WASHINGTON — Too little too late.
That's the verdict from many analysts after President Obama on Friday signed an executive order mandating the adoption of chip-and-PIN technology in government cards and enabled its use in facilities like Post Offices.
"I think it would've been nice to have it a couple years ago," said Brandon Kuehl, senior product manager at The Members Group in Des Moines, Iowa. "It's probably a day late and a dollar short. So many people have already started moving forward, so I'm not sure it holds a lot of weight."
Kuehl and other analysts spoke after Obama made a speech and held a formal signing ceremony of the order at the Consumer Financial Protection Bureau. The White House billed the event as a major initiative designed to increase data security for financial transactions by both adopting the use of EMV-chip technology for government cards and in its facilities, but also encouraging retailers and banks to follow suit.
But some analysts said the government's move was unlikely to have much impact, mostly because the industry is already well on its way to adopting chip-and-PIN technology, which improves security by making cards harder to counterfeit.
TMG's Kuehl noted that the Obama Administration's move will have little — if any — impact on credit unions.
"On the credit side, almost all of our issuers are either through their EMV projects or in process and almost all of them are signature only," he said. "To go back and change that now is probably out of the question for most of our issuers. On the debit side, all cards will have PIN no matter what, so for us it's kind of a non-issue. It's too late to have made any impact.... Maybe if they had done it around the Target timeline that might have helped, but now it's just too late."
Other analysts concurred.
"It's too little, too late," said Avivah Litan, senior researcher with the Gartner Group. "Honestly, this is so empty. There is no substance in here. It would have been nice if they would have done this a few years ago. At this point, it's pretty meaningless."
A White House fact sheet said the government will "lead by example in securing transactions and sensitive data." But analysts said the government — like all retailers and banks in the credit card market — would have been forced to make the move to chip-and-PIN by October 2015. That's when new rules from the card networks go into effect that shift fraud liability to most merchants or processors not using EMV technology (gas stations have until October 2017).
"The government is being a follower," said Julie Conroy, an analyst with Aite Group. "They are not being a leader because the payment industry is way ahead of them. The government had to do this because if they didn't upgrade their security, criminals would focus on them as the weakest link in the chain."
CUs Praise Obama Order
On the other hand, some within the credit union community praised Obama's move, including the two major CU trade groups.
CUNA commended the president's actions, with EVP and general counsel Eric Richard noting in a statement that "as a member of the Payments Security Task Force, CUNA has been actively engaged with payment networks, financial institutions, retailers and manufacturers to ensure chip cards and readers are accessible and enabled by the end of 2015. Credit unions have been and will continue to be involved in this important conversation, and we look forward to working with the Administration on this vital issue."
NAFCU's president and CEO Dan Berger was on hand for the event, and Berger said in a statement that the trade group "thanks the president for his leadership in addressing the growing cyber threats to consumers' data, and we will assist wherever we can to help credit unions and their members prepare." Berger added that NAFCU plans to continue to push for legislation to put merchants on the hook for damages sustained during a data breach, rather than financial institutions.
Ken Otsuka, senior risk-management consultant at CUNA Mutual Group, said in a statement that Obama's move could help persuade CUs to issue chip-and-PIN EMV cards rather than less secure chip-and-signature cards.
"However, EMV cards should not be viewed as a silver bullet," cautioned Otsuka. "Losses can still occur due to lost [or] stolen EMV cards that can be used to make-in-person transactions, particularly with chip-and-signature cards. Issuing chip-and-IN cards will reduce the risk of fraudulent transactions that result from lost [or] stolen cards."
Others in the wider financial services industry spoke highly of Obama's move and saying it will force the adoption of EMV by January, which is significantly faster than the October 2015 timeline.
"The government issues lots of debit cards for its benefit programs, and therefore by making this statement and putting out the target of January 2015, they're really leading by example, and saying that the market should be moving over to more secure chip cards as fast as possible," said Randy Vanderhoof, director of the EMV Migration Forum.
He also said it could have some influence with others.
"It sends a strong signal to the rest of the market that if there's anybody still thinking, perhaps this isn't that important and that they may not need to do this in the timeframes that have been presented, that perhaps they should be rethinking this," Vanderhoof said.
During Obama's appearance at the CFPB, the president touted the security of chip-and-PIN, noting that it had helped to curb fraud in other countries. The administration also plans later this year to hold a summit with businesses to "share best practices, promote adherence to stronger security standards, and discuss next-generation technologies," according to the White House.
"We're going to begin making sure that credit cards and credit-card readers issued by the United States government come equipped with two new layers of protection: a microchip in the card that's harder for thieves to clone than a magnetic strip, and a PIN number you enter into the reader just as you do with an ATM," said Obama. "We know this technology works. When Britain switched to a chip-and-PIN system, they cut fraud in stores by 70%."
There's been some debate among banks and retailers about whether adding chip-and-PIN technology would have stopped some of the major breaches at retailers like Target. EMV also does not protect e-commerce, since merchants cannot read the card's chip when accepting payments online.
Politics vs. Protection?
Obama acknowledged that EMV cannot "stop fraud on its own." The government will also work to make it easier for law enforcement to share information with the private sector about identity theft rings, he said.
But the president also reiterated his call for a bill clarifying when consumers will be notified about data breaches affecting them, along with legislation allowing for greater information-sharing among industry and government around cybersecurity threats.
"Today, data breaches are handled by dozens of separate state laws, and it's time to have one clear national standard that brings certainty to businesses and keeps consumers safe," Obama said.
Credit unions and their trade groups have been pressuring Congress to shift the responsibility for data breaches to merchants, rather than leaving financial institutions on the hook for the damages.
Yet observers who agree such a bill is necessary are skeptical it will ever pass Congress.
"If Congress could ever figure out how to do something, data security legislation would be great to see," said Aite's Conroy. "We've seen various forms come to the table but they can't get anything done."
Some analysts also noted that if the president was truly serious about consumer safety and preventing more major data breaches, he would've acted sooner than two weeks before a mid-term election during which is party may take a shellacking.
"If they really wanted to push forward chip-and-PIN, they'd do more than an executive order," said TMG's Kuehl. "They'd go through the CFPB and make it a requirement for everybody. Maybe not a requirement right now, but in three years everybody has to be chip-and-PIN. They didn't do that, so that tells me it's more politically motivated than actually trying to secure consumers, financial institutions and retailers. To me, if they wanted to do that they would've taken more steps than what they did."
--Aaron Passman of Credit Union Journal and John Reosti of American Banker contributed to this report.
