Executive order on credit card security shouldn’t overlook mobile payments

In response to a series of high-profile data breaches at Target, Home Depot and JPMorgan Chase, earlier this month President Obama signed a new executive order designed to improve the security of consumer financial payment transactions. Specifically, the president directed federal agencies to begin upgrading their payment processing terminals to use new security features by Jan. 1, 2015. Included in this directive is a requirement to allow chip-and-PIN technology. Given the high cost of card payment fraud in the United States — estimated at $8.6 billion annually — this announcement is a useful step forward in improving the security of financial payments. However, it misses an important opportunity to move to the next generation of payment technology: contactless mobile payment systems.

{mosads}The benefits of contactless mobile payment systems, such as the new Apple Pay system, can best be understood in relation to other payment technologies. Chip-and-PIN cards, also known as EMV cards (because Europay, MasterCard and Visa created the standard), are an upgrade of the standard magnetic stripe credit and debit cards used throughout the United States. Magnetic stripe cards are notoriously insecure since the information stored on them can be read by anyone with access to the card. This enables criminals to easily forge transactions and produce counterfeit cards. In contrast, chip-and-PIN cards store data on an embedded microprocessor, use public key encryption to prevent counterfeiting and require a PIN to access data stored on the card. Retailers can use chip-and-PIN point-of-sale terminals to require two-factor authentication (i.e., the customer must possess both the card and the PIN number) before approving any transaction, thereby reducing credit card and debit card fraud. Because chip-and-PIN technology is such an improvement, credit card companies like Visa and MasterCard have announced new policies that will make retailers who do not upgrade their payment systems liable for fraudulent transactions.

However, chip-and-PIN cards do not solve all of the security risks faced by consumers, merchants and banks. Europe, which has long since moved to chip-and-PIN, still suffered approximately $2.1 billion in credit card fraud losses in 2013. Neither do they necessarily represent more convenience for the consumer. Consumers may still lose their wallets (perhaps with the PIN number written down) and they must still carry a wallet full of credit cards. Chip-and-PIN cards also do not solve the problem of fraud from certain remote transactions where there is no card presented to a merchant, such as online payments. Banks are developing additional security efforts to deal with these concerns, such as tokenization, which automatically substitutes a unique, securely generated alphanumeric sequence for a credit card number in online payments, thereby reducing the risk of sharing account numbers with third parties. Tokenization helps ensure that even if hackers gained access to a retailer’s sales transactions, they could not use this information to enable new fraudulent transactions.

Moreover, chip-and-PIN cards represent a standard that was produced almost 20 years ago. The new wave of payment innovations are occurring with contactless mobile payment systems, most notably near field communications (NFC) payment systems such as Apple Pay and Google Wallet, as well as Bluetooth low energy (BLE) payment systems such as PayPal Beacon, which give consumers the ability to make secure electronic payments using a mobile device. These payment systems not only include similar security features as chip-and-PIN cards, but they also integrate tokenization.

By issuing an executive order only calling for chip-and-PIN technology, the Obama administration has missed an opportunity to jump-start adoption of contactless payment systems. This is an opportunity that does not come often, as the cost to upgrade payment terminals can be substantial. For example, in the wake of the recent hacking incident in which 40 million credit card numbers were stolen from Target, the company estimates it will cost $50 million to upgrade all of its point-of-sale terminals. Fortunately, the executive order can easily be clarified and updated. To that end, the various agency heads responsible for implementing the order, including the secretary of the Treasury and the head of the General Services Administration, should issue guidance stating that any new payment processing terminals must support contactless payments. This will ensure that federal agencies do not waste their time or taxpayer dollars updating their systems to technology that is already out of date.

Castro is director of the Center for Data Innovation.