Last Friday, President Obama signed an executive order requiring credit and debit cards issued to and on behalf of the Federal Government to conform to the EMV standards currently used in Europe. The standards add so-called Chip and PIN technology to the cards, which is dramatically more difficult for hackers to compromise than the magnetic stripe swipe technology that most cards have today.
The order also speaks in more general terms about promoting security in government payments and online transactions. The President’s action is part of the Administration’s BuySecure initiative, which also encourages private sector banks and retailers to move in the same direction. However, events seem to be spurring them on more than anything else.
Moving to Chip and PIN has been discussed for several years in the private sector, but there has been some reluctance due to the complexities and costs of converting from the current system. New card readers will need to be deployed to be able to use Chip and PIN.
In the past year there has been a wave of high-profile breaches of cardholder data at high-volume retailers, from Target last November to Home Depot last month and Staples this month. Hundreds of millions of cardholders have had their card data and, in some cases, other personal information stolen by hackers. Up to 100 million cardholders were compromised by the Target data breach alone.
Hackers will use this information to create and sell counterfeit credit cards and commit other financial fraud.
The principal problem is that hackers have been able to infect point-of-sale systems with malware that can read the data from the magnetic stripe when the card is swiped on the system’s reader. With Chip and PIN, the card data is stored in a printed microchip that is much harder to compromise, and the user must enter a PIN.
Countries that have widely implemented this technology have not had the kind of breaches seen in the US.