Obama's Chip-and-PIN Move Is 'Meaningless,' Analysts Say

WASHINGTON — An executive order signed by President Obama on Friday that mandated the adoption of chip-and-PIN technology in government cards and enabled its use in facilities like Post Offices is a "meaningless gesture" that smacks of politics over substance.

That, at least, was the judgment of several analysts following a speech by Obama and a formal signing of the order at the Consumer Financial Protection Bureau. The White House billed it as a major initiative designed to increase data security for financial transactions by both adopting the use of EMV-chip technology for government cards and in its facilities, but also encouraging retailers and banks to follow suit.

But analysts said the government's move was unlikely to have much impact, mostly because the industry is already well on its way to adopting chip-and-PIN technology, which improves security by making cards harder to counterfeit.

"It's too little, too late," said Avivah Litan, senior researcher with the Gartner Group. "Honestly, this is so empty. There is no substance in here. It would have been nice if they would have done this a few years ago. At this point, it's pretty meaningless."

A White House fact sheet said the government will "lead by example in securing transactions and sensitive data." But analysts said the government — like all retailers and banks in the credit card market — would have been forced to make the move to chip-and-PIN by October 2015. That's when new rules from the card networks go into effect that shift fraud liability to most merchants or processors not using EMV technology (gas stations have until October 2017).

"The government is being a follower," said Julie Conroy, an analyst with Aite Group. "They are not being a leader because the payment industry is way ahead of them. The government had to do this because if they didn't upgrade their security, criminals would focus on them as the weakest link in the chain."

To be sure, many in the industry saw the situation differently, praising Obama's move and saying it will force the adoption of EMV by January, which is significantly faster than the October 2015 timeline.

"It's important to think about this as the government as an issuer," said Jason Oxman, chief executive officer of the Electronic Transactions Association. "Obviously Comerica issues the card but the government is the owner of the program. It is as if a large issuer of network-branded cards announced they are moving to EMV issuance on a quick timetable. If you view it in that context, it is newsworthy… it's a very big deal."

Randy Vanderhoof, director of the EMV Migration Forum, agreed.

"The government issues lots of debit cards for its benefit programs, and therefore by making this statement and putting out the target of January 2015, they're really leading by example, and saying that the market should be moving over to more secure chip cards as fast as possible," Vanderhoof said.

He also said it could have some influence with others.

"It sends a strong signal to the rest of the market that if there's anybody still thinking, perhaps this isn't that important and that they may not need to do this in the timeframes that have been presented, that perhaps they should be rethinking this," Vanderhoof said.

During Obama's appearance at the CFPB, the president touted the security of chip-and-PIN, noting that it had helped to curb fraud in other countries.

"We're going to begin making sure that credit cards and credit-card readers issued by the United States government come equipped with two new layers of protection: a microchip in the card that's harder for thieves to clone than a magnetic strip, and a PIN number you enter into the reader just as you do with an ATM," said Obama. "We know this technology works. When Britain switched to a chip-and-PIN system, they cut fraud in stores by 70%."

There's been some debate among banks and retailers about whether adding chip-and-PIN technology would have stopped some of the major breaches at retailers like Target. EMV also does not protect e-commerce, since merchants cannot read the card's chip when accepting payments online.

Obama acknowledged that EMV cannot "stop fraud on its own." The government will also work to make it easier for law enforcement to share information with the private sector about identity theft rings, he said.

But the president also reiterated his call for a bill clarifying when consumers will be notified about data breaches affecting them, along with legislation allowing for greater information-sharing among industry and government around cybersecurity threats.

"Today, data breaches are handled by dozens of separate state laws, and it's time to have one clear national standard that brings certainty to businesses and keeps consumers safe," Obama said.

Yet observers who agree such a bill is necessary are skeptical it will ever pass Congress.

"If Congress could ever figure out how to do something, data security legislation would be great to see," said Conroy. "We've seen various forms come to the table but they can't get anything done."

Obama also highlighted the work of several companies taking steps to improve their data security.

A handful of retailers, including Home Depot and Target — two major retailers that have reported recent security breaches — along with Walgreens and Walmart, will be rolling out EMV-compatible card terminals over the next several months. Citigroup, meanwhile, has partnered with FICO to offer free monthly credit score updates to card-carrying customers. And MasterCard will begin offering free identify theft support before the end of the year.

But those retailers were all moving to chip-and-PIN technology anyway because of the looming October 2015 deadline. Even smaller banks have begun issuing chip cards. Memphis-based First Horizon Corp. said this month that it would issue chip cards to customers next year.

And while the bank plans to cut as much as $50 million from its expense base over the next three years, it is not reducing spending on cybersecurity.

"We've spent a lot on cybersecurity and we'll continue ramping up our investment," said Bryan Jordan, First Horizon's chairman and CEO, on a conference call today. "It's an issue our technology team has spent a lot of time on. … We need to remain vigilant."

The administration also plans later this year to hold a summit with businesses to "share best practices, promote adherence to stronger security standards, and discuss next-generation technologies," according to the White House.

But analysts said the president was focusing on the issue because it is a safe one in an election year.

"It's an easily accessible issue and it's entirely noncontroversial," said Isaac Boltansky, a policy analyst at Compass Point Research & Trading. "Obama could go and talk about an actual issue, leave without any political pitfalls or impacting any of the Senate races — that's a nice Friday."

John Reosti contributed to this article.

For reprint and licensing requests for this article, click here.
Law and regulation Bank technology
MORE FROM AMERICAN BANKER