Chip-and-PIN is Coming…To the US Government

Last Friday, in the wake of numerous data breaches, President Obama signed a new Executive Order that will change how federal agencies use payment cards and allow access to certain government portals.  Those changes include the adoption of chip-and-PIN (also known as EMV) payment terminals and cards, and the implementation of multi-factor authentication on digital applications where consumers can access personal information.

The Executive Order requires the executive departments and agencies to deploy chip-and-PIN payment processing terminals at government offices “as soon as possible.”  Legacy payment processing terminals do not have to be replaced immediately but all new terminals purchased after Jan. 1, 2015 must include the necessary hardware to support the enhanced security features.  The Department of Treasury also has until the same deadline to develop a plan on how the agencies can install the associated software-components to support these security features.

More importantly, by Jan. 1, 2015, all Direct Express prepaid debit cards used to pay government benefits will include the embedded chip.  The Office of Management and Budget is also charged with developing plans to replace the cards issued by other federal agencies with payment cards that include the enhanced security features.  In a speech to the CFPB on the same day, Present Obama announced that the Administration would be holding a summit with industry leaders and consumer advocates to spur the adoption of chip-and-PIN by the private sector ahead of the October 2015 liability shifting deadline set by the major card brands.

The President also mandated that all executive agencies implement certain authentication systems that require two or more independent factors (i.e., something you know, something you have or something you are).  The multi-factor authentication requirement applies to every digital application run by the agencies which allows individuals to access “personal data” (undefined by the Executive Order).  The plan for adding multi-factor authentication must be developed within 90 days and implemented within another 15 months.

Finally, the Executive Order requires specific federal agencies to coordinate the reporting by federal law enforcement of compromised credentials to the private sector Internet Fraud Alert System and consolidating identity theft resources for consumers on an improved IdentityTheft.gov website.