In the wake of major credit card breaches at Target Corp., Home Depot Inc. and JPMorgan Chase & Co. over the past year, President Barack Obama signed a new executive order Friday requiring consumer-facing federal agencies to upgrade their point-of-sale terminals and enhance security for federal payment cards by the start of 2015.
The order now requires federal agencies that issue credit, debit or other payment cards to use chip-and-PIN-technology-enabled cards. These cards have encrypted microchips embedded in them, rather than a single magnetic strip. The cards will also require a consumer to enter a personal identification number when making a purchase.
“Last year, millions of Americans became victims of identity theft, millions were victims of this kind of fraud,” Obama said at an event announcing the executive order at the Consumer Financial Protection Bureau. “The idea that somebody halfway around the world could run up thousands of dollars in your name just because they stole your number or because you swiped your card at the wrong place at the wrong time — that’s infuriating.”
According to the White House, the U.S. Postal Service has already transitioned its systems in retail facilities across the country. On the list of systems to be transitioned soon are U.S. passport offices, national parks, and Veterans Affairs retail and food stores.
“The goal is not just to ensure the security of doing retail business with the government, but also, through this increased demand, to help drive the market towards stiffer adoption of stronger security standards,” a fact sheet said.
Although Obama’s executive order has no direct effect on the nonagency consumer world, several major companies have agreed to upgrade their systems in a sign of support for the president’s action. Even companies like Target and Home Depot, who were victims of personal financial information breaches, have already transitioned their point-of-sale terminals to support chip-and-PIN cards. Home Depot also completed a payment security project that provides better encryption in its terminal systems.
To enact better financial security measures across the board, Obama also called on Congress to take action on data breach legislation.
“And even though I’m taking action today without Congress, Congress needs to do its part as well,” Obama said. “Today, data breaches are handled by dozens of separate state laws. It’s time to have one clear national standard that brings certainty to businesses and keeps consumers safe.”
The fact sheet accompanying the executive order highlighted the need for cybersecurity legislation.
“[The administration is] calling on Congress to pass meaningful cybersecurity legislation that will help the Government better protect federal networks and legislation that appropriately balances the needs for greater information sharing and strong protection for privacy and civil liberties,” the fact sheet said.
The executive order tasks the Treasury secretary to ensure that all payment-processing terminals acquired by agencies after Jan. 1, 2015, have the enhanced security features installed. The Treasury secretary will also be charged with developing a plan for agencies to install software that will support the new security measures.
Also by Jan. 1, the Treasury will ensure that prepaid cards for federal benefits will have the enhanced security features, and it will develop and roll out a plan to replace old cards.
The order also requires the General Services Administration to ensure that credit, debit and other payment cards provided through any GSA contracts have the enhanced security features by Jan. 1.
Agencies outside of GSA and Treasury are required to submit a plan to replace or enhance cards to the White House’s Office of Management and Budget.
The executive order also improves information sharing between agencies, as well as sharing between the public and private sector. By February 15, 2015, the Attorney General and the Homeland Security Secretary will issue guidance to agencies to require law enforcement agencies to submit information about compromised financial credentials to the National Cyber-Forensics and Training Alliance’s Internet Fraud System.
The Commerce and Justice departments, in conjunction with the Social Security Administration will look for any publicly available agency resources for victims of identity theft and provide that information to the Federal Trade Commission by March 15, 2015.
OMB and GSA will also partner with the FTC in order to improve and enhance the identitytheft.gov website. The White House declined to comment on whether the partnership with the FTC will include OMB’s U.S. Digital Service and GSA’s 18F.
By January 15, 2015, the National Security staff, the White House’s Office of Science and Technology Policy and OMB will present the president with a plan to ensure that agencies make personal data accessible to citizens through digital applications or the Web. This accessible information must be done consistent with the National Strategy for Trusted Identities in Cyberspace, an initiative out of the National Institute of Standards and Technology. According to the executive order, the elements of that plan must be put in place within 18 months.