secure credit, debit, and other payment cards.
New systems will meet the global security standard for microchip data storage and secure PIN functionality such as that used on ATM cards, the White House says.
The president explained that this action aims not only to ensure the security of transactions with the government, but also to help drive the market towards swifter adoption of stronger security standards.
To this end, the order mandates that chip and PIN will become the new payment security standard for the federal government. From Jan. 1, 2014, “chip and PIN” cards will become the standard for Federal Government programs such as SmartPay and Direct Express.
Additionally, federal agencies (e.g., the United States Postal Service) that process consumer sales will update to chip and PIN card terminals. Every federal agency processing consumer sales will actively replace any prior-generation retail payment card terminals with those that have new chip and PIN security features.
Building public-private awareness about secure authentication
The initiative calls for government agencies to ensure within the next 18 months that personal data they release digitally to citizens goes through multiple tests for authentication so that all personal information is protected by the most secure methods possible.
Additionally, the administration will work to improve resources available to consumers for the remediation of identity theft, including making credit scores more readily available to consumers and reducing by half the amount of time required to remediate the average case of identity theft.
Enhanced information sharing
The Department of Justice and the FBI will improve and coordinate efforts to regularly submit information about compromised accounts and other information to the National Cyberforensics and Training Alliance’s Internet Fraud Alert System.
The call for data breach and cybersecurity legislation
According to the fact sheet, "[I]t remains clear that American businesses and consumers demand Congressional action." Obama called on legislators to enact new laws:
- data breach legislation to clarify the expectations consumers should have when their data has been breached, and steps companies must take to notify their customers of risks after a security breach; and
- cybersecurity legislation that will help the government better protect federal networks, as well as legislation that balances the need for greater information sharing and strong protection for privacy and civil liberties.
The financial community responds
Following the president's announcement of his BuySecure initiative, the American Banking Association published a statement from the organization's CEO, Frank Keating:
We applaud the president for highlighting the challenges facing American companies and consumers. Banks, payment networks and retailers are working together to make chip cards and readers widely available in advance of the October 2015 implementation deadline. ...
Banks invest hundreds of millions of dollars every year to put in place multiple layers of security to detect fraud before it occurs and effectively stop criminals in their tracks. We look forward to working with the White House, Treasury, Commerce and Homeland Security to share our best practices and new technologies that will aid in the fight against fraud.
Independent Community Bankers of America President and CEO Camden R. Fine summed up the concerns of many smaller FIs in his statement on the Obama plan:
... while community banks and other financial institution card issuers are investing in the migration to EMV chip technology for debit and credit cards, requiring these cards to immediately be PIN-capable as a first step will slow the transition to chip cards. Additionally, this solution will not provide safeguards in e-commerce transactions, when the card is not present.
To further protect the consumer from retail and online fraud, other technologies such as tokenization, which replaces card numbers with unique digital tokens, should be used in concert with chip technology. Further, subjecting all participants in the payments system to data-protection standards such as those already required of banks under the Gramm-Leach-Bliley Act would ensure more rigorous consumer protections. Finally, ensuring that parties at fault for data breaches are liable for losses would align incentives to keep consumer data safe and foster secure business practices.
Suzanne Cluckey
Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally. She is now the editor of ATMmarketplace.com and BlockChainTechNews.com.